VPN user management via VMS

I am using the Catalyst 6500 IPsec module for VPN remote access users. As far as I know you can manage VPN remote access users via CiscoWorks VMS if they are connected to a VPN 3000 series concentrator.
Is it possible to manage these users the same way using VMS if they connect to the IPsec module?


Similar Messages

  • FAQ: BC-LDAP-USR (Directory Interface for User Management via LDAP )

    Version: 20060317
    Q: Where can I find more information on the BC-LDAP-USR interface?
    A: Have a look at our ICC webpage in the SDN:
    SAP NetWeaver AS - Directory Interface for User Management via LDAP (BC-LDAP-USR)[1] [original link is broken]
    Q: What costs arise when we want our product to be certified?
    A: See our SDN page under the headline "Price List".
    Q: Is there a link/page for the already certified products for this interface?
    A: Sure, have a look at our ICC page under the headline "Certified Solutions".
    Q: Who can we ask in case of general questions?
    A: Have a look at our general ICC forum:
    SAP Integration and Certification Center (SAP ICC)
    Of course, if you have urgent requests you can also send them directly to our local ICCs:
    ICC Walldorf in Germany: [email protected]
    ICC Palo Alto in USA: [email protected]
    ICC Bangalore in India: [email protected]
    Q: Who can we ask in case of technical questions?
    A: This depends on the state of your certification project.
    1.) If the certification contracts have been signed then you can ask in this forum and, if this does not solve your question, go back to your assigned integration consultant.
    2.) When the certification contracts have not been signed then you can ask questions in this forum.

    I distinguish it using passwordExpirationTime (or something like that; I don't have the code here with me).
    This is possible if, after the password has expired, the user has at least one more access. It is a user policy that can be set in the LDAP server.
    If it is possible, the user can still log in and perform operations. You can search the passwordExpirationTime attribute and determine if the password is expired, and then send a message to the user telling him to change it. (If only one access is allowed and you change the password with the same application or service, then do not close the context, else you will not be able to connect again.) Instead, if you use an external script, then the last access should not give you problems.
    Hope I made myself clear.
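    To make the grace-login logic in that reply concrete, here is an added Python example (not code from the poster) that decides what a login front end should tell the user from the entry's password-policy attributes. It uses the attribute names of the IETF LDAP password-policy draft (pwdChangedTime, pwdMaxAge, pwdGraceAuthNLimit, pwdGraceUseTime), which OpenLDAP's ppolicy overlay implements; the poster's passwordExpirationTime is a vendor-specific equivalent. The entries, policy values and timestamps below are constructed for illustration, not read from a live directory.

```python
"""Classify an LDAP account's password state (ok / expiring / grace / expired) from
password-policy attributes, so a login front end can warn the user or force a change.
Added example; the entries and policy values below are constructed, not from a directory."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """LDAP GeneralizedTime in the usual YYYYMMDDHHMMSSZ form, as an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(entry, policy, now, warn_days=7):
    """Return (state, detail).

    'ok'        detail = days until expiry (None when passwords never expire)
    'expiring'  detail = days left, inside the warning window
    'grace'     detail = grace binds not yet used, counting the one happening now
    'expired'   detail = 0; no grace binds left, the bind must be refused
    entry holds the user's operational attributes and policy the pwdPolicy subentry,
    both as dicts of attribute -> list of string values (what LDAP clients return).
    """
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])      # seconds; 0 = never expires
    if max_age == 0 or "pwdChangedTime" not in entry:
        return "ok", None
    expires = parse_generalized_time(entry["pwdChangedTime"][0]) + timedelta(seconds=max_age)
    if now < expires:
        days_left = (expires - now).days
        return ("expiring" if days_left <= warn_days else "ok"), days_left
    # Expired. The server records every grace bind as one value of the multi-valued
    # pwdGraceUseTime attribute, so unused grace binds = limit - values present.
    grace_limit = int(policy.get("pwdGraceAuthNLimit", ["0"])[0])
    grace_used = len(entry.get("pwdGraceUseTime", []))
    if grace_used < grace_limit:
        return "grace", grace_limit - grace_used
    return "expired", 0


def login_message(state, detail):
    """What to show the user. Covers the edge case the reply warns about: when this is
    the last grace bind, the password change has to go over this same connection."""
    if state == "ok":
        return "Login OK."
    if state == "expiring":
        return f"Your password expires in {detail} day(s); please change it."
    if state == "grace":
        if detail == 1:
            return "Password expired and this is your last grace login: change it now, on this session."
        return f"Password expired; {detail} grace login(s) remain. Change it now."
    return "Password expired and no grace logins remain. Contact your administrator."


# Constructed sample data: 90-day maximum age, 3 grace binds allowed.
POLICY = {"pwdMaxAge": ["7776000"], "pwdGraceAuthNLimit": ["3"]}
USER_FRESH = {"pwdChangedTime": ["20240101000000Z"]}
USER_GRACE = {"pwdChangedTime": ["20240101000000Z"], "pwdGraceUseTime": ["20240401080000Z"]}

if __name__ == "__main__":
    for when in ("20240301120000Z", "20240328120000Z"):
        print(when, password_status(USER_FRESH, POLICY, parse_generalized_time(when)))
    state, detail = password_status(USER_GRACE, POLICY, parse_generalized_time("20240402120000Z"))
    print(state, detail, login_message(state, detail))
```

    Read the entry before binding as the user (or with a privileged search connection), because the bind itself adds a pwdGraceUseTime value; and, as the reply says, when only one grace bind is left the password modify must be sent on the connection that bind opened.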

  • User Management via Web Services

    Hi,
    We are investigating building a user management application that will control user creation and management across a range of applications, including SAP ECC6 and BW.  The idea is to use web services to interact with the systems.  I have seen that a range of BAPIs exist for managing users (e.g. BAPI_USER_CREATE, BAPI_USER_CHANGE) - does anyone have any experience in using these BAPIs via web services that they would be willing to share?
    Thanks

    Hi Colin,
    We did that successfully. It was a web service/InfoPath-based interactive .NET form which did user management and also workflow functionality. In summary, from my experience:
    - Initial cost would be cheaper; however, ongoing maintenance of the whole infrastructure should be considered.
    - SAP BAPI/FM/web service development was very easy
    - Integration with InfoPath was a challenge
    - Front-end development was a pain, as you would need other people to do that for you
    - Once operational, it was very easy to manage
    - Future enhancement was limitless
    - Limited integration with other technology
    - Should only be justifiable in the absence of an IDM solution
    - Too much custom development
    - Change management in SAP was easy (transport, testing, QA etc.); however, InfoPath and front-end change management was not easy
    Let me know what other information you need. Finding BAPIs and designing in SAP is the easy part; you should think more about how you are going to deploy the web service to end users.
    However, if your IT department has more bucks to spend, think about a longer-term solution and towards IDM or a product such as GRC etc.

  • Securing AnyConnect VPN user access via specific LDAP groups in Active Directory?

    Is there a brief tutorial on how to secure AnyConnect VPN access using Active Directory security groups?
    I have AAA LDAP authentication working on my ASA 5510, to authenticate users against my internal AD 2008 R2 server, but the piece I'm missing is how to lock down access to AnyConnect users ONLY if they are members of a specific security group (i.e. VPNUsers) within my AD schema.

    This looks fairly complete
    http://www.compressedmatter.com/guides/2010/8/19/cisco-asa-ldap-authentication-authorization-for-vpn-clients.html
    Sent from Cisco Technical Support iPad App

  • Exposing Portal's User Management functionality via Web Service issue

    Dear experts,
    I am trying to create and deploy a web service that will tap into the User Management functionality (UMFactory) of the Portal. I created a Java project with a Java class with one of the methods exposed via Web Service. Since this is a Java project and not a Web Dynpro project, a number of external jars and libraries are needed, but I don't know how to add WD_RUNTIME and I am guessing that my problem is related to that.
    When trying to run the application, I receive the following error message when trying to invoke UMFactory:
    java.lang.NoClassDefFoundError: com/sap/tc/logging/Location
         at com.sap.security.api.UMFactory.<clinit>(UMFactory.java:166)
         at com.hollister.getusers.GetPortalUsers.getPortalUsers(GetPortalUsers.java:75)
         at com.hollister.getusers.GetPortalUsers.main(GetPortalUsers.java:39)
    Please, help.
    Thanks,
    Alex

    Container Managed Authentication. Does everything you need.

  • User Managed Hot Backup via Sql

    Hi, being a bit old school, I am trying to understand the steps required for a hot backup managed via SQL (sorry, all RMAN fans!)
    I understand that I can back up each tablespace in turn (via the necessary ALTER TABLESPACE <x> BEGIN BACKUP and then take it out of backup).
    I presume also that I simply take a backup of my control file (either as binary or as trace if need be).
    I am also guessing that you do not back up the redo logs (since you will reset these on any recovery anyway).
    The bit I am not sure about is the undo tablespace - can it be backed up in exactly the same way as any of the other tablespaces?
    Are there any other components that I need to back up (apart from archive logs)?
    thanks,
    Jim

    EdStevens wrote:
    Jim Thompson wrote:
    Hi, being a bit old school, I am trying to understand the steps required for a hot backup managed via SQL (sorry, all RMAN fans!)
    I understand that I can back up each tablespace in turn (via the necessary ALTER TABLESPACE <x> BEGIN BACKUP and then take it out of backup).
    I presume also that I simply take a backup of my control file (either as binary or as trace if need be).
    I am also guessing that you do not back up the redo logs (since you will reset these on any recovery anyway).
    The bit I am not sure about is the undo tablespace - can it be backed up in exactly the same way as any of the other tablespaces?
    Are there any other components that I need to back up (apart from archive logs)?
    thanks,
    Jim
    I'm old school too. Been in this business over 30 years. Still prefer a command line interface.
    Me too.
    But c'mon .... user managed backups? How about dictionary managed tablespaces? initialization parameter files instead of spfiles?
    Ok, I'll give you the DMT (old skool hippies should be lol now). But user managed backups do have their place, and seriously, I think plain old parameter files are in many cases better than strange binary things that need special software to manipulate and require you to remember arbitrary things. I cuss at regedit every time...
    What is the business or technical justification for not going with rman?
    I can still remember my grandfather arguing with the guy at the tire store, insisting they put inner tubes in those "newfangled" tubeless tires . . .
    My last lawn tractor had much better luck with tubed replacement tires than tubeless with puncture sealant. Naturally as soon as I bought a new tractor I got a puncture; it doesn't come with sealant. Anyone who's ever struggled with a bead that doesn't set in without a high pressure air pump will appreciate grandpa's point of view. As well as sew-ups.

  • DHCP Client List doesn't list VPN Users - 10.5.4

    Hello,
    When I had Tiger 10.4.11 running, it would usually list every DHCP client on the system, including those outside the subnet in the VPN range. Now that we are running Leopard Server 10.5.4, clients no longer appear in the DHCP client list under server manager.
    Thus:
    DHCP range: 192.168.2.1 - 192.168.2.147, subnet 255.255.255.0
    VPN range: 192.168.2.148 - 192.168.2.255
    I noticed I had to change DHCP client IDs and change the printer machine names to get them to show up in the DHCP client list.
    Even if I modify the DHCP client ID on the VPN users' machines and change the machine name, I still can't get anything to show up.
    Does the DHCP client list no longer list the VPN users?
    Thanks!
    ATF

    Hello,
    An additional note. When I VPN into the server, I no longer can access the clients via ARD like I used to under Tiger.
    It seems to gel that the DHCP server can see local clients over the gigabit network but can't see the VPN clients, and that I also can't see the internal clients via VPN.
    AGGGH.
    Suggestions?
    ATF

  • Adding a domain user to the admin role within the local user management breaks all metro apps for all users!!

    Hi,
    I have posted this in another large thread under the "Windows 8 General" group but have not had any appropriate feedback from MS.
    After hours of testing and working with other users I have managed to isolate a simple situation that breaks all Metro UI applications within Windows 8 for all users on the machine. Here are my exact steps and notes.
    Before continuing, if you are running Avast then your solution may be to turn off the behaviour shield functionality, as this also breaks Metro apps. This is NOT the problem we are having!
    I have performed 3 clean installs after isolating the problem and am able to reproduce the issue every time using the same steps on two different machines.
    First thing to say is that for us it has nothing to do with simply joining the domain or domain/group policies, nor does it appear to have anything to do with the software we installed; the problem here is much more simple, but the result is pretty terrible.
    Here are my exact steps of what I did to reproduce our problem:
    Complete format of HDD in preparation for a clean install
    Clean install performed
    Set up the machine initially with a local account
    Test Metro apps - all working fine
    Open Control Panel from the desktop, click on System, change the system to join the domain, click reboot
    Log into the system using my domain account
    Test Metro apps - all working fine
    Here's where the problem starts. I need my domain account to have admin rights on the local machine so I can install programs without the IT men having to come over and enter their password every 5 mins.
    I go to Control Panel via the desktop and click on User Accounts. From here I then click on "Manage User Accounts". This requires the IT guys to enter their details to give me access to such functionality. This is fine.
    In the dialog box that opens I can only see the local user that was initially created during setup. The "Group" for this local account shows as "Administrators" - image included below (important to note that Metro apps are working at this point)
    I click Add and then add my domain account - also giving it administrator access
    Sign off or reboot to ensure the new security is applied
    Sign back in to the domain account
    Test Metro - ALL BROKEN
    Sign out
    Sign in as local account
    Test Metro - NOW ALL BROKEN FOR THIS USER ALSO
    So as soon as I add my domain account to the local user accounts and set it as admin, it breaks all Metro apps for all users. This is on a totally clean install with nothing at all installed other than the OS.
    Annoyingly, if I go back and change the domain account to a standard user, or if I totally remove the domain account from the local account management system, the problem does not go away for either user. Basically it is now permanently broken. The only fix I could fathom was a full reinstall and not giving the domain user admin access to the local machine.
    Screen one - this is the local user accounts window AFTER joining the domain and logging in with my domain account (all Metro apps working at this point)
    Screen 2: User accounts AFTER joining the domain and AFTER adding the domain account to local user management (METRO BROKEN)
    I have isolated my machine from all group policies so nothing like that is affecting me. Users I have spoken to in different companies have policies that automatically add users to the local user management. This means that Metro apps break as soon as they join the domain, which leads them to wrongly think it is group policies causing the error. Once they isolate themselves from this they can reproduce following my steps.
    Thanks

    Hi Juke,
    Thank you for the response and apologies for the delay in getting back to you. My machine was running a long task so I couldn't try your suggested solution.
    I had already tried running the registry merge suggested at the top of the thread to no avail. I had not tried deleting the OLE key totally, so I did that and the problem still exists. I will post all the errors I see in Event Viewer below. For your info, since posting my initial comment I have sent out my steps to 7 different people and we can all reproduce the problem. This comes to 10 different machines (3 of them mine, then the other guys') in 3 different businesses / domains. We see the same errors in Event Viewer.
    Under "Windows Logs" --> "Application": I get two separate error events. The first reads "Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: The app didn't start. See the Microsoft-Windows-TWinUI/Operational log for additional information." The second arrives in the log about 15 seconds after the first and reads "App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time."
    Under "Windows Logs" --> "System": I get one error that reads "The server Windows.Store did not register with DCOM within the required timeout."
    Under "Applications And Services Logs" --> "Microsoft" --> "Windows" --> "Apps" --> "Microsoft-Windows-TWinUI/Operational": I get one error that reads "Activation of the app winstore_cw5n1h2txyewy!Windows.Store for the Windows.Launch contract failed with error: The app didn't start."
    If you require any further information just let me know and I will provide as much as I can.
    Thanks

  • Fixed ip for vpn user- aaa authenticated

    Hi all,
    I am using an ASA 5520 as my VPN box. All VPN users log in to the VPN box associated with a AAA server. The authentication takes place on the AAA server. If I use the local database for user login, I can assign a fixed static IP to the user via its VPN properties. But now I am using AAA for authentication and I want to assign a fixed static IP for some users. How can I do this?

    With local AAA authentication, go to the user attributes, like:
    username vpnuser attributes
    vpn-framed-ip-address 192.168.50.1 255.255.255.255
    This will give that IP to that user.
    If you are using Cisco ACS, under the user settings go to:
    Assign static IP address - If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
    The following link gives step-by-step instructions to configure Cisco ACS AAA:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
    Good luck.
    Please rate if helpful.

  • User Management (for dummies?)

    reposting from a different forum...
    I'm trying to use User Management and my head hurts...
    ...I'm on 11.5.10.2 ATG RUP5 and I've tried to connect all the dots referencing the User Management Admin Guide. I'm trying to create a role that I could grant to an apps user, allowing the user to grant a subset of possible responsibilities to other users - essentially a delegated user admin, as I understand it. I get close, but I'm always off - either I can't limit the role to just the single 'Search/Edit Users' functions, or I can't get any menu functions to display, or something else. <cry>
    In one place, the Admin Guide gives steps for defining user administration privileges for roles; in another place, it talks about role inheritance hierarchies; in another place, separating navigation menus and access control. Via the forms interface, I tried looking at the definition of the menu 'User Management: Top Level Menu' -- it seems to contain submenus that contain redundant submenus. Once again, a bit confusing to me. For example, what do I keep / delete when I only want a delegated user admin responsibility to have an HTML navigation with just 1 subtab for 'users'? Do I use this menu and prevent access to the other 'tabs' or functions by a security policy or do I need to build a new menu?
    I'm thinking the seeded roles have all the components needed (functions, security policies, menu navigations, etc.) to demonstrate an integrated example -- but I haven't been able to put it all together.
    Could someone help with a clear, simple, example?

    Hello,
    > In one place, the Admin Guide gives steps for defining user administration privileges for roles; in another place, it talks about role inheritance hierarchies; in another place, separating navigation menus and access control.
    > Could someone help with a clear, simple, example?
    I am working on something related that may be helpful, in which it has been decided to make the departmental heads delegated administrators (local administrators), but obviously training them might be a different story.
    Normally not many new menus are used, as there are many seeded menus that can be used instead; at least in my case that has been so. Instead of creating new menus, try altering the current ones.
    Try to understand role inheritance hierarchies as follows: there are two roles, sales person and sales manager (this is a simple example); sales manager, being the higher role, will have everything (all functions, security policies, menu navigations, etc.) of the role sales person. Management of users can be much easier.
    Normally using exclusions of functions works for me. Please ask if there are any confusions or doubts.
    Adith

  • Default Gateway address for multiple VPN users/clients

    Hello,
    We need some help with a VPN setup for a school project.
    What we want to do:
    We would like to have approx. 10 different VPN users that can connect to our Windows Server 2012 R2, which is set up as a VPN server by the role called Remote Access. The VPN server is working and we are able to connect to it from another location/computer.
    Our current setup:
    We have a Cisco router that is configured with 10 VLANs, from VLAN 10 to VLAN 20, and a management VLAN called VLAN 100.
    The Cisco router is also acting as DHCP server, so inside each VLAN the DHCP gives IP addresses to that specific VLAN, e.g. VLAN 10 has a 192.168.10.0/24 network, VLAN 11 has a 192.168.11.0/24 network, and so on. VLAN 100 has 192.168.100.0/24. This VLAN 100 has connection to all the VLANs.
    We have an internet connection on the router on port 0 and each VLAN is connected to the internet.
    We have set up the VPN server with a static IP configuration so it is inside VLAN 100 with a default gateway, like 192.168.100.1, so the VPN server is connected to the internet.
    In AD we have created a user and assigned a static IP address in the user properties, under the Dial-In tab. Here we give this user the IP 192.168.10.225.
    Now when we connect to the VPN server using this user, we have no connection to any of the VLANs (ping) and no internet. When we run ipconfig in cmd we can see that our VPN connection has the IP 192.168.10.225 but a subnet mask of 255.255.255.255 and a default gateway of 0.0.0.0.
    We would like the user to receive the correct IP settings, like: if we connect with our user, it should receive the IP as it does, but also a subnet mask of 255.255.255.0 and a default gateway of 192.168.10.1.
    How is this achieved?
    The reason we want this is: we want to create a VPN user for each VLAN. So a user with permission to access VLAN 10 but not able to see the other VLANs, then a new user to access VLAN 11 but not able to see the other VLANs, and so on.
    Hope someone is able to help us to understand how this is done.
    Thank you in advance.

    Hi,
    In brief, we can't achieve this. Normally, we would not do this.
    Usually, we use firewall or ACL to restrict the remote users.
    For example, 192.168.10.100 is assigned to user1 and 192.168.10.101 is assigned to user2. We can use firewall to restrict 192.168.10.100 to access 192.168.10.0/24 and 192.168.10.101 to access 192.168.11.0/24.
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Unable to create a test  via Content Management via Content Administration

    I am unable to create a test or survey via Content Management via Content Administration because of an insufficient privileges message. I create the folder and enter the test information for creating a test, and then after I click Apply I get the message "You have insufficient privileges for the current operation. Please contact your System Administrator".
    The System Administrator viewed the profile being tied to the responsibility and thinks there is no problem. Somebody please help!

    Hi, James.
    If you add the main "Learning Administrator" role (UMX|OTA_LRNG_ADMIN), it will include all child roles for the Administrator, including the Learning Content Administrator, Learning Catalog Administrator, Learning Enrollment Administrator, Learning Finance Administrator, Learning Resource Administrator, and Learning Setup Administrator. If you don't have all of these roles, there are functions you will not have access to under the Learning Administrator responsibilities.
    The "Learning Instructor - Update" role only allows users that have the Learning Instructor Self-Service responsibility to update enrollment statuses for Learners that have attended classes that they are set as a resource for and won't impact the Administrator functionality.
    Anne
    Edited by: anne2 on Jun 5, 2013 2:09 AM (Fixed code for Learning Administrator role - Just noticed it was listed as the Enrollment Administrator role instead of the main Learning Administrator role)

  • Disabling Management via Wireless - is there any point?

    Hey guys.
    Firstly, yes, I do know that allowing management of controllers over an unsecured WLAN is a bad idea (although even that would be SSL-secured by default, but open to brute-forcing I'd guess).
    Secondly, let's assume that Management via Dynamic Interfaces is disabled too (why anyone would want to enable that is a bit beyond me too).
    This one little tickbox manages to justify an entire page in the GUI, so it definitely looks pretty darn important!
    The problem is that in a multi-controller environment the only controller that knows you're connecting over wireless is the one that you're connecting through. Any other controller will be happy to accept the management connection on its management interface address because it sees it as coming from the wired network. To prevent this from happening I think you could do either of two things...
    1) Apply a CPU ACL that blocks the client IP ranges, which will work equally well for wireless and wired-side connections, i.e. it's the equivalent of the "management via wireless" setting but works for all controllers simultaneously. You'd have to remember to keep this updated, though, if ever your WLANs and client ranges change.
    2) Put the management interfaces of all controllers in an isolated management VLAN (which will potentially complicate all your supporting services access, e.g. DHCP/RADIUS/etc.). That'll stop the undesirable "wired" access on the n-1 controllers and then the mgmt-via-wireless will take care of the wireless access to the other 1 controller.
    So the setting seems rather pointless on its own in anything other than a single-controller environment. I'm sure I've read somewhere that the controllers do tell each other about their current clients (for things like CCKM and rogue management), so wouldn't it be cool if this centralised awareness logic was applied to management connections?
    What are the experiences out there with this feature? Is it generally seen as worthwhile, or does it really need some extra planning and possible augmentation via other features to be of any value?
    In general, other than popular paranoia about wireless being "less secure" than wired access, what are the compelling reasons for denying management via wireless? As I mentioned above, even over a completely non-secured WLAN you'd still have SSL/SSH security if you configure your allowed management protocols right.
    Thanks,
    Justin

    Yes "It makes the auditors happy" is definitely a good and valid reason.
    I've just co-incidentally come across this in the 5.0.148 release notes:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html#wp234100
    "Preventing Clients from Accessing the Management Network on a Controller
    To prevent or block a wired or wireless client from accessing the management network on a controller (from the wireless client dynamic interface or VLAN), the network administrator should ensure that there is no route through which to reach the controller from the dynamic interface or use a firewall between the client dynamic interface and the management network."
    That makes sense, but do many folks out there do it that way? Generally there's not much control between the management VLAN and the users' VLAN because the latter is usually where the wireless-supporting services reside.

  • User Management for e-Commerce ERP

    Hello Experts,
    I am working on e-Commerce ECC6.0 version.
    Had some questions in the area of user management:
    A)
    The scenario is that the e-Commerce application needs to be integrated with the Portal; now my doubt is which userType option is the best to be chosen for such cases.
    Is it mandatory to use user type "ERP e-Commerce logon via UME"?
    I have not worked with UME before, so could you also share some links / pointers in that area?
    What other SSO logon options are available?
    B) In case there is no portal and e-Commerce is working as a standalone application:
    There is already an ECC 6.0 system in place where until now customers have been maintained. The client has been using a custom Online Store application on which login was via the customer ID. Now they want to use e-Commerce for ERP, but still want the logon to be via the customer ID only. In such a case the only option that I can think of is the "R3_SU05Customer_LoginCustomerNo" userType. But since the SU05 type is not recommended now, I was wondering if there could be some other option as well? Can you guide me?
    Thanks

    A
    > Is it mandatory to use user type "ERP e-Commerce logon via UME"?
    UME makes the user management simple and central to the Security / System group.
    > I have not worked with UME before and hence if you can also share some links / pointers in that area?
    UME is not something any developer / functional analyst will do. We should leave that to the security group. If you insist, here is a starter: [Help on UME.|http://help.sap.com/saphelp_nw04/helpdata/en/e5/618a3eacd49076e10000000a114084/frameset.htm]
    B
    See section 2.6 of this [E-Commerce with ERP Business Configuration Guide|https://websmp205.sap-ag.de/~sapdownload/011000358700002100812006E/Config_Guide_ECO_ERP_50.pdf]
    There are some steps on migrating from SU05 to SU01. You can always have the current customer number as the alias for the internet user.
    Easwar Ram
    http://www.parxlns.com

  • Using ISE to assign ACL's for VPN users

    Hi,
    I've just implemented ISE into our environment using various documents and videos found online, but have not been able to find anything about using ISE to authenticate remote users via VPN and assign them the ACLs created for their level of network access.
    Does anyone know of a good document or training video knocking about that I can use?
    Thanks
    Jason

    Jason,
    If the ACL is present on the ASA you can use the "filter-id" RADIUS attribute to reference the ACL for the user's session. You can make this work by configuring an authorization profile and tying this in with your authorization policy for VPN users.
    If you want to push an ACL then my recommendation is to use the cisco-av-pairs to push the ACLs, since the username is associated with the ACL that is applied to the username of the VPN session.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1763743
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
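    Both the fixed-IP thread above and this ISE answer come down to what the AAA server puts in its RADIUS Access-Accept: Framed-IP-Address (with a /32 Framed-IP-Netmask) for a per-user static address, Filter-Id to name an ACL that already exists on the ASA, and a Cisco AV pair (vendor 9, type 1, `ip:inacl#n=...`) to push an ACL entry. The Python below is an added example, not code from the thread, Cisco or ISE: it encodes those attributes per RFC 2865, computes and checks the Response Authenticator the way the ASA does before trusting a reply, and parses the result back, so you can see exactly what an ACS or ISE authorization profile produces on the wire. The identifier, shared secret, request authenticator, addresses and ACL names are constructed test values.

```python
"""Encode, sign and parse the RADIUS Access-Accept attributes that an AAA server
(ACS, ISE, FreeRADIUS) returns to an ASA to pin a VPN user's address and ACL.
Added example; the values at the bottom are constructed for illustration."""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK, FILTER_ID, VENDOR_SPECIFIC = 8, 9, 11, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1          # IANA enterprise number 9 = Cisco


def attribute(attr_type, value):
    """One RFC 2865 attribute: type, total length (value + 2), value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute carrying one cisco-avpair string."""
    data = text.encode("ascii")
    sub_attr = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub_attr)


def session_attributes(static_ip=None, filter_acl=None, acl_entries=()):
    """Attributes for one user: fixed address, ACL already on the ASA, pushed ACL lines."""
    attrs = []
    if static_ip:
        attrs.append(attribute(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(static_ip).packed))
        attrs.append(attribute(FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.255").packed))
    if filter_acl:
        attrs.append(attribute(FILTER_ID, filter_acl.encode("ascii")))
    for n, entry in enumerate(acl_entries, start=1):
        attrs.append(cisco_avpair(f"ip:inacl#{n}={entry}"))
    return attrs


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Access-Accept; Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_access_accept(packet, request_authenticator, secret):
    """What the NAS does before acting on a reply: recompute and compare the authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Decode the attributes the ASA acts on; unknown types are kept raw under their number."""
    result = {}
    pos = 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + length]
        if attr_type in (FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK):
            name = "Framed-IP-Address" if attr_type == FRAMED_IP_ADDRESS else "Framed-IP-Netmask"
            result[name] = str(ipaddress.IPv4Address(value))
        elif attr_type == FILTER_ID:
            result["Filter-Id"] = value.decode("ascii")
        elif attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub_type, sub_len = struct.unpack("!BB", value[4:6])
            if sub_type == CISCO_AVPAIR:
                result.setdefault("cisco-avpair", []).append(value[6:4 + sub_len].decode("ascii"))
        else:
            result.setdefault(attr_type, []).append(value)
        pos += length
    return result


# Constructed values standing in for a real Access-Request's identifier and authenticator.
REQUEST_ID = 7
REQUEST_AUTH = bytes(range(16))
SHARED_SECRET = b"example-shared-secret"


def example_accept():
    """Reply for a user who gets a fixed /32 address, a named ACL and one pushed ACL line."""
    attrs = session_attributes(static_ip="192.168.50.1", filter_acl="VPN-ACL",
                               acl_entries=["permit ip any host 10.1.1.1"])
    return build_access_accept(REQUEST_ID, REQUEST_AUTH, SHARED_SECRET, attrs)


if __name__ == "__main__":
    pkt = example_accept()
    print("authenticator valid:", verify_access_accept(pkt, REQUEST_AUTH, SHARED_SECRET))
    print(parse_attributes(pkt))
```

    Filter-Id only names an ACL, so `access-list VPN-ACL ...` must already exist on the ASA or the session gets no filter; the cisco-avpair lines are applied as a per-user ACL. The authenticator check is all that stops a forged Access-Accept, and it is keyed only by the shared secret over MD5, so anyone on the path who holds the secret can mint one; that is the reason to keep ASA-to-ISE traffic on a dedicated management path or inside IPsec, and to use a long random secret per NAS.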
