Windows single sign on

Similar Messages

• Wireless Network Policy Single Sign On Issue with Windows 8.1 only

  I'll try to set this up as best I can. I have a laptop with a fresh Windows 8.1 install on it. It is on my domain, and I have a single GPO applied to it. In the GPO under Computer Configuration -> Windows Settings -> Security Settings ->
  Wireless Network Policies I have created a Windows Vista or later policy. In the policy I have configured single sign on.  I log into a local account on the laptop and plug it into a wired connection. I then run gpupdate on it. At that point I unplug
  the network cable, and log off. Now, from the login screen I click Other user, and it looks like the screenshot below.
  Notice that "Windows will try to connect to" is present. I can login using domain credentials, and single sign on works perfectly. Now if I reboot the machine, the "Windows will try to connect to" is gone and single sign
  on does not work. If I log in with a local account and log out. The "Windows will try to connect to" is present again. I can login normally using domain credentials, and single sign on works perfectly again.
  One other note: I installed a fresh copy of Windows 7 on the same model laptop, and put it in the same OU with that single GPO. Single sign on works perfectly with the Windows 7 machine every time. Including after reboots. Thank you, in advance,
  for any advice or comments. I will be happy to provide additional information if it is needed.

  I managed to get this to work properly in my environment. I realized that I needed to export the wireless profile from the Group Policy editor and import it on the client (by using Group Policy). I realized this while reading through this article:
  https://technet.microsoft.com/en-gb/magazine/2007.11.cableguy.aspx
  You can see the "Export..." button in the screenshot posted by keyserag above. Select the profile name, in the Group Policy editor Properties dialog, i.e. the item that keyserag has blurred in his screenshot, then click the "Export..."
  button. You will be prompted to save the XML file. 
  I use Computer Configuration > Preferences > Windows Settings > Files to copy the XML file to the clients:
  Destination: %WindowsDir%\WirelessProfileExportFileName.XML
  I then use Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks to run netsh and import the profile:
  Action: netsh wlan add profile filename="%WindowsDir%\WirelessProfileExportFileName.XML"
  The PCs using my policies are now ready to logon without any need for additional manual actions.
  I've left out some detail here, I assume everyone will do something a little different anyway. Let me know if you need more help with this.

• Windows 2008 R2 + Remote Desktop Web Access + Single Sign-On + 2 servers

  Hi
  First sorry for my English. I have got problem with run SSO with RDWeb. I configured everything follow this instructions:  http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
  and http://blogs.technet.com/b/mrsnrub/archive/2010/03/22/remote-desktop-services-websso.aspx. After logon to RDWeb web page I click application icon. Then I see dialog box for credentials - SSO not working.
  I have got 2 servers with Windows Server 2008 R2 Standard:
  Server OL-AP1 with role Remote Desktop Session Host (RDSH) and certificate for digital sign RemoteApps
  Server OL-AP04 with ONLY Remote Desktop Web Access (RD Web) with certificate for https
  Client PC: Windows 7 SP1 with installing certificate for OL-AP01 witch I used for digital sign RemoteApps
  All certificates created by enterprise domain CA - Active Directory Certificate Services (AD CS)

  Hi,
  Thank you for posting in Windows Server Forum.
  Do you have RD Gateway setup in your environment?
  Have you configure RD Connection Broker and set the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server. 
  Client operating systems must trust the certificate with which the RemoteApp programs are signed. Suggest to install RDP 8.1 for client OS.
  Do you have a trusted certificate with a matching name configured on your RDSH server in RD Session Host Configuration? (Means cert must match the name that clients use to connect to it for running the RemoteApp).
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• OBIEE 11G with Single Sign-On and Active Directory

  Hi guys,
  Release Version: Oracle Business Intelligence 11.1.1.5.0
  Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
  OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
  We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
  Our krb5login.conf:
  com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="[email protected]"
  keyTab=cgdkobi2.keytab
  useKeyTab=true
  storeKey=true
  debug=true
  We generate de keytab file:
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
  Password for [email protected]:XXXXXXX
  Done!
  Service key for [email protected] is saved in cgdkobi2.keytab
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
  New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
  Key tab: cgdkobi2.keytab, 1 entry found.
  [1] Service principal: [email protected]
  KVNO: 1
  Time stamp: Mar 15, 2013 10:34
  C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
  Current LogonId is 0:0x406163f5
  Cached Tickets: (0)
  We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
  Any suggestion?
  Thanks in advanced

  Follow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
  Also check your logs for error like the one below:
  [2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
  Odbc driver returned an error (SQLDriverConnectW).
  State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
  If you are getting this when you login to OBIEE :      You are not currently signed in to Oracle BI Server"
  then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
  Let us know the updates. Hope this helps. Mark if it does.!
  Thanks,
  SVS

• Authentication between Single Sign-On and Web based applications

  Hi everyone,
  I need to create a way in Portal 10g (10.1.2.0.2) that allow me to do the following:
  Once the user is logged on Portal (against Single Sign-On - SSO) he doesn't need to retype his username/password when he access a web based application throught the portal, in my case, an ASP application (not .NET, just ASP).
  I made a test creating a External Application in SSO and after publishing this portlet (external application) inside portal.
  It worked, BUT I was prompted to inform username/password to log on the aplication.
  So, the user end up entering his password twice.
  Does anybody know a way to acomplish this task?
  The documentation I'm researching is:
  Oracle Application Server Single Sign-On
  Administrator's Guide
  10g Release 2 (10.1.2)
  B14078-02
  Oracle Application Server Single Sign-On
  Security Guide
  10g Release 2 (10.1.2)
  B13999-03
  Thank you very much,
  Diogo Santos.

  have figured out how to secure any HTML, ASP, PHP, CFM, etc. web page again Portal / OID using the PDK toolkit.
  Using AJAX (Asynchronous JavaScript and XML) and one Oracle Stored Procedure just adding a simple Javascript call to any HTML, ASP, PHP, etc. web page can secure it via Oracle SSO (OID). Access to any secured web page will require that it to be linked from an authenticated Portal session or a page opened in an authenticated Portal session.
  This process can be easily modified to add in group security etc. This is just my starting point.
  1) Create a stored procedure
  # Make sure it has access to portal.wwctx_api.is_logged_on
  CREATE OR REPLACE PROCEDURE login_ajax_check (
  display_error IN number default NULL) AS
  BEGIN NULL;
  If portal.wwctx_api.is_logged_on = false then
  htp.prn('DENY');
  ELSE
  htp.prn('ALLOW');
  END IF;
  Exception when others then htp.p('DENY');
  END;
  2) Use this Javascript in any page you wish to secure.
  <-- Begin Paste Here -->
  <script>
  var allowgo=2
  function ajaxCallRemotePage(url)
  if (window.XMLHttpRequest)
  // Non-IE browsers
  req = new XMLHttpRequest();
  req.onreadystatechange = processStateChange;
  req.open("GET", url, false);
  req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
  req.send(null);
  else if (window.ActiveXObject)
  // IE
  req = new ActiveXObject("Msxml2.XMLHTTP");
  req.onreadystatechange = processStateChange;
  req.open("GET", url, false);
  req.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
  req.send();
  else
  return; // Navigateur non compatible
  // process the return of the "ajaxCallRemotePage"
  function CheckPortal()
  ajaxCallRemotePage('[Your page calling the procedure from above]');
  function processStateChange()
  if (req.readyState == 4)
  if (req.status == 200)
  if (req.responseText.substring(0,4) == 'ALLO')
  allowgo = 0;
  else
  allowgo = 1;
  function doPage()
  if (allowgo==1)
  window.location='[Your login or error page]';
  CheckPortal();
  doPage();
  </script>
  <-- End Paste Here -->
  That's it!!! Super easy. It works great too.
  Larry Schenavar
  [email protected]

• Starting single sign-on and directory service

  i am trying to install oracle 9i infrastructure on my clean win2000 box with 2.4 GHz proc and 1GB RAM.
  i am getting falilure messages for the following:
  infrastructure instance configuration assistant: failed
  oracle 9i application server randomize password: failed
  single sign on configuration assistant: failed
  infrastructure mod-osso configuration assistant: failed
  OPMN configuration assistant: failed
  log file says:
  Configuration failed for IAS
  IAS Instance creation failed
  Configuration failed for JAZN
  JAZN configuration failed: unable to establish a directory context.
  Configuration succeeded for IASProperty
  Configuration failed for IAS
  Configuration failed for JAZN
  after which single sign-on and directory service dont start. which means no connectivity :(
  can somebody please guide me about how to avoid this failure in installation or how to manually start these after installation.
  it would be a great help
  ashish

  Hi,
  we're having exactly the same problem.
  Could you tell me what the problem is with the network ?
  You say configure it properly but what do you mean ?
  It's installed on a Windows 2000 Server machine, it's own DNS.
  Thanks,
  Yuri Arts

• Single Sign On and user security with IS

  We have installed Information Steward 4.1 SP1 Patch 1 with Data Services 4.1 SP1 Patch 2 on Information Platform Services 4.0 SP 5 patch 6.  The Information Steward system is installed on it's own server.  We are connecting IS to our SAP Netweaver 7.3 system. 
  I have set up Single Sign On using Windows AD authentication.  The connection to the SAP system uses a service account. 
  Because the SAP system has our payroll information on it, we want to restrict Information Steward users based on their SAP security profiles.  We don't want to have to maintain security settings in both SAP and Information Steward. 
  Does anyone know if there's a way to set up Single Sign On so it passes the user credentials from SAP to Information Steward?  Then restrict the users on Information Steward based on their SAP security settings?
  Any advice would be appreciated!

  Hi,
  You can use Windows AD or SAP Authentication and configure it with SSO. However this should be done in the BI/IPS plaftorm and not IS. See the BI admin guide (http://help.sap.com/bobip40) section "Authentication options in BI platform". Please let me know if that's what you wanted.
  thanks

• Single sign-on and custom DBLoginModule

  Hi,
  I need help in making sso work. I have Application Server version 10.1.3.1.0, I've developed application in JDeveloper 10.1.3.3. that uses form based login and when deployed to server I can normally login/logout. Now I want to enable single sign on, so I've changed security provider of javasso to the one I'm using in my application (oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule) and started javasso, added my application to participating applications, and restarted the instance.
  When I try to access my application, login page of javasso is shown but I cannot login, always get incorrect username/password. The strange thing is that logs are empty, so i guess that dblogin module is never fired.
  Also I've changed my login method so it supports identity callback, like described in here .
  This Re: Custom Login Module and JavaSSO said that orion-application.xml of my application and javasso should be the same, I haven't figured out what should I do with javasso orion-application.xml and how sould it look like.
  this is orion-application.xml of my application
  <?xml version = '1.0' encoding = 'windows-1250'?>
  <orion-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd">
  <library path="./adf"></library>
  <jazn location="./jazn-data.xml" provider="XML"/>
      <data-sources path="./data-sources.xml"/>
  <jazn-loginconfig>
       <application>
            <name>secure-web-app</name>
            <login-modules>
                 <login-module>
                      <class>oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule</class>
                      <control-flag>required</control-flag>
                      <options>
                           <option>
                                <name>data_source_name</name>
                                <value>jdbc/WMSPortalDS</value>
                           </option>
                           <option>
                                <name>debug</name>
                                <value>true</value>
                           </option>
                           <option>
                                <name>plsql_procedure</name>
                                <value>PK_SECURITY.GET_USER_AUTHENTICATION</value>
                           </option>
                           <option>
                                <name>log_level</name>
                                <value>ALL</value>
                           </option>
                      </options>
                 </login-module>
            </login-modules>
       </application>
  </jazn-loginconfig>        
  </orion-application>this is orion-application.xml of javasso
  <?xml version = '1.0' encoding = 'utf-8'?>
  <orion-application
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"
      schema-major-version="10"
      schema-minor-version="0"
      component-classification="internal">
  <security-role-mapping name="{{PUBLIC}}">
      <group name="{{PUBLIC}}" />
  </security-role-mapping>
  <jazn provider="XML">
  </jazn>
  </orion-application>Please help, this is very urgent to me, all advices and guide lines are more than welcome.
  Thanks in advance,
  Tomislav.

  To be clear maybe someone will help.
  I have a cluster topology, with one application server and 3 oc4j instances.
  I've done following steps and without success, on my test instance:
  1. Deployed application with custom DBLogin (I'm using: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule)
  2. Sucessfully login / logout -> so I guess DBLogin is working fine
  3. Stopped the java sso application
  4. Changed the javasso Security Provider to my custom DBLogin with following parameters:
  class: oracle.sample.dbloginmodule.DBProcLM.DBProcOraDataSourceLoginModule
  data_source_name - jdbc/WMSPortalDS
  log_level - ALL
  plsql_procedure - PK_SECURITY.GET_USER_AUTHENTICATION
  debug - true
  5. Added Connection Pool and Data Source in javasso Administration -> JDBC -> tested connections and it was sucessful
  6. Started javasso application
  7. Then I went to Java SSO Configuration -> Participating applications -> checked my application
  8. Restarted instance
  9. Try to login -> invalid username / password
  In enerprise manager Log files -> javasso -> there are only messages regarding starting and stopping application
  Questions:
  1. orion-application.xml for javasso -> what exactly needs to be specified inside, currently I have following:
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" component-classification="internal"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="javasso-web" path="javasso-web.war" />
          <security-role-mapping name="{{PUBLIC}}">
                  <group name="{{PUBLIC}}" />
          </security-role-mapping>
          <persistence path="persistence" />
          <jazn provider="XML">
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>2. orion-application.xml for my application
  <?xml version="1.0"?>
  <orion-application  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/orion-application-10_0.xsd"  deployment-version="10.1.3.1.0" default-data-source="jdbc/OracleDS" see-parent-data-sources="false" component-classification="external"
    schema-major-version="10" schema-minor-version="0" >
          <web-module id="Portal" path="Portal.war" />
          <persistence path="persistence" />
          <library path="./adf" />
          <jazn provider="XML" location="jazn-data.xml" default-realm="jazn.com" >
                  <property name="custom.loginmodule.provider" value="true" />
                  <property name="role.mapping.dynamic" value="true" />
                  <jazn-web-app auth-method="CUSTOM_AUTH" />
          </jazn>
          <log>
                  <file path="application.log" />
          </log>
          <data-sources path="./data-sources.xml" />
  </orion-application>3. How to get any information into logs, I cannot find out what I'm doing wrong since there's no output in logs for javasso and my application.
  Please help, I'm really stuck and I have to resolve this as soon as possible.
  Thanks in advance,
  Tomislav.

• SSO (single sign on) on NetWeaver 7.0 Enterprise Portal based on spnego with Microsoft Active Directory

  Hi,
  we are using SAP Netweaver Enterprise Portal 7.0 (SP25) based on Windows 2008 R2/Oracle 11g.
  When we setup the Portal, we used the UME of the ECC - ABAP.
  The portal is used internally only.
  Now we want to provide SSO.
  User authenticate against Windows Active Directory (Windows 2003).
  We thought SSO via spnego would be the best solution.
  Any better alternates, we should use?
  We are following the SAP documentation:
  SAP-Bibliothek - Benutzerauthentifizierung und Single Sign-On
  We still want to create users in ABAP and assign them the portal roles. LDAP access should only have read access, to verify the security token from Active Directory.
  When we setup the portal from scratch using ABAP as its UME, in the system configuration, LDAP can't be selected/add as data source.
  In case we understand the documentation correctly, we would now need to add LDAP via the configtool for read access.
  What is not clear to us, when we active now LDAP via config tool, if we would now lose the ABAP connection.
  Is there a tutorial for SSO Netweaver 7.0 EP, like for EP 7.3, available?
  In 7.3 SSO is pretty simple to get it running, thanks to the many tutorials here and on the internet.
  Thanks for your help.
  Best regards
  Carlos Behlau

  Hi,
  I was able to generate the key via ktab program.
  But when I am enable SSO, nothing is happening when I try to log-on via SSO to the portal.
  I installed WebDiag tool on the portal server and ran trace.
  The users are located in domain: company.com of activate directory.
  The Java AS are located in domain: sap.company.com of activate directory.
  The sap.company.com domain acts as child of company.com.
  When I check the WebDiag trace, I see for the SPNegoLoginModule - the entry "... no key (etype: 23) for realm sap.company.com available ..."
  I would except company.com as realm key, as the keytabs have been generated on the domain controller of company.com.
  Is it possible to get SSO with child domain running?
  Based on the statement of the network folks, child and father domain having a trust.
  Thanks for your help.
  Best regards
  Carlos

• Cannot get end-to-end single sign-on to work in CR XI

  Post Author: yarg
  CA Forum: Authentication
  Hello,
  I'm looking for some help please.  I have used Crystal Reports XI fairly extensively over the past year (designing reports mainly), and have now been tasked with getting CR Server XI up and running so that team members can view reports pertaining to them via a web browser.  I have installed CR Server XI on a Windows Server 2003 VM and have followed every single step in the admin guide on pg285 about how to implement end-to-end single sign-on using Kerberos.
  However, every time I try to access InfoView I get prompted for AD credentials.  Single sign-on just is not working and there are no visible error messages to indicate why.  Could anyone please offer suggestions?  Even telling me whether there is any sort of log file which I can check to see what's happening behind the scenes would be very helpful.
  Many thanks in advance,
  Graeme

  Post Author: colin mackenzie
  CA Forum: Authentication
  Hello Graeme.
  Have you tested it with using the user settings under the Enterprise Authentication?
  Does your reports and objects work for the user when connected with the "Enterprise Authentication Type?

• Proper security structure for Single Sign on Server

  We are all used to how we design security structure for vCenter Server if you have had an existing VMware environment prior to 5.1.  Who should have administrative privileges in vCenter Server, what roles, permissions, and so on should be assigned to what users and groups - these questions have already been addressed in our current configuration.
  Now Single Sign on introduces a significant new point of consideration for determining issues of access and authentication.
  I'd like to get some ideas on how this should be handled.  For example, should previous VMware administrators by definition become Single Sign on Administrators? Should the administrators of the Active Directory domain now start to get involved with the Single Sign on Server?
  For example, Single Sign on now forces VMware administrators to configure things like:
  -Password Complexity Policy for SSO
  -Password Expiration for SSO
  -Lockout Policy
  We already probably have these things tightly controlled in AD and locked down with group policy, but you can't apply group policy directly to an SSO server and make it receive a GPO from Active Directory.  (You can make the Windows OS that SSO is running on have a GPO applied, but it won't configure SSO itself, just the OS).
  VMware admins are looking at a new set of questions relating to authentication and authorization.  Someone has to have written something or will be writing something to help us get the big picture of what is changing with SSO if anything and how we need to look at SSO from a security design and best practices.
  Should we just make existing vCenter Server admins SSO admins or do we need to take a step back and reconsider?

  Hello,
  Actually, yes. SSO is fairly robust in 5.5. It has a few limitations around email of expired passwords, but that is mainly because some people do not use them. I use SSO to provide the usernames and passwords for all my VMware vCenter and related product service accounts. I.e. an account for vdp, Horizon, vCops, Log Insight, etc.  This is more about keeping systems segregated once more with no real need for AD for services. But AD via SSO is used by users.
  Read the documentation, and determine how SSO fits into your current password policy and take a long hard look at your virtualization management environment. Is there a 1 service account per service talking directly to vCenter? If not, SSO can help you implement that. The key is to match its functionality to your security policy.
  Best regards,
  Edward L. Haletky
  VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
  Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
  Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

• Single Sign On (SSO) Issue

  We are running Business Objects Enterprise XI 3.1, SP2 (BOBJ) in a Windows environment and have implemented single sign on for Windows AD.  Randomly single sign on does not work for some of our users when either accessing InfoView or when executing a WebI report via an OpenDocument call.  These users can log into InfoView using the Windows ID and Password manually.  The users also have the u201CEnable Integrated Windows Authenticationu201D option checked in IE.
  We have checked the InfoViewApp web.xml and OpenDocument web.xml settings and everything appears to be setup correctly for using sso and vintela (per SAP Note 1251945).  Required SPN entries appear to have been made.  The maxHttpHeaderSize setting in the Tomcat server.xml is set to 16384.  We do tend to make substantial use of Windows AD Groups within our security model.
  When the users are unable to login via sso, here is the error stack that appears in the Tomcat stdout.log:
  SEVERE: Servlet.service() for servlet action threw exception
  java.lang.IllegalStateException
       at org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
       at javax.servlet.http.HttpServletResponseWrapper.sendError(HttpServletResponseWrapper.java:117)
       at com.businessobjects.sdk.credential.WrappedServletResponse.sendError(WrappedServletResponse.java:30)
       at com.wedgetail.idm.sso.AbstractAuthenticator.setUnauthorizedResponse(AbstractAuthenticator.java:1328)
       at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:144)
       at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
       at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
       at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
       at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)
       at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.doFilter(WrappedResponseAuthFilter.java:66)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
       at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
       at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
       at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
       at java.lang.Thread.run(Thread.java:595)
  Before we go about installing SP3 in an effort to resolve the problem, can anyone look at the above error stack and tell us what might be going on here?  Would the above error stack be consistent with an Httpheader getting truncated?
  Thanks in advance for your help.
  Wendell Giedeman

  That error is part of a logging bug and not related to your issue. If SSO is working consistently from infoview then it probably is not a web.xml setting either. The most common problems with opendoc have been related to sessions. Are the users using a new IE window or possibly one that had previous documents open? If it is the session issue then SP3 may help as some work has been done in that area. If you are sure the users are using new IE windows for the opendoc calls then more troubleshooting may be required to identify the problem.
  Regards,
  Tim

• Single Sign-on with Multiple Servlets and JSPs

  I am in the midst of attempting to logically tie together a number of our
            web applications under a single sign-on "umbrella". What we want is the
            following: for any n applications a user may have access rights for up to n
            of them. Once signed in, she has rights to visit any app to which she has
            permissions as long as her session is valid. Unfortunately, I'm having
            trouble seeing how to make this work given the documentation that I have.
            I've read thru the newsgroup in search of a solution, but I haven't seen
            anything geared toward this specific approach.
            Currently, each "application" (servlet) has a list of valid users via ACLs
            (we've implemented a RealmExtender, so we're not going via props file
            entries), and we let the browser pop-up window enforce the sign-on. This
            has worked exactly as we wish (single sign-on, etc.), for testing, but we'd
            really rather have our own form-based sign-on for production.
            To that end, we've done the following:
            1) implemented a JSP form-based sign-on (basically ripped off from the
            example provided by BEA), which does a "ServletAuthentication.weak()" check
            to confirm identity.
            2) placed the following code (essentially) within the service() method of
            our servlet superclass, which I thought would force another check. My
            intention is to disallow the user from "jumping into" an app thru a
            shortcut, and thereby bypassing security.
            HttpSession session = request.getSession(true);
            if (session.isNew()) {
            response.sendRedirect(welcomeURL);
            However, we can't get the form-based approach to mimic the functionality of
            the default browser pop-up: the sign-in doesn't seem to "follow" the user
            the way it did with the pop-up. Instead, when I come in thru our login
            page, the browser pop-up is still appearing when I click the link for an
            app for which to which I have permissions.
            Is the default browser pop-up doing something different that I should know
            about? Seems like this should be simple to do, but it's surprisingly subtle
            (or maybe I'm just clueless).
            TIA
            

  Well, if you want to hear my personal opinion:
  better stick to the cookie specification (http://wp.netscape.com/newsref/std/cookie_spec.html) and accept the constraint that cookies will only be send to domains that tail-match the domain-constraint specified in the set-cookie http response.
  Although this specification is not an official internet standard most browsers are implementing the cookie mechanism according to this specification.
  Unfortenately there's no option to specify that a cookie should be send to a list of servers and/or sub-domains.
  However one physical server can have multiple (FQDN) hostnames. So if you intend to send the cookie to a group of servers the best approach is to create a new (DNS) (sub-)domain exclusively for those servers.
  Theoretically (and also practically) it is possible to set cookies for multiple domains (by using a webservice that will set cookies on request of a caller). But that approach is dangerous:
  (1) not the server but the http client is defining the content of the cookie (= part of the http server response)
  (2) (unintended) many servers can obtain the cookie which will be send to all servers that reside in all (tail-matching sub-)domains; although most likely only one or two servers of each domain are intended recipients
  Regards, Wolfgang

• How do i create a single sign on environment from scratch?

  setting up a single mac mini 10.6.6 server in a small law firm and want to create a sso environment from scratch. i have currently got everything working fine as an open directory master, but every reference to sso that i can find, talks about joining an existing sso environment, or joining ad, creating a triangle, but never a stand alone od master to create the sso. am i missing something, or is it not possible or practical to do in such a small office with just a few users?
  thanks for any help understanding this.

  i appreciate your input Rikakiah, although i am glad i don't have to pronounce your alias out loud
  anyway, that's starting to sound like something i might want to try, because so much of what i want to do is not really working the way i'm doing it. it had crossed my mind, but wasn't sure i was going to avoid problems by using network home folders instead of mobile accounts. at this point, i have only one of the four workstations bound to the server, which was purchased as a mac mini snow leopard server with the dual internal drives, and was set up as a mirrored raid with the 2 internal 500 gig drives.
  i am seeing what seems to me like some odd behavior with network accounts working with the log in screen (all the users show up in the log in screen properly as network accounts, but only one account, the one that matches exactly the local account user name and password and allows log in) and auto mounting group shares are not seeming to work at all. what seems odd, is that management of the local account seems to be working great, and has merged management with the local account. the user still has all their existing documents and settings, but i can see that the things like the control panels i locked them out of are grayed out. so to be try to be clear here, i have 4 network accounts set up in wgm, and on the log in screen, i see 3 network accounts with the typical network user icon, and what looks like the original account with the original icon. i can only log in using that account, but when i get in there, it's managed ok. i expected to see the original local account and 4 network accounts, but evidently using the same user name on the server as the local account caused this. when i try to log in with one of the other network accounts, the login screen shakes it head no.
  for the record, from another post talking about network log in issues, on the local system, setting System Preferences>Accounts>Login Options>Allow network users to log in at login window>Options>Only these network users: can mess this up, but my settings there are fine, since i had never messed with that. it says "allow all network users" or something like that.
  here's what i am trying to get to: auto mounting group shares and single sign on for afp group folders and ichat, and as you said to allow the users to move around from workstation to workstation as needed. as you know, there's a myriad of settings to make this all happen. i don't see how anyone can help me fix the 2 things that aren't working, unless i give a long winded explanation of what my settings in workgroup manager and server admin are, so here goes…
  i have dns and open directory running fine, a static map of ip addresses so that i can do authenticated directory binding, which seems great so far. in wgm, i have under preferences / computer list the one computer i have bound - computername$ and under window checked always, heading - directory status, list of users, show local users, network users, computer administrators, and other. under options checked always, enable fast user switching, computer administrators may refresh or disable management, and start screen saver after 5 minutes. under access checked always, clicked the gear button once which caused network users - allow - * to appear in the access control list, local only users may log in, local only users use available workgroup settings, and combine available workgroup settings. scripts and items have never checked.
  then for workgroup folders to auto mount, i have set afp auto mounts for each of my 2 groups, partner admin and support staff in server admin / afp. under accounts / groups / support staff / group folder, the support staff auto mount is selected, and the user i am working with is obviously a member of that group under the members tab. finally, under preferences / groups / support staff / items, always and add group is checked and the support staff volume shows up in the list. authenticate selected share point with user's login name and password is grayed out and not checked, and merge with user's items is grayed out and checked. i'm not sure what i am missing to get auto mounting group folders here. btw, the user can for sure log into the group folder with the same user name password that she logs into the workstation with, if she does so manually under the go / connect to server menu.
  oh, and ichat seems to work as expected. she gets sso there! sweet!
  if i do end up trying to go for network home folders, (i would like to see auto mounting group folders working first, before i try) i found something that looks like a no-brainer to add to the mix…
  http://tools.mconserv.net/NHR.html
  thanks everyone for your interest in helping me deploy this server.

• Getting an ntvdm error while using single sign-on

  HI!
  When I run GssExample from the tutorial, I get an ntvdm error in a requester, saying "Error while setting up environment for the application. Choose 'Close' to terminate the application.".
  Then I can klick on "Close" or "Ignore". Either way, it takes some seconds and then GssExample is working as expected. But this requester is of course annoying. I get it every time I start GssExample.
  This only happens with single sign-on (useTicketCache=true).
  Using JDK 1.4.0 on Windows 2000 SP2.
  Any ideas?
  Thanks!
  Regards,
  Thomas

  OK.. the error goes away when using jdk1.4.1 but still the system is unable to get the user credentials from the cache :-(