PIA with domain authentication token.

Similar Questions

• connection problems with an authentication token.

  I have a test application that creates a House of Java. It generates the following authentication token.

  String roomName = "dynamically_created_room1";
  
  Contact collabAcctMngr = new AccountManager (CollaborationConstants.COLLABORATION_ACCT_URL);
  collabAcctMngr.login (CollaborationConstants.COLLABORATION_ACCT_ID, CollaborationConstants. COLLABORATION_ACCT_PASSWORD);
  collabAcctMngr.createRoom (roomName, true); / /: removes the room to the exit
  Session collabSession = collabAcctMngr.getSession (roomName);
  collabSession.secret = CollaborationConstants.COLLABORATION_ACCT_SHARED_SECRET;
  
  String token = collabSession.getAuthenticationToken (CollaborationConstants.COLLABORATION_ACCT_SHARED_SEC PENSION,
  ("jeff -" + "-phelps", "uid1", UserRoles.PUBLISHER);
  
  log.info ("token =" + token);

  The room is created fine.

  I then run my flex app CollaborationTest

  " < = xmlns:fx s:WindowedApplication ' http://ns.Adobe.com/MXML/2009 "
  xmlns:s = "library://ns.adobe.com/flex/spark".
                         xmlns:rtc=" http://ns.Adobe.com/RTC "
  xmlns:MX = "library://ns.adobe.com/flex/mx" >
  < fx:Declarations >
  <! - Place non-visual elements (e.g., services, items of value) here - >
  "< rtc:AdobeHSAuthenticator id ="auth"userName =" "password =" "protocol ="rtmfp"authenticationKey ="{AUTH_KEY}"/ >
  < rtc:RoomSettings id = "roomSettings" self-promotion = "true" guestsMustKnock = "false" / >
  < / fx:Declarations >
  
  < fx:Script >
  
  <! [CDATA]
  
  public const COLLABORATION_ACCT_URL:String = " " https://collaboration.adobelivecycle.com/endlessmind ";
  
  public const AUTH_KEY:String = 'exx = eDpqZWZmLS1waGVscHM6OmVuZGxlc3NtaW5kOnVpZDE6ZHluYW1pY2FsbHlfY3JlYXRlZF9yb29tMTo1MDo 0YTI4NmFjN2FkYzk4ZTI3YTZkNWYwMmVhYWE5ZTgwNzUwYjRiZjFl';
  
  private var testRoomURL:String = " " https://collaboration.adobelivecycle.com/endlessmind/dynamically_created_room1 ";

  protected function button1_clickHandler(event:MouseEvent):void {}
  cSession.roomURL = testRoomURL;
  cSession.login ();
  }

  []] >
  < / fx:Script >
  
  < mx:Panel title = "Test the ability to connect to a room with an authentication key" >
  < s:Button label = "PUSH THE LOGIN" click = "button1_clickHandler (event)" / >
  < rtc:ConnectSessionContainer authenticator = initialRoomSettings '{auth}"="{roomSettings}"id ="cSession' width = '100% '.
  Height = "100%" autoLogin = "false" >
  
  < / rtc:ConnectSessionContainer >
  < / mx:Panel >
  
  < / s:WindowedApplication >

  When I push the button to connect, I got the following exception

  requestInfo https://collaboration.adobelivecycle.com/endlessmind/dynamically_created_room1?Exx=eDpqZWZ mLS1waGVscHM6OmVuZGxlc3NtaW5kOnVpZDE6ZHluYW1pY2FsbHlfY3JlYXRlZF9yb29tMTo1MDo0YTI4NmFjN2FkY zk4ZTI3YTZkNWYwMmVhYWE5ZTgwNzUwYjRiZjFl & mode = x & xml = 0.6030149115249515
  11:51:46 GMT - 0600 #THROWING ERROR # bad authentication key
  Error: Invalid username or password: login again
  at com.adobe.rtc.authentication::AbstractAuthenticator/onLoginFailure() [/ users/arun/work/apo nnusa_theoden.corp.adobe.com_1666/depot/branches/connect/1104/cocomoPlayer10.1/src/com/ado be/rtc/authentication/AbstractAuthenticator.as:200]
  at com.adobe.rtc.authentication::AbstractAuthenticator/onAuthorizationFailure() [/ Users/arun/Work/aponnusa_theoden.corp.adobe.com_1666/depot/branches/connect/1104/cocomoPlayer10.1/src com/adobe/rtc/authentication/AbstractAuthenticator.as:215]
  at com.adobe.rtc.session.sessionClasses::MeetingInfoService/onComplete() [/ users/arun/work/ap onnusa_theoden.corp.adobe.com_1666/depot/branches/connect/1104/cocomoPlayer10.1/src/com/ad obe/rtc/session/sessionClasses/MeetingInfoService.as:331]
  at flash.events::EventDispatcher/dispatchEventFunction()
  at flash.events::EventDispatcher/dispatchEvent()
  at flash.net::URLLoader/onComplete()

  Any help is greatly appreciated.

  Thank you.

  Jeff

  I watched the news and I see a lot of message about invalid tokens. The main reason is usually that the 'shared secret' you use is bad. If please, check the value for the secret shared in the DevPortal and make sure it is what you use in your application.

  Also, remember that the external authentication tokens are 'one shot': they are valid for the duration of a single session of the specified room, so if you start a room, stop it and start it again, you will have to generate new tokens.

• Custom authentication tokens

  "Adobe Flash Access Overview on protected streaming" white paper States the following:

  Flash Access supports the business logic of the licensing stage decoupling based on the chips in use with Flash Media Server deployments. For example, when users visit a web portal for rental or to subscribe to the content, they may need to authenticate by providing a user ID and password to confirm their registration. They might also need a financial transaction. The web portal enters the results of these operations in an authentication token that is sent to the client application. The customer can then include the token in the licence application. The license server checks the authenticity of the token before issuance of the licence. Check token is stateless and was completed independently by each server without reference to a database or another shared state. Token is based on a secret or public key shared infrastructure (PKI).

  This raises the following questions:

  • How the web portal must generate the token?  This is a serialized AuthenicationToken or some other binary token?
  • If it's an AuthenicationToken, then how the web portal must generate a token such as this feature is part of the license server?
  • How the chips are based on a shared secret or PKI? What is incorporated into the class AuthenticationToken ?

  As I read, the paragraph refers to the regime "of custom authentication", not the authentication scheme name of user/password supported and as such, it is not to use serialized Flash Access AuthenticationTokens.  What is meant by "custom authentication" is quite honestly, not very clear in the documentation. I believe that the following scenerios should work, if I would be interested in your comments from anyone:

  In the first scenario, the "portal" should generate a custom binary token and pass this token to the client flash in response. How the token is passed is an exercise left to the reader. It could be loaded via a cookie, JavaScript or ActionScript. It doesn't really matter. Nevertheless, the token is eventually read by the Flash client and applied using the DRMManager.setAuthenticationToken (...) method. The license server must then retrieve the token by using RequestMessageBase.getRawAuthenticationToken (...).  In this case, the token format is completely defined by the developer or provider. The flash never access client issues a query for the authentication License Server Manager (/flashaccess/authentication/v1 / *).

  A second case, which I am not sure would work, would be the flash client requests a token for authorization as usual, using DRMManager.authenticate (...), but the license server authentication requests handler returns a token custom instead of a serialized AuthenticationToken. The workflow would then proceed as described in the first case.

  A third case, the Flash client is able to authenticate with the name of user and password standard schema, but the license server may ignore the username/password real name (data can be same passwords and usernames dummy). The license server would generate an AuthenticationToken, but would benefit from ApplicationProperies to store its information "custom token. The token would be then sent back to the customer and in turn transmitted to the same license server. The license server then inspect AuthenticationToken.getCustomProperties to determine the appropriate course of action.

  No matter what scenario is used, I have a few concerns with custom authentication tokens:

  First of all, this forum has several questions about custom authentication tokens. The documentation is not clear on what is intended and how exactly these tokens must be produced, transferred and consumed. It would be very useful for Adobe to provide an example with its reference implementation code.

  Second, as developers of server Flash Access License remain to design their own authentication scheme customized, there is a real concern that the invented approach can be precarious, allowing re-use of authentication tokens. A published set of best practices would help to ensure custom tokens are generated in a way that does not leak the information, allow attacks by replay or session hijacking.

  Finally, there seems to be some confusion about the use of tokens for authentication and authorization. The reference implementation clearly only use them for authentication, as the RefImplLicenseReqHandler makes additional checks the database for the authenticated user is allowed (subscriber) to access the content.  However, the paragraph quoted above suggests using these tokens for authentication and authorization. At least, that's what I understand by the notion that "audit token is stateless and was completed independently by each server without referring to a database or other shared state. I don't see how that's possible, unless the token contains authentication and authorization information. I'm wrong?

  I appreciate the thoughts of someone else on the custom authentication tokens. Thank you.

  -Aaron J

  The workflow for "custom authentication" is exactly what you described in your first scenario.  Namely, the client application gets a token through certain channels and calls DRMManager.setAuthenticationToken (...) to provide the token. When the client requests a license from the license server, this token is included in the request. The server application calls RequestMessageBase.getRawAuthenticationToken (...) for the access token and perform any validation is required for this type of token before issuing the permit. With a custom authentication, the SDK AuthenticationToken class is not used - this class is only used to represent the authentication tokens issued by using the name of user and password Flash Access authentication scheme.  A custom authentication token can be binary data - the Flash Access SDK is not involved in the generation or to consume these chips - it's your server implementation to manage the following steps.

  The motivation behind the 'custom authentication' scheme is not to force content providers to invent a new way to authenticate users, but to allow you to take advantage of all infrastructure you already have in place.  For example, if you are already running the SAML tokens to authenticated users, you can continue to do so, and you would just plug the SAML validation code in your license server. As a general rule, an authentication token is signed to prevent tampering. It would be possible to generate a signature using a symmetric key or with a private key. Then, checking on the server would involve checking the signature, either by using the same shared symmetric key or with the public key corresponding to the private key. (This is what is meant by 'token is based on a secret or public key shared infrastructure (PKI) ")

  Although the API reference to "authentication tokens", it would also be possible to take advantage of this authorization mechanism. For example, if you have a web portal to access the information on which a user is allowed to access the content, the Portal could issue an authorization token that says that the user X is allowed to play the content Y and Z. When the license server receives this token in a license application for content, simply, check the token is still valid and that the token States it is allowed to grant access to the content Y. This workflow, the license server doesn't have access to the database that contains authorization information, making it easier to deploy the server in a highly scalable way.

  Is this address your questions and concerns?

• Creation of rooms with external authentication

  My application works like this: each user has its own bathroom, and I needed to let them publish and subscribe, but do not have (and does so not sup rooms). So they connect on my site, get an auth token of LCC, and then create a ConnectSession with this authentication token. But unless I have getAuthenticationToken with 100 owner privileges, it fails with

  not sufficient permissions to create a new CollectionNode. You must be the OWNER of the room to add new multiuser features to it. Connect with the developer credentials to do this.

  So what I need to know is how

  (A) create a room for the user by using external authentication

  (B) allow the user to connect to this room with Publisher privileges after obtaining an auth token.

  (C) allow other users to connect to this room with Publisher privileges after having received the same authentication token.

  Any help greatly appreciated and samples of code please!

  
  

  Hello

  That certainly should not. We will ignore all aspects of authentication

  here and just assumed that you always come as an EDITOR, since this

  should be able to work.

  I just crossed the workflow using the Console from the room and was able to

  get this to work. A couple of control points:

  (1) can you log in the templateroom room in the Console room and check on

  the Explorer tab it has a CollectionNode put in place for the cat? (it will be

  named "xxx_SimpleChat")

  (2) I am reading this right, you have named the new model

  "templateroom" as well? Maybe try to name "templateapp" instead?

  (3) once you have created a templateapp in the Console room, try adding a new

  room to it via the Console (the button "Add" in the column of rooms). Sign in to

  the new room, you just created and check his tab Explorer - just it

  with the collectionNode you saw in your style room?

  I'm sure that we will find explanations - thank you for hanging there!

  Nigel

• ASA: group lock with NT domain authentication.

  Hello!

  We have an ASA5510. I put two group for remote VPN, and both use NT domain authentication. How can I define tunnel-group lock for users in both group.

  How can I lock the user to the group. Is there a configuration in Active Directory to set the Group of users.

  I don't know what the solution is, I found nothing.

  Please help, thanks!

  Gabor

  The field 'Department' as I spoke with would be an attribute assigned to the user account in Active Directory.

• ACS 5.2 PEAP with the authentication of the computer

  Can someone point me in the direction of a good guide for configuring PEAP with Machine authentication to connect to the domain?

  This is a clean install on a new installation of 5.2.

  We move from 4.X to 5.2 and I want to make sure I don't miss anything.

  Thanks in advance for any help.

  Basics of infrastructure;

  • 440 x & 5508
  • ACS 5.2 VMWare
  • AD is used as the external database for the PEAP and Machine auth.

  This link might help.  I would like to know if that's what you're looking for.  It is not the exact game until you use but should be a grand of the directive.

  http://wnbu-press.Cisco.com/files/2010/09/CUWN_PEAPv1.PDF

  Grace and peace,

  Robert Roulhac Jr E

• Cross domain authentication does not?

  Hello community,

  I ran into a problem with authentication and am confused if it's something that in our configuration, or if it is seen elsewhere as well?

  Scenario:
  1. a service account for installation used, who has access to read for the 3 areas in question. The account itself is one of the 3 areas (not sure if this is the origin of the question, but somehow in doubt).

  2. a single tenant with 3 mounting identity, one for each region stores, all configured exactly the same way;

  Question:
  
  

  Users not in the same domain as the systems (which is also the same domain as the service account), cannot connect. There is no error thrown to the logon screen, after a moment of the authentication attempt, the user is with the login screen allowed out again. If I add accounts, which are not members of a handful of groups, they can identify.

  According to the guidelines of VMware, the problem with no authentication is possible that if a user is a member of about 100 nested groups should be solved with update 1, we have applied as well.

  Device name: VMware vCAC device
  Version of the device: 6.0.1.0 build 1569764

  Device name: identity of VMware Appliance
  The unit version: 2.0.1.0 build 1545089

  Thanks for any advice you may have.

  Bij

  Solved this problem by changing the configuration to use only the tenant default and thereby using Native AD authentication. I hope that it might help others who see similar problems.

• Development Center of V with domain Senario

  Hello

  Creating im V Center 5 with domain Senario as he said VMWare recommends.

  In our environment, we have a domain but I build a windows 2008 r2 with the domain role.

  My question was... what happens if the domain is not available or the accident.

  I could connect Center v and to work normally with the local account of v Center Server can.

  Because in this senario, I have to keep availability high for both machines.

  Infact, that both are a physical machine for the reason that I've read about problems of Virtual center with VDS environment v.

  Thanks in advance

  My question was... what happens if the domain is not available or the accident.

  In general, we have several role in AD, there will be a minimum of 2 DC (primary and child) to avoid the single point of failure.

  some common question:

  1. If the domain is not available, fails to domain-based user authentication, users will be unable to connect to the server.

  2. If the DNS is intergarated with domian, internal dns resolution will not work. ESXi solve with this DNS cut temporary if dns with domain name is configured and that you have not entered in the resolve.conf host.

  3 problem of synchronization time if time is configured for direct current.

  Any resource using ad authentication will not abe accessible.

  I could connect Center v and to work normally with the local account of v Center Server can.

  Yes, you should even be able to connect via IP and local accont Vcenter and also databases to your server must be authenticated through sql authentication.so database authentication will not have questions.

  Infact, that both are a physical machine for the reason that I've read about problems of Virtual center with VDS environment v.

  Just a note:

  This should not be a problem, all the virtual machine running, only thing is vds will not be able to manage and you can will a migration of the vds to vss without interruption for virtual machines. and this about AD down, you VM goes upward, but dns, ad authentication question will be there.

  refer to this link below from vds - test failure vcenter - I did this test and vcenter failure, this should not be an obstacle for the virtual machines to work.

  http://www.yellow-bricks.com/2012/02/08/distributed-vSwitches-and-vCenter-outage-whats-the-deal/

• user with external authentication

  Hello!
  
  The DB is running on AIX.
  AIX uses the single sign on with MS Active Directory.
  
  Is it possible for users to start the application on a Windows PC here and connect to the DB using MS AD password here?
  Or even without any password at all?
  
  I created a user ops$ myuser, myuser is an AIX user authenticated via MS AD.
  I can connect to AIX with "sqlplus / ' without being prompted to enter the password.
  
  But when I try to connect to the DB with this my Windows PC user authentication does not work.
  
  Someone at - it experience with this constellation?
  
  BTW, we do not have Oracle Internet Directory
  
  BR
  Daniel
  
  Published by: user641444 on May 19, 2011 06:04

  I have a similar setup and it had worked, connect Windows 'sqlplus /@connect_string_database' worked well against the database unix/vms.

  Maybe problem with domains or subdomains or database such as remote_os_authent parameter (set it true)

  HTH
  Antonio NAVARRO

• Computer format Microtour HP Pro 3010: Hp Support Assistant and LAN with Proxy authentication

  Dear friends,

  I would only know if and how I can 'use' Hp Support Assistant in my office desktop pc, because my desktop pc itself works in the breast of a LAN with proxy authentication.

  Thank you, Paolo ([Personal Information Removed)

  Hello

  Welcome to the HP Support forum!

  Yes, you can use it as long as the desktop PC is HP branded.

• Change password with the password token does not work

  My mother lost her password. So, we asked an e-mail with a password token and clicked on the link in the mail. Responses from the site sorry this token of password is not recognized, please try retyping or get password another token. Then we have copied and pasted the token giving the same result.

  We did this three days after another. So every day we ask you an email with a password token, and every day the site said us sorry this token of password is not recognized, please try retyping or get password another token.

  The system of resetting password with a token does not, at least not in the Netherlands. Does anyone have an idea how to solve this problem?

  Sorry, but the mentioned page asks you to connect with your name Skype and password, so that we cannot further. My mother has a balance of Skype credit that she doesn't use anymore.

  What is the problem with the password reset procedure?

  OK, after a very good conversation with Cherry B we discovered that the account is a Windows Live account, then we should change the password in Windows Live. The password reset procedure could mention this...

• Authentication Radius Cisco with Windows NAP with encrypted authentication

  I need authentication radius configuration for Cisco IOS devices for device management. My radius server is on Windows 2008 R2.

  Can I implement this with encrypted authentication? In the attached diagram, can what protocol I use for encrypted authentication?

  According to some sites, we need activate authentication in clear text. All those put in place secure as MSCHAP authentication?

  Hello

  You activate the text authentication (PAP) clear. Don't forget Ray sends the username in clear but encrypts the password. You can confirm this take a wireshark capture. You will also get the RADIUS encryption using a key to Ray long and complex.

  If you want to encrypt the user name and password, then you would use GANYMEDE

  Thank you

  John

• Call the web service with Digest authentication

  Hello

  I JDevelper 12.2.4, I need build the java class to call the web service with Digest authentication.

  Any suggestion?

  Refer to:

  http://StackOverflow.com/questions/14896324/consuming-WCF-service-with-Digest-authentication-from-Java

• form with smtp authentication

  When muse updated it contact form with smtp authentication, must that cause of change encoding manually is a big problem for a lot of people I've read about community support for third party servers. I wish that adobe would add this feature in the Muse as soon as possible. We took muse especially if we could not do coding

  Muse requires PHP sendMail to be supported. Please feel free to add to our ideas section.

  Thank you

  Sanjit

• Problems with external authentication!

  Hi all!

  I tried to experiment with external authentication with PHP using the examples provided with the LCCS SDK Navigator.

  I changed the page "index.php" to include all my account info. and checked twice!  However, when I download on my server, I get the following error every time I click on the button send the form:

  Warning: fopen() [function.fopen]: URL file-access is disabled in the server configuration in /home/tueslcom/public_html/LoginTest2/lccs.php on line 690

  Warning : fopen (https://collaboration.adobelivecycle.com/myusername? mode = xml & accountonly = true &) [function.fopen]: failed to open stream: no suitable wrapper could be found in/home/tueslcom/public_html/LoginTest2/lccs.php on line 690

  Fatal error : Eception exception 'RTCError' with the message "connection failed" in /home/tueslcom/public_html/LoginTest2/lccs.php:695 trace stack: #0 home/tueslcom/public_html/LoginTest2/lccs.php(587): RTC::http_get('https://collabo...', Array) #1 home/tueslcom/public_html/LoginTest2/lccs.php(254): RTCAccount-> do_initialize() #2 home/tueslcom/public_html/LoginTest2/index.php(33): RTCAccount-> __construct ('https://collabo...') #3 {main} thrown in /home/tueslcom/public_html/LoginTest2/lccs.php on line 695

  I have some experience with PHP, however, through lccs.php and trying to reverse engineer everything to know what is happening is a bit beyond my skill level!  Any idea what could be past/missing here?  It seems that this should be a no-brainer!

  Thanks in advance for any help that anyone can give.

  Matt

  No, it's really that on a certain system curl works and waterways only and on some curl does not work.

  I chose the 'flow' as a default way because that's what worked on my machine

  There is really no difference in how the two methods work, they are all two the same way https requests and curl is one of the best clients available http anyway.

  -Raffaele