Windows Native Authentication

Hi guys,
I was able to set up WNA; in fact,
no errors appear in the OC4J~OC4J_SECURITY~default_island~1 log file when the OC4J_SECURITY instance starts up,
but if I try to connect to
http://sso.<domain>/pls/orasso using a client in the
Windows domain, the SSO login page appears
and the following messages show up in ssoServer.log:
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Calling Authentication method
[INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.authenticate method ...
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Remote user name: {{UNAUTH_USER}}
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Windows Native Authentication was not possible.
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Falling back to SSO authentication
[INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOServerAuth:authenticate method
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 user name NULL
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Password Null
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Subscriber Null
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Voice header: null
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 x-oracle-mobile-authtype: null
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 auth mode is user/pass
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Perhaps this is a Basic Auth u/pwd
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 No username supplied. Sending IPASInsufficientCredException
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Requesting Login Page to collect credentials
[INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.getUserCredentialPage method ...
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Sending login page to the user with an error message: null
[INFO] AJPRequestHandler-ApplicationServerThread-6 Exiting from SSOKerbeAuth.getUserCredentialPage method
Any ideas about this issue?
Regards
Luigi

Luigi,
did you follow up
http://www.oracle.com/technology/obe/obe_as_10g/im/wna/wna.htm
regards,
--olaf
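
An added example, not part of the original thread or of Oracle's code: a small parser that pairs each `SSOKerbeAuth.authenticate` entry in ssoServer.log with its outcome per worker thread, so fallbacks to the login page can be counted. The sample reuses lines posted above plus one constructed attempt on a second thread (`jdoe@EXAMPLE.TEST` is made up, and how a successful attempt is logged is an assumption).

```python
import re
from collections import Counter

# Value the posted log shows as the remote user right before the fallback.
NO_IDENTITY = "{{UNAUTH_USER}}"
# Constructed sample: lines from the post, interleaved with one constructed
# attempt on a second thread (that user name is made up).
SAMPLE_LOG = """\
[INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.authenticate method ...
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Remote user name: {{UNAUTH_USER}}
[INFO] AJPRequestHandler-ApplicationServerThread-7 Entered SSOKerbeAuth.authenticate method ...
[DEBUG] AJPRequestHandler-ApplicationServerThread-7 Remote user name: jdoe@EXAMPLE.TEST
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Windows Native Authentication was not possible.
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Falling back to SSO authentication
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 No username supplied. Sending IPASInsufficientCredException
[INFO] AJPRequestHandler-ApplicationServerThread-6 Entered SSOKerbeAuth.authenticate method ...
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Remote user name: {{UNAUTH_USER}}
[DEBUG] AJPRequestHandler-ApplicationServerThread-6 Windows Native Authentication was not possible.
"""

LINE_RE = re.compile(r"^\[(?P<level>[A-Z]+)\]\s+(?P<thread>\S+)\s+(?P<msg>.*)$")
START = "Entered SSOKerbeAuth.authenticate method"
REMOTE = "Remote user name:"
FAILED = "Windows Native Authentication was not possible"


def parse_attempts(text):
    """Return one record per WNA attempt, tracked per worker thread."""
    open_attempts, attempts = {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if msg.startswith(START):
            # A new attempt replaces any unfinished one on the same thread.
            cur = {"thread": thread, "remote_user": None, "fell_back": False}
            open_attempts[thread] = cur
            attempts.append(cur)
        elif thread in open_attempts:
            cur = open_attempts[thread]
            if msg.startswith(REMOTE):
                cur["remote_user"] = msg[len(REMOTE):].strip()
            elif msg.startswith(FAILED):
                cur["fell_back"] = True
                del open_attempts[thread]
    return attempts


def summarize(attempts):
    """Count fallbacks, and how many arrived without a remote user."""
    fallbacks = [a for a in attempts if a["fell_back"]]
    by_user = Counter(a["remote_user"] for a in fallbacks)
    return {
        "attempts": len(attempts),
        "fallbacks": len(fallbacks),
        "fallbacks_without_identity": by_user.get(NO_IDENTITY, 0),
        "by_remote_user": dict(by_user),
    }


if __name__ == "__main__":
    print(summarize(parse_attempts(SAMPLE_LOG)))
```

Tracking attempts by thread name matters because lines from concurrent requests interleave in the file, as the constructed thread-7 lines show.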

Similar Messages

  • Windows Native Authentication with 2 (multiple) AD domains

    I have managed to get Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Windows working. The following has been done and works in a test environment:
    Phase 1) Active Directory (AD) to Oracle Internet Directory (OID) Synchronization
    Phase 2) Configure a Kerberos Service Account for the Single Sign-on
    Currently all the above setup points to a single windows active directory server, i.e. active1.uk.oacle.com. This is acceptable for a test environment, but before the changes can be deployed to production I need to incorporate some disaster recovery.
    The active directory is replicated across multiple servers – i.e. active1.uk.oacle.com, active2.uk.oacle.com. In the event that the primary active directory server is unavailable Oracle users should still be able to access applications. I need to incorporate active2.uk.oacle.com into the above setup.
    Questions:
    1) Can I get away with not incorporating active2.uk.oacle.com into phase 1? If the users have been pulled into OID then we are not particularly concerned with pulling in new users in a disaster situation.
    2) Can I configure the Oracle side of the Kerberos setup to use multiple realms with an order of precedence – i.e. try active1.uk.oacle.com, then try active2.uk.oacle.com? I would generate a keytab file from each server.
    Ideally I would like to just modify the Kerberos setup to check active1.uk.oacle.com then active2.uk.oacle.com. Is this a workable approach? If yes how do I proceed? I believe the krb5.ini and opmn.xml need to be amended.
    Thanks

    Does anyone have any ideas on how to do this????

  • Windows Native Authentication from Windows 7

    Has anyone successfully tested SSO with Windows Native Authentication from a Windows 7 client?
    I have a working setup with SSO on OID 10.1.4.3, but with a Windows 7 client I get the fallback login prompt instead of automatic login.
    I have got a workaround from support but it still does not work:
    - on the client Windows 7 PC, go to the PC security policies (Policies -> Network Security -> Configure encryption types allowed for Kerberos) and select all of them EXCEPT the “Allow future types” option;
    - change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SuppressExtendedProtection = REG_DWORD with a value of 3 (please take a backup of the registry settings before any change).
    Thanks // Kerstin

    Applying patch 6915917 solves the problem.

  • Windows Native Authentication with 2 AD domains

    I have installed 10g infrastructure on a win2k server. I completed the steps in note 282074.1 and WNA is working for the first domain (norris.intra). I now want to have this work for a second domain (shoremont.intra). These 2 AD domains are in separate forests (no global catalog server). I have sync'd the second domain with OID and configured external authentication. According to note 190312.1 you can merge Kerberos keytabs. I have set up the following krb5.ini files on the domain controller in each domain:
    File: krb5.ini on AD server monroe2k.norris.intra
    [libdefaults]
    default_realm = NORRIS.INTRA
    clockskew = 300
    [realms]
    NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
    SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
    [domain_realm]
    .norris.intra = NORRIS.INTRA
    norris.intra = NORRIS.INTRA
    .shoremont.intra = SHOREMONT.INTRA
    shoremont.intra = SHOREMONT.INTRA
    File: krb5.ini on AD server swtp_fileserver.shoremont.intra
    [libdefaults]
    default_realm = SHOREMONT.INTRA
    clockskew = 300
    [realms]
    SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
    NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
    [domain_realm]
    .shoremont.intra = SHOREMONT.INTRA
    shoremont.intra = SHOREMONT.INTRA
    .norris.intra = NORRIS.INTRA
    norris.intra = NORRIS.INTRA
    Are the above entries correct? Once I generate and merge the keytab files I will copy the merged file to the OSS server. Following note 282074.1 what other changes need to be made to the various .xml files to implement this configuration? Thanks.

    Does anyone have any ideas on how to do this????
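
An added example, not from the original posts or from Oracle's notes: a consistency lint for the krb5.ini posted above, checking that `default_realm`, every realm's `kdc` entry and every `[domain_realm]` target agree with each other. The parser accepts the one-line `{kdc = ...}` form as posted as well as a multi-line body; the misspelled realm in `BROKEN` is constructed.

```python
# krb5.ini from the post (AD server monroe2k.norris.intra), copied as posted.
POSTED = """\
[libdefaults]
default_realm = NORRIS.INTRA
clockskew = 300
[realms]
NORRIS.INTRA= {kdc = monroe2k.norris.intra:88}
SHOREMONT.INTRA= {kdc = swtp_fileserver.shoremont.intra:88}
[domain_realm]
.norris.intra = NORRIS.INTRA
norris.intra = NORRIS.INTRA
.shoremont.intra = SHOREMONT.INTRA
shoremont.intra = SHOREMONT.INTRA
"""
# Constructed variant: realm name misspelled in [realms] during a hand merge.
BROKEN = POSTED.replace("SHOREMONT.INTRA= {", "SHORMONT.INTRA= {")


def parse_krb5(text):
    """Return {section: {key: value}}; a realm body becomes {key: [values]}."""
    conf, section, realm = {}, None, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, realm = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            realm = None  # end of a multi-line realm body
        elif line and section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if value.startswith("{"):
                body = section.setdefault(key, {})
                inner = value[1:].strip()
                closed = inner.endswith("}")
                inner = inner.rstrip("}").strip()
                if inner:
                    k, _, v = (p.strip() for p in inner.partition("="))
                    body.setdefault(k, []).append(v)
                realm = None if closed else body
            elif realm is not None:
                realm.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf


def lint(conf):
    """Return a list of cross-reference problems between the sections."""
    findings = []
    realms = conf.get("realms", {})
    domains = conf.get("domain_realm", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        findings.append(f"default_realm {default!r} has no [realms] entry")
    for name, body in realms.items():
        if not (isinstance(body, dict) and body.get("kdc")):
            findings.append(f"realm {name} lists no kdc")
        if name not in domains.values():
            findings.append(f"realm {name} has no [domain_realm] mapping")
    for domain, target in domains.items():
        if target not in realms:
            findings.append(f"{domain} maps to undefined realm {target}")
    return findings
```

`lint(parse_krb5(POSTED))` returns no findings, which shows only that the file is internally consistent, not that the KDCs are reachable or that the merged keytab matches.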

  • How to get the SSO user from PL/SQL with Windows native authen

    I connect to a 10g database using SSO through Windows Native Authentication where the OID user maps to a single database user.
    I need to get the SSO user from PL/SQL.
    My front end is Portal & Forms.

    Hmm, I see.
    Well your problem boils down to being in the database and needing to have access to web environment variables. The SSO sets specific variables in the environment but your stored procedure is not privy to them.
    Now having said that, note that the mod_plsql Web Toolkit has a utility for accessing cgi variables. For instance,
    owa_util.get_cgi_env('Osso-User-Dn')
    If your web application cannot capture the SSO info and pass it to the stored proc in a parameter, OWA may be the only way.
    Check out the Single Sign-On Developers Guide, specifically the part about developing statically protected PLSQL applications.
    Hope this helps.
    regards,
    tt

  • SSO and Windows Native Mode Benefits?

    Hi All
    We currently run EP7 SP8 and I need to find out what the benefits are if we move to Win2000 or Win2003 Native mode. Also if we can use SSO with Win2000 or Win 2003.
    Does anyone have any information which would help me weigh up the pros and cons of implementing this.
    Many Thanks for your help
    Phil

    Thank you for your reply,
    Metalink note 277382.1 is a good document on how to configure the OID External Authentication Plugin for authentication via Microsoft Active.
    Configuring OID to import users and the External Authentication Plugin are prerequisite steps for SSO WNA, but WNA needs other steps not described in this Metalink note.
    N.B: WNA "Windows Native Authentication" is a feature of Oracle SSO which enables Microsoft Internet Explorer users to automatically authenticate to their web applications using their desktop credentials.
    Thanks

  • Can't see Native Authentication Provide while configuring Load Balance Manag

    I am configuring Load Balance Manager in FDM 11.1.1.3. I followed the steps as per Oracle, and am setting my local Windows 2003 default Administrator account as the username for everything. Everything worked fine up to the point where I specify the authentication provider. I wanted to use Native Authentication, but when I try to "add" an authentication provider, the only options I have are to add Shared Services, Visual Basic Script Authentication and Visual Basic SSO. Can't figure out why Native authentication is not there.
    To be completely honest, I don't care what mode it uses as long as it works. What are the implications of using Native vs Shared Services? Say I choose Shared Services, do I have to do anything in Shared Services as part of the configuration?
    I am running Hyperion Planning, Essbase.

    When you say "native authentication" are you referring to the shared services native directory or are you expecting to see NTLM, MSAD, or LDAP as available authentication providers?
    All authentication is now handled via shared services in 11.1.1.3. You will need to specify the provider as shared services and then add your MSAD or LDAP providers within shared services and provision the users for the FDM application(s).
    NTLM is no longer supported and has been removed from the FDM list of providers as well as an available external provider option in shared services.

  • Windows domain authentication on Oracle Secure Global Desktop

    Hello,
    I made an upgrade of my oracle secure global desktop 4.62 version to 5.1 version.
    The problem is, I was using Windows Domain Authentication in 4.62 and this kind of authentication is not available in the 5.1 version.
    So now, my users cannot log in the application.
    Do you have a solution ?
    Thanks

    What are you authenticating to specifically?  An AD server?  Are you using any of the supported authentication mechanisms now supported?
    http://docs.oracle.com/cd/E41492_01/E41495/html/sgd-authentication.html#system-authentication-mechanisms-table

  • Windows Integrated Authentication on an ABAP data source

    Dear Experts,
    I have to implement Windows Integrated Authentication in my portal. By using Kerberos & SPNEGO, we can implement very easily if portal user id & windows (ADS) user id is same. But my scenario is windows id & portal id is different & data source is already configured as ABAP. Can you suggest me how we can achieve this requirement.
    Regards,
    VENU

    Hi,
    Isn't the property krb5principalname used to define the mapping of the user ID when you cannot use the AD standard samaccountname?
    I think that the mapped user ID (as provided by krb5principalname) must be identical to the ABAP user ID. When the ABAP user ID isn't present in the LDAP information, SSO won't be possible. Somehow he needs to publish the ABAP user ID into the AD.
    SAP Help:
    http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c363ac31e30f3e10000000a11466f/frameset.htm
    http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
    br,
    Tobais

  • Adobe AIR HTML/JS application and Windows Native Installer

    Hi,
    I am building an Adobe AIR application with HTML and JavaScript and I would like to know how to make a Windows Native Installer.
    I am trying to build it with Flash Pro but it keeps returning the error 'Invalid SWF file'. In the application.xml file the <content> points to my index.html file. I don't use any SWF file. When I change this to point to the SWF it does build the installer but the application loads the SWF.
    Is there any way to build a Windows Native Installer and the initial content be an HTML file?
    p.s. I tried to extract the files from the installer file and edit the application.xml there to point to the index.html. But I can't repackage the files to a valid air native installer.
    Thank you.

    Hi,
    Thank you for reporting this. The internal bug number for the issue is #2740755. The issue is currently under review and will be investigated by one of AIR team members.
    Regards,
    Catalin

  • Pasting HTML to the clipboard to be used by Windows native apps

    I'm having problems creating a DataFlavor that will allow me to write a
    string to the clipboard in html format so that a windows native app (e.g.
    MS Word) can recognise this format and allow me the option of
    pasting as html rather than just plain text.
    I've found that if I alter my code to first get the contents off the
    clipboard (some html I copy from an Internet Explorer-viewed web page), I
    can extract the html DataFlavor from the Transferable object that IE has
    placed on the clipboard. If I then use this "stolen" DataFlavor to write my
    contents to the clipboard, I find that I can successfully paste as HTML in a
    windows native app.
    However, since I can't rely on grabbing some html from IE just to get a
    suitable DataFlavor each time I need to use my copy function, I have been
    attempting to construct my own DataFlavor to match the characteristics of
    the IE example flavour.
    The problem is that, having set the representation class, MIMEType and human
    presentable name to match the IE flavor, when I call DataFlavor.equals() to
    compare the two flavours it returns false, and my constructed flavour
    subsequently fails to show up as a paste option in any native apps. Having
    compared every possible property of both flavours, I've concluded that the
    only difference between the two is that the IE flavour has the charset
    parameter set as utf-8, whereas my constructed flavour has no charset
    parameter specified. I have found no way to manually set the charset. So
    calling getMimeType() on each flavour gives:
    IEDataFlavor.getMimeType() = text/html; class=java.io.InputStream; charset=utf-8
    MyOwnDataFlavor.getMimeType() = text/html; class=java.io.InputStream
    Using the Windows Clipboard viewer I have observed that my constructed
    DataFlavor does exist on the clipboard, however whereas the IE flavour's
    visible name is "HTML Format", mine is "JAVA_DATAFLAVOR: text/html;
    class=java.io.InputStream"
    and I think this is the reason that native windows apps are failing to
    recognise my DataFlavor as a valid option for display.
    I'm using jdk 1.3.1
    If anyone has ever encountered this problem or can think of a solution I'd
    be extremely grateful for your help.
    Thanks,
    Steve White

    I have a similar problem:
    IE actually puts the "HTML Format" (CF_HTML) flavor into the clipboard, with some additional info, such as SourceURL as the description.
    see
    http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/clipboard/htmlclipboard.asp
    How will this information be available to Java clipboard?
    Main question, for HTML data pasted by IE into the clipboard, how to get the source url.
    I know some Windows native apps could get that info nicely.
    Thanks!

  • Prerequisites for Using Windows NTLM Authentication

    Hi,
    One of the prerequisites for using Windows NTLM Authentication, mentioned on help.sap.com documentation, is:
    - The user’s Web browser must be a Microsoft Internet Explorer
    This means that users not using Internet Explorer can’t authenticate using other web browser (Firefox and Netscape).
    In PAM, SAP says that web browsers based on Mozilla 1.7.x are also supported, and from this version on, Firefox and Netscape both support NTLM.
    NTLM Authentication in portal, still be supported with IE web browser?
    Thanks and Regards,
    Paul

    Hi Paul,
    I suspect that although it may not be officially supported, it will work. The main thing is that a frontend web server performs the NTLM authentication and passes the header variable back to the J2EE engine. By the time the header gets back to the J2EE engine, I don't think the portal has any idea how the header REMOTE_USER was generated, just that it was.
    Not positive though, as I haven't tested the scenario you describe below... just thought I'd throw in my two cents.
    Marty

  • Over-ride Windows NT Authentication

    Hi All,
    I want to know something about Windows NT Authentication.
    What is the URL when the user is directly logged in to the Portal. Can I parameterize the URL. Is it possible to override the Windows NT Authentication by giving the user parameter in URL. If yes, then what should be the user parameter.
    Regards
    Nikhil Bansal

    Hi,
    Check the below link it will be useful....
    http://help.sap.com/saphelp_nw04/helpdata/en/a3/e5a0404dd52b54e10000000a1550b0/frameset.htm
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ee62e690-0201-0010-a480-870c17642aac
    http://help.sap.com/saphelp_nw04s/helpdata/en/8f/ae29411ab3db2be10000000a1550b0/frameset.htm

  • Establish Windows NT authentication

    Hi,
    I would be interested in establishing a Windows NT authentication method for my Hyperion EPM system. I have been checking the EPM Security Guide and I haven't found any reference to this method. Do you know if it is possible to configure this kind of authentication?

    Is your web/app Java? Such as Tomcat? There is no NT option in Tomcat or other Java app servers. You must set up AD authentication and Kerberos to use AD on a Java app.
    Migrating an existing installation from NT to AD is much simpler than it would seem. There are SAP notes on the subject or you can open a case with the authentication team. Basically rename your groups and remap them into AD (using the original name). Then configure Kerberos to log in.
    Regards,
    Tim

  • Login error with Windows AD authentication in IDT (Information Design Tool)

    Hi,
    In IDT (Information Design Tool) I was not able to publish objects (OLAP connections, Business View layer etc.) to the corresponding repository using Windows AD authentication, but with Enterprise I was able to do so.
    With the same AD authentication I was able to open the universe design tool and BI launch pad.
    Please advise how to correct this.
    Error----
    Error:
    Failed to log on host com.crystaldecisions.sdk.exception.SDKException$SecurityError: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
    cause:java.lang.SecurityException: Unable to locate a login configuration
    detail:Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006) Unable to locate a login configuration
    Cause of Error:
    Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
    Error----
    Thanks in advance
    Regards
    Krishna

    Had the same problem and found note '1588487 - Active Directory authentication failed with InfoDesignTool'
    Problem solved for me.
