ACS 5.2 permission controls

Greetings!

I have a conceptual question about CLI command authorization. We have ACS 5.2 up and running, providing AAA services for network devices. Now I need to make profiles for users in a certain group to restrict their CLI rights to show commands, and to disable the counters and show running-config commands. Could you please give me a link to a workflow I need to follow to accomplish this task? For example:

I should create a separate privilege profile (there are 2), specify commands at this level, assign this permission profile to the group and make additional changes on my devices (I mean the "aaa authorization ..." commands). I would appreciate a link to the documentation or to live examples. Thanks!

Jah Rastafari bless & protect you I

Just tested in my lab.

The thing is that, to allow only show commands, your command set is expected to contain the command 'show' with no argument specified.

What you have is "show *", which does not exist. The * is not a wildcard character in the command set. "No argument" is obtained by leaving the argument field empty.

Kind regards

Nicolas


Similar Questions

  • Set of permission controls Shell ACS 4.1 - configuration of VLAN

    I'm looking to limit which VLANs some users can set on the switch ports.  I have configured the "switchport" command with the following:

    deny access vlan 11
    permit access vlan 10
    permit access vlan 13
    permit access vlan 40
    permit access vlan 50
    permit access vlan 60
    permit access vlan 101

    But it is allowing 'switchport access vlan 11' as a viable command in this group.  I do not have "Permit Unmatched Args" checked and I have 'Unmatched Commands' set to Deny.  It's as if the 'switchport access' part is acknowledged, but the rest is ignored.  Can you put only one argument per command?  If this is the case, I tried to add a "vlan" command and also limit it in the same way to deny 11 and permit the rest, but that did not work.

    Since you already have "Unmatched Commands" set to DENY and "Permit Unmatched Args" is unchecked, you don't need the explicit "deny access vlan 11". Can you remove it from there and try again?

    In case it does not work, please collect the following information:

    debug aaa authentication

    debug aaa authorization

    debug tacacs

    Log in to ACS > Reports and Activity > TACACS+ Administration > check what format the command arrives in here.

    Kind regards

    Jatin kone

    * Make the rate of useful messages *.

  • Anyone know of a doc covering using ACS 5.3 to control the VLAN using TACACS+?

    Hello

    If someone could help with this, I'd appreciate it.

    I configured an ACS 5.3 system and all my groups etc. function correctly both for network access and for device administration.

    However, I am stuck trying to allow clients to authenticate on the router's web page, or web authentication, using TACACS+ between the router and the ACS 5.3.

    I looked into this and I need to configure a custom attribute of 'service' with the type bound and in relation to a permission policy.

    I think that the custom attribute configuration is where I'm stuck.

    Once again thanks for any help

    Brian

    Your best bet is to use RADIUS. ACS supports RADIUS, and most of the time you try to segment your users' network access from your device admins, and the best way to do that is using RADIUS versus TACACS+.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Problem with TACACS+ ACS 4.2 NDG and shell command authorization sets

    Hi all

    I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 installation and I am trying to deploy it to our environment. So I configured a 2960S to be my test client and everything works well. The problem is when I try to create fine-grained policies using network device groups and shell command authorization sets.

    I created shell command authorization sets called ReadOnly and FullAccess. I also created an NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwitchesFullAccess. Now, if I set up the FloorSwitchesFullAccess group and assign the shell command authorization set per NDG and then log in to the switch, all my commands are rejected as unauthorized.

    One thing I noticed is that if I assign the shell command authorization set to any device (in the user group settings) it works fine. Or if I create a binding with the DEFAULT NDG for the user group, that works too. My conclusion is therefore that the ACS for some reason does not associate my switch with the correct group but instead uses the DEFAULT group.

    Has anyone had a similar problem, or is there something I'm doing wrong? Is there another way to achieve such a thing without using NDGs?

    Thank you all...

    Please upgrade to patch 6; there is a bug in patch 5, and you can see the release notes or the Readme for more information.

    What is the user setting set to while you test command authorization? Do you have it set on the group setting?

    Thank you

    Tarik Admani

  • Dashboard ASA ASDM Cisco ACS

    Hi all

    We use CiscoSecure ACS 4.2 for AAA.

    On our ASA 8.2.5 with ASDM 7.3(1)101, if we connect with a user in a privilege 5 group, we are unable to see the firewall dashboard for Top 10 Services / Sources / Destinations.

    Does anyone know how to set up the privilege so that, essentially, the user group we have is read-only, but can see the Top 10 services/sources/destinations ASDM dashboard?

    Thank you very much

    Hi David,

    Yes you are right with privilege 5 you would be able to make these changes.

    You can use one of two methods of authorization in order to work around this limitation:

    Local database: configure the command privilege levels on the security
    appliance. When a local user authenticates with the enable command (or logs
    in with the login command), the security appliance places that user in the
    privilege level that is defined in the local database. The user can then
    access commands at the user's privilege level and below.

    Note: You can use local command authorization without any users in the local
    database and without CLI or enable authentication. Instead, when you enter
    the enable command, you enter the enable password, and the security
    appliance places you in level 15. You can then create enable passwords for
    every level, so that when you enter enable n (2 to 15), the security
    appliance places you in level n. These levels are not used unless you turn on
    local command authorization (see "Configuring Local Command
    Authorization").
    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa80/configuration/gu...

    TACACS+ server: on the TACACS+ server (ACS), configure the commands that a user or a group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server:

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    It will be useful.

    Kind regards

    Aditya

    Please evaluate the useful messages.

  • ACS SE - domains Windows AD

    Can I use ACS network device groups to have one ACS device acting as authenticator against two Windows domains for 802.1X for a single switch?

    Hope the question makes sense, but to put a little more meat on the issue:

    I have a single ACS device that I am trying to use for 802.1X authentication on a switch. The problem is that I want the VLAN assignment part of the implementation assigned through the ACS server depending on users having a domain account, but we have two domains without trust between them. The ACS remote agent should not be installed on servers in different domains, and the two agents available are for resilience only, so it does not fit this, unfortunately.

    That's why I ended up looking at multiple device groups.

    Does anyone have ideas on whether this will work or if there is another way to make this work?

    Hello

    ACS cannot authenticate 'natively' in 2 different domains that do not have a trust relationship defined. If this is not possible, then you need 2 ACS servers, one in each domain. Configure the 'primary' ACS to proxy requests to the 'secondary' server based on the domain provided.

    This would require a second ACS server to be set up (you will probably pay an additional fee for the second ACS server). You do not want to configure a proxy distribution table. This would require the user to explicitly indicate the domain name with their user name.

    Kind regards

    ~ JG

    Please evaluate the useful messages

  • ACS - monitor Services

    Hello

    Currently using Windows ACS 4.0 and 1113 Ver4.2 with SNMP patch to allow ping.

    We want to monitor the services using Solarwinds APM; if you set up the template above, you can see SNMP details from the server and services etc.  But it seems to require a user name and password to monitor services, which is not a Windows user name and password.  I tried adding the ACS administrator's user name and password, but it does not monitor the services.

    Is there a certain procedure to monitor the ACS services with a 3rd-party product like Solarwinds?

    Regards

    Craig

    The ACS SE 1113 is a locked-down server. In order to monitor how the services are doing with a third-party utility, you would very probably have to install some type of agent to watch/monitor or even send SNMP traps for the ACS services (which are installed on the operating system).

    ACS already does in itself, if you go to the System Configuration > ACS Service Management > you could configure ACS to contact you in the event of a service failure. You may also send the report of these alerts to a Syslog server: System Configuration > Logging > change the case report.

    Just realized that there is also an SNMP Agent (System Configuration-> Configuration of the device--> SNMP Agent), this could provide some additional information:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp288047

    Keep in mind:

    CSCsj18497 ACS appliance documentation does not list SNMP MIB support

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj27225

    Hope this helps,

  • ACS 4.2 install question - need help

    Hello

    Once ACS 4.2 was installed, the ACS HTML interface stays blank when accessed locally using the desktop icon or by typing http://127.0.01:2002, so I'm not able to configure the user name and password.

    When I accessed ACS from another host via http://10.1.115.222:2002 (10.1.115.222 is the ACS server address), the "username" and "password" prompt appeared. But I am not able to log in, as I don't have a username and password configured.

    When I tried to access it locally via http://10.1.115.222:2002, IE still stays blank.

    Note: OS: Server 2003 in vmware esx, IE 8.0, Java,.

    Thanks in advance!

    Please go to ACS --> Admin --> Session Policy and uncheck --> Allow automatic local login

    Now try to connect.

    Kind regards

    ~ JG

    Note the useful messages

  • Approval of order

    I have ACS Solution Engine. I applied command authorization on the user; for reference, below is the command authorization set

    See command

    version license

    permit from aaa

    permit config

    interface license

    allow xlate

    nat permit

    global license

    permit access list

    Road permits

    IP route help

    permit of vlan brief

    ping permit

    Clear command

    version license

    permit from aaa

    permit config

    interface license

    allow xlate

    nat permit

    global license

    permit access list

    Road permits

    IP route help

    permit of vlan brief

    activate the command

    ping permit

    Now the problem is that the user is able to log in successfully and gets into enable mode, but he is in no way able to ping the network.

    Although I permitted the ping command, the user gets an error:

    ping 172.28.95.2

    Command authorization failed

    I want to allow the user to ping anywhere in the network.

    Please tell me how to do this.

    It should be

    configure---> in the left box

    permit terminal---> in the right box.

  • Why run this program as administrator gray out on properties Compatibility tab?

    Hello

    This option seems to have dimmed recently...

    If I right click, properties, compatibility, run it as admin is now gray.

    I am the only account here, I'm logged on as administrator, I can right click and run as administrator, but not set the compatibility properties checkbox.

    Vista 32 bit Home Premium SP1

    Hi JH1970,

    With UAC, there is no need to elevate permissions to an Administrator any more.  Therefore, I think that's why the options are grayed out with UAC as well.  Try it and let us know if it works.

    Looking forward to hear from you, Kevin
    Microsoft Answers Support Engineer
    Visit our Microsoft answers feedback Forum and let us know what you think.

  • How can you deny the command enable.

    On our current setup, we have this...

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authorization config-commands

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ if-authenticated

    In TACACS, we have each user in a group. Each group has a command authorization set. In the command set, we denied enable, but we are still able to run enable. Other commands that we test work fine. Any suggestions? Are we able to deny enable at all?

    Thank you

    Andrew

    Hi Andrew,

    Add the following commands on the device:

    aaa authorization commands 0 default group tacacs+ if-authenticated

    aaa authorization commands 1 default group tacacs+ if-authenticated

    Rgds

    somishra

  • AAA for switch Cat OS

    Hello

    I have a problem creating shell command authorization for my Cat OS switches. My ACS version is 3.3

    Your help is appreciated

    Thank you

    Jong

    Jong,

    Here are the commands CAT OS

    Defined in function-

    Console > (enable) the RADIUS server [IP] [primary] value

    set tacacs key [key]

    set tacacs attempts [number] (optional)

    set localuser user [user] password [password] privilege 15

    set authentication login local enable

    set authentication login tacacs enable [all | console | http | telnet] [primary]

    set authorization exec enable tacacs+ [deny | none] [console | telnet | both]

    set authorization commands enable [config | all] tacacs+ [deny | none] [console | telnet | both]

    Here is the link for setting up command authorization. This example is for IOS, but once you understand the concept, you should be able to set it up on Cat OS.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    Kind regards

    ~ JG

    Note the useful messages

  • Restriction of VPN AnyConnect Source (Caller-ID)

    Hi all

    I was wondering if it is possible on the ACS or ASA to restrict access to a group policy according to the IP address they come from? For example, if I wanted home users to connect to the external interface of the firewall and authenticate with a token, but if they are in the office to connect to the internal interface and just use LDAP. Both of these options work, but this does not prevent someone at home from authenticating against LDAP from home. I know that RADIUS has the Caller-ID field that has the IP address of the authenticating device. I was wondering if it is possible to use this information on the ASA or ACS to add the control I need. Any ideas?

    Kind regards

    Mike

    Hi Michael,

    you have several options:

    - The ASA indeed sends 2 attributes to a RADIUS server that contain the IP address of the client. This is 'debug radius' when I connect from a client with the IP 192.168.0.98:

    RADIUS: Type = 31 (0x1F) Calling-Station-Id
    RADIUS: Length = 14 (0x0E)
    RADIUS: Value (String) =
    31 39 32 2e 31 36 38 2e 30 2e 39 38 |  192.168.0.98
    ...

    RADIUS: Type = 66 Tunnel-Client-Endpoint (0x42)
    RADIUS: Length = 14 (0x0E)
    RADIUS: Value (String) =
    31 39 32 2e 31 36 38 2e 30 2e 39 38 |  192.168.0.98

    Now, how you configure ACS to generate a different response based on the value of Calling-Station-Id or Tunnel-Client-Endpoint, I don't know (I mean I'm sure you can, but it's been a while since I did anything fancy on ACS); you can ask this question in the AAA forum.

    - If you want the ASA to make the decision, you can do this with CSD (Cisco Secure Desktop - requires a license). CSD lets you create policies based on endpoint (client) attributes such as the version of the installed antivirus, but also the IP address of the client. You may need to use it in combination with DAP (dynamic access policy) to allow/deny access to a certain group, based on CSD endpoint criteria.

    - but for the scenario specific you describe, you might be able to solve this problem by simply specifying interface in the Group of authentication servers.

    That is, if you currently have

    tunnel-group inside general-attributes
    authentication-server-group MyLDAP

    you can change this to:

    tunnel-group inside general-attributes
    authentication-server-group (inside) MyLDAP

    This will cause LDAP to be used only for connections from the inside. Other connections will use LOCAL (so anyone with an account on the ASA will always be able to connect from outside with this group - in order to avoid that, you can create a new aaa server group with a non-existent server and use it for outside authentication).

    Or maybe merge your 2 existing groups into a single one:

    tunnel-group anywhere general-attributes
    authentication-server-group (inside) MyLDAP

    authentication-server-group (outside) MyTokenServer

    HTH

    Herbert
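
The decision described in the answer above (choosing the authentication method from Calling-Station-Id, type 31, or Tunnel-Client-Endpoint, type 66), as an added example that is not part of the original thread and is not ACS or ASA code. The office prefix, the method names `ldap` and `token`, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

CALLING_STATION_ID = 31       # RFC 2865
TUNNEL_CLIENT_ENDPOINT = 66   # RFC 2868

# Assumption for this example: the prefix used by clients inside the office.
OFFICE_NETS = [ipaddress.ip_network("192.168.0.0/24")]


def build_access_request(attrs):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Return {type: [value, ...]} from a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # The length octet counts the type and length octets themselves,
        # which is why the debug output shows 14 for a 12-character address.
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def client_ip(attrs):
    """Client address from attribute 31, falling back to attribute 66."""
    for a_type in (CALLING_STATION_ID, TUNNEL_CLIENT_ENDPOINT):
        for raw in attrs.get(a_type, []):
            # RFC 2868: a first octet up to 0x1F on a tunnel attribute is a
            # tag, not text; anything above it is already part of the string.
            if a_type == TUNNEL_CLIENT_ENDPOINT and raw and raw[0] <= 0x1F:
                raw = raw[1:]
            try:
                return ipaddress.ip_address(raw.decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                continue  # not an IP literal (e.g. a phone number or MAC)
    return None


def required_method(packet):
    """'ldap' only for a client address inside the office, else 'token'."""
    ip = client_ip(parse_attributes(packet))
    if ip is not None and any(ip in net for net in OFFICE_NETS):
        return "ldap"
    # Missing, unparsable or outside address: fail closed to the token.
    return "token"


# Constructed sample packets (not captured traffic).
OFFICE_PACKET = build_access_request(
    [(31, b"192.168.0.98"), (66, b"192.168.0.98")])
HOME_PACKET = build_access_request([(31, b"203.0.113.7")])
TAGGED_PACKET = build_access_request([(66, b"\x01192.168.0.98")])
NO_ADDRESS_PACKET = build_access_request([(1, b"mike")])

if __name__ == "__main__":
    for name, pkt in [("office", OFFICE_PACKET), ("home", HOME_PACKET),
                      ("tagged", TAGGED_PACKET), ("none", NO_ADDRESS_PACKET)]:
        print(name, required_method(pkt))
```
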

  • Connector for Microsoft SharePoint - invalid parameters

    Hi, can anyone help me? When I use the connector for Microsoft SharePoint and enter the SharePoint Server hostname, username, password, and domain name, it throws this error.

    Note: the user I assign permission controls impersonation identity and is an Active Directory user.

    Invalid parameters

    Error: Invalid user ID or user password - adep.spconnector

    See for more information the stack trace



    How can I solve it?

    Thank you.


    Please check the values you are trying to put inside /AdminUI.

    should be like

    HostName: sharepoint.test.com:80

    username: domain\user

    password: *.

    domain: test.com

    This user didn't even need to be in the server of the ADEP. A member of sharepoint user will do.


  • SSO and calculations of the Application

    I'm having a problem with application-level computations and SSO. Here's what's happening. I have an application with some application-level items which must be computed (say an identification number of a certain type) in order for my authorization schemes at the page level to work. I'm having a severe setback when people try to access a specific page in the application vs. the public home page. The authorization checks appear to be fired before the essential application-level computations get to do their job. I have checked and the session fields are null (yet they populate just fine when I start from a public page). I tried before and after the page header, as well as new session, and nothing works; the fields always end up null and the person who did it gets a mean error message denying them access. Can anyone offer ideas here? Perhaps a thought for the next version of APEX: add a processing point for essential operations called "Before authorization checks" that would cause them to be evaluated and run before trying to check your access to pages or the application level.

    Thank you
    David Pulliam

    One option that might work is to initialize the application items needed for the authorizations in a "Post-Authentication" process instead of an "On New Instance" computation.

    CITY
