Using useBean for authentication

Hi,
I am creating a login page for personalization. After the login the user can access his/her information, so in my authentication.jsp I am making all the properties available to the user. However, I have the properties stored in two different beans, so I am using two useBean statements, one for each bean and its properties. When I try to compile the page I get the following error:
jsp.error.useBean.duplicate
Is it not allowed to use two <jsp:useBean> in the same jsp page?
I have two databases user and education.
snips of my code:
<sql:query var="dbInfo">
Select * from user, education where user_id= ? AND password =? AND user.user_id = education.userid
<sql:param value="${param.userid}" />
<sql:param value="${param.password}" />
</sql:query>
<c:set var="EducationDb" value="${dbInfo.rows[0]}" />
<jsp:useBean id="validUser" class="EducationBean" scope="session" >
<c:set target="${validUser}" property="userid" value="${EducationDb.userid}" />
<!-- same for the rest of the properties in the bean and database columns -->
</jsp:useBean>
<c:set var="UserDb" value="${dbInfo.rows[0]}" />
<jsp:useBean id="validUser" class="UserBean" scope="session">
<c:set target="${validUser}" property="name" value="${UserDb.name}"/>
<!-- same for all the other properties in the bean and database columns -->
</jsp:useBean>
Thanks

Hi,
In my web application I have written a bean correctly; I have tried to compile it and it's OK.
But when I use this tag in my JSP:<jsp:usebean id=" myIdBean" ....>
<jsp:setProperty ....................../>
</jsp:usebean>
after running it I get an error message: jsp.error.usebean.notBoth
Can somebody help me?

Similar Messages

  • MacAir using AD for authentication. In AD, there is a network home assigned to that user. When logging into that account on the Mac, it takes 1-2 minutes after entering credentials, before displaying an error that it could not connect to it, every time.

    In our AD, all users have a network home that is set (smb://home for example). For some of our Mac users using AD for authentication, there is a 1-2 minute delay between entering their credentials and the OS being presented. The OS does not present itself until the user dismisses the alert: "There was a problem connecting to server home". Local users on the same machines do not have that problem.
    It remains in the dock as User's Network Home as a ? that I am unable to remove, and there is also an 'Unknown' in the log-in items for the user as well (that I am also unable to remove).
    Is there any way to disable this share? Or to stop the Mac from trying to connect to it before loading the OS?

  • Problem configuring SOA suite to use OID for authentication

    We are in the process of rebuilding our environment to use the full SOA suite with our OID server for authentication (was previously just BPEL using AD directly), and have encountered several problems (below). We have rebuilt the OID server, and reinstalled the SOA suite into a clean ORACLE_HOME to no avail.
    We first rebuilt the OID server using the following steps (derived from Oracle® Internet Directory Administrator's Guide):
    1)     Create the Import and Export profiles for AD synchronization. We did this using the Directory Integration and Provisioning Server Administration tool under “Active Directory Configuration”
    2)     Modify the map file to specify the correct OU mappings between AD and OID.
    3)     Update the profile with the new map file using “dipassistant.bat mp”
    4)     Bootstrap the import profile using “dipassistant.bat bootstrap”
    5)     Start a new instance of the Integration server (odisrv) running on config set 1 (the config set containing the Active Directory import/export profiles) using “oidctl”
    6)     Set the Import profile to Enable. The OID server does not export changes to AD in our current configuration, so the Export profile is left on disable (and not bootstrapped)
    At this point it appears that the AD synchronizes correctly into our new OID server.
    Next we installed the SOA suite:
    1)     We ran “irca.bat” on our database server to create the ORABPEL, ORAESB, and ORAWSM schemas and associated integration repository structure.
    2)     After launching the SOA suite installer, we selected Advanced Install.
    3)     On the next screen, we selected J2EE Server, Web Server, and SOA Suite.
    4)     We then provided the credentials for our Oracle database, and the passwords for ORABPEL, ORAESB, and ORAWSM.
    5)     We configured our new AS instance as an administration instance, but did not opt to use from a separate HTTP server, and did not make this instance part of an OAS cluster topology.
    And finally, we configured our new SOA suite instance to use OID for authentication (using the instructions in Oracle® BPEL Process Manager Administrator's Guide section 2.1.3):
    1)     Used the configure_oid.bat command to seed OID with required users only.
    2)     Logged into the OracleAS Control Console
    3)     Chose the oc4j_soa instance, then Administration->Security->Identity Management
    4)     Configured the OID server using a non-ssl connection and the cn=orcladmin account.
    5)     When prompted, chose to reconfigure all applications in the oc4j_soa instance to OID, but not to use SSO for any of them.
    6)     Copied the contents of ORACLE_HOME\j2ee\home\config\jazn.xml to ORACLE_HOME\j2ee\oc4j_soa\config\jazn.xml
    7)     Restarted the application server.
    After this procedure, we encountered the following issues:
    1)     The BPEL console appears to authenticate users correctly out of OID, but no users have access to the default domain, including bpeladmin and oc4jadmin. All users receive a similar access denied message when attempting to log into the BPEL Admin Console.
    2)     We cannot upload a BPEL process to our new server via JDeveloper’s standard BPEL deployment mechanisms. The connection appears to be working properly and passes all tests, but on uploading a process we get a Java AccessDeniedException. ESB appears to be functioning properly, and accepts uploaded projects without issue.

    Bassman,
    We recently configured our SOA Suite to use OID and SSO. We had the same issues you are having, and we found the resolutions in a blog from Jaas Poot (http://blog.jpoot.com/category/oracle-appserver/oid-ldap/). For the BPEL domain access, this involved going to the data-sources.xml file and changing the database passwords from using ->pwForOrabpel for the orabpel schema and ->pwForOraesb for the oraesb schema to the real passwords; the blog explains more about this.
    The blog also covers the JDeveloper deployment issue, and another issue we encountered, where we couldn't access the BPEL Admin console. All of these were resolved following the steps in the blog.
    Hope this helps
    Candace

  • How do I know WinRM uses Kerberos for authentication, and does not fall-back to NTLM?

    Hi,
    How do I know WinRM uses Kerberos for authentication, and does not fall-back to NTLM?
    /SaiTech

    Hi SaiTech,
    Kerberos will be selected by default in an AD domain. The default (assuming the client is in a domain, and is not connecting to itself via 127.0.0.1 or ::1 addresses) is to use Kerberos authentication, and not to fall back to NTLM.
    Please also note that you may have to take some other steps as well to get non-Kerberos authentication working. Specifically, you'd have to set up an HTTPS listener on the remote host, or modify the client's TrustedHosts list.
    Refer to:
    WINRM kerberos & Negotiate
    Authentication for Remote Connections
    In addition, you can also use Network Monitor to check the authentication method.
    If there is anything else regarding this issue, please feel free to post back.
    Best Regards,
    Anna Wang
    TechNet Community Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
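The reply above suggests checking the authentication method in a network capture. As an added example (not part of the original thread), this Python code classifies the Authorization header of captured WinRM HTTP requests as Kerberos or NTLM by decoding the token. The host name and tokens are constructed samples, and it assumes a plain-HTTP listener whose headers are readable in the capture.

```python
import base64

# DER-encoded mechanism OIDs found inside GSS-API / SPNEGO (RFC 4178) tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"                          # starts every NTLM message


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for one Authorization header value."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        return "unknown"
    scheme, blob = parts[0].lower(), parts[1].strip()
    if scheme not in ("negotiate", "kerberos", "ntlm"):
        return "unknown"  # Basic, CredSSP, ... carry no GSS-API token to inspect
    try:
        token = base64.b64decode(blob, validate=True)
    except ValueError:
        return "unknown"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"  # raw NTLM message, not wrapped in SPNEGO
    if token[:1] == b"\x60":  # GSS-API initial context token
        if OID_SPNEGO in token[:20]:
            # SPNEGO may list both mechanisms; the embedded mechToken decides.
            if NTLM_SIGNATURE in token:
                return "ntlm"
            if OID_KRB5 in token or OID_MS_KRB5 in token:
                return "kerberos"
            return "unknown"
        if OID_KRB5 in token[:20]:
            return "kerberos"  # Kerberos AP-REQ without the SPNEGO wrapper
    if token[:1] == b"\xa1" and NTLM_SIGNATURE in token:
        return "ntlm"  # later SPNEGO leg carrying an NTLM message
    return "unknown"


def audit_request(raw_request):
    """Return (request line, verdict) for one raw HTTP request header block."""
    lines = raw_request.strip().splitlines()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return lines[0].strip(), classify_authorization(value)
    return lines[0].strip(), "none"


def ntlm_fallbacks(raw_requests):
    """Indexes of the captured requests that authenticated with NTLM."""
    return [i for i, r in enumerate(raw_requests) if audit_request(r)[1] == "ntlm"]


# --- Constructed sample data (truncated tokens, not real tickets or hashes) ---
SAMPLE_NTLM = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x97\x82\x08\xe2" + b"\x00" * 16
SAMPLE_SPNEGO_KRB = (b"\x60\x82\x05\x10" + OID_SPNEGO
                     + b"\xa0\x82\x05\x04\x30\x82\x05\x00\xa0\x18\x30\x16"
                     + OID_MS_KRB5 + OID_KRB5 + b"\xa2\x82\x04\xe4" + b"\x00" * 24)
SAMPLE_SPNEGO_NTLM = (b"\x60\x48" + OID_SPNEGO + b"\xa0\x3e\x30\x3c\xa0\x0e\x30\x0c"
                      + OID_NTLMSSP + b"\xa2\x2a\x04\x28" + SAMPLE_NTLM)
SAMPLE_RAW_KRB = b"\x60\x82\x04\x00" + OID_KRB5 + b"\x01\x00" + b"\x00" * 24


def make_request(scheme, token):
    """Build a constructed WinRM request header block (hypothetical host name)."""
    encoded = base64.b64encode(token).decode("ascii")
    return ("POST /wsman HTTP/1.1\r\n"
            "Host: server01.example.test:5985\r\n"
            f"Authorization: {scheme} {encoded}\r\n"
            "Content-Length: 0\r\n")


CONSTRUCTED_CAPTURE = [
    make_request("Kerberos", SAMPLE_RAW_KRB),
    make_request("Negotiate", SAMPLE_SPNEGO_KRB),
    make_request("Negotiate", SAMPLE_SPNEGO_NTLM),
    make_request("Negotiate", SAMPLE_NTLM),
]

if __name__ == "__main__":
    for raw in CONSTRUCTED_CAPTURE:
        print(audit_request(raw))
    print("NTLM used in requests:", ntlm_fallbacks(CONSTRUCTED_CAPTURE))
```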

  • [SOLVED] SLiM will not use thinkfinger for authentication

    As the title of the post says, I can't get SLiM to utilize thinkfinger for authentication.
    I've set up PAM to try to use thinkfinger.so first
    from /etc/pam.d/login:
    auth sufficient pam_thinkfinger.so
    auth required pam_unix.so nullok try_first_pass
    However, when I go to login via SLiM it won't prompt for the "password or swipe finger", it just asks for a password (which does work). I'm also able to use thinkfinger to authenticate sudo and su just fine... (I edited the respective pam.d/ files).
    Anyone able to help?
    Last edited by Rnicholson (2008-02-17 15:35:45)

    nightmorph wrote:
    It's okay that it doesn't ask to swipe your finger. Swipe your finger anyway. You can actually edit the text prompt in your SLiM theme. It's hardcoded into each SLiM theme config file -- if you want the text to be different, you have to change it; pam_thinkfinger won't change it for you.
    I use SLiM on my laptop and it works just fine with thinkfinger. All I did was edit the appropriate config file line to say "Enter password/Scan finger". Give it a shot.
    Oh, sorry... I should have mentioned that I did try swiping my finger anyway at the "password" prompt. No dice.
    I tried turning on logging in pam.d/login and I don't see anything (in /usr/var/log/auth.log) for when I login with SLiM. I don't see any options in /etc/slim.conf about pam, just settings for xauth. So, what does SLiM use? I guess I should also mention that I installed SLiM via pacman, perhaps there is a source config option that I need? ...Cause it appears SLiM isn't using pam.
    @Sigi - Do you find that the thinkfinger-svn version is better than the 0.3 release? Is there better support, other features? I have a T61p and find 0.3 works well (obviously other than this SLiM issue I'm having, which is probably unrelated).
    Last edited by Rnicholson (2008-02-11 14:12:42)

  • Samba/cifs shares using AD for Authentication

    Hi,
    I am trying to make use of the internal cifs shares in Solaris 11.1 but I am running into road blocks - can anyone shed light on this for me?
    I won't bore you with my first and abortive attempt at configuring auth with native Kerberos and simply say that I have decided to go with the third party product PBIS Open for the authentication.
    Setup is a breeze and I can see the shares from elsewhere, but for the life of me I cannot mount the shares. For the record, the setup that was most successful went in this order:
    SAMBA
    pkg install service/file-system/smb
    zpool create xpool /var/tmp/xpool
    zfs set sharesmb=on xpool
    zfs create -o nbmand=on xpool/fs1
    zfs get -r share xpool
    svcadm enable -r smb/server
    smbadm show-shares host
    smbadm enable-user AD.DOMAIN\\user
    WORKAROUND to point to a working test DC:
    echo "xx.xx.xx.xx      AD.DOMAIN" >> /etc/hosts
    smbadm join -u user AD.Domain
    PBIS:
    cd /var/tmp/pbis-open-7.5.3.1536.solaris.sparcv9.pkg/
    ./install.sh
    svccfg -s system/name-service/switch
    setprop config/password = astring: "files lsass"
    setprop config/group = astring: "files lsass"
    setprop config/host = astring: "files dns mdns4_minimal [NOTFOUND=return] mdns4"
    svcadm refresh name-service/switch
    domainjoin-cli join AD.DOMAIN user
    After which I can ssh into the host as an ad user but I can't mount  (get permission denied).
    /var/adm/messages shows:
    Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\srvsvc: smb/client authentication failed (114)
    Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\lsarpc: smb/client authentication failed (114)
    Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\srvsvc: smb/client authentication failed (114)
    Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\lsarpc: smb/client authentication failed (114)
    Jan 22 15:52:14 host smbd[1635]: [ID 702911 daemon.notice] smbd_dc_monitor: domain service not responding
    and the DC logs show:
    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          22/01/2014 3:46:54 PM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ADDC.fqdn
    Description:
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 5:46:54.0000 1/22/2014 Z
    Error Code: 0xd KDC_ERR_BADOPTION
    Extended Error: 0xc00000bb KLIN(0)
    Client Realm:
    Client Name:
    Server Realm: AD.DOMAIN
    Server Name: [email protected]
    Target Name: [email protected]@AD.DOMAIN
    Error Text:
    File: 9
    Line: f09
    Error Data is in record data.

    Although setting up the SMB server in Solaris 11.1 seems to be straightforward, there is another important part to be completed on the Windows side. The following link describes what is to be done at the Windows domain level:
    https://social.technet.microsoft.com/wiki/contents/articles/2751.kerberos-interoperability-step-by-step-guide-for-window…
    Now, to be straight forward you have to do the following:
    Use Ktpass on the Windows Server 2003/2008/2012R2 KDC to create the keytab file (a keytab is a file used to store the keys used by a host or service) and set up the account for the UNIX host, and then copy the keytab file to the UNIX system and merge the keytab file into /etc/krb5.keytab (check the documentation for your Kerberos Implementation as the keytab path may be different or configurable).
    1.   From the command line, use the following command to generate the keytab file for the UNIX host, map the principal to the account, and set the host principal password.
    C:> klist
    This command will list the encryption type used by your server.
    C:> Ktpass -princ host/hostname@DNS-REALM-NAME -mapuser account -pass password -crypto ENCRYPTION-TYPE -out UNIXmachine.keytab
    where
    hostname is the fully-qualified name of the host, for example, foobar.reskit.com.
    DNS-REALM-NAME is the uppercase DNS name of the Windows Server 2003 domain; for example, RESKIT.COM.
    account is the user account previously created for the UNIX host as performed in the procedure to create Computer and User Accounts.
    password is a complex password to be set on the account.
    ENCRYPTION-TYPE is the encryption type used to encrypt the key. Either RC4-HMAC-NT (recommended), DES-CBC-MD5, or DES-CBC-CRC.
    Note
    In order to create a keytab using the RC4-HMAC-NT encryption type you need to use the ktpass.exe from Windows Server 2003 SP1 or later.
    2.   Securely transfer the keytab file (UNIXmachine.keytab from the example above) to the UNIX host. Then, merge the keytab file with any existing keytab file for the UNIX computer.
    The UNIX commands to merge the keytab file are:
    % ktutil
    ktutil: rkt UNIXmachine.keytab
    ktutil: list
    The output should appear similar to the following:
    slot  KVNO  Principal
        1      1   host/[email protected]
    ktutil: wkt /etc/krb5.keytab
    ktutil: q
    Rejoin the domain using the smbadm command as follows:
    smbadm join -u username DOMAIN
    where username = username created from step 1
    The second part is where you have the issue \\ADDC.fqdn\PIPE\srvsvc: smb/client authentication failed
    Change the following in the domain Group Policy if you are using domain policy, or in Local Policy if no Group Policy is applied:
    GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Add lsarpc to the following policy:
    Network access: Named pipes that can be accessed anonymously
    gpupdate /force
    Observe your /var/adm/messages and see whether these messages stop or not.

  • Using OID for authentication in APEX and PL/SQL apps

    Hi,
    One of my colleagues (much more skilled in APEX than me) has written a PL/SQL package that makes it easy to use Oracle Internet Directory (OID) groups to control access to pages and items in APEX. It assumes that you are already using Oracle Single Sign-On (which he also set up for us).
    Being a package, it's easy to use in any PL/SQL application.
    He's given me permission to add his work to my web page but prefers to remain anonymous. You can see how to do it here:
    http://www.patrickhaston.co.uk/plsql/oid_authorisation.html
    The source code is available for download.
    Hope this is useful.
    Patrick.

    Nothing new - all documented with APEX.

  • Client app using WSSE for authentication, WSSEClientHandler not found

    Hi,
    I'm trying to build a stand alone java client that uses login/password to connect to a webservice using WSSE.
    I thought that
    soapProxy = proxy.getCCSoap(username,password);
    would do the job. CC is the name of the web service.
    Now I've found on http://e-docs.bea.com/wls/docs81/webserv/security.html#1073530
    that I should use WSSEClientHandler from weblogic.webservice.core.handler and UserInfo from weblogic.xml.security to get the job done.
    The problem now is that neither of these classes is included in the support JAR I've downloaded from my web service's console.
    The error I get is this:
    java.rmi.RemoteException: SOAP Fault:javax.xml.rpc.soap.SOAPFaultException: EJB Exception: ; nested exception is:
         com.bea.wlw.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to contain UsernameToken, UsernameToken not found in the Message.
    Can somebody help me out? I'm really stuck on this :-(
    Kristof Taveirne

    Well yeah, I've read that post.
    But I don't understand the error, since the SOAP header really does contain the UsernameToken! But WebLogic can't find it for some strange reason.
    This is what I get in TestXML when I look at the logs:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <env:Header>
    <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="Id-1Sle_jmBkVTCRbF0KUXcN2BG" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:Username>Dr_Taveirne</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ktaveirn</wsse:Password>
    </wsse:UsernameToken>
    </wsse:Security>
    </env:Header>
    <env:Body>
    <n1:getConfig xmlns:n1="http://www.openuri.org/">
    <n1:login>Dr_Taveirne</n1:login>
    </n1:getConfig>
    </env:Body>
    </env:Envelope>
    Exception
    Submitted at donderdag 7 april 2005 14.58 u. CEST
    java.rmi.RemoteException: EJB Exception: ; nested exception is:
    com.bea.wlw.runtime.jws.wssecurity.exception.WLWWSSEException: Policy requires Message to contain UsernameToken, UsernameToken not found in the Message.
    You see? really strange behaviour if you ask me.
    Greetings,
    Kristof Taveirne

  • Which clients are using my Sun One server for authentication?

    We use Sun One ver. 5.2 .
    Our LDAP clients use it for authentication.
    How can I list which clients recently used the Sun One server to authenticate?
    The reason I need that is because I want to upgrade the Sun One server and I want to notify the clients that I'm about to do it.
    Thanks.

    https://www.redhat.com/archives/fedora-directory-users/2005-September/msg00010.html
    Useful script to extract LDAP based user posixGroup memberships information
    ===
    Assuming you are using posixGroup objectclass and memberUid attribute to
    store your membership information, you may find my shell script useful
    and handy.
    It works on Solaris LDAP Client with "ldapaddent" and "ldaplist"
    commands, and works against FDS, SUN DS or OpenLDAP.
    ===
    Gary

  • Issue with Authentication using JAAS for coherence

    Hi,
    I have configured a security framework using JAAS for a storage enabled node.
    I am using a keystore for authenticating the users. Below is the code used for authentication:
        Subject subject;
        try {
            subject = Security.login(sUsername, sPassword.toCharArray());
        } catch (Throwable t) {
            subject = null;
            log("Authentication error:");
            log(t);
        }
        if (subject != null) {
            for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); ) {
                Principal principal = (Principal) iter.next();
                log("Principal: " + principal.getName());
            }
        }
        Security.runAs(subject, new PrivilegedAction() {
            public Object run() {
                NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                boolean flag = true;
                // Busy loop that keeps the callback handler thread alive
                while (flag) {}
                return null;
            }
        });
    And I am calling the above class in the callback handler, which is defined in the Coherence operation descriptor.
            <security-config>
                    <enabled system-property="tangosol.coherence.security">true</enabled>
                    <login-module-name>TestCoherence</login-module-name>
                     <access-controller>
                    <class-name>com.tangosol.net.security.DefaultController</class-name>
                            <init-params>
                            <init-param id="1">
                            <param-type>java.io.File</param-type>
                            <param-value>config/keystore.jks</param-value>
                            </init-param>
                            <init-param id="2">
                            <param-type>java.io.File</param-type>
                            <param-value>config/permissions.xml</param-value>
                            </init-param>
                            </init-params>
                     </access-controller>
                     <callback-handler>
                            <class-name>Test</class-name>
                     </callback-handler>
             </security-config>
    I am using the following command line parameters for bringing up the storage enabled node.
    -Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml" 
    -Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks" 
    -Djava.security.auth.login.config="$CONFIG_PATH/login.config" 
    -Dtangosol.coherence.security=true
    Now, as long as the callback handler thread is alive, the storage enabled node will be up. As soon as the callback handler thread dies, the storage enabled node stops with the following error:
    Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
    at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
    at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
    at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
    at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
    at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
    at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
    at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
    at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
    at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
    at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
    at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
    at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
    at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
    at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
    at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
    Please let me know where I should pass the credentials to the default cache server for authentication, or whether I should change the implementation of authentication here.
    Thanks in advance,
    Bhargav

    Bhargav,
    Rather than trying to loop forever in a callback handler, try this:
    import com.tangosol.net.CacheFactory;
    import com.tangosol.net.DefaultCacheServer;
    import com.tangosol.net.security.Security;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import java.security.PrivilegedExceptionAction;
    public class SecureCacheServer {
        public static void main(final String[] args) throws Exception {
            // Authenticate through the JAAS login module named "Coherence"
            LoginContext lc = new LoginContext("Coherence");
            lc.login();
            Subject subject = lc.getSubject();
            // Run the cache server under the authenticated Subject
            Security.runAs(subject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    DefaultCacheServer.main(args);
                    return null;
                }
            });
        }
    }
    Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer
    As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction Coherence will use this identity anywhere it needs to do anything secured.
    I hope the code above compiles OK as it is a modified version of the code I really use.
    Hope this helps
    JK

  • Install Sun ONE Directory Server 5,2 & how to use it for authenticate user

    Good afternoon. Excuse me, I am a newbie in this area; I am learning and putting effort into it. My situation is this: I am trying to install Sun ONE Directory Server 5,2, since I understand that it is the LDAP application for Solaris. I want to install it to authenticate users against the system, that is to say, to be able to access the server by logging in with a user created in the LDAP database, and make it appear that the user was created in the system. But the documentation that I find describes the installation of Sun ONE Directory Server 5,2 and is not clear about how to use it for authentication. Does anyone have a step-by-step manual for installing Sun ONE Directory Server 5,2 and for setting it up to authenticate system users?
    I read the forum seeking an answer and I got confused.
    Thanks for the help and sorry for any inconvenience.
    Message was edited by:
    Aku_28

    I think that I found the Sun endorsed book locations for using LDAP accounts that don't use authentication besides "crypt". I now can use an account with a "ssha" password. It can be more than 8 characters long.
    Chapter 14 System Administration Guide: Naming and Directory Services
    Read page 201 which is the pam.conf file pam_ldap setups. I edited my "/etc/pam.conf" file to reflect this
    Chapter 7 Directory Server 5.2 2005Q4 - Administration Guide
    Read page 316-318 which has a graphical technique to specify password syntax. I set it up and then tried the password by running "su - brahms". It now requires a longer password than 8 characters and it is set up to use "ssha" for that UID entry "brahms".

  • Best way for authentication?

    Hello,
    I'm running Oracle 10g Standard on a linux server and I would like to change the authentication method. The server is in an Active Directory. So users who are allowed to access the server can login using their domain account.
    Until now additionally they all have an oracle user account with its own password. I'd like to change oracle to use their domain account from Active Directory for login.
    I've experimented with the external login using user accounts created by
    CREATE USER ops$alex IDENTIFIED EXTERNALLY;
    So users logged in to the server can log in to oracle using the same account. But I want to allow remote users to login to oracle using the domain account that is verified externally by the operating system.
    There is a parameter remote_os_authent I could set to true and try, but documentation advises not to do this for security issues.
    We don't have the Oracle Advanced Security Option, so it's not possible for us to use kerberos for authentication.
    Is there any other way I can do to setup oracle authenticate domain users (by operating system)?

    Thank you very much. I've read the globally part and tried to create a user identified globally with complete ldap cn and dc names but I get
    ORA-00439: feature not enabled: Enterprise User Security
    So is there still any option available to use ldap Active Directory users with Oracle Standard 10g without oracle advanced security option? Or am I stuck with local users?

  • Use Tacacs+ for Admin auth & Radius for user Auth?

    Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
    If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

    Don't know about 1200s, but you can do this on 1130AGs. Create an aaa group for authentication via radius, and one for tacacs+, then use aaa groups to point console/vty to the tacacs+ aaa group, and EAP authentication to the radius group.
    eg:
    aaa group server radius rad-group
    server x.x.x.x auth-port xxxx acct-port xxxx
    aaa group server tacacs+ admin-access
    server x.x.x.x
    aaa authentication login eap-method group rad-group
    aaa authentication login auth-admin-access group admin-access local
    aaa authorization exec default group admin-access local
    now under the ssid part of the config have:
    dot11 ssid yyyyyy
    authentication open (or whatever method you use) eap eap-method
    under console/vty etc:
    login authentication auth-admin-access
    you need some more stuff like radius and tacacs server keys, but the above should get you started. On 1130AGs dont use aaa auth for http(s), looks like it overloads the aaa server at the moment - see field notices - probably doesnt apply to 1200s.

  • SSL: how to use Multiple Private key/Certificate pair for authentication.

    Hi all,
    I am implementing SSL in Java using an X509 certificate/private key combination.
    I have two sets of private key/certificate pairs.
    One is the factory default and the other is generated at run time.
    My problem is to try the SSL connection with both pairs on the same TCP/IP connection.
    E.g. on the server side: first try the SSL connection with the factory default certificate; if it fails, try connecting with the generated certificate on the same TCP/IP connection.
    On the client side: if the generated certificate (this certificate was generated at the server side) is present, first perform server authentication using this certificate, otherwise authenticate the server with the factory default certificate.
    Can someone please help and let me know how I need to configure both ends (client and server) to achieve this?
    Thanks in advance
    Saurabh Ahuja

    "Client code does not contain any default truststore and needs a certificate for authentication."
    Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
    It's like this. The idea of PKI with SSL is as follows:
    - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
    - the client has a truststore that trusts the server, one way or the other, see above.
    - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
    - the server sends its cert to the client along with a digital signature signed by its private key.
    - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
    At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
    If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
    You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.
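
The two client-side checks listed in the reply above, (a) the truststore decision and (b) proof that the peer holds the private key, reproduced with the openssl command line as an added example that is not part of the thread. The keys, the name demo-server.example and the file names are constructed, and signing a random challenge stands in for the signature made during the real SSL handshake.

```shell
#!/bin/sh
# Added illustration; every key and certificate below is constructed in a temp dir.
set -eu
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Create a private key plus self-signed certificate: $1 = file basename, $2 = CN.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}

# Check (a): is the presented certificate ($2) anchored in the truststore PEM ($1)?
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check (b): does the peer holding private key $1 own the presented certificate $2?
# Signing a fresh random challenge stands in for the handshake signature.
proves_possession() {
    openssl rand -out "$demo_dir/challenge.bin" 32
    openssl dgst -sha256 -sign "$1" -out "$demo_dir/sig.bin" "$demo_dir/challenge.bin"
    openssl x509 -in "$2" -pubkey -noout > "$demo_dir/pub.pem"
    openssl dgst -sha256 -verify "$demo_dir/pub.pem" \
        -signature "$demo_dir/sig.bin" "$demo_dir/challenge.bin" >/dev/null 2>&1
}

report() {  # $1 = label, remaining arguments = the check to run
    label=$1; shift
    if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

make_identity server   demo-server.example   # the real server
make_identity impostor demo-server.example   # same name, different key pair
# Self-signed case from the reply: the server cert is exported and imported by the client.
cp "$demo_dir/server.crt" "$demo_dir/truststore.pem"

report "genuine cert vs truststore"  client_trusts "$demo_dir/truststore.pem" "$demo_dir/server.crt"
report "impostor cert vs truststore" client_trusts "$demo_dir/truststore.pem" "$demo_dir/impostor.crt"
report "genuine cert, genuine key"   proves_possession "$demo_dir/server.key"   "$demo_dir/server.crt"
report "genuine cert, wrong key"     proves_possession "$demo_dir/impostor.key" "$demo_dir/server.crt"
```

The second and fourth checks are rejected: a certificate generated on the fly is not in the client's truststore, and a copied certificate is useless without the matching private key.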

  • Using Hyper-V 2012 r2, connecting to the console results in: A certification authority could not be contacted for authentication.

    I'm having some trouble with authentication to guests from my Hyper-V console.
    If I try to connect from the Hyper-V Manager to the console of any guest, I get the error:
    "A certification authority could not be contacted for authentication. If you are using a Remote Desktop Gateway with a smart card, try connecting to the remote computer using a password. For assistance, contact your system administrator or technical support."
    I'm not using an RDG and smart card.
    I have 2 virtual networks. The first is Production, the second is Isolated. Production has 2 NICs attached to the Production LAN, the second has 2 NICs in our DMZ. The host is a member server of the production domain. I can use MSTSC from the LAN or the DMZ to gain access to each Guest and the Host.
    The issues start if I try "Connect" from Hyper-V Manager in an attempt to use the console of any Guest. Each attempt fails with the above error. If I use an incorrect password, I get a different error: "The credentials that were used to connect to {Server FQDN} did not work. Please enter new credentials."
    Taking a look at the event logs, I can see the session successfully authenticating to the Guest (4776 Credential validation and 4624 Logon), and the fact I get a different error if I enter an incorrect password shows I get some way along the line. However, if I take a look at the logs on the Host, I get:
    An account failed to log on.
        Subject:
            Security ID:        NULL SID
            Account Name:        -
            Account Domain:        -
            Logon ID:        0x0    
        Logon Type:            3
        Account For Which Logon Failed:
            Security ID:        NULL SID
            Account Name:        
            Account Domain:        
        Failure Information:
            Failure Reason:        An Error occured during Logon.
            Status:            0xC000006D
            Sub Status:        0xC000005E
        Process Information:
            Caller Process ID:    0x0
            Caller Process Name:    -
        Network Information:
            Workstation Name:    -
            Source Network Address:    -
            Source Port:        -
        Detailed Authentication Information:
            Logon Process:        Kerberos
            Authentication Package:    Kerberos
            Transited Services:    -
            Package Name (NTLM only):    -
            Key Length:        0
        This event is generated when a logon request fails. It is generated on the computer where access was attempted.
        The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
        The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
        The Process Information fields indicate which account and process on the system requested the logon.
        The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
        The authentication information fields provide detailed information about this specific logon request.
            - Transited services indicate which intermediate services have participated in this logon request.
            - Package name indicates which sub-protocol was used among the NTLM protocols.
            - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Which looks to me like a blank authentication request is being sent? (I've not deleted any machine/domain names, they're just not present)
    Any suggestions? Do you think I'm barking up the wrong tree?
    Thoughts and comments gratefully received

    Hi,
    What's your guest system platform? Based on my experience, that must be an unsupported guest system issue; the generation 2 VM only supports the Windows 8 or 8.1 platform.
    The related KB:
    Generation 2 Virtual Machine Overview
    http://technet.microsoft.com/en-us/library/dn282285.aspx
    Hope this helps.
