Using tls:sasl/DIGEST-MD5 with client authentication
Hi
I have installed a certificate on the server and enabled it. Using Netscape I got the cert7.db and key3.db.
These work with ldapsearch with the -Z -p options to get data securely through port 636.
But when I copy the db files to /var/ldap on the Solaris 8 client, and use a profile with tls:sasl/DIGEST-MD5 or tls:simple,
I get:
Mesg: Session error, no available connection. And openConnection: sasl/DIGEST-MD5 (or simple) bind failed - Invalid credentials.
Must I use Certificate based Authentication instead?
Like, must the proxyagent have a certificate installed? Or is there something that must be done to the cert7.db and key3.db files I got from Netscape?
I'm trying to get sasl/DIGEST-MD5 to work with a Solaris 9 client. This command works:
ldapsearch -D "" -w test1234 -o mech=DIGEST-MD5 -o authid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -o authzid="dn:cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -b "dc=net2,dc=kongsberg,dc=com" "(objectclass=*)"
Client configured with this:
ldapclient -v init -a profileName=default -a domainName=net2.kongsberg.com -a proxyDN="cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" -a proxyPassword=test1234 172.18.2.19
Profile:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com
NS_LDAP_BINDPASSWD= {NS1}4a3788e8c053424f
NS_LDAP_SERVERS= 172.18.2.19
NS_LDAP_SEARCH_BASEDN= dc=net2,dc=kongsberg,dc=com
NS_LDAP_AUTH= sasl/DIGEST-MD5
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
messages log on client:
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 49 Mesg: openConnection: sasl/DIGEST-MD5 bind failed - Invalid credentials
Jan 14 08:00:32 panzer last message repeated 1 time
Jan 14 08:00:32 panzer ldap_cachemgr[904]: [ID 293258 daemon.error] libsldap: Status: 7 Mesg: Session error no available conn.
error log on server:
[14/Jan/2004:08:06:47 +0100] conn=1622 op=2 msgId=-1 - closing - U1
[14/Jan/2004:08:06:47 +0100] conn=1623 op=-1 msgId=-1 - fd=47 slot=47 LDAP connection from 172.18.2.41 to 172.18.2.19
[14/Jan/2004:08:06:47 +0100] conn=1622 op=-1 msgId=-1 - closed.
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - BIND dn="dn: cn=proxyagent,ou=profile,dc=net2,dc=kongsberg,dc=com" method=sasl version=3 mech=DIGEST-MD5
[14/Jan/2004:08:06:47 +0100] conn=1623 op=1 msgId=2 - RESULT err=49 tag=97 nentries=0 etime=0
Not sure why I get Invalid credentials; the passwords
are stored in CLEAR. And you can see I use the same in ldapsearch and ldapclient.
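The err=49 in the server access log is the outcome of the server's DIGEST-MD5 response check, so it helps to see exactly what goes into that check. The following is an added example, not code from this thread or from Solaris or iPlanet: a self-contained Python implementation of the RFC 2831 response and rspauth computation with a minimal challenge/response directive parser, run over the test vector printed in RFC 2831 section 4 (user chris, realm elwood.innosoft.com, password secret). The function names and the password lookup callback are my own. Two things it makes visible: the server must hold the cleartext password (or a stored MD5 of username:realm:password) to compute the same value, and username, realm and any authzid are hashed into A1, so any difference in how the two sides spell the identity produces Invalid credentials even when the password itself matches.

```python
"""RFC 2831 DIGEST-MD5 walkthrough: challenge, client response, server verification.

Added example (not from the thread). Names are my own; the test vector is the
one printed in RFC 2831 section 4 (password "secret").
"""
import hashlib
import hmac
import os
import re

# DIGEST-MD5 messages are comma-separated directives: key=token or key="quoted".
_DIRECTIVE = re.compile(r'([A-Za-z][\w-]*)=("(?:[^"\\]|\\.)*"|[^,]*)')
# Directives RFC 2831 requires the client to send as quoted strings.
_QUOTED = {"username", "realm", "nonce", "cnonce", "digest-uri", "authzid"}


def parse_directives(text):
    """Parse a challenge or response into a dict, unescaping quoted values."""
    out = {}
    for key, value in _DIRECTIVE.findall(text):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        out[key] = value.strip()
    return out


def _digest(username, realm, password, nonce, cnonce, nc, qop, digest_uri,
            authzid=None, server=False):
    """Response-value computation of RFC 2831 section 2.1.2.1 (algorithm md5-sess).

    username, realm and authzid all go into A1, so client and server must agree
    on every one of them; the server needs the cleartext password (or a stored
    MD5(username:realm:password)) to run the same computation.
    """
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce [":" authzid]; H() as raw bytes
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = "AUTHENTICATE:" uri for the client; ":" uri for the server's rspauth
    a2 = ("" if server else "AUTHENTICATE") + ":" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode("utf-8")).hexdigest()


def client_response(challenge, username, password, digest_uri,
                    cnonce=None, authzid=None):
    """Build the client's digest-response for a server challenge (qop=auth only)."""
    ch = parse_directives(challenge)
    cnonce = cnonce or os.urandom(16).hex()
    realm = ch.get("realm", "")
    nc = "00000001"   # first use of this nonce on this connection
    qop = "auth"      # this example does not negotiate auth-int / auth-conf
    resp = _digest(username, realm, password, ch["nonce"], cnonce, nc, qop,
                   digest_uri, authzid)
    fields = [("charset", "utf-8"), ("username", username), ("realm", realm),
              ("nonce", ch["nonce"]), ("nc", nc), ("cnonce", cnonce),
              ("digest-uri", digest_uri), ("response", resp), ("qop", qop)]
    if authzid:
        fields.append(("authzid", authzid))
    return ",".join(f'{k}="{v}"' if k in _QUOTED else f"{k}={v}" for k, v in fields)


def server_verify(response_text, issued_nonce, lookup_password):
    """Check a digest-response against the nonce this server issued.

    lookup_password(username, realm) returns the cleartext password or None.
    Returns the "rspauth=..." directive to send back on success, else None.
    """
    r = parse_directives(response_text)
    needed = ("username", "nonce", "cnonce", "nc", "qop", "digest-uri", "response")
    if any(k not in r for k in needed) or r["nonce"] != issued_nonce:
        return None   # malformed, or a stale / replayed nonce
    realm = r.get("realm", "")
    password = lookup_password(r["username"], realm)
    if password is None:
        return None
    args = (r["username"], realm, password, issued_nonce, r["cnonce"], r["nc"],
            r["qop"], r["digest-uri"], r.get("authzid"))
    if not hmac.compare_digest(_digest(*args), r["response"]):
        return None   # the "Invalid credentials" (err=49) path
    # Mutual authentication: prove the server also knows the secret.
    return "rspauth=" + _digest(*args, server=True)


# Walkthrough over the RFC 2831 section 4 example values.
RFC_CHALLENGE = ('realm="elwood.innosoft.com",nonce="OA6MG9tEQGm2hh",qop="auth",'
                 'algorithm=md5-sess,charset=utf-8')
RFC_NONCE = "OA6MG9tEQGm2hh"


def rfc_walkthrough():
    """Return (parsed client response, server rspauth line) for the RFC vector."""
    resp = client_response(RFC_CHALLENGE, "chris", "secret",
                           "imap/elwood.innosoft.com", cnonce="OA6MHXh6VqTrRk")
    rspauth = server_verify(
        resp, RFC_NONCE,
        lambda u, r: "secret" if (u, r) == ("chris", "elwood.innosoft.com") else None)
    return parse_directives(resp), rspauth


if __name__ == "__main__":
    fields, rspauth = rfc_walkthrough()
    print("client response:", fields["response"])   # d388dad90d4bbd760a152321f2143af7
    print("server reply:   ", rspauth)              # rspauth=ea40f60335c427b5527b84dbabcdfffd
```

Run it directly to print the response and rspauth for the RFC vector; server_verify returns None on every failure path (unknown user, wrong password, missing directive, nonce the server did not issue), which is the same decision the directory server makes before logging err=49.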
Similar Messages
-
Switching from tls:simple to tls:sasl/DIGEST-MD5
How can I do this, and can someone post an example of how? Can DS 5.2 support more than one Authentication Method at a time?
TIA,
Chris
I'm not sure. That's why I asked. :) And I only ask because one of the settings made via
idsconfig is which "Authentication Methods" the DS will support. The choices being:
* none
* simple
* sasl/DIGEST-MD5
* tls:simple
* tls:sasl/DIGEST-MD5
When I set this DS up, I chose only tls:simple. A SunSolve document I read indicated that you
could have chosen more than one at that time, but I didn't. What I need to know is how to add support
for additional Authentication Methods after the fact. I assume there is a directory object somewhere and
it's a matter of modifying or adding an attribute, but I wanted to make sure there were no gotchas
or caveats I should be aware of beforehand. -
Did anybody have any problem with using DIGEST-MD5 with iPlanet running on a 2000 Advanced Server?
I have no problem when iPlanet is running on 2000 Professional, but I always get error 49 with the message "Internal authentication error." when trying to authenticate the user through SASL DIGEST-MD5. Simple authentication with the same credentials works fine.
Looking at the LDAP packets I can see no differences, that makes me think that this is somehow related to the OS or iPlanet configuration.
In both cases it was the same version iPlanet Server 5.1SP2 with default settings.
BTW: It fails the same way with NT4SP6 Server.
Michael,
Sun ONE Directory Server 5.2 is not supported on Windows 2000 Professional. It is only supported on server versions of Windows 2000 (Server and Advanced Server).
You should not have any problems running Directory Server on Windows 2000 Professional, though, but you should always keep in mind that the product has not been tested and is not supported on this platform.
Bertold -
KDC identifying both with client authentication
hi everybody
I am using a client authentication certificate template,
and I also want to use a KDC identifying both with client authentication.
Looking for this configuration specified.
thank you
Marv Kikovanovich
Hey Marv
Thanks for posting,
You need to add another Application Policy, "KDC Authentication", to the client
certificate template.
Certification Authority\Certificate Templates\Manage
Properties of the client certificate template -> Extensions tab
Edit Application Policies, and add the "KDC Authentication" policy.
Good Luck.
I'd be glad to answer any question -
HOWTO Bind using SASL DIGEST-MD5?
I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
using the Novell CSharp library. Can anyone explain how this is done,
or point me to a code example?
I can connect, bind, and search this LDAP server using Apache Directory
Studio, so I know that my credentials are correct.
Also, I have already used the Novell CSharp library for searching other
LDAP servers using simple authentication, and SSL, but never SASL
DIGEST-MD5.
Thanks in advance for any help.
danielnapierski
danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
View this thread: http://forums.novell.com/showthread.php?t=414964
More than fifty people have read this post, but there are no replies as
of yet. I'm going to interpret that as "SASL DIGEST-MD5 is not
supported by the Novell CSharp library."
danielnapierski;1995522 Wrote:
> I haven't been able to bind to an LDAP server using SASL DIGEST-MD5
> using the Novell CSharp library. Can anyone explain how this is done,
> or point me to a code example?
>
> I can connect, bind, and search this LDAP server using Apache Directory
> Studio, so I know that my credentials are correct.
>
> Also, I have already used the Novell CSharp library for searching other
> LDAP servers using simple authentication, and SSL, but never SASL
> DIGEST-MD5.
>
> Thanks in advance for any help.
danielnapierski
danielnapierski's Profile: http://forums.novell.com/member.php?userid=63370
View this thread: http://forums.novell.com/showthread.php?t=414964 -
Reuse the LDAP connection when Using SASL DIGEST-MD5
I have a problem using the same LDAP connection for multiple SASL authentications.
step1, LDAPConnection conn=new LDAPCo...
conn.connect()..
step2, do a SASL DIGEST-MD5; I successfully get a challenge from the server and the server's confirmation after the response is correct.
step3, I want to use the same connection for another authentication of a different user; somehow the server did not give back the challenge and rejected the authentication request again.
So my question is: how can we reuse the same connection for SASL authentication?
Is there any switch or reset on the LDAP connection, or does the LDAP server have to be configured in some way to accept multiple authentications over the same connection? -
SASL - Digest MD5 - JNDI Help needed
Hi All,
I am using SunONE Directory Server 5.2 and JSDK 1.4.1. I tried the Digest-MD5 SASL authentication example given in the JNDI tutorial and it worked fine. The problem is, when I try to run the same program three or more times in succession, it hangs. Actually, the initial context gets created but operations like a simple getAttributes do not happen. What could be the problem, or rather, what is the solution to overcome it?
Attached below is the sample source code used (imports and class wrapper added so it compiles as posted; the class name is arbitrary)...
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class DigestMd5Bind {
    public static void main(String[] args) {
        try {
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://localhost:389/");
            // SASL DIGEST-MD5 bind; the principal is the "dn:" form of the authentication id
            env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
            env.put(Context.SECURITY_PRINCIPAL, "dn:uid=xxx,ou=xxx,dc=xxx,dc=xxx");
            env.put(Context.SECURITY_CREDENTIALS, "xxxxx");
            System.out.println("about to get context");
            DirContext ctx = new InitialDirContext(env);
            System.out.println("got context");
            // read the root DSE's supportedSASLMechanisms attribute
            Attributes attrs = ctx.getAttributes("ldap://localhost:389", new String[]{"supportedSASLMechanisms"});
            System.out.println(attrs);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
thanks in advance
sridhar
As I have mentioned, this was the message from the other forum.
I have posted the mail correspondence we had (hope they won't consider this an offence)...
There was a bug in the provider. It has been fixed in 1.4.2 and later
releases.
Rosanna Lee
Java Software, Sun Microsystems, Inc
[email protected]
Date: Mon, 13 Oct 2003 04:46:49 +0100 (BST)
From: anala sridhar <[email protected]>
Subject: JNDI problem
To: [email protected]
Hi,
First, I would like to thank everyone behind the
excellent JNDI tutorial. It acted as the bible for my
JNDI learning.
I tried the sample code ServerSasl.java provided. I
got it working after a few trials. I tried to get the
supported SASL mechanisms of the SunONE Directory
Server 5.2. I got them. Then I tried to authenticate
using the default Digest-MD5 (am using JSDK 1.4.1).
When I try to run the same program in succession, it
hangs up (4 or 5 times in a row). I am getting the
initial context with the credentials provided but it
hangs at doing the simple getAttrs operation. What
could be the problem?
Please reply to this query
thanks in advance
sridhar -
Enabling HTTPS with Client Authentication for Sender SOAP Adapter on PI7.1
Hello All,
We are currently building up an HTTPS message exchange with an external client.
Our PI 7.1 receives messages over HTTPS on an already configured Sender SOAP Adapter.
The HTTPS (SSL) connectivity works fine and was completely configured on the ABAP Stack in the Trust Manager (TC=STRUSTSSO2).
Login to the Message Servlet "com.sap.aii.adapter.soap.web.MessageServlet" is required and works fine with user ID and password.
Now we have to configure the additional Client Authentication.
At the SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
But what are the next steps to get this scenario successfully in place?
Many thanks in advance!
Jochen
Hi Colleagues,
the following steps still have to be done:
- Mapping the public key to the technical user at the Java Stack
As preparation you have to activate the value "ume.logon.allow.cert" with true under "com.sap.security.core.ume.service" in the Config Tool. At NWA under Identity Management, for the respective technical user, the public key certificate
- Be sure the CA root certificate is in the Database under STRUSTSSO2
- Import the intermediate certificate under Certificate List in the Trust Manager for the respective Server Node
- Use the Login Module "client_cert", which you have to configure under NWA\Configuration Management\Authentication for the component "sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter".
Many thanks to all for support!
Regards,
Jochen -
HTTPS with Client Authentication not available in EHP1?
Hi Guys,
I am not seeing this option in PI 7.1 EHP1.
At the SOAP Adapter (Sender Communication Channel) under "HTTP Security Level" you are able to configure "HTTPS with Client Authentication".
Any help would be appreciated.
Thanks,
Srini
Hi Srinivas,
I did not use it personally. But when I look at SAP help I don't see that option anywhere. Please see this SAP help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/3555240bea31c3e10000000a42189d/content.htm
But you have an option sender agreeement for security. Please see this help:
http://help.sap.com/saphelp_nwpi711/helpdata/en/48/ceb8cf18d3424be10000000a421937/content.htm
Since we have the option to skip the adapter engine they have enabled this option in http adapter. So you can directly hit to integration engine skipping the adapter framework, which will help in improving the performance. Please see this help on this:
http://help.sap.com/saphelp_nwpi711/helpdata/en/43/64db4daf9f30b4e10000000a11466f/frameset.htm
Regards,
---Satish -
HTTPS with Client Authentication in SOAP sender Adapter
Hi All,
In the SOAP Sender communication channel, when I generate the WSDL with HTTP Security Level = HTTP, it works when a third party tries to send data to the XI web service.
But when I tried with the HTTPS with Client Authentication option, it gives an error:
InfoPath either cannot connect to the data source, the service has timed out, or the server has an invalid certificate.
Please guide how to use the HTTPS with Client Authentication option, and what configuration needs to be applied in XI and in the third party to use this.
Regards
Rohan,
With spy you can trace the entire route; since you are using client authentication with a certificate, it would be a better option to verify with the certificate.
You also have the option of using a username/password combo, though that is not advocated as it lowers the security level and is permeable to passive sniffing.
So the answer to your question is yes: after importing the certificate at the sender and third-party receiver, a test would reveal the complete scenario along with any issues that you could encounter.
Regards
Ravi Raman -
HTTPS With Client Authentication
Hi,
I've created a simple Web Service in PI 7.11 SP 4 when trying to connect to the Web Service from Soap UI I get the following error:
java.security.AccessControlException: client certificate required
In the transaction scim the following can be seen:
[Thr 5061] <<- SapSSLSessionInit()==SAP_O_K
[Thr 5061] in: args = "role=2 (SERVER), auth_type=1 (ASK_CLIENT_CERT)"
[Thr 5061] out: sssl_hdl = 1117534b0
[Thr 5061] <<- SapSSLSetSessionCredHdl(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] in: sssl_hdl = 1117534b0
[Thr 5061] in: cred_hdl = 116cfc110
[Thr 5061] NiIBlockMode: set blockmode for hdl 271 TRUE
[Thr 5061] SSL NI-sock: local=XX.XX.XX.XX:50001 peer=XX.XX.XX.XX:2310
[Thr 5061] <<- SapSSLSetNiHdl(sssl_hdl=1117534b0, ni_hdl=271)==SAP_O_K
[Thr 5061] <<- SapSSLSessionStart(sssl_hdl=1117534b0)==SAP_O_K
[Thr 5061] status = "resumed SSL session, NO client cert"
The fault is not at the Soap UI end as I've fired the request at a Tomcat server and confirmed that a certificate is sent when requested.
Sender Communication Channel,
Transport Protocol: HTTP,
Message Protocol: Soap 1.1,
Adapter Engine: Central Adapter Engine,
HTTPS with Client Authentication,
Keep Headers
Any ideas?
Kind regards,
John
Hi Peter,
If memory serves we did not find a solution to this problem. I think, and a quick check of the configuration suggests I'm right, that we're handling the HTTPS connection on an IIS box and passing it through to a non encrypted HTTP sender on PI.
It may be that Soap UI is not configured correctly, however when I was getting the 'client certificate required', as mentioned in the original post, I'd confirmed that soap UI was correctly configured by connecting to an alternative Web Service. I also used Wireshark to see whether or not a certificate was being requested, or sent. It's invaluable if you're using Soap UI.
All the best,
John -
SOAP sender adapter with client authentication
Hi,
Can you please tell me the steps to be followed to configure the SOAP sender adapter for HTTPS with client authentication.
Thanks
Hello,
Check out this SAP NOTE
[Note 891877 - Message-specific configuration of HTTP-Security|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=891877]
Check out below blog for step by step process.
/people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
Hope this will help.
Nilesh
Edited by: Nilesh Kshirsagar on May 28, 2009 11:31 AM -
SOAP Sender with HTTP(with SSL)=HTTPS with Client Authentication config
Hi All,
I have a Web-service-XI-Proxy scenario where we use the SOAP Sender Adapter with HTTPS. Double authentication (client and server) certificates shall be used.
Testing simple HTTP and XI user name/password works fine.
Now I installed the required certificates in TrustedCA and ssl-provider in Visual Admin.
But I can't see how I can configure certificates in the SOAP sender Adapter. I've just done a SOAP receiver for another scenario and there I could give a keystore entry.
I also don't know how to disable asking for name/password. I am using XI 7.0.
Please advise.
Thanks,
Nataliya
Hi Nataliya,
Go to SOAP Adapter -> Inbound Security Checks -> HTTP Security Level. Here you can specify the option "HTTP with Client Authentication".
One more thing HTTP Security level option is always available in Sender Adapter.
For more clarity about HTTPS find below link.
http://help.sap.com/saphelp_nw04/helpdata/en/14/ef2940cbf2195de10000000a1550b0/content.htm
To enable the TrustedCA in the SOAP Sender adapter, go to SOAP Sender -> Security Parameter -> Security Profile -> Web Service
security. Then go to the sender agreement; there you need to give the key store entry. -
We are getting an error on the authentication piece when trying to submit a file to the OfficialFile.asmx web service to submit a document to the Drop-Off Library. Here is the code snippet -
public string FileUpload(HttpPostedFile FileInput, RecordsRepositoryProperty[] properties)
{
    string strFileUrl = string.Empty;
    RecordsRepositorySoapClient repository = new RecordsRepositorySoapClient();
    BinaryReader b = new BinaryReader(FileInput.InputStream);
    byte[] binData = b.ReadBytes(FileInput.ContentLength);
    // iUserID, iUserPassword and iUserDomain are fields of the enclosing class (not shown in the post)
    repository.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential(iUserID, iUserPassword, iUserDomain);
    repository.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;
    repository.SubmitFile(binData, properties, null, FileInput.FileName, HttpContext.Current.User.Identity.Name);
    strFileUrl = repository.GetFinalRoutingDestinationFolderUrl(properties, null, FileInput.FileName).Url;
    return strFileUrl;
}
Although we are setting the network credential in the client call we still get the error
- The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Negotiate,NTLM'.
Ideas?
Thanks in advance.
Hi,
Based on the error message, the issue is related to the authentication type.
I suggest you can specify the credential type like the below:
CredentialCache credentialCache = new CredentialCache();
NetworkCredential credentials = new NetworkCredential(UserName, PassWord, sDomain);
credentialCache.Add(new Uri(recordCenterUrl), "NTLM", credentials);
Here is a detailed code demo for your reference:
http://blogs.msdn.com/b/mcsnoiwb/archive/2011/06/06/sending-files-to-a-record-center-using-the-sp2010-webservice-officialfile-asmx.aspx
Best Regards
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Jerry Guo
TechNet Community Support -
Hi,
Some users in my company are experiencing a strange issue when connecting to our MDS server using the MDS Excel plugin. They receive the error message:
"The HTTP Request is unauthorized with client authentication scheme negotiate. The authentication header received from the server was "NTLM,BASIC real="DOMAIN NAME IWA"
They are receiving this error when first trying to connect. For some reason they only receive this error when connected to the work network via the VPN. They don't receive this error from within our network.
Does anyone know what might be causing this issue and how to resolve?
Many Thanks,
Phil
Try the following links and see if it helps:
https://support.microsoft.com/en-us/kb/896861/
https://social.technet.microsoft.com/Forums/projectserver/en-US/912c7179-8858-4c48-a71d-d9a21ff10a1b/the-http-request-is-unauthorized-with-client-authentication-scheme-ntlm-the-authentication?forum=project2010custprog
-Nithesh Shetty Software Engineer, C & E -> IMML -> MDS, Microsoft.