Apologies for yet another AD integration question :)
I've got a fresh install of JasperReports Server 5.2 on Windows Server 2008 R2 and I'm trying to configure AD authentication but logins always fail.
I've copied the sample applicationContext-externalAuth-LDAP.xml file into the WEB-INF folder and customised it:
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg><ref local="ldapContextSource"/></constructor-arg>
<property name="userSearch" ref="userSearch"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
<constructor-arg index="1"><value></value></constructor-arg>
<property name="groupRoleAttribute" value="cn"/>
<property name="groupSearchFilter" value="((member={0})(objectClass=group))"/>
<property name="searchSubtree" value="true"/>
<!-- Can setup additional external default roles here <property name="defaultRole" value="LDAP"/> -->
</bean>
</constructor-arg>
</bean>
<bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0">
<value></value>
</constructor-arg>
<constructor-arg index="1">
<value>((sAMAccountName={0})(objectClass=user))</value>
</constructor-arg>
<constructor-arg index="2">
<ref local="ldapContextSource" />
</constructor-arg>
<property name="searchSubtree">
<value>true</value>
</property>
</bean>
<bean id="ldapContextSource" class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
<constructor-arg value="ldap://hostname:389/dc=domain,dc=local"/>
<!-- manager user name and password (may not be needed) -->
<property name="userDn" value="Administrator"/>
<property name="password" value="password"/>
</bean>
Actual Hostname, Domain name and Password have been removed in the above, our AD is set up a bit strangely in that users are spread across several OUs so I've left the branch DN properties empty and attempted to limit the search to entries with a certain objectClass (user or group).
I've enabled debug level logging for org.springframework.security and com.jaspersoft.jasperserver.api.security but I'm not getting anything particularly informative in the logs:
2013-09-03 10:12:32,882 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:252 - Request is to process authentication
2013-09-03 10:12:32,884 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using org.springframework.security.providers.ldap.LdapAuthenticationProvider
2013-09-03 10:12:32,888 DEBUG FilterBasedLdapUserSearch,http-bio-80-exec-6:109 - Searching for user 'username', with user search [ searchFilter: '((sAMAccountName={0})(objectClass=user))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-09-03 10:12:32,905 DEBUG SpringSecurityLdapTemplate,http-bio-80-exec-6:197 - Searching for entry in under DN 'dc=domain,dc=local', base = '', filter = '((sAMAccountName={0})(objectClass=user))'
2013-09-03 10:12:32,933 DEBUG ProviderManager,http-bio-80-exec-6:183 - Authentication attempt using com.jaspersoft.jasperserver.api.security.internalAuth.InternalDaoAuthenticationProvider
2013-09-03 10:12:32,940 WARN LoggerListener,http-bio-80-exec-6:60 - Authentication event AuthenticationFailureBadCredentialsEvent: username; details: org.springframework.security.ui.WebAuthenticationDetails#21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: F8EA36A4CF952E3DE41E7211B4EB529D; exception: Bad credentials
2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:406 - Updated SecurityContextHolder to contain null Authentication
2013-09-03 10:12:32,941 DEBUG BaseAuthenticationProcessingFilter,http-bio-80-exec-6:412 - Authentication request failed: org.springframework.security.BadCredentialsException: Bad credentials
2013-09-03 10:12:32,943 DEBUG HttpSessionContextIntegrationFilter,http-bio-80-exec-6:255 - SecurityContextHolder now cleared, as request processing completed
Any suggestions gratefully received, I've played around with the settings in the externalAuth XML file but nothing seems to make a difference to the log or the login failures.
Cheers, Matt
Generally speaking when doing ldap searches on AD the only time a baseless search will work is when talking to the GC.
Try putting in the base of DC=domain,DC=local this should still search over your entire domain .
Also in your user and group searches it appears you are missing the & needed after the first (.
e.g.
<property name="groupSearchFilter" value="(&(member={0})(objectClass=group))"/>
and
<constructor-arg index="1">
<value>(&(sAMAccountName={0})(objectClass=user))</value>
</constructor-arg>
One last thing that I have seen that helps with the Spring LDAP is to use the DN for the bind account.
e.g.
HTH
Related
I have a Spring app that runs in Tomcat and connects okay to a JNDI configured datasource. I'm trying to get my Apache Camel app to do the same.
Tomcat context.xml
<ResourceLink global="jdbc/deapplication-datasource" name="jdbc/deapplication-datasource" type="javax.sql.DataSource"/>
Tomcat server.xml
<Resource name="jdbc/deapplication-datasource"
auth="Container"
type="javax.sql.DataSource"
maxTotal="50" maxIdle="30" maxWaitMillis="10000"
username="yada" password="nada"
driverClassName="oracle.jdbc.driver.OracleDriver"
url="jdbc:oracle:thin:#//test-cluster:1521/foo.bar.ca"/>
camel-config.xml
<!-- JNDI connection fails with Tomcat localhost (works in our testing/WebLogic environment -->
<bean id="dataSourceHello" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName" value="java:comp/env/jdbc/deapplication-datasource"/>
</bean>
<!-- manual config works
<bean id="dataSourceHello" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="oracle.jdbc.OracleDriver" />
<property name="url" value="jdbc:oracle:thin:#//test-cluster:1521/foo.bar.ca" />
<property name="username" value="yada" />
<property name="password" value="nada" />
</bean>
-->
Java/Camel code:
from("direct:healthCheckDb")
.log("0")
.setBody(simple("select * from dual"))
.log("1")
.to("jdbc:dataSourceHello")
.log("2")
Tomcat log:
2022-06-13 12:07:49,879 INFO - 0
2022-06-13 12:07:49,881 INFO - 1
2022-06-13 12:07:50,444 ERROR - Failed delivery for (MessageId: ID-IT-DEV-VM-112-1655147269874-0-1 on ExchangeId: ID-IT-DEV-VM-112-1655147269874-0-1). On delivery attempt: 0 caught: org.apache.camel.CamelExecutionException: Exception occurred during execution on the exchange: Exchange[ID-IT-DEV-VM-112-1655147269874-0-1]
2022-06-13 12:07:50,456 ERROR - null org.apache.camel.CamelExecutionException Exception occurred during execution on the exchange: Exchange[ID-IT-DEV-VM-112-1655147269874-0-1]
Tomcat and the app start up okay, but when I hit the restful path to test healthCheckDb it fails after log 1 but before log 2 (as you probably noticed above). The same statement works if I use the manual configured datasource. But I'd prefer to use the same setup as we use for WebLogic so I don't have to keep uncommenting and commenting the camel-config.xml file.
(Side note: after hours of research, have not seen 2 web pages agree on how to configure Tomcat JNDI for a datasource).
Possible to get Camel working with JNDI?
I am trying to implement a distributed transaction (XA) in JBoss EAP 6.2 application server so that multiple datastores can be accessed in a single coordinated atomic transaction. To be more precise, I'd like my transactional service method to write to a database table and to a message queue in such a way that these two operations are either both committed or both rolled back consistently (all or nothing).
My approach is based on the following:
Use Spring JTA Transaction Manager
Configure the entity manager to use an XA JDBC datasource, defined in JBoss application server and accessed via a JNDI name
Use ActiveMQ XA Connection Factory for messaging
The problem I am facing is that only the database operation is rolled back. The message written to ActiveMQ queue is always commited regardless of the transaction being rolled back or not.
Key elements of my configuration:
<tx:jta-transaction-manager/>
<bean id="entityManagerFactory"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="jtaDataSource" ref="xaDataSource" />
...
<property name="jpaProperties">
<props>
...
<prop key="hibernate.transaction.manager_lookup_class">org.hibernate.transaction.JBossTransactionManagerLookup</prop>
</props>
</property>
</bean>
<jee:jndi-lookup id="xaDataSource" jndi-name="xaDataSource"/>
<bean id="xaConnectionFactory" class="org.apache.activemq.ActiveMQXAConnectionFactory">
<property name="brokerURL">
<value>tcp://localhost:61616</value>
</property>
</bean>
<bean id="jmsTemplate" class="org.springframework.jms.core.JmsTemplate">
<property name="connectionFactory" ref="xaConnectionFactory" />
<property name="defaultDestinationName" value="TEST_QUEUE" />
<property name="sessionTransacted" value="true"/>
</bean>
I finally got this working. The key was to configure the JMS connection factory within a JBoss Resource Adapter. Detailed steps below:
1. Install Apache ActiveMQ
Version used: 5.11.3
Detailed install instructions can be found here.
Once ActiveMQ installed, Create a queue named TEST_QUEUE (use admin console: http://127.0.0.1:8161/admin/index.jsp)
2. Set up Spring application context
Key elements:
Use Spring JTA Transaction Manager tag: this will prompt the use of
the app server transaction manager;
Configure the datasource bean to use the XA datasource defined in the app server (see XA JDBC datasource setup);
Wire the jtaDataSource attribute of the Entity Manager Factory to the XA datasource;
Set Hibernate property manager_lookup_class to JBossTransactionManagerLookup;
Configure the connection factory bean to use the XA connection factory bean defined in the app server (see XA Connection Factory setup);
Set property transactedSession of connection factory bean to false.
e
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:jpa="http://www.springframework.org/schema/data/jpa"
xmlns:jms="http://www.springframework.org/schema/jms" xmlns:jee="http://www.springframework.org/schema/jee"
xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd
http://www.springframework.org/schema/jms http://www.springframework.org/schema/jms/spring-jms.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee.xsd">
<jpa:repositories base-package="com.company.app.repository" />
<context:component-scan base-package="com.company.app" />
<tx:annotation-driven transaction-manager="transactionManager"/>
<tx:jta-transaction-manager/>
<bean id="entityManagerFactory"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="jtaDataSource" ref="xaDataSource" />
<property name="packagesToScan" value="com.company.app.domain" />
<property name="persistenceProviderClass" value="org.hibernate.ejb.HibernatePersistence" />
<property name="jpaVendorAdapter">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="databasePlatform" value="org.hibernate.dialect.Oracle10gDialect" />
</bean>
</property>
<property name="jpaProperties">
<props>
<prop key="hibernate.transaction.manager_lookup_class">org.hibernate.transaction.JBossTransactionManagerLookup</prop>
</props>
</property>
</bean>
<jee:jndi-lookup id="xaDataSource" jndi-name="jdbc/xaDataSource"/>
<bean id="xaConnectionFactory" class="org.springframework.jndi.JndiObjectFactoryBean">
<property name="jndiName" value="activemq/ConnectionFactory" />
</bean>
<bean id="jmsTemplate" class="org.springframework.jms.core.JmsTemplate">
<property name="connectionFactory" ref="xaConnectionFactory" />
<property name="defaultDestinationName" value="TEST_QUEUE" />
<property name="sessionTransacted" value="false"/>
</bean>
3. Set up application server (JBoss)
For a distributed transaction to work, all the datasources involved must be of type XA. JBoss supports JDBC XA datasource (xa-datasource tag) out of the box. The XA configuration for JMS datasource is achieved by defining appropriate Resource Adapter.
3.1. XA JDBC datasource
In standalone.xml under <subsystem xmlns="urn:jboss:domain:datasources:1.1"> <datasources> add an XA JDBC datasource:
<xa-datasource jndi-name="java:/jdbc/xaDataSource" pool-name="jdbc/xaDataSource" enabled="true">
<xa-datasource-property name="URL">
jdbc:oracle:thin:#<hostname>:<port_number>/<SID>
</xa-datasource-property>
<xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>
<driver>ojdbc6-11.2.0.3.jar</driver>
<security>
<user-name>db_user</user-name>
<password>password</password>
</security>
</xa-datasource>
3.2. XA Conncection Factory
Resource adapters are a concept from the J2EE Connector Architecture (JCA) and are used to interface with Enterprise Information Systems, i.e. systems external to the application server (e.g., relational databases, mainframes, Message-Oriented Middleware, accounting systems, etc.).
First you need to install ActiveMQ RAR (Resource adapter ARchive) in JBoss, by dropping the appropriate RAR file from maven central under \standalone\deployments. Then, in standalone.xml, under <subsystem xmlns="urn:jboss:domain:resource-adapters:1.1"> add the following:
<resource-adapters>
<resource-adapter id="activemq-rar.rar">
<archive>
activemq-rar-5.11.3.rar
</archive>
<transaction-support>XATransaction</transaction-support>
<config-property name="Password">
admin
</config-property>
<config-property name="UserName">
admin
</config-property>
<config-property name="ServerUrl">
tcp://localhost:61616?jms.rmIdFromConnectionId=true
</config-property>
<connection-definitions>
<connection-definition class-name="org.apache.activemq.ra.ActiveMQManagedConnectionFactory" jndi-name="java:/activemq/ConnectionFactory" enabled="true" pool-name="ConnectionFactory">
<xa-pool>
<min-pool-size>1</min-pool-size>
<max-pool-size>20</max-pool-size>
<prefill>false</prefill>
<is-same-rm-override>false</is-same-rm-override>
</xa-pool>
</connection-definition>
</connection-definitions>
</resource-adapter>
</resource-adapters>
For further details about installing ActiveMQ RAR in JBoss, refer to RedHat documentation.
4. Make your Service method Transactional
#Service
public class TwoPhaseCommitService {
#Autowired
private EmployeeRepository employeeRepository;
#Autowired
private JmsTemplate jmsTemplate;
#Transactional
public void writeToDbAndQueue() {
final Employee employee = new Employee();
employee.setFirstName("John");
employee.setLastName("Smith");
// persist entity to database
employeeRepository.save(employee);
// write message to TEST_QUEUE
jmsTemplate.send(new MessageCreator() {
public Message createMessage(Session session) throws JMSException {
return session.createTextMessage(employee.getFirstName());
}
});
// To test rollback uncomment code below:
// throw new RuntimeException("something went wrong. Transaction must be rolled back!!!");
}
}
I am using Websphere mq v 7.5. When I try to send message to Queue, I get following error :
JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED')
Provided Username and password are wrong.
I don't have any credentials to provide as it doesn't ask at time of installation. My camel-context configuration is given below:
<bean id="webspheremq" class="org.apache.camel.component.jms.JmsComponent">
<property name="connectionFactory" ref="myConnectionFactory"/>
</bean>
<bean id="myConnectionFactory" class="com.ibm.mq.jms.MQQueueConnectionFactory">
<property name="hostName" value="mqhost"/>
<property name="port" value="1417"/>
<property name="queueManager" value="QM1"/>
<property name="channel" value="SYSTEM.DEF.SVRCONN"/>
<property name="transportType" value="1"/>
</bean>
The 2035 error you received will have more information to explain it in the queue manager error log. The fact that the JMS error message mentions a user ID and password is misleading, it could be one of a number of security failures, not necessarily that one, I suspect you are being caught by a default security rule (CHLAUTH rule) that bans the use of SYSTEM channels.
Look in your queue manager AMQERR01.LOG and then read the following post for more help on how to deal with a failure caused by a CHLAUTH rule.
I'm being blocked by CHLAUTH - how can I work out why?
I'd like to know if somebody has successfully got ESB connecting to a BAM that uses LDAP for authentication, and how. In other words: what're the necessary permissions to publish events in a BAM server?
We've installed ESB 4.6.0 and BAM 2.2.0, and both of them are configured to use LDAP (it's an Active Directory) for user management.
We've followed as much as possible this documentation (has some outdated/wrong instructions though) http://docs.wso2.org/wiki/display/ESB450/Configuring+External+User+Stores
Since ESB sends events to BAM, there is a BAM Profile created, that needs a valid user and password to connect to BAM Server. Therefore we've created specific users for that. Those users where configured to belong to the admin group by adding them to the default admin role (the one specified in the user-mgt.xml file shown below) but the connection between ESB and BAM fails with:
TID: [0] [BAM] [2013-05-07 12:50:58,802] INFO {org.wso2.carbon.databridge.core.DataBridge} - wso2_dev_server connected {org.wso2.carbon.databridge.core.DataBridge}
TID: [0] [BAM] [2013-05-07 12:50:58,847] ERROR {org.wso2.carbon.databridge.core.internal.authentication.Authenticator} - wrong userName or password {org.wso2.carbon.databridge.core.internal.authentication.Authenticator}
while direct login into the Management Console (same credentials) works:
TID: [0] [BAM] [2013-05-07 14:10:48,570] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'wso2_dev_server#carbon.super [-1234]' logged in at [2013-05-07 14:10:48,570+1200] from IP address 172.26.34.38 {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil}
To make it even funnier, communication between ESB and BAM works if I use MY credentials instead.
Thanks in advance.
This is our user-mgt.xml file:
<UserManager>
<Realm>
<Configuration>
<AdminRole>wso2_admin</AdminRole>
<AdminUser>
<UserName>gherrera</UserName>
<Password></Password>
</AdminUser>
<EveryOneRoleName></EveryOneRoleName> <!-- By default users in this role sees the registry root -->
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
<Property name="MultiTenantRealmConfigBuilder">org.wso2.carbon.user.core.config.multitenancy.SimpleRealmConfigBuilder</Property>
</Configuration>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
<Property name="ReadOnly">true</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="ConnectionURL">ldap://activedirectoryserver:389</Property>
<Property name="ConnectionName">CN=someadminuser,OU=Service Accounts,OU=mycompany Users,DC=mycompany,DC=co,DC=nz</Property>
<Property name="ConnectionPassword">someadminuserpassword</Property>
<Property name="passwordHashMethod">PLAIN_TEXT</Property>
<Property name="UserSearchBase">DC=mycompany,DC=co,DC=nz</Property>
<Property name="UserNameListFilter">(objectClass=person)</Property>
<Property name="UserNameAttribute">sAMAccountName</Property>
<Property name="ReadLDAPGroups">true</Property>
<Property name="GroupSearchBase">OU=mycompany Groups,DC=mycompany,DC=co,DC=nz</Property>
<Property name="GroupNameListFilter">(objectClass=group)</Property>
<Property name="GroupNameAttribute">cn</Property>
<Property name="MembershipAttribute">member</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
<Property name="maxFailedLoginAttempt">3</Property>
</UserStoreManager>
<AuthorizationManager
class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
<Property name="AdminRoleManagementPermissions">/permission</Property>
<Property name="AuthorizationCacheEnabled">true</Property>
</AuthorizationManager>
</Realm>
</UserManager>
I am trying to do LDAP authentication using spring security 2.0.3
Here is my configuration
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://IP:3268"/>
<property name="base" value="dc=alliance",dc=com,OU=Users,OU=India"/>
<property name="userDn" value="sAMAccountName=username" />
<property name="password" value="password" />
</bean>
<bean id="ldapProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
<sec:custom-authentication-provider/>
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<!--<property name="userSearch" ref="ldapSearchBean"/>-->
<property name="userDnPatterns">
<list><value>sAMAccountName={0}</value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource"/>
<constructor-arg value="ou=groups"/>
<property name="groupSearchFilter" value="member={0}"/>
<property name="groupRoleAttribute" value="ou"/>
<property name="rolePrefix" value="ROLE_"/>
<property name="searchSubtree" value="true"/>
<property name="convertToUpperCase" value="true"/>
</bean>
</constructor-arg>
</bean>
Maven entry set is as below
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>2.0.3</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap</artifactId>
<version>1.2.1</version>
</dependency>
Exception I am getting is
[BindAuthenticator,2329165#qtp-24103634-0] - Failed to bind as sAMAccountName=csepena: org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Where should i mention domain name?
If you search online for the error message, you will find something like this page of Active Directory errors, which lists your error at the top:
Common Active Directory LDAP bind errors:
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0×525 – user not found
DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
So according to AD, the user doesn't exist. You've tried to use sAMAccountName attribute as part of a DN pattern, which won't work as it is an LDAP attribute. You need to use a search to first locate a user by the value of this attribute. There are examples on how to do that elsewhere on this site and on the web. It looks like you already tried, since you commented out a search bean. If that didn't work you should have explained what went wrong in your question.
In fact, it seems likely that it failed because there are some things wrong with your context source. The value for the userDn property is wrong. It needs to be a valid distinguished name in the directory, which "sAMAccountName=username" is not. The "base" property also looks incorrect. It should generally be a tree where the root (dc=mycompany,dc=com is at the end). So it should probably be ou=mygroup,ou=mycountry,dc=mycompany,dc=com.
Finally, you shouldn't be using version 2.0.3. It has known security vulnerabilities. Always keep up to date with patches and new versions of libraries you are using - number 6 in the OWASP "top ten". It also makes sense to check the latest version in case you're encountering a bug which has been fixed.