Using tls:sasl/DIGEST-MD5 with client authentication

Hi
I have installed a certificate on the server and enabled it. Using Netscape I got the cert7.db and key3.db.
These work with ldapsearch with the -Z -p options to get data securely through port 636.
But when I copy the db files to /var/ldap on the Solaris 8 client and use a profile with tls:sasl/DIGEST-MD5 or tls:simple,
I get:
Mesg: Session error, no available connection. And openConnection: sasl/DIGEST-MD5 (or simple) bind failed - Invalid credentials.
Must I use Certificate based Authentication instead?
Like the proxyagent must have a certificate installed. Or is there something that must be done to the cert7.db and key3.db files I got from Netscape?

I'm trying to get sasl/DIGEST-MD5 to work with a Solaris 9 client. This command works:
ldapsearch -D "" -w test1234 -o mech=DIGEST-MD5 -o authid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -o authzid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -b "dc=net2,dc=kongsberg,dc=com" "(objectclass=*)"
Client configured with this:
ldapclient -v init -a profileName=default -a domainName=net2.kongsberg.com -a proxyDN="cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -a proxyPassword=test1234 172.18.2.19
Profile:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 172.18.2.19
NS_LDAP_SEARCH_BASEDN= dc=net2,dc=kongsberg,dc=com
NS_LDAP_AUTH= sasl/DIGEST-MD5
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
messages log on client:
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: sasl/DIGEST-MD5 bind failed - Invalid credentials
Jan 14 08:00:32 panzer last message repeated 1 time
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 7 Mesg: Session error no available conn.
error log on server:
[14/Jan/2004:08:06:47 +0100] conn=1622 op=2 msgId=-1 - closing - U1
[14/Jan/2004:08:06:47 +0100] conn=1623 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.18.2.41 to 172.18.2.19
[14/Jan/2004:08:06:47 +0100] conn=1622 op=-1 msgId=-1 - closed.
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
Not sure why I get Invalid credentials; the passwords are stored in CLEAR. And you can see I use the same in ldapsearch and ldapclient.
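To show what the server has to reproduce in order to verify the DIGEST-MD5 bind that ends with err=49 in the access log above, and why the note about passwords stored in CLEAR matters, here is an added Python example that is not part of the original post: it implements the RFC 2831 response computation, checks it against the RFC's published test vector, and simulates the proxy-agent bind from this thread. The realm, nonces and digest-uri it uses are assumptions.

```python
# Added example (not code from the original post): RFC 2831 DIGEST-MD5 as an
# LDAP server has to recompute it to verify a SASL bind. Standard library only.
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5(username, realm, password, nonce, cnonce, nc, qop,
               digest_uri, authzid=None, rspauth=False):
    """Hex response-value (or the server's rspauth when rspauth=True).

    RFC 2831 2.1.2.1: A1 = H(username:realm:password):nonce:cnonce[:authzid],
    where the inner H() is the raw 16-byte MD5 digest, not its hex form.
    """
    a1 = _md5(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 starts with the method for the client response, empty for rspauth.
    a2 = ("" if rspauth else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1 = _md5(a1).hex()
    ha2 = _md5(a2.encode("utf-8")).hex()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return _md5(kd.encode("utf-8")).hex()

def server_verify(stored_password, fields, client_response):
    """Server side: recompute from the password on file and compare.

    Only possible when the directory holds the cleartext password (or the
    precomputed H(username:realm:password)); a one-way hash cannot be used.
    Returns the rspauth to send back, or None for err=49 invalidCredentials.
    """
    expected = digest_md5(password=stored_password, **fields)
    if not hmac.compare_digest(expected, client_response):
        return None
    return digest_md5(password=stored_password, rspauth=True, **fields)

# Published test vector from RFC 2831 section 4.
RFC_FIELDS = dict(username="chris", realm="elwood.innosoft.com",
                  nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk", nc="00000001",
                  qop="auth", digest_uri="imap/elwood.innosoft.com")

def rfc_vector():
    return digest_md5(password="secret", **RFC_FIELDS)

# Constructed scenario modelled on the thread: the proxy agent binds with the
# "dn:<DN>" authid form. Realm, nonces and digest-uri are assumptions.
PROXY_ID = "dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com"
PROXY_FIELDS = dict(username=PROXY_ID, realm="net2.kongsberg.com",
                    nonce="constructedNonce01", cnonce="constructedCnonce01",
                    nc="00000001", qop="auth", digest_uri="ldap/172.18.2.19",
                    authzid=PROXY_ID)

def bind_outcome(client_username, client_password, stored_password):
    """One simulated bind: True on success, False where the server says err=49.

    Every byte of username, realm and password is bound into the digest, so an
    identity string the server resolves differently (even by one space) fails
    exactly like a wrong password does.
    """
    client_fields = dict(PROXY_FIELDS, username=client_username)
    resp = digest_md5(password=client_password, **client_fields)
    return server_verify(stored_password, PROXY_FIELDS, resp) is not None
```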

Similar Messages

  • Switching from tls:simple to tls:sasl/DIGEST-MD5

    How can I do this, and can someone post an example of how? Can DS 5.2 support more than one Authentication Method at a time?
    TIA,
    Chris

    I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
    idsconfig is which "Authentication Methods" the DS will support. The choices being:
    * none
    * simple
    * sasl/DIGEST-MD5
    * tls:simple
    * tls:sasl/DIGEST-MD5
    When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
    could have chosen more than one at that time, but I didn't. What I need to know is how to add support
    for additional Authentication Methods after the fact. I assume there is a directory object somewhere and
    it's a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
    or caveats I should be aware of beforehand.

  • SASL DIGEST-MD5

    Did anybody have any problem with using DIGEST-MD5 with iPlanet running on a 2000 Advanced Server?
    I have no problem when iPlanet is running on 2000 Professional but always get the error 49 with message: "Internal authentication error." when trying to authenticate the user through SASL DIGEST-MD5. Simple authentication with the same credentials works fine.
    Looking at the LDAP packets I can see no differences, which makes me think that this is somehow related to the OS or iPlanet configuration.
    In both cases it was the same version iPlanet Server 5.1SP2 with default settings.
    BTW: It fails the same way with NT4SP6 Server.

    Michael,
    Sun ONE Directory Server 5.2 is not supported on Windows 2000 Professional. It is only supported on server versions of Windows 2000 (Server and Advanced Server).
    You should not have any problems running Directory Server on Windows 2000 Professional, though, but you should always keep in mind that the product has not been tested and is not supported on this platform.
    Bertold

  • KDC identifying both with client authentication

    Hi everybody,
    I am using a client authentication certificate template,
    and I also want to use a KDC identifying both with client authentication.
    I am looking for the specific configuration for this.
    Thank you
    Marv Kikovanovich

    Hey Marv
    Thanks for posting ,
    You need to add another Application Policy, "KDC Authentication", on the client
    certificate template.
    Certification Authority\Certificate Templates\Manage
    Properties of the client certificate template - Extensions tab
    Edit Application Policies, and add the "KDC Authentication" policy.
    Good Luck.
    I'd be glad to answer any question

  • HOWTO Bind using SASL DIGEST-MD5?

    I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
    using the Novell CSharp library. Can anyone explain how this is done,
    or point me to a code example?
    I can connect, bind, and search this LDAP server using Apache Directory
    Studio, so I know that my credentials are correct.
    Also, I have already used the Novell CSharp library for searching other
    LDAP servers using simple authentication, and SSL, but never SASL
    DIGEST-MD5.
    Thanks in advance for any help.
    danielnapierski
    danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
    View this thread: http://forums.novell.com/showthread.php?t=414964

    More than fifty people have read this post, but there are no replies as
    of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
    supported by the Novell CSharp library."
    danielnapierski;1995522 Wrote:
    > I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
    > using the Novell CSharp library. Can anyone explain how this is done,
    > or point me to a code example?
    >
    > I can connect, bind, and search this LDAP server using Apache Directory
    > Studio, so I know that my credentials are correct.
    >
    > Also, I have already used the Novell CSharp library for searching other
    > LDAP servers using simple authentication, and SSL, but never SASL
    > DIGEST-MD5.
    >
    > Thanks in advance for any help.
    danielnapierski
    danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
    View this thread: http://forums.novell.com/showthread.php?t=414964

  • Reuse the LDAP connection when Using SASL DIGEST-MD5

    I have a problem using the same LDAP connection for multiple SASL authentications.
    step1, LDAPConection conn=new LDAPCo...
    conn.conect()..
    step2, do a SASL DIGEST-MD5; successfully get a challenge from the server and server confirmation after the response is correct.
    step3, I want to use the same connection for another authentication of a different user; somehow the server did not give back the challenge and rejected the authentication request again.
    So my question is how can we reuse the same connection for SASL authentication?
    Is there any switch or reset on the LDAP connection, or does the LDAP server have to be configured in some way to take multiple authentications using the same connection?

  • SASL - Digest MD5 - JNDI Help needed

    Hi All,
    I am using Sunone Directory Server 5.2 and jsdk1.4.1. I tried the Digest-MD5 SASL authentication example given in the JNDI tutorial and it worked fine. The problem is, when I try to run the same program three or more times in succession, it hangs. Actually, the initial context gets created but operations like a simple getAttributes do not happen. What could be the problem, or rather what is the solution to overcome it?
    Attached below is the sample source code used...
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class DigestMd5Bind {
        public static void main(String[] args) {
            try {
                Hashtable env = new Hashtable(11);
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, "ldap://localhost:389/");
                // SASL DIGEST-MD5 bind; the principal uses the "dn:" authzid form
                env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
                env.put(Context.SECURITY_PRINCIPAL, "dn:uid=xxx,ou=xxx,dc=xxx,dc=xxx");
                env.put(Context.SECURITY_CREDENTIALS, "xxxxx");
                System.out.println("about to get context");
                DirContext ctx = new InitialDirContext(env);
                System.out.println("got context");
                // Read supportedSASLMechanisms from the root DSE; this is the call that hangs
                Attributes attrs = ctx.getAttributes("ldap://localhost:389", new String[]{"supportedSASLMechanisms"});
                System.out.println(attrs);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    thanks in advance
    sridhar

    As I have mentioned, this was the message from the other forum.
    I have posted the mail correspondence we had (hope they won't consider this an offence)...
    There was a bug in the provider. It has been fixed in 1.4.2 and later
    releases.
    Rosanna Lee
    Java Software, Sun Microsystems, Inc
    [email protected]
    Date: Mon, 13 Oct 2003 04:46:49 +0100 (BST)
    From: anala sridhar <[email protected]>
    Subject: JNDI problem
    To: [email protected]
    Hi,
    First, I would like to thank everyone behind the
    excellent JNDI tutorial. It acted as the bible for my
    JNDI learning.
    I tried the sample code ServerSasl.java provided. I
    got it working after a few trials. I tried to get the
    supportedSasl Mechanisms by the Sunone Directory
    Server 5.2 . I got them. Then i tried to authenticate
    using the default Digest-MD5 (am using jsdk 1.4.1).
    When, i try to run the same program in succession, it
    hangs up (4 or 5 times in a row). I am getting the
    initial context with the credentials provided but it
    hangs at doing the simple getAttrs operation. What
    could be the problem?
    Please reply to this query
    thanks in advance
    sridhar

  • Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1

    Hello All,
    We are currently building up an HTTPS message exchange with an external client.
    Our PI 7.1 receives messages over HTTPS on an already configured Sender SOAP Adapter.
    The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack in Trust Manager (TC=STRUSTSSO2).
    Login to Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
    Now we have to configure the additional Client Authentication.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    But what are the next steps to get this scenario successfully in place?
    Many thanks in advance!
    Jochen

    Hi Colleagues,
    The following steps still have to be done:
    - Map the public key to the technical user at the Java Stack
      As preparation you have to set the value "ume.logon.allow.cert" to true under "com.sap.security.core.ume.service" in Config Tool. In NWA under Identity Management, assign the public key certificate to the respective technical user.
    - Be sure the CA root certificate is in the database under STRUSTSSO2
    - Import the intermediate certificate under Certificate List in Trust Manager for the respective server node
    - Use Login Module "client_cert", which you have to configure under NWA\Configuration Management\Authentication for Components "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
    Many thanks to all for support!
    Regards,
    Jochen

  • HTTPS with Client Authentication not available in EHP1?

    Hi Guys,
    I am not seeing this option in PI 7.1 EHP1.
    At SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
    any help would be appreciated
    Thanks,
    Srini

    Hi Srinivas,
    I did not use it personally. But when I look at SAP help I don't see that option anywhere. Please see this SAP help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
    But you have an option sender agreeement for security. Please see this help:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
    Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
    http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
    Regards,
    ---Satish

  • HTTPS with Client Authentication in SOAP sender Adapter

    Hi All,
    In SOAP Sender communication channel. When I generate WSDL with “HTTP Security Level = HTTP:” it works when third party tries to send data to XIwebservice.
    But when I tried with “HTTPS with Client Authentication” option its giving error
    “InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.”
    Please guide how to use “HTTPS with Client Authentication” option, and what all configuration need to apply in XI & in third party to use this.
    Regards

    Rohan,
    With spy you can trace the entire route, since you are using client authentication using certificate, it would be a better option to verify with the certificate.
    You also have the option of using a username/pwd combo though that is not advocated as it lowers security levels and is permeable to passive sniffing.
    So the answer to your question is yes, after importing the certificate with sender and third party receiver, a test would reveal the complete scenario along with any issues that you could encounter.
    Regards
    Ravi Raman

  • HTTPS With Client Authentication

    Hi,
    I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
    java.security.AccessControlException: client certificate required
    In the the transaction scim the following can be seen:
    [Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
    [Thr 5061]      in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
    [Thr 5061]     out: sssl_hdl = 1117534b0
    [Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]      in: sssl_hdl = 1117534b0
    [Thr 5061]      in: cred_hdl = 116cfc110
    [Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
    [Thr 5061]   SSL NI-sock: local=XX.XX.XX.XX:50001  peer=XX.XX.XX.XX:2310
    [Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
    [Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
    [Thr 5061]          status = "resumed SSL session, NO client cert"
    The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
    Sender Communication Channel, 
    Transport Protocol: HTTP,
    Message Protocol: Soap 1.1,
    Adapter Engine: Central Adapter Engine,
    HTTPS with Client Authentication,
    Keep Headers
    Any ideas?
    Kind regards,
    John

    Hi Peter,
    If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
    It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
    All the best,
    John

  • SOAP sender adapter with  client authentication

    Hi,
    Can you please tell me the steps to be followed to configure the SOAP sender adapter for HTTPS with client authentication.
    Thanks

    Hello,
    Check out this SAP NOTE
    [Note 891877 - Message-specific configuration of HTTP-Security|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=891877]
    Check out below blog for step by step process.
    /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
    Hope this will help.
    Nilesh
    Edited by: Nilesh Kshirsagar on May 28, 2009 11:31 AM

  • SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config

    Hi All,
    I have a Web-service-XI-Proxy scenario where we use SOAP Sender Adapter with HTTPS. Double authentication (client and server) certificates shall be used.
    Testing simple HTTP and XI user name/password works fine.
    Now I installed the required certificates in TrustedCA and ssl-provider in Visual Admin.
    But I can't see how I can configure certificates in the SOAP sender Adapter. I've just done a SOAP receiver for another scenario and there I could give a keystore entry.
    I also don't know how to disable asking for name/password. I am using XI 7.0.
    Please advise.
    Thanks,
    Nataliya

    Hi Nataliya,
    Go to SOAP Adapter > Inbound Security Checks -> HTTP Security Level --> here you can specify the option "HTTP with Client Authentication".
    One more thing HTTP Security level option is always available in Sender Adapter.
    For more clarity about HTTPS find below link.
    http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
    To enable the TrustedCA in SOAP Sender adapter. Go SOAP Sender> Security Parameter> Security Profile--> Web Service
    security. Then go to sender agreement there you need to give key store entry.

  • OfficialFile.asmx The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'. ERROR

    We are getting an error on the authentication piece when trying to submit a file to the OfficialFile.asmx web service to submit a document to the Drop-Off Library. Here is the code snippet -
    public string FileUpload(HttpPostedFile FileInput, RecordsRepositoryProperty[] properties)
    {
        string strFileUrl = string.Empty;
        RecordsRepositorySoapClient repository = new RecordsRepositorySoapClient();
        // Read the uploaded file into memory for SubmitFile
        BinaryReader b = new BinaryReader(FileInput.InputStream);
        byte[] binData = b.ReadBytes(FileInput.ContentLength);
        // Explicit Windows credentials for the OfficialFile.asmx call
        repository.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential(iUserID, iUserPassword, iUserDomain);
        repository.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
        repository.SubmitFile(binData, properties, null, FileInput.FileName, HttpContext.Current.User.Identity.Name);
        strFileUrl = repository.GetFinalRoutingDestinationFolderUrl(properties, null, FileInput.FileName).Url;
        return strFileUrl;
    }
    Although we are setting the network credential in the client call we still get the error
    - The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
    Ideas?
    Thanks in advance.

    Hi,
    Based on the error message, the issue is related to the authentication type.
    I suggest you can specify the credential type like the below:
    CredentialCache credentialCache = new CredentialCache();
    NetworkCredential credentials = new NetworkCredential(UserName, PassWord, sDomain);
    credentialCache.Add(new Uri(recordCenterUrl), "NTLM", credentials);
    Here is a detailed code demo for your reference:
    http://blogs.msdn.com/b/mcsnoiwb/archive/2011/06/06/sending-files-to-a-record-center-using-the-sp2010-webservice-officialfile-asmx.aspx
    Best Regards
    Forum Support
    Jerry Guo
    TechNet Community Support

  • The HTTP Request is unauthorized with client authentication scheme negotiate - MDS Excel Plugin error

    Hi,
    Some users in my company are experiencing a strange issue when connecting to our MDS server using the MDS Excel plugin. They receive the error message:
    "The HTTP Request is unauthorized with client authentication scheme negotiate. The authentication header received from the server was "NTLM,BASIC real="DOMAIN NAME IWA"
    They are receiving this error when first trying to connect. For some reason they only receive this error when connected to the work network via the VPN. They don't receive this error from within our network.
    Does anyone know what might be causing this issue and how to resolve?
    Many Thanks,
    Phil

    Try the following links and see if it helps:
    https://support.microsoft.com/en-us/kb/896861/
    https://social.technet.microsoft.com/Forums/projectserver/en-US/912c7179-8858-4c48-a71d-d9a21ff10a1b/the-http-request-is-unauthorized-with-client-authentication-scheme-ntlm-the-authentication?forum=project2010custprog
    -Nithesh Shetty Software Engineer, C & E -> IMML -> MDS, Microsoft.
