Weblogic Console Access Denied - Admin Role group question
I need to grant access to a user that is authenticated via OAM.
My authentication is succeeding and I am getting the following back as my Principal:
<weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 3
Principal = class weblogic.security.principal.WLSUserImpl("IdentityGuardAppID")
Principal = class weblogic.security.principal.WLSGroupImpl("cn=FUNC-LDAP-Browse,ou=secure,o=admin")
Principal = class weblogic.security.principal.WLSGroupImpl("cn=FUNC-IDV-APP,ou=secure,o=admin")
My authorization is failing and I think it's because I cannot figure out how to add the groups returned above to the Admin role in WLS.
Normally, this is a breeze - I simply add it from the Realm Role under the Roles and Policies tab in myrealm.
In this case, my group looks like a subject DN (i.e., it contains commas).
Does anyone know how to add a group that contains a comma to the Admin Role?
Hi Sameer Gawde,
Would you please let me know the complete error messages when you use RSAT and PowerShell?
In addition, RSAT is based on the MMC console. Please check whether you have enabled a Group Policy setting to restrict MMC snap-ins. In GPME, please refer to the path: User Configuration-> Policies-> Administrative Templates-> Windows Components-> Microsoft Management Console-> Restrict users to the explicitly permitted list of snap-ins. Meanwhile, please check whether you configured the Don't run specified Windows applications setting (path: User Configuration-> Policies-> Administrative Templates-> System-> configure) to limit RSAT and applied it to the domain admin group. This issue is really strange. Just please check and confirm. Thanks for understanding.
Please log on to the DC with an Admin account, then navigate to: ADUC-> Users. Please select and right-click the Domain Admins group and select Properties. Please select the Member Of tab and check which groups this group is a member of.
Meanwhile, please open Component Services and expand “Component Services-> Computers-> My Computer”.
Then right-click My Computer and select Properties. In the COM Security tab, under Access Permissions, please check how “Edit Limit” is configured.
By the way, please navigate to Event Viewer and check whether you can find any related clues.
Hope this helps.
Best regards,
Justin Gu
Similar Messages
-
ADF application deployed on Weblogic..access denied error
I have deployed an ADF application on WebLogic Server. My ADF application is using multiple application modules. I have also created a datasource using Oracle XA driver to connect to the database. Now I am able to login to my application and on one page getting the details from the database. This makes sure that there is no problem with database connectivity. However, when I click on a hyperlink I get a jspx page which only shows the field names. I am not getting any field values and ADF BC table row shows "Access Denied" message. This did not happen on Oracle AS. I am using examplesServer (Admin) server of weblogic. I have deployed my application on other machines and also tried to connect to different databases but all leading to the same problem. Also, If I click on any link after that, I get this error:
oracle.jbo.common.ampool.ApplicationPoolException: JBO-30003: The application pool (oracle.apps.aia.bsr.admin.model.BsrAdminAMLocal) failed to checkout an application module due to the following exception:
at oracle.jbo.common.ampool.ApplicationPoolImpl.doCheckout(ApplicationPoolImpl.java:2002)
at oracle.jbo.common.ampool.ApplicationPoolImpl.useApplicationModule(ApplicationPoolImpl.java:2793)
at oracle.jbo.common.ampool.SessionCookieImpl.useApplicationModule(SessionCookieImpl.java:453)
at oracle.jbo.http.HttpSessionCookieImpl.useApplicationModule(HttpSessionCookieImpl.java:233)
at oracle.jbo.common.ampool.SessionCookieImpl.useApplicationModule(SessionCookieImpl.java:424)
at oracle.jbo.common.ampool.SessionCookieImpl.useApplicationModule(SessionCookieImpl.java:419)
at oracle.adf.model.bc4j.DCJboDataControl.rebuildApplicationModule(DCJboDataControl.java:1543)
at oracle.adf.model.bc4j.DCJboDataControl.beginRequest(DCJboDataControl.java:1404)
at oracle.adf.model.binding.DCDataControlReference.getDataControl(DCDataControlReference.java:99)
at oracle.adf.model.BindingContext.get(BindingContext.java:457)
at oracle.adf.model.binding.DCUtil.findSpelObject(DCUtil.java:280)
at oracle.adf.model.binding.DCUtil.findSpelObject(DCUtil.java:248)
at oracle.adf.model.binding.DCUtil.findContextObject(DCUtil.java:383)
at oracle.adf.model.binding.DCIteratorBinding.<init>(DCIteratorBinding.java:127)
at oracle.jbo.uicli.binding.JUIteratorBinding.<init>(JUIteratorBinding.java:60)
at oracle.jbo.uicli.binding.JUIteratorDef.createIterBinding(JUIteratorDef.java:87)
at oracle.jbo.uicli.binding.JUIteratorDef.createIterBinding(JUIteratorDef.java:51)
at oracle.adf.model.binding.DCIteratorBindingDef.createExecutableBinding(DCIteratorBindingDef.java:277)
at oracle.adf.model.binding.DCBindingContainerDef.createExecutables(DCBindingContainerDef.java:296)
at oracle.adf.model.binding.DCBindingContainerDef.createBindingContainer(DCBindingContainerDef.java:425)
at oracle.adf.model.binding.DCBindingContainerReference.createBindingContainer(DCBindingContainerReference.java:54)
at oracle.adf.model.binding.DCBindingContainerReference.getBindingContainer(DCBindingContainerReference.java:44)
at oracle.adf.model.BindingContext.get(BindingContext.java:483)
at oracle.adf.model.BindingContext.findBindingContainer(BindingContext.java:313)
at oracle.adf.model.BindingContext.findBindingContainerByPath(BindingContext.java:633)
I have already installed ADF run time libraries on Weblogic server.
Any help would be really appreciated.
Thanks.
Message was edited by:
Vivek Raut
Also,
I checked the "monitoring" window of my datasource on weblogic server and saw that there are no failed database connections. So, the problem of a broken database connectivity can be ruled out.
--Vivek -
SharePoint 2010 - Claims Based Authentication - Access Denied for AD Group members
We're in the process of migrating our SharePoint 2003 system to 2010 and have used Metavis to migrate the data. We had to do the data migration in a lab environment and then move/attach the content database to our production server. The database attached successfully
and I, as a site collection administrator, can see all sites and the data therein. We are using claims-based auth with ADFS 2.0 as the provider.
My users, however, get access denied trying to go anywhere on the site. I have added the Active Directory groups to the appropriate SharePoint groups and have confirmed the groups are appearing with the c:0-.t|adfs|group_name syntax. If I add them as individual
users (i:05.t|adfs|[email protected]) they can authenticate fine, but not by AD group membership.
I enabled ADFS tracing and I see that the claim being provided includes the SIDs for all the groups the user belongs to. Using ULS Viewer I can see that SharePoint sees the correct number of claims (it doesn't show what those claims are, just the number) but
it doesn't seem to be connecting the SIDs passed to the group name used in the permissions list. I have also updated the portalsuperreader and portalsuperuser accounts after the database was moved, just in case there was something weird there.
The ADFS and SharePoint servers are all in the same AD domain, so they should be able to resolve SIDs ok. I suspect the issue is somehow related to the migration of the content database from a separate
environment (different domain), but I can't figure out for the life of me how to get the group authentication to work.
Thoughts?
Brilliant idea. Unfortunately that didn't work - I can get to the new site as the site collection owner, but members of groups to which I assigned permissions still get Access Denied. :-(
-
Simple (dumb) role/group question
Hi all,
I see in a number of places where I can define roles using a
"principal-name". Can I use a realm group here as well as a single user?
What I'm looking for is a method where I can set up my roles in my web apps
and ejbs and then on the fly grant users rights by adding them to a group.
Certainly seems possible but I must be missing something.
Consider the following example (from the weblogic documentation) and let me
know if I can use realm groups for the section attributed to the
weblogic.xml file. (I marked it with ***).
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureOrdersEast</web-resource-name>
<description>
Security constraint for resources in the orders/east directory
</description>
<url-pattern>/orders/east/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>constraint for east coast sales</description>
<role-name>east</role-name>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description>east coast sales</description>
<role-name>east</role-name>
</security-role>
<security-role>
<description>managers</description>
<role-name>manager</role-name>
</security-role>
weblogic.xml entries *** Can these come from the realm????????***
<security-role-assignment>
<role-name>east</role-name>
<principal-name>tom</principal-name>
<principal-name>jane</principal-name>
<principal-name>javier</principal-name>
<principal-name>maria</principal-name>
</security-role-assignment>
<security-role-assignment>
<role-name>manager</role-name>
<principal-name>peter</principal-name>
<principal-name>georgia</principal-name>
</security-role-assignment>
I am not sure what exactly you are looking for. Here is what I can tell you.
For EJBs you can define a group in NDS and map this group to a role in the EJB deployment
descriptor xml file. Then everyone in the group will be authenticated to access
the EJB by WLS.
Yong
"Ilango Maragathavannan" <[email protected]> wrote:
>
I am facing the same problem. To add the version of Weblogic it is WLS6.0sp1.
I would appreciate any help.
"Kent Mitchell" <[email protected]> wrote:
Hi all,
I see in a number of places where I can define roles using a
"principal-name". Can I use a realm group here as well as a single user?
What I'm looking for is a method where I can set up my roles in my web apps
and ejbs and then on the fly grant users rights by adding them to a group.
Certainly seems possible but I must be missing something.
Consider the following example (from the weblogic documentation) and
let me
know if I can use realm groups for the section attributed to the
weblogic.xml file. (I marked it with ***).
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureOrdersEast</web-resource-name>
<description>
Security constraint for resources in the orders/east directory
</description>
<url-pattern>/orders/east/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>constraint for east coast sales</description>
<role-name>east</role-name>
<role-name>manager</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role> <description>east coast sales</description>
<role-name>east</role-name></security-role>
<security-role> <description>managers</description>
<role-name>manager</role-name></security-role>
weblogic.xml entries *** Can these come from the realm????????***
<security-role-assignment> <role-name>east</role-name>
<principal-name>tom</principal-name>
<principal-name>jane</principal-name>
<principal-name>javier</principal-name>
<principal-name>maria</principal-name> </security-role-assignment>
<security-role-assignment> <role-name> manager </role-name>
<principal-name>peter</principal-name>
<principal-name>georgia</principal-name></security-role-assignment> -
Custom Security Manager or Security Event Interception from WebLogic Console
Hello,
I have built my own Security Manager and implemented custom preference/property mechanism for every Principal, so when I use my Swing client to create new User and new Group, as well as addMember to a Group, I know what to do with those properties/preferences.
Now, I want to use WebLogic Console to manage users and groups. I want to intercept events in my Security Manager about new User or Group creation or changing their memberships as Principals in order to handle their Preference/properties stuff myself...
I wonder what should I "listen" in order to understand that someone has changed membership of Users or Groups or about creation of new User or Group?
I use Weblogic Server 6.0 sp2
serge
Hi Daniel,
> a custom security manager for the standard CM Repository
And this dictates you indeed to use the old API, as the CMRepositoryManager itself is using the old API.
The standard AclSecurityManager is implemented by com.sapportals.wcm.repository.manager.generic.security.AclSecurityManager. If you check out Configuration - Content Management - Repository Managers - Security Manager, you will see "ACL Security Manager" (the one from above) and "ACL Security Manager (for new Manager-API)". This is implementing / using the new API, but needs also a RM using the new API.
> java.lang.NoSuchMethodException: MySecurityManager.<init>
This exception only complains about a missing constructor!? Have you implemented a default constructor?!
> If this is the case, where can I find the API for IUMPrincipal? It is not included in any provided API because of deprecation.
The methods of the old EP5 user management are more or less similar to the new UME, so using the old deprecated API should be more or less straight forward.
There are also transformer methods for example to transform a "new" user object to an old EP5 one, see https://forums.sdn.sap.com/thread.jspa?threadID=235656&tstart=0
Hope it helps
Detlev -
Read only access to Admin Console in WL 6.1
Hi,
I've seen a couple of questions already posted about this... but so far no answers!
Does anyone know how to grant read only access to the WL 6.1 Admin Console? The
supplied user "guest" doesn't seem to have any access, so I was wondering what
needs to be edited to enable this.... I've tried adding ACL's with "read" permission,
but that doesn't seem to help.
Any thoughts would be most appreciated.
Jim
Brown,
This functionality is not available in 6.1. The newest version of wls
8.1 has this feature depending on the role that the user is in.
~satya
Mr. Brown wrote:
Is there a way to restrict a user to read-only priv. on the weblogic
console? Either by using acl's or other means.
Thanks in advance,
Brown -
Error while Accessing OIF admin Console
Hi All,
This is Pokuri i installed OIF 10g and to fix some error i also installed one patch p6157821 after that i tried to login to OIF admin console but showing error
" 500 Internal server error
Servlet error: Error instantiating servlet 'uix' (servlet class not found, make sure it exists at C:\oracle\OIF\cotelligent\j2ee\OC4J_FED\applications\fed\admin/WEB-INF/classes/oracle/security/fed/admin/console/servlet/OSFS_UIX_Servlet.class, in a jar in C:\oracle\OIF\cotelligent\j2ee\OC4J_FED\applications\fed\admin/WEB-INF/lib/, in an orion-web.xml specified classpath or global server classpath)"
Please any one give the solution for this error
Thank you & Regards
Pokuri
Try the following:
Restart "Windows Management Instrumentation" service in your service tray where this admin console is installed.
Or restart the admin console, if possible restart the machine and try again.
If the user (who is accessing the admin console) is to perform administrative tasks either through the BizTalk Administration console make sure user is part
of BizTalk Server Administrators group or BizTalk Server Operators group for
low privileged role that only has access to monitoring and troubleshooting actions
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply. -
Hi All,
I have followed dozens of tutorials to set up roles for Hyper-V, but I keep coming up short. I have no problem managing the five domain-joined 2012 R2 Core Hyper-V servers we have remotely from my Windows 8.1 PC, but I have a lab box I would like to grant
specific permissions to some Help Desk users on.
The key tutorial I have followed is from John Howard (http://blogs.technet.com/b/jhoward/archive/2008/04/01/part-4-domain-joined-environment-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx),
but it still does not allow a non-admin account to use Hyper-V Manager remotely. Without his tutorial, I get access denied with my "TestUser" account. After following his steps, Hyper-V Manager appears to connect to the server, but says "The
Virtual Machine Management service is not available." Even using his HVRemote with the /show flag, everything shows as PASSED.
Digging deeper, I see dozens of failed audit Event Viewer logs saying "TestUser" is requesting READ to Service Control Manager. That sent me searching, and I found
http://arnoutboer.nl/weblog/?p=300 and http://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx.
After granting "AU" (Authenticated Users) every permission resembling "read", Hyper-V Manager now shows "There are no virtual machines to show" (or something along those lines); even though I know there are about 30 VMs on this
host. I try to create a new VM (out of curiosity, and now that those options actually appear), and I get permission denied immediately after the create VM wizard pops up.
Why is this such a convoluted process? I would appreciate any help creating Roles for Hyper-V 2012.
Thank you in advance!
Hi Eric (cool name BTW!)
Putting them in Hyper-V Administrators is definitely not an option.
I absolutely believe Microsoft would do something to push you into buying their software; just as we had to purchase Windows 8.1 Pro to remotely manage our 2012 R2 servers. However, as far as I am seeing, AzMan is still in 2012 R2. Whether it works or not
is another story, but AzMan.msc is still there and I can run it on any of our 2012 R2 GUI installs.
Actually just found this:
http://technet.microsoft.com/en-us/library/dn303411.aspx. According to that, it has not yet been removed, but it has been deprecated. From what I am seeing, the Hyper-V portion of it is definitely broken.
I will look into the remote endpoints solution you mentioned. Thank you for the suggestion. I just recently took the plunge into learning C++, so maybe a Hyper-V manager of sorts will be an app to
attempt to write, haha.
Eric Christensen -
Getting the error access denied trying to modify the workbook with identifier in Disocverer Admin
Hi All,
I have exported a workbook created by a business user as an .eex file, logging in as discoverer admin from a Production environment (transactional database), and am trying to import it to a different environment called reporting environment (non transactional database) and getting a warning 'WFS GTP REPORT SINAPORE.eex:Access denied trying to modify the workbook with identifier 'WFS_GTP_REPORT_SINGAPORE'.
It says Files Partially Imported so clicked on Finish to complete the import.
The report has been imported under the user account but the sharing to the different responsibilities/Users has not been imported. I need to import the report with the sharing of the responsibilities/users as well.
I do not have an option to log in to discoverer administrator using the user account; I can only log in using the administrator account (I know logging in as the business user itself will allow you to import the sharing). But our DBAs oppose this as it is a security threat for the users, as you are logging in as the user in production environment.
Please help with this issue.
I have the same problem, and I figured out that my Windows is installed in French, and all user groups are created in French also; groups like Everyone don't exist and I can't change them by console.
Regards, Roberto Borges please remember to mark the replies as answers if they help and unmark them if they provide no help. -
Admin Console access with custom providers
Hello,
I am using a custom authentication and authorization providers that
work just fine with my applications, but i have problems using Admin
Console with them (WL Server 7.0). The server is successfully started
with a user that has been given rights to '<svr>.myserver.boot' etc.
Logging into Console is successful as well and most Console pages can
be viewed as usual. But when i'm trying to save any changes, or if i
try to just view certain Console pages, i get
'weblogic.management.NoAccessRuntimeException'. For example:
weblogic.management.NoAccessRuntimeException: Access not allowed for
subject: principals=[MyPrincipalImpl: Admin Weblogic], on
ResourceType: JDBCTxDataSource Action: write, Target: PoolName
or
weblogic.management.NoAccessRuntimeException: Access not allowed for
subject: principals=[MyPrincipalImpl: Admin Weblogic], on
ResourceType: Security:Name=MyRealmMyAuthenticator Action: execute,
Target: listGroups
When viewing most console pages, the custom provider is called by
WebLogic, resource information is parsed, then found from the
Principal and permission is granted. But as seen above, in some cases
WebLogic itself tries to find something non-existing from my
Principal, totally bypassing my custom provider implementation.
Obviously i am missing something here :).
Is there a way to direct all Console security checks to my custom
provider, or could this perhaps be a matter of configuration?
Any and all help is greatly appreciated!
- Andy -
"Andy" <[email protected]> wrote in message
news:[email protected]..
Hello,
I am using a custom authentication and authorization providers that
work just fine with my applications, but i have problems using Admin
Console with them (WL Server 7.0). The server is successfully started
with a user that has been given rights to '<svr>.myserver.boot' etc.
Logging into Console is successful as well and most Console pages can
be viewed as usual. But when i'm trying to save any changes, or if i
try to just view certain Console pages, i get
'weblogic.management.NoAccessRuntimeException'. For example:
MBean operations need a user with Admin role. -
Regedit Permissions -"Access Denied" or "Error while deleting key" EVEN AS ADMIN!
Anyone tried deleting a registry key in Windows 7? Got "access denied" or "Error while deleting key"?
The usual response is, "You need to run regedit as an administrator". but I *AM* logged in as Administrator, and running regedit as administrator, trying to assign administrator full permissions on that registry key in order to delete it!!
Am I mistaken, or isn't Administrator supposed to be able to administer and control all the settings on the computer, in order to set it up for the "Average Joe" user?
So, under the permissions menu of that key, go to advanced, change the owner from System to Administrator, and try again. It's no longer saying "access denied", but "Cannot delete xxxxxx. Error while deleting key".
The scenario: Basically, the wireless has stopped working on a laptop. The device does not show up in Device Manager, but is in the registry, so the normal procedure is to delete the registry entry for the device in HKLM/System/CurrentControlSet (and /ControlSet001) /Enum/PCI ,then attach the device or restart the computer, it finds the "new" hardware and reinstalls it. Easy!...
Not with permission restrictions on the administrator account it's not! So I need to give myself permission, to give myself permission, to do a simple task like delete a single registry key! Why, Microsoft, why???!!! Please just make the Administrator account a hidden "God mode" account that can do anything, and make the lives of us techies much easier in the process!
/RANT
Now, where did I put that XP disc?!....
Hi,
Let me explain:
Administrator does not mean "you get all rights to do anything." Administrator happens to be an account (or in your case, most likely the Local Administrators group) which by default is given some sensitive privileges like SeDebugPrivilege and similar. However, as far as the security subsystem is concerned, it is just an account. (Very much unlike root in Unix-like operating systems.) If you aren't the owner of the key in question, and your account does not have WRITE_DAC access to the registry key in question, then you won't be able to change the access control list on the key in question.
Try taking ownership first. By default, the local administrators group has SeTakeOwnershipPrivilege, which allows taking ownership of any object even without the WRITE_OWNER permission being granted by the object's discretionary access control list. Once you are the owner, you should be implicitly granted READ_CONTROL (which allows you to read the security descriptor on the object in question), and WRITE_DAC (which allows you to write to the DACL on the key in question). (Assuming the OWNER_RIGHTS SID isn't in use; that's extremely unlikely.) -
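The rules in the reply above can be replayed in a small model. This Python code is an added example, not part of the original thread: the class and function names (`Ace`, `Token`, `SecurityDescriptor`, `access_check`, `registry_key_walkthrough`) are hypothetical, SIDs are plain strings, and the key's DACL is constructed. It goes slightly beyond the reply by also modelling ordered allow/deny ACE evaluation.

```python
"""Simplified model of the Windows access check described in the reply above.

Constructed for illustration: SIDs are plain strings, and inheritance,
integrity levels and restricted tokens are not modelled.
"""
from dataclasses import dataclass, field

# Standard access-right bits (winnt.h values)
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
OWNER_RIGHTS = "S-1-3-4"  # well-known OWNER RIGHTS SID


@dataclass
class Ace:
    allow: bool
    sid: str
    mask: int


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list = field(default_factory=list)


@dataclass
class Token:
    sids: set
    privileges: set = field(default_factory=set)


def access_check(token, sd, desired):
    """Return True if every right in `desired` is granted to `token`."""
    granted = 0
    is_owner = sd.owner in token.sids
    # SeTakeOwnershipPrivilege grants WRITE_OWNER whatever the DACL says.
    if "SeTakeOwnershipPrivilege" in token.privileges:
        granted |= WRITE_OWNER
    # The owner implicitly gets READ_CONTROL and WRITE_DAC, unless an
    # OWNER RIGHTS ACE is present, in which case that ACE decides instead.
    if is_owner and not any(a.sid == OWNER_RIGHTS for a in sd.dacl):
        granted |= READ_CONTROL | WRITE_DAC
    remaining = desired & ~granted
    for ace in sd.dacl:  # ACEs are evaluated in order
        if remaining == 0:
            break
        if not (ace.sid in token.sids or (ace.sid == OWNER_RIGHTS and is_owner)):
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False  # deny ACE covers a right that is still needed
    return remaining == 0


def take_ownership(token, sd, new_owner):
    """Change the owner; needs WRITE_OWNER (here granted by the privilege)."""
    if new_owner not in token.sids or not access_check(token, sd, WRITE_OWNER):
        raise PermissionError("WRITE_OWNER denied")
    sd.owner = new_owner


def set_dacl(token, sd, dacl):
    """Replace the DACL; needs WRITE_DAC."""
    if not access_check(token, sd, WRITE_DAC):
        raise PermissionError("WRITE_DAC denied")
    sd.dacl = list(dacl)


def registry_key_walkthrough():
    """Replay the thread's scenario on a constructed SYSTEM-owned key."""
    admin = Token({"Administrators"}, {"SeTakeOwnershipPrivilege"})
    key = SecurityDescriptor("SYSTEM", [
        Ace(True, "SYSTEM", DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER),
        Ace(True, "Administrators", READ_CONTROL),
    ])
    steps = {
        "delete_before": access_check(admin, key, DELETE),
        "write_dac_before": access_check(admin, key, WRITE_DAC),
    }
    take_ownership(admin, key, "Administrators")
    steps["write_dac_as_owner"] = access_check(admin, key, WRITE_DAC)
    steps["delete_as_owner"] = access_check(admin, key, DELETE)  # ownership alone is not DELETE
    set_dacl(admin, key, key.dacl + [Ace(True, "Administrators", DELETE)])
    steps["delete_after_dacl_edit"] = access_check(admin, key, DELETE)
    return steps


if __name__ == "__main__":
    for step, allowed in registry_key_walkthrough().items():
        print(f"{step}: {'granted' if allowed else 'denied'}")
```

The walkthrough shows that becoming owner only unlocks editing the DACL; the delete succeeds once the DACL itself grants DELETE.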
Access denied when adding people to SharePoint group
Hi all,
I've been having problems with my SharePoint 2010 deployment that wasn't deployed by me. Sound familiar? Anyways, here is my problem: I try to add people to a SharePoint group and I'm getting:
Access Denied.
You do not have permission to perform this action or access this resource.
Troubleshoot issues with Microsoft SharePoint Foundation.
Correlation ID: 930333d7-64dc-4135-8f51-686303a9847c
Date and Time: 7/29/2014 2:21:11 PM
I've been having problems with pulling AD members in one of my site collections for awhile now. Been troubleshooting with what information I can find online. One step I took was to blank out the LDAP search string for each site collection so that it's not
limited to certain OUs.
Also I am getting security log entries that my farm account is trying to authenticate as a privileged [administrative permissioned] account for an employee that is no longer with us. Coincidentally enough he's the one that deployed this SharePoint solution
originally.
I need help in tracking down why I cannot add users to groups in this one site collection; but my root site collection I can add people no problem.
Environment:
Server1: SQL 2008 R2 on Windows Server 2008 R2
Server2: SharePoint 2010 with Enterprise CALs on Server 2008 R2
Current event viewer entries of note:
Load control template file /_controltemplates/TaxonomyPicker.ascx failed: Could not load the assembly ';Microsoft.SharePoint.Portal, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c'. Make sure that it is compiled before accessing the page.
Object Cache: The super user account utilized by the cache is not configured. This can increase the number of cache misses, which causes the page requests to consume unneccesary system resources.
To configure the account use the following command 'stsadm -o setproperty -propertyname portalsuperuseraccount -propertyvalue account -url webappurl'. The account should be any account that has Full Control access to the SharePoint databases but is not an application pool account.
Additional Data:
Current default super user account: SHAREPOINT\system
A logon was attempted using explicit credentials.
Subject:
Security ID: domain\farm_account
Account Name: farm_account
Account Domain: domain
Logon ID: 0x79c13
Logon GUID: {e25efc28-8db1-ea76-9a8e-6d0143a681d9}
Account Whose Credentials Were Used:
Account Name: former_admin_employee
Account Domain: domain
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: domain_controller.domain.net
Additional Information: domain_controller.domain.net
Process Information:
Process ID: 0x13b0
Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Hello,
> he's the one that deployed this SharePoint solution originally.
Are you trying to add user by custom solution? If so then it seems your code is using the impersonate method to run code with admin privileged (i.e. RunWithElevatedPrivileges or User token).
If this is the case then you have to first add new account as site collection in site then change that web application pool identity on IIS. Go to IIS-->select your web app pool-->then go to properties and verify which account is been used
there. If it is old then replace with your account.
Let us know your result
Hemendra:Yesterday is just a memory,Tomorrow we may never see
Please remember to mark the replies as answers if they help and unmark them if they provide no help -
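The security log entry quoted in the question is Windows event 4648 (a logon attempted with explicit credentials). As an added example that is not part of the original thread, this Python parser reads that message text and reports why an entry deserves review; the function names, the `retired_accounts` input and the `service_processes` heuristic are assumptions, and the sample event is constructed from the poster's placeholder names.

```python
"""Review 'explicit credentials' logon events for borrowed accounts.

The sample event is constructed from the text quoted in the post above and
keeps the poster's placeholder names.
"""
import ntpath
import re

SAMPLE_EVENT = r"""A logon was attempted using explicit credentials.
Subject:
Security ID: domain\farm_account
Account Name: farm_account
Account Domain: domain
Logon ID: 0x79c13
Account Whose Credentials Were Used:
Account Name: former_admin_employee
Account Domain: domain
Target Server:
Target Server Name: domain_controller.domain.net
Process Information:
Process ID: 0x13b0
Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Network Address: -
Port: -
"""

SECTION = re.compile(r"^\s*([A-Za-z ]+):\s*$")      # e.g. "Subject:"
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(\S.*)$")  # e.g. "Account Name: x"


def parse_event(text):
    """Split the event message into {section: {field: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
            continue
        pair = FIELD.match(line)
        if pair and current is not None:
            current[pair.group(1).strip()] = pair.group(2).strip()
    return sections


def _account(section):
    """Build a lower-cased domain\\name string from one event section."""
    name = section.get("Account Domain", "") + "\\" + section.get("Account Name", "")
    return name.lower()


def review_explicit_logon(text, retired_accounts, service_processes=("w3wp.exe",)):
    """Return the accounts involved and the reasons the event deserves review.

    retired_accounts: hypothetical list of domain\\name strings for accounts
    that should no longer be in use (for example departed staff).
    """
    event = parse_event(text)
    subject = _account(event.get("Subject", {}))
    used = _account(event.get("Account Whose Credentials Were Used", {}))
    process = ntpath.basename(
        event.get("Process Information", {}).get("Process Name", "")).lower()
    reasons = []
    if used != subject:
        reasons.append("different-account")   # caller borrowed another identity
    if used in {a.lower() for a in retired_accounts}:
        reasons.append("retired-account")     # identity should no longer exist
    if process in service_processes:
        reasons.append("service-process")     # credentials come from config or code
    return {"subject": subject, "used": used, "process": process, "reasons": reasons}


if __name__ == "__main__":
    print(review_explicit_logon(SAMPLE_EVENT, [r"domain\former_admin_employee"]))
```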
Trying to email a group of all our members and I keep getting an error message.
The original message was received at Tue, 18 Nov 2014 13:50:51 -0500
from d154-20-241-245.bchsia.telus.net [154.20.241.245]
----- The following addresses had permanent fatal errors -----
<[email protected]>
(reason: 554 5.7.1 <[email protected]>: Relay access denied)
----- Transcript of session follows -----
... while talking to scariboochamber.org.:
>>> RCPT To:<[email protected]>
<<< 554 5.7.1 <[email protected]>: Relay access denied
554 5.0.0 Service unavailable
However, I added "allow_percent_hack = no" to main.cf
and that seemed to allow postfix to not attempt to
process it itself and let my application do the
work.
However, if I now send mail now to my server (from
another server) destined to
user%[email protected], I (and my
log) gets:
Hardly ever had a need for this, but if I remember correctly you will need to set:
allow_untrusted_routing = yes
in main.cf
(No need for allow_percent_hack (I think))
or you could create a hash table before reject_unauth_destination to return OK based on your needed patterns.
I think the first method will work though.
Side question: I placed `reject_non_fqdn_sender'
after reject_unauth_destination destination because I
didn't want to bother checking the sender unless I
confirmed the recipient was at my server. Does that
comment that it doesn't work after
check_relay_domains, mean that it also doesn't get
processed after
check_relay_domains is deprecated
You can place reject_non_fqdn_sender anywhere you like or even omit it, but I don't see why you would have to. -
Role- group in weblogic-ejb-jar.xml?
How do I map a security role, defined in ejb-jar.xml, to a group (e.g., not just a single Principal)?
For example, I'd like to have the following in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>EJBAdministrator</role-name>
<principal-name>admins</principal-name>
</security-role-assignment>
where 'admins' is a user group in my directory.
I'm using the Active Directory authenticator on WLS7, and when I set 'principal-name' to a user-type entry, it works fine. But I really don't want to hardcode all the authorized usernames into the weblogic-ejb-jar.xml. Is there a way around it?
Just use the name of the group instead of the user. Remember a group is
a principal too. so in your example:
<security-role-assignment>
<role-name>EJBAdministrator</role-name>
<principal-name>admin group</principal-name>
</security-role-assignment>
Hope that helps...
Kitten wrote:
How do I map a security role, defined in ejb-jar.xml, to a group (e.g., not just a single Principal)?
For example, I'd like to have the following in weblogic-ejb-jar.xml:
<security-role-assignment>
<role-name>EJBAdministrator</role-name>
<principal-name>admins</principal-name>
</security-role-assignment>
where 'admins' is a user group in my directory.
I'm using the Active Directory authenticator on WLS7, and when I set 'principal-name' to a user-type entry, it works fine. But I really don't want to hardcode all the authorized usernames into the weblogic-ejb-jar.xml. Is there a way around it? -
Creating users for admin console access
When I install the web server onto my system part of the installation is to create an admin user and password. I'd like to create another user to log into the web server admin console with the same or limited permissions. I don't want to have to hand out the 'admin' password to multiple people, I'd prefer to create new accounts for each person that needs to administer some part of the webserver and set permissions for each. Can't seem to find out how this is done in the admin guide.
"Andy" <[email protected]> wrote in message
news:[email protected]..
Hello,
I am using a custom authentication and authorization providers that
work just fine with my applications, but i have problems using Admin
Console with them (WL Server 7.0). The server is successfully started
with a user that has been given rights to '<svr>.myserver.boot' etc.
Logging into Console is successful as well and most Console pages can
be viewed as usual. But when i'm trying to save any changes, or if i
try to just view certain Console pages, i get
'weblogic.management.NoAccessRuntimeException'. For example:
MBean operations need a user with Admin role.