Windows NTLM Authentication on SAP 4.6c (Platform AIX)

I am trying to use NCo 2.0 for C# .Net application with Web Service and C# Web UI.
My Users are in AD domain and need to authenticate on IIS via AD (Integrated NTLM)
I need to implement single sign on for SAP integrated application.
As per NCo documentation: I need to set-up trust relationship between IIS and SAP, use this trusted user (DOMAIN\IUSR_SAPPOOL) and send active directory  id as external id in connection string. All transaction should run with external user id context.
Can someone help me with following question.
1. Does NTLM trust relationship / authentication work on SAP running on AIX, or do I have to set up Kerberos authentication?
2. What SNC library is needed for SAP (AIX instance)?
3. How can I configure NTLM authentication on SAP (AIX instance)? The NCo 2.0 documents only explain SAP (MS instance) configuration.
What option do I have to get Single Sign On working?
Any help is highly appreciated.
Regards and Thank you in advance.

> Hi Reiner,
> Thank you very much for response, this is helpful
> information.
If you consider an answer as helpful, please mark it with the button on the left side :-).
> My options are pretty much limited,
> I can't use NTLM since, AIX will not accept trust
> -- NTLM Auth will not work with AIX
> -- Kerberos auth have to have third party tool like
> CyberSafe for SNC trust relationship.
As I wrote, you can use any SNC provider. Especially Secude would be interesting, as it is available on all platforms.
> I planning to try using SSO as mentioned in "Enabling
> Single Sign-On for ASP.NET Applications in Enterprise
> Portal 6"
> Is this approach works with EP 5.0?
This is a completely different approach: In the stuff I was writing to you before I was assuming that IIS would do the authentication. The other approach is that SAP Portal does it. This also works - EP 5.0 should be fine - but it works completely differently. E.g. you don't need a trusted connection for SSO with MYSAPSSO2 ticket.
> If any one has "sapsecu.dll" please send me at
> [email protected] with same size as stated in
> this document.
This DLL is not allowed to be exported into some countries because it contains strong cryptography. You usually get it via your local SAP subsidiary.
> My SSO ticket did not get created after following
> steps in document, I am suspecting either sapsecu.dll
> or veryfy.pse is wrong?
Did you find a MYSAPSSO2 cookie in the request?

Similar Messages

  • Prerequisites for Using Windows NTLM Authentication

    Hi,
    One of the prerequisites for using Windows NTLM Authentication, mentioned on help.sap.com documentation, is:
    - The user’s Web browser must be a Microsoft Internet Explorer
    This means that users not using Internet Explorer can’t authenticate using other web browser (Firefox and Netscape).
    In PAM, SAP says that a web browser based on Mozilla 1.7.x is also supported, and from this version on, Firefox and Netscape both support NTLM.
    NTLM Authentication in portal, still be supported with IE web browser?
    Thanks and Regards,
    Paul

    Hi Paul,
    I suspect that although it may not be officially supported, it will work.  The main thing is that a frontend web server performs the NTLM authentication and passes the header variable back to the J2EE engine.  By the time the header gets back to the J2EE engine, I don't think the portal has any idea how the header REMOTE_USER was generated, just that it was.
    Not positive though, as I haven't tested the scenario you describe below... just thought I'd throw in my two cents.
    Marty

  • How to do HTTP getRequest() with windows NTLM authentication from OBPM..??

    Hello All,
    Please share your expert ideas how me can do HTTP getRequest() with windows NTLM authentication from OBPM..??
    I am not sure even whether its possible or not, if not what could be the alternative way to do integration with MS SharePoint ??
    Version : Oracle BPM v 10.3.1
    Cheers
    Parveen Jaswal

    You are only as secure as web browsing to the LogMeIn website is (which appears to use HTTPS). If your login on that site is compromised, they will have a list of your computers that they can attempt to connect to. As long as you don't save the login credentials, they would then also need to know what username and password to use to connect to the computer. Granted, a little social engineering, and they could probably get some good ideas what to try for those, but if you chose to make your computers secure with complex and hard to guess passwords then it should be fine.
    I've been using LogMeIn from my Mac to my mom's Windows XP system from July 2009, and to my wife's Thinkpad running Win 7 since Oct 2009. None of the computers involved have had any security issues at all, let alone any caused by LogMeIn. For my wife's PC, it sits behind our NAT Firewall in our LinkSys Router (although I did have it behind a CheckPoint VPN Edge router for a while). My Mom's PC sits behind a Netgear Router providing its NAT Firewall. When my Mac isn't at home, it's generally behind that CheckPoint VPN router at my office now. It all works nicely from behind one router to behind another. The Piece that you install on the PC will log it into the LogMeIN website and that is how it gets through the router to the PC. You login to the website, select the PC to control, then login to that PC.

  • Windows Integrated Authentication to SAP R/3

    Hi,
    I don't know whether this issue has to be posted here or in WAS or GUI.
    Is there any way to do the Integrated Windows Authentication to SAP R/3? Once the user logs in to the network domain and then to SAP GUI, the user should not be prompted for a user ID and should be taken directly to the Role Menu.
    I know for Portal it is possible, but i am not sure for R/3. Please let me know if there is any documentation for the same.
    Thanks & Regards
    Sumanth

    Sumath,
    there are various variants to do so:
    If your R/3 is running on Windows (and in the same / trusted domain), you can use SNC with either NTLM or Kerberos authentication
    Otherwise you can log on with SAP Logon Tickets. You mentioned already that you know NTLM/Kerberos is feasible with EP. Now, if you simply integrate your R/3 systems in EP by means of SAP logon tickets you have essentially a smooth SSO for your users.
    Finally, you can use ITS up to 6.20 on Windows to SSO to R/3 (the latter not necessarily on Windows, too). Simply set up webgui, activate SAP logon tickets and configure the PAS service to use Windows authentication.
    Whatever you decide on, all alternatives are a piece of cake to set up.
    Regards,
    Dominik

  • Windows AD Authentication for Business Objects BI Platform

    Currently we are running our installation of Business Objects BI Platform on a Windows 2008 r2 server with Tomcat. We understand that it is recommended that in order to authenticate with Windows AD you need to use Kerberos authentication, and this is true for SiteMinder authentication from this application as well. If this is wrong please let me know.
    Because of the security restrictions on our environment we can not run the needed scripts on the AD server in order to use Kerberos. But also because of the security restriction we have to use SiteMinder against AD.
    Is there any suggestion of what we can do to get this authentication to work? Thanks ahead of time!

    Kerberos is a very secure protocol, compared to others.
    Creating SPNs and enabling the delegation option is required for kerberos to work.
    These steps are suggested by Microsoft for kerberos to work and are not controlled by SAP BO.
    Kerberos also allows you to perform SSO to the DB to view reports on demand.
    However if you wish to use Siteminder, you can pull Active directory users using the AD plug-in and then use Siteminder with Trusted Authentication to pass the username authenticated by Siteminder to BO and BO can use the user name passed to create a session.
    Note: As the user is already authenticated by Siteminder, BO would not perform the authentication again.
    Please go through the SAP Notes below, which help with setting up Trusted Authentication SSO.
    1422248    Setting up Trusted Authentication in XI 3.x for Infoview and Opendocument using QUERY_STRING
    1603002 - Setting up Trusted Authentication in BI4 for BIlaunchPad and Opendocument using HTTP_HEADER
    Cheers,
    Vikram.V

  • Issue using Flash IDE with Mac OS and Windows Web Service using NTLM authentication?

    I have an existing application that I developed on a Windows machine using CS5.  It uses a local intranet web service written in .NET using NTLM authentication.  The web service does multiple things such as read data from an SQL database, provide the user's username, and test for write/read access to a local company fileshare.  When my company upgraded, I went to a Mac with Flash CC which is great.  However, Macs don't handle HTTP Authorization Challenge Blocks like Windows machines.  In Safari, Chrome, etc. it will pop up a little username and password box and proceed on without issue.  The issue is in Flash development.  When running the exact same application in Flash testing, all script access fails with HTTP Status 401 errors.  I have searched the AS3 documentation, but the only thing built in to handle HTTP challenge requests is in AIR, not Flash.  The server admins and I have tried all methods of cross domain policy files and access changes with no luck at all.  Does anyone have a solution to this issue?

    Did you check Apple Support Boot Camp article?
    iMac displays a black screen during installation of Windows 7
    http://www.apple.com/support/bootcamp/
    Installation Guide
    Instructions for all features and settings.
    Boot Camp FAQ: Get answers to commonly asked Boot Camp questions.
    Windows 7 FAQ: Answers to commonly asked Windows 7 questions.

  • Installation issue: Authentication: AWS for Windows NTLM returns error

    We are rebuilding our STG with Plumtree 5.0.4. After I installed Optional Enterprise Web Components, the Authentication: AWS for Windows NTLM returns error. I am wondering if anyone has the similar experience and could help to fix the issue. I have located error with the virtual directory but unable to fix it.
    Symptoms:
    When try to access
    http://servername/ntaws/RemoteSynchService.asp, got 404 page/folder not found error.
    Log Error:
    The message returned from the IIS creation of virtual directory ntaws on the Default Web Site
    web site for D:\Program Files\plumtree\ptntaws\5.0\webapp\ntaws\www is:
    <message>
    Error
    Error
    </message>
    Solution Tried:
    1. Manually create the virtual directory - didn't work
    2. Reinstalled the Optional web service AWS portal, and re-migrated the ntaws.pte - didn't work.
    I appreciate your help.
    Hao Pan
    [email protected]

    from bi_server.out:
    default etypes for default_tkt_enctypes: 17 23 3 1 23.
    Pre-Authenticaton: find key for etype = 3
    AS-REQ: Add PA_ENC_TIMESTAMP now
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbKdcReq send: xxxx  timeout=30000, number of retries =3, #bytes=270
    >>> KDCCommunication: kdc=xxxx #bytes=270
    >>>DEBUG: TCPClient reading 106 bytes
    >>> KrbKdcReq send: #bytes read=106
    >>> KrbKdcReq send: #bytes read=106
    >>> KdcAccessibility: remove xxxxx
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
             sTime is Wed Apr 15 13:32:41 EDT 2015 1429119161000
             suSec is 553936
             error code is 14
             error Message is KDC has no support for encryption type
             realm is xxxx
             sname is krbtgt/xxxxx
             msgType is 30
                    [Krb5LoginModule] authentication failed
    KDC has no support for encryption type (14)
    Any insight???
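As a troubleshooting aid for traces like the one above, the following added example (not part of the original post or of any product) parses the Java Kerberos debug output and reports which encryption type was used for pre-authentication and whether the KDC rejected it. The function names and the `des_rejected` verdict are this example's own; the sample is an excerpt of the trace quoted above, and the etype numbers are the standard Kerberos assignments.

```python
import re

# Standard Kerberos encryption type numbers that appear in such traces.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
SINGLE_DES = {1, 3}            # single-DES etypes
KDC_ERR_ETYPE_NOSUPP = 14      # "KDC has no support for encryption type"

# Excerpt of the trace quoted above (KDC and realm are already masked there).
SAMPLE_TRACE = """\
default etypes for default_tkt_enctypes: 17 23 3 1 23.
Pre-Authenticaton: find key for etype = 3
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         error code is 14
         error Message is KDC has no support for encryption type
         msgType is 30
"""


def etype_name(number):
    """Readable name for an etype number, falling back to the number itself."""
    return ETYPE_NAMES.get(number, "etype-%d" % number)


def parse_trace(text):
    """Extract the offered etypes, the pre-auth key etype and the KRB-ERROR code."""
    info = {"default_etypes": [], "preauth_etype": None, "error_code": None}

    m = re.search(r"default etypes for default_tkt_enctypes:\s*([\d ]+)", text)
    if m:
        info["default_etypes"] = [int(n) for n in m.group(1).split()]

    # The trace above spells this "Pre-Authenticaton"; accept either spelling.
    m = re.search(r"Pre-Authenticati?on: find key for etype = (\d+)", text)
    if m:
        info["preauth_etype"] = int(m.group(1))

    m = re.search(r"error code is (\d+)", text)
    if m:
        info["error_code"] = int(m.group(1))
    return info


def diagnose(text):
    """Return the parsed fields plus human-readable findings and a verdict."""
    info = parse_trace(text)
    offered = info["default_etypes"]
    pre = info["preauth_etype"]
    findings = []

    weak = sorted(set(offered) & SINGLE_DES)
    if weak:
        findings.append("client configuration still lists single DES: "
                        + ", ".join(etype_name(e) for e in weak))

    if pre is not None and offered and pre != offered[0]:
        findings.append("pre-auth key is %s, not the first preference %s"
                        % (etype_name(pre), etype_name(offered[0])))

    if info["error_code"] == KDC_ERR_ETYPE_NOSUPP:
        findings.append("KDC answered KDC_ERR_ETYPE_NOSUPP (14)")

    info["findings"] = findings
    # Heuristic: a single-DES pre-auth key followed by error 14 points at
    # the KDC refusing DES for this principal.
    info["des_rejected"] = (pre in SINGLE_DES
                            and info["error_code"] == KDC_ERR_ETYPE_NOSUPP)
    return info


if __name__ == "__main__":
    report = diagnose(SAMPLE_TRACE)
    for line in report["findings"]:
        print("-", line)
    print("single DES rejected by KDC:", report["des_rejected"])
```
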

  • Single Sign On Authentication on SAP EP 6.0 SP15+ base on Novell

    Hi all,
    I saw that starting from NW SP15, the kerberos authentication for SSO on the Enterprise Portal is suggested instead of NTLM authentication with IISproxy using Windows AD as user repository.
    Now I have to investigate the possibility to achieve Enterprise Portal authentication in SSO against a Novell infrastructure.
    On my network users authenticates themselves using UserID/password stored in Novell eDirectory repository. I wonder if SAP certifies the SSO kerberos authentication also on the Novell environment and what are the requirements in terms of needed software pieces on Novell side (ex NMAS) and network infrastructure (Windows, Netware, other).
    Briefly I'd like to know:
    - Is there the possibility to achieve SSO authentication for EP if using Novell eDirectory? Is it a SAP certified solution? Is it supported for production sites? Are there available papers on configuration activities to be done?
    - Is the kerberos authentication the right way to achieve this?
    I'd like to add another piece of complexity. In reality I have a complicated network where a group of users (belonging to a company division) authenticates on a Novell realm using eDirectory, and a second group of users (belonging to another company division) authenticates on a standard Windows AD. The new interesting question is:
    - Can the EP SSO be configured with kerberos authentication using multiple realms configured in a priority list? I'd like to have the possibility to configure a list of KDCs to be contacted in cascade one after the other to authenticate login requests. I had a look at the WAS J2EE krb5.conf file and it seems that nothing prevents configuring the J2EE engine with multiple kerberos realms. I just wonder if it is supported.
    If some SAP EP gurus could give an answer I would really appreciate VERY much.
    Thank you,
    Giampietro.

    Hi Giampietro
    We are about to have a look on the same issue: Providing Kerberos-based (SPNego) SSO to the SAP NW portal using eDirectory.
    Reading the online help it seems that SAP has only tested this on Active Directory and I cannot see it as a certified solution nor find any configuration documents on this.
    However in 3 or 4 weeks we will try to use the "standard configuration" (from the online help) against eDirectory and basically the directory (AD, eDirectory etc) just has to provide a keytab file, userstore and a service user - this must be possible for Novell eDirectory as well as for MS AD. Of course we expect some challenges, but it should be possible!
    If you gain any information or gain some experience trying - please inform us.
    I will update this when we get any new information.
    BR
    Tom Bo

  • Authenticator not being invoked - NTLM authentication against IIS 6.0 !!

    Hi Folks,
    I am trying to access Microsoft Reporting Service running on IIS 6.0 through a Web Proxy (a simple application running in an App Server) using the NTLM authentication. This is what i am doing
    Authenticator.setDefault(new ReportAuthenticator());
    HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
    As I understand, the authentication is to magically work with the IIS Server requesting my web proxy for the credentials on connect, which should invoke the Authenticator class.
    However this is not happening at the moment. The authenticator object never gets invoked and even then my web proxy is able to chat to IIS. The Sun app server hosting my web proxy is somehow passing my Windows credentials to IIS and since my account has sufficient privileges on IIS, I am able to get through the initial connection.
    When I debug the urlConnection object, I can see that the connection recognises that this is an NTLM authentication but is obviously not using the Authenticator credentials.
    Is the Authenticator object meant to be invoked automatically or do i need to set some header information in the urlConnection??
    Any help is greatly appreciated.
    P.S: I am using JDK 1.5, IIS 6.0, Sun App Server 9.0 (platform edition)
    best regards
    Dushy

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2

  • Web Dispatcher with Windows Intgrated Authentication

    Hello,
    We are setting up the relay of Browser ==> IISProxy ==> Web Dispatcher ==> Cluster.  We plan to use Windows Integrated Authentication and terminate the SSL connection at the IIS.  We are wondering how smoothly this will go as we have read differences in the order between IISProxy and WebDispatcher (in these forums) and have found nothing on the combination with SSL.  I assume that the IISProxy will encrypt, authenticate, provide the cookie and then forward the request to the Web Dispatcher for further routing to the cluster.
    Needless to say, has anyone done this successfully?  Can anyone provide information, warnings, caveats, etc... so that we can decide to use the Web Dispatcher or another software-based NLB solution.  We understand the technical benefits - especially in an SAP shop, but if there are richer features for authentication in latter releases we may consider putting it on hold and going with a known solution.
    We have seen some appliances that can perform the SSL termination, 3rd party authentication, etc, etc,... are there any plans for the Web Dispatcher to be able to perform the authentication with windows (NTLM or Kerberos)?
    All of the other features are great and a breeze to work with; however, authentication on the MS domain is a must here and it may be the missing functionality.
    Thanks and kind regards,
    Judson

    Hi Judson,
    currently there is no plan to enhance web dispatcher into that direction. Instead we started to work together with network technology providers to offer the functionality of web dispatcher together with additional security and authentication stuff.
    network is not our business, so there are no plans to boldly go into that direction. Because of that such combinations like authentication with wd are sometimes hard to do.
    If you want a tip for the future I'd say, what you will see is boxes that have everything in there and two plugs for the internet and the sap network -everything else (firewalls, authentication, load balancing with automatic recognition of the sap cluster) would be in the box.
    Regards,
    Benny

  • Windows Integrated Authentication on an ABAP data source

    Dear Experts,
    I have to implement Windows Integrated Authentication in my portal. By using Kerberos & SPNEGO, we can implement very easily if portal user id & windows (ADS) user id is same. But my scenario is windows id & portal id is different & data source is already configured as ABAP. Can you suggest me how we can achieve this requirement.
    Regards,
    VENU

    Hi,
    isn't the property krb5principalname used to define the mapping of the user ID when you cannot use the AD standard samaccountname?
    I think that the mapped user ID (as provided by krb5principalname) must be identically with the ABAP userID. When the ABAP user ID isn't present in the LDAP information, SSO won't be possible. Somehow he needs to publish the ABAP user ID into the AD.
    SAP Help:
    http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c363ac31e30f3e10000000a11466f/frameset.htm
    http://help.sap.com/SAPHELP_NW70EHP1/helpdata/EN/43/4c3725aeaf30b4e10000000a11466f/frameset.htm
    br,
    Tobais

  • Ntlm authenticated apps fails after 3.1.1 upgrade

    I upgraded my apex instance to 3.1.1 on Friday without any issues. I can log into application builder without any problems and the version 3.1.1.00.09.
    Everything in app builder works as expected. However, when I try to run my NTLM authenticated application, I get errors and the page fails to load.
    Furthermore, this only happens on my 11g database.
    The exact same app, using the same NTLM authentication works just fine on 10g.
    The Apache errors log states:
    mod_plsql: /pls/apex/f HTTP-404 ORA-03113: end-of-file on communication channel\n
    mod_plsql: Unable to reset state for mode 0: Err 3114 url=>/pls/apex/f
    I have PlsqlErrorStyle DebugStyle set, so the page returns a fair amount of data.
    Wed, 28 May 2008 14:07:17 GMT
    ORA-03113: end-of-file on communication channel
      DAD name: apex
      PROCEDURE  : f
      URL        : http://ecydblcyorwqt03.ecy.wa.lcl:80/pls/apex/f?p=127:51:339228564056494:::::
      PARAMETERS :
      ===========
      p:
       127:51:339228564056494:::::
      ENVIRONMENT:
      ============
        PLSQL_GATEWAY=WebDb
        GATEWAY_IVERSION=2
        SERVER_SOFTWARE=Oracle-Application-Server-10g/10.1.3.1.0 Oracle-HTTP-Server
        GATEWAY_INTERFACE=CGI/1.1
        SERVER_PORT=80
        SERVER_NAME=ecydblcyorwqt03.ecy.wa.lcl
        REQUEST_METHOD=GET
        QUERY_STRING=p=127:51:339228564056494:::::
        PATH_INFO=/f
        SCRIPT_NAME=/pls/apex
        REMOTE_HOST=
        REMOTE_ADDR=165.151.57.100
        SERVER_PROTOCOL=HTTP/1.1
        REQUEST_PROTOCOL=HTTP
        REMOTE_USER=ECY\taus461
        ORACLE_SSO_USER=
        OSSO_IDLE_TIMEOUT_EXCEEDED=
        OSSO_USER_GUID=
        HTTP_CONTENT_LENGTH=
        HTTP_CONTENT_TYPE=
        HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
        HTTP_HOST=ecydblcyorwqt03
        HTTP_ACCEPT=text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
        HTTP_ACCEPT_ENCODING=gzip,deflate
        HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
        HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
        HTTP_COOKIE=WEBWPLCS_USER=TAUS461; WEBWPLCS_LAST=04.29.2008 11:41:38; ORA_WWV_R1=%23ALL; ORA_WWV_R2=%23ALL; ORA_WWV_R3=%23ALL; ORA_WWV_REMEMBER_UN=ADMIN:webwplcs; ORACLE_PLATFORM_REMEMBER_UN=ADMIN:webwplcs; ORA_WWV_USER=3B1A5D9EA835D646; WWV_CUSTOM-F_1021906798187125_122=9F806B35C3D9AF51
        HTTP_IF_MODIFIED_SINCE=
        HTTP_REFERER=http://ecydblcyorwqt03/pls/apex/f?p=4000:4150:339228564056494::NO:::
        HTTP_SOAPACTION=
        HTTP_ORACLE_ECID=1211983633:165.151.5.125:6156:6252:488,0
        HTTP_ORACLE_CACHE_VERSION=
        HTTP_AUTHORIZATION=NTLM  xyz
        WEB_AUTHENT_PREFIX=
        DAD_NAME=apex
        DOC_ACCESS_PATH=docs
        DOCUMENT_TABLE=wwv_flow_file_objects$
        PATH_ALIAS=
        REQUEST_CHARSET=AL32UTF8
        REQUEST_IANA_CHARSET=UTF-8
        SCRIPT_PREFIX=/pls
        HTTP_IF_MATCH=
        HTTP_CACHE_CONTROL=
        SOAP_BODY=
        HTTP_X_ORACLE_ASSERT_USER=
    There are no invalid objects in the FLOWS schema and the page sentry function I use for NTLM is also valid.
    There isn't a database connection issue since both builder and SQL Plus works.
    Here is my NTLM Page Sentry which is a slightly modified version of the GreenIT version
    CREATE OR REPLACE FUNCTION modNtlmPageSentry(pApexUser IN VARCHAR2 DEFAULT 'APEX_PUBLIC_USER')
    RETURN BOOLEAN
    IS
      vAuthenticatedUsername  VARCHAR2(512);
      vCurrentSessionId       NUMBER;
      l_cnt binary_integer :=0;
    BEGIN
      -- Get Authenticated User.
      vAuthenticatedUsername := UPPER(owa_util.get_cgi_env('REMOTE_USER'));
      vAuthenticatedUsername := substr(vAuthenticatedUsername,instr(vAuthenticatedUsername,'\')+1);
      if to_char(v('APP_ID')) = '127' -- WebWPLCS
      then
           apex_util.set_session_state('P18_USERNAME',vAuthenticatedUsername);
      elsif to_char(v('APP_ID')) = '124' --TMS
      then
      -- check to see if they are a listed TMS manager or overall admin
          select sum(cnt) into l_cnt
          from (
               select count(0) cnt
               from tms_managers
               where username=vAuthenticatedUsername
               union
               select count(0) cnt
               from tms_admin
               where username=vAuthenticatedUsername
               union
               select count(0) cnt
               from web_admin
               where username=vAuthenticatedUsername
          );
          if l_cnt < 1
          then
         return FALSE;
          end if;
      end if;
      -- Check to ensure that we are running as the correct database user.
      IF USER ^= UPPER(pApexUser) THEN
        RETURN FALSE;
      END IF;
      IF vAuthenticatedUsername IS NULL THEN
        RETURN FALSE;
      END IF;
      -- Get SessionId.
      vCurrentSessionId := wwv_flow_custom_auth_std.get_session_id_from_cookie;
      -- Check Application Session Cookie.
      IF wwv_flow_custom_auth_std.is_session_valid THEN
        apex_application.g_instance := vCurrentSessionId;
        -- Check Authenticated User --> Username from wwv_flow_session$ for
        --   current Session.
        IF vAuthenticatedUsername = wwv_flow_custom_auth_std.get_username THEN
          wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
            p_session_id => vCurrentSessionId);
          RETURN TRUE;
        ELSE
          -- Unset the Session Cookie and redirect back here to take other branch.
          wwv_flow_custom_auth_std.logout(p_this_flow => v('FLOW_ID'),
            p_next_flow_page_sess => v('FLOW_ID') || ':' || NVL(v('FLOW_PAGE_ID'), 0)
            || ':' || vCurrentSessionId);
          -- Tell Apex Engine to quit.
          apex_application.g_unrecoverable_error := TRUE;
          RETURN FALSE;
        END IF;
      ELSE
        -- Application Session Cookie not valid --> Define a new Apex Session.
        wwv_flow_custom_auth.define_user_session(p_user => vAuthenticatedUsername,
          p_session_id => wwv_flow_custom_auth.get_next_session_id);
        -- Tell Apex Engine to quit.
        apex_application.g_unrecoverable_error := TRUE;
        IF owa_util.get_cgi_env('REQUEST_METHOD') = 'GET'  THEN
          wwv_flow_custom_auth.remember_deep_link(p_url => 'f?' ||
            wwv_flow_utilities.url_decode2(owa_util.get_cgi_env('QUERY_STRING')));
        ELSE
          wwv_flow_custom_auth.remember_deep_link(p_url => 'f?p=' ||
            TO_CHAR(apex_application.g_flow_id) || ':' ||
            TO_CHAR(NVL(apex_application.g_flow_step_id, 0)) || ':' ||
            TO_CHAR(apex_application.g_instance));
        END IF;
        -- Register the Session in Apex Sessions Table, set Cookie, redirect back.
        wwv_flow_custom_auth_std.post_login(p_uname => vAuthenticatedUsername,
          p_session_id => nv('APP_SESSION'), p_flow_page => apex_application.g_flow_id
          || ':' || NVL(apex_application.g_flow_step_id, 0));
        RETURN FALSE;       
      END IF;   
    END modNtlmPageSentry;
    Does anyone have any ideas on where to look next?
    Regards, Tony
    Update:
    For kicks, I added the page sentry function to the list in the wwv_flow_epg_include_mod_local function.
    I bounced both the HTTP Server and the database.
    None of these actions solved the problem.

    Joel -
    The alert log states that there is a 7445 error now from Apache
    host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123' module='Apache.exe'
    pid='416'>
    <txt>Exception [type: ACCESS_VIOLATION, UNABLE_TO_READ] [ADDR:0x0] [PC:0x69A2AB3, _pfrinstr_BRNCCOND()+39]
    msg_id='1422874948' type='INCIDENT_ERROR' group='Access Violation'
    level='1' host_id='ECYDBLCYORWQT01' host_addr='165.151.5.123'
    prob_key='ORA 7445 [pfrinstr_BRNCCOND()+39]' upstream_comp='' downstream_comp=''
    ecid='' errid='12252' ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []
    The trace file just states the same 7445 error:
    ORA-07445: exception encountered: core dump [pfrinstr_BRNCCOND()+39] [ACCESS_VIOLATION] [ADDR:0x0] [PC:0x69A2AB3] [UNABLE_TO_READ] []
    The incident trace file states that the current SQL was:
    ----- Current SQL Statement for this session (sql_id=bng4udk9mvtsh) -----
    declare function x return boolean is begin
    return mergedwplcs.modNtlmPageSentry; return false; end;
    begin
    wwv_flow.g_boolean := x; end;
    ----- PL/SQL Stack -----
    ----- PL/SQL Call Stack -----
      object      line  object
      handle    number  name
    2B6ACD34      1020  package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
    2B6ACD34       662  package body FLOWS_030100.WWV_FLOW_CUSTOM_AUTH_STD
    2B6BB44C        59  function MERGEDWPLCS.MODNTLMPAGESENTRY
    2B6BBD1C         2  anonymous block
    2B6BBD1C         4  anonymous block
    2B6BC674      1815  package body SYS.DBMS_SYS_SQL
    2B6BD29C       296  package body SYS.WWV_DBMS_SQL
    2B70B5D0      1352  package body FLOWS_030100.WWV_FLOW_SECURITY
    2B70B5D0      1158  package body FLOWS_030100.WWV_FLOW_SECURITY
    2B71BA2C      8847  package body FLOWS_030100.WWV_FLOW
    2B72FB04       255  procedure FLOWS_030100.F
    2B7E4F1C        31  anonymous block
    Which makes sense given that I was trying to log into the application. All of these functions and packages are valid.

  • Event ID 6038 LsaSrv NTLM authentication warning

    Searching the internets we haven't found any other references to this particular Event ID Warning message.
    It's likely new in Windows Server 2012. We are part of an Active Directory that is at Forest Functional Level: Windows Server 2008, but our Child Domain is at Domain Functional Level: Windows Server 2012 (3 Domain Controllers in our Child Domain).
    Clicking on the URL in the Description of the Event ID just links to a ‘Windows Server Future Resources’ placeholder page.
    The full Event ID is pasted in below.
    We would like to know how to complete these checks, and if possible, raise our NTLM Authentication to Kerberos.
    How are these tasks accomplished on Windows Server 2012 Domain Controllers?
    Thanks in advance for any help!
    Log Name:      System
    Source:        LsaSrv
    Date:          12/27/2012 6:00:01 PM
    Event ID:      6038
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      <server FQDN>
    Description:
    Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
    NTLM is a weaker authentication mechanism. Please check: 
          Which applications are using NTLM authentication?
          Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
          If NTLM must be supported, is Extended Protection configured? 
    Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

    Thank you for your reply, your links above address Kerberos vs. NTLM specifically for IIS.
    I did more digging and found this TechNet link that deals with Kerberos vs. NTLM for Domain Controllers. 
    It looks to be the best/only article I can find from Microsoft on how to audit NTLM usage, and eventually get to the point of using the group policy settings - Network Security: Restrict NTLM. 
    So until they update/activate the URL in the 6038 Event ID description to something better/more concise, this TechNet link will have to do: 
    Auditing and restricting NTLM usage guide
    http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
    Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
    This guide for the IT professional introduces the steps required to reduce NTLM usage in your environment by using available tools and the restrict NTLM audit and blocking policies, which were introduced in the Windows Server 2008 R2 and Windows 7 operating systems.
    With the advent of more secure authentication protocols, such as Kerberos, industry requests for the ability to better manage the NTLM protocol in their environments have increased. Reducing the usage of the NTLM protocol in an IT environment requires both the knowledge of deployed application requirements on NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used in order to selectively restrict NTLM traffic.
    This guide only addresses how to collect and analyze events by using functionality found in the Windows operating environment.
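One way to answer the first check in the event description ("Which applications are using NTLM authentication?") on the server that logged event 6038. This is an added example, not part of the thread or of the TechNet guide: it tallies NTLM logons from Security event 4624, which the thread does not mention, and the function name `Get-NtlmLogonSummary`, the 24-hour window and the event cap are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated session on the server
# that logged event 6038; reading the Security log requires administrator rights.
function Get-NtlmLogonSummary {            # hypothetical helper name
    param(
        [int]$Hours = 24,                  # assumed look-back window
        [int]$MaxEvents = 20000            # cap so a busy log stays manageable
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            # Keep only logons that were authenticated with NTLM.
            if ($data['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    Workstation = $data['WorkstationName']
                    SourceIp    = $data['IpAddress']
                    NtlmVersion = $data['LmPackageName']   # "NTLM V1" or "NTLM V2"
                    LogonType   = $data['LogonType']       # 3 = network logon
                }
            }
        } |
        Group-Object Account, Workstation, SourceIp, NtlmVersion, LogonType |
        Sort-Object Count -Descending |
        ForEach-Object {
            # One output row per distinct client/account combination.
            $first = $_.Group[0]
            [pscustomobject]@{
                Count       = $_.Count
                Account     = $first.Account
                Workstation = $first.Workstation
                SourceIp    = $first.SourceIp
                NtlmVersion = $first.NtlmVersion
                LogonType   = $first.LogonType
            }
        }
}

Get-NtlmLogonSummary -Hours 24 | Format-Table -AutoSize
```

The rows with the highest counts identify the clients and accounts to examine first when working out why Kerberos was not negotiated.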

  • Re: How to enable NTLM authentication in OSB???

    Hi all,
    We have the same problem trying to integrate OSB with an asmx service that uses NTLM.
    We tried an alternative: we created the artifacts of the asmx service using wsimport and we created a little Java project using these artifacts. We also added a class with a static method in this project in order to be used by the OSB Java callout mechanism. When this project is used standalone (through Eclipse) it works fine and, as the environment is Windows Server, it automatically sends to the client the credentials of the user that is logged on to the Windows domain. On the other hand, when we deploy this Java project in OSB as a jar for callout we receive: Response: '401: Unauthorized' exactly at the point that the produced artifact class invokes the constructor of javax.xml.ws.Service in order to create an instance of the service.
    Can it be the same problem stated by 830428?
    The stack trace:
    com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:172),
      com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:153),
      com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:284),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:246),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197),
      com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187),
      weblogic.wsee.jaxws.spi.WLSServiceDelegate.<init>(WLSServiceDelegate.java:73),
      weblogic.wsee.jaxws.spi.WLSProvider$ServiceDelegate.<init>(WLSProvider.java:515),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:103),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:95),
      weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:71),
      javax.xml.ws.Service.<init>(Service.java:56),
      org.tempuri.EDoc.<init>(EDoc.java:46),
    after that (actually before) is just our code which calls the  @WebServiceClient Class (the local artifacts which are used to call the actual web service).

    Kuppusamy.V.,
    We experienced the same issue as you and managed to find a solution to the problem.
    The OSB does not support NTLM authentication, so you are quite correct in stating you must write a Java class and use a Java callout from an OSB Proxy Service.
    Our Java class worked fine from the Unix commandline, but failed when deployed to the OSB and invoked by the proxy service with the dreaded '401 Unauthorised' error.
    On closer inspection, the proxy service stack trace revealed:
    java.io.FileNotFoundException: Response: '401: Unauthorized' for url: 'http://your.domain.here/default.aspx' at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:474)
    We noticed that the exception was being thrown from the WebLogic 'weblogic.net.http.HttpURLConnection' class and not the Sun 'java.net.HttpURLConnection' as we expected (and our Java code explicitly imported)!
    We couldn't understand why a different HTTP handler was being invoked, but it got us thinking. And thinking. And raising an Oracle support ticket. And waiting.
    Tired of waiting, we revisited the problem and chanced across the Javadoc for the 'java.net.URL' class and noticed one of the constructors allows you to specify a HTTP handler!
    Instead of opening our URL with this typical usage:
    URL url = new URL(yourURL);
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    We used:
    URL url = new URL(null, yourURL, new sun.net.www.protocol.http.Handler());
    HttpURLConnection http = (HttpURLConnection) url.openConnection();
    And, hey presto!, it worked a treat.
    And we closed the Oracle service ticket. And stopped waiting :)
    Regards,
    Jerome

  • Authentication tab SAP - BOxi Ent 3.1 and Int kit on AIX

    Hello
    Installation of BO-XI Enterprise 3.1 and SAP integration kit 3.1 on AIX. 
    Both products installed successfully. But on CM Console in authentication tab SAP
    is not appearing. Also when we try to  create new connection using universe designer
    from clients (Windows) we get following error
    "DBD: A runtime exception has occurred. (Licensed key checked failed.
    Check that you are licensed to access SAP data source)
    Regards
    Upendra

    Dear Stratos
    version libsapjco3 is 64 bit for aix
    eb components automatically deployed.
    At present we are using temporary license key.
    Following description may clear scenario.
    BO-XI Enterprise 3.1 and SAP integration kit 3.1 on AIX installed successfully.
    We are trying to create new connection to SAP BW system as data source using universe
    designer from clients (Windows) we get error from one client
    "DBD: An error occurred while trying to load the provider for transport sap.
    Failed to load library MDA_SAP. System error message "the specified module could not be found"
    From another client (PC) error come as
    "DBD: A runtime exception has occurred. (Licensed key checked failed. Check that you are licensed to access SAP data source)
    when we checked on CM Console in authentication tab SAP is not appearing.
    In short our BO system is not able to communicate with BW system.
