Kerberos Authentication ignores expired credentials?

JDK: J2SE 1.4.2
OS: Win 2000
I have an app that uses JAAS Kerberos for Authentication and it seems that the reference implementation from sun for Krb5LoginModule is not respecting when the credentials cache has expired.
Without the useTicketCache="true" option in my login context config file, my app always pops up SWING dialogs to capture the user id and password to authenticate to the Kerberos KDC. This works fine. When using the "useTicketCache" option I can then use the kinit program to create the TGT cache which stores my credentials for future use. This works fine also. And when I run my app, the sun Kerberos reference implementation correctly finds the credentials cache and uses that and doesn't prompt me for a userid and password--single sign on heaven!
However, once the credentials have expired, the sun ref impl is still allowing authentication to continue and my app to run when it SHOULD be telling me that my TGT has expired and I need to do another "kinit".
Can anyone help me here? This issue defeats one of the key strengths of Kerberos--that of timed sessions. I'm hoping it is all just a configuration error on my part...
Below are config file, credentials cache file name, krb5.ini, and a listing of principals from my Kerberos KDC:
My config file looks like this:
com.apisconsulting.ucped.UCPEDApplication {
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache="true";
in my client code, I have a corresponding call like this:
lc = new LoginContext("com.apisconsulting.ucped.UCPEDApplication", new DialogCallbackHandler());
My credentials cache is stored in the default location in:
${user.home}/krb5cc_${user.name}
which on my Win2k client is:
C:\Documents and Settings\Administrator\krb5cc_Administrator
and my krb5.ini file is also stored in the default location for windows (c:\winnt) and is the following:
------------------------ start of file krb5.ini ---------------
[libdefaults]
default_realm = NEUHAUS.WILTON-ASSOCIATES.COM
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
forwardable = true
proxiable = true
[realms]
NEUHAUS.WILTON-ASSOCIATES.COM= {
kdc = kerberos.wilton-associates.com:88
admin_server = kerberos.wilton-associates.com
default_domain = wilton-associates.com
[domain_realm]
.wilton-associates.com = NEUHAUS.WILTON-ASSOCIATES.COM
wilton-associates.com = NEUHAUS.WILTON-ASSOCIATES.COM
[login]
krb4_convert = true
krb4_get_tickets = true
================== end of file krb5.ini =============================
and when I do a "listprincs" on the Kerberos kdc, it lists the following test principals:
kadmin.local: listprincs
K/[email protected]
admin/[email protected]
[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
root/[email protected]
and when I do "kinit" on my client it authenticates me as:
[email protected]
and when I do a "klist" I see something like the following:
Credentials cache: C:\[snip]...\krb5cc_Administrator
Default principal: [email protected], 1 entry found.
[1] Service Principal: krbtgt/[email protected]
Valid starting: Aug 27, 2003 16:19
Expires: Aug 28, 2003 02:19
But after the "Expires" date, the SUN ref impl still uses these stored credentials. Any ideas...?
bauhaus9

Not certain but this could be an issue of renewable tickets. Windows 2000 issues a renewable krbtgt so you be getting an updated tickets. Does this still happen if you leave it for at least a day (24 hours)?

Similar Messages

  • Kerberos authentication prompting for credentials in Sharepoint 2013

    Hello all,
    I think I’m a bit confused on what I should expect out of Kerberos and sharepoint.
    Following the steps located in
    http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/ , I’ve setup Kerberos in my Sharepoint 2013 environment. My hope was that configuring kerberos authentication would solve the issue of users being prompted for
    credentials when they access sharepoint. I know that one way to address this problem is to tweak the IE settings by adding the site to the local intranet or trusted zones, but am I wrong in thinking that Kerberos should also authenticate the user on to the
    site? Here’s my situation:
    Previously, I had our sharepoint URL in the trusted zone and had IE set to pass my credentials through, and that worked. After configuring Kerberos, I can see the tickets on my system using klist and the security log on our web front-end shows that I authenticated
    using Kerberos.
    However, if I then remove the sharepoint URL from the trusted zone in IE, I still get prompted for credentials. If I cancel the credential prompt, I get a 401 error and the security log on the server shows a NTLM login attempt.
    As soon as I put the URL back in the trusted zone, I can access the site and the server log shows a Kerberos authentication.
    I’m I wrong in thinking that if Kerberos was working properly then I shouldn't need to have the URL in the trusted zone?
    Thanks
    Bill

    Thanks for the quick reply, Alex. At least it’s good to know it appears to be working as designed.
    Thanks again,
    Bill

  • BO XI Release 2 - NLTM versus Kerberos Authentication

    Hello,
    I have some problem with Authentication. At first time I set up only in CMS Kerberos Authentication, but now I would like to change it to NLTM, but if I clear the Use Kerberos authentication and I mark off Use NTLM authentication and I set up update, it doesn´t work.
    Authentication Options
    Use NTLM authentication 
    Use Kerberos authentication
             Cache security context (required for SSO to database) 
           Service principal name:  
    Thank you very much for your answer,
    unhappy:( Marika

    You can set up kerberos for both, it's required for java. .net will support both kerberos and NTLM although unless you are trying to delegate credentials all the way to your DB, then it usually isn't desired in .net because the configuration is far more complex
    You can simple look at your logon url to figure out if you are hitting IIS (urls end in aspx and no port #) or tomcat(urls end in .do and port 8080).
    Regards,
    Tim

  • Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

    I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
    Given below are the steps of installation and configuration.
    Installation till basic authentication:
    The installation has been done in a
    single server.
    Installed SQL Server 2012 (Developer version).
    Selected only the following features:
    Database Engine Services
    Analysis Services
    Reporting Services – SharePoint
    Reporting Services Add-in for SharePoint Products
    Management Tools – Basic
    - Management Tools - Complete
      2. Installed SQL Server 2012 SP1.
      3. Installed SQL Server 2012 SP2.
      4. Installed SharePoint Foundation 2013.
      5. Created web application (without Kerberos; we did not even create the SPNs).
          The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
    account.
      6. Created Site Collection.
      7. Verified that Reporting Services is not installed.
      8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
      9. Verified that Reporting Services is installed.
     10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
      11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
      12. Created a Site.
      13. Created a Data Connection library with “Report Data Source” content type.
      14. Created a Report Model library with “Report Builder Model” content type.
      15. Created a Report library with “Report Builder Report” content type.
      16. Uploaded an SMDL to the Report Model library.
      17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
      18. Able to create and save a report using Report Builder.
    Hence, basic authentication is working and SSRS is able to connect to Oracle database.
    Next we have to configure Kerberos settings between SharePoint and SQL Server.
    Implementation of Kerberos authentication
    In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
    and RSWindowsKerberos.
     2.  Set up the following SPNs.
                   a) SQL Server Database Engine service (sqlDbSrv2):
                    setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                    setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
                 In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
    b) Account: SharePoint Setup Admin account (spAdmin2)
         setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                    setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                    In the Delegation tab of the account, selected "Trust this user for delegation to any  service
    (Kerberos only)".
    c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                       setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                       setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                       In the Delegation tab of the account, selected "Trust this user for delegation to any service
    (Kerberos only)".
      3. Configure the Web Application to use “Negotiate (Kerberos)”.
      4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
         The Event Viewer logged the login process for the SharePoint Administration account as
    Negotiate and not Kerberos.
      5. Implemented Kerberos for Oracle database and client.
         Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
      6. Turn on Windows Firewall.
      7. While testing the site's data connection using Kerberos settings, got the error
    “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
          Note: The Data Connection for basic authentication still worked.
      8. Created a Claims to Windows Token Service account (spC2WTS2).
      9. Started the Claims to Windows Token Service.
     10. Registered the Claims to Windows Token Service account as a Managed Account.
     11. Changed the Claims To Windows Token Service to use the above managed account.
     12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
          Note: The Reporting Services service account is also a part of the WSS_WPG local group.
     13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
     14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
     15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
          When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
    added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
     16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
     17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
          Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
     18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
          For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
    any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
          Note: The Reporting Service account already had an HTTP SPN.
     19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
           For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
           The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
    authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
     20. Restarted the SharePoint server.
     21. Tested the data connection with the Kerberos settings again.
           Got the error
    “ORA-12638: Credential retrieval failed”.
    Can anyone tell me what is wrong with this setup?

    http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
    Problem4: ORA-12638: Credential retrieval failed
    Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
    Do check 
    http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

  • Updating hybrid configuration failed - Kerberos authentication: The network path was not found

    I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
    When I run the Manage Hybrid Configuration, I receive the following error:
    Updating hybrid configuration failed with error
    'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network
    path was not found.
    The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
    [1/5/2014 21:21:1] INFO:Opening runspace to
    http://[servername]/powershell?serializationLevel=Full
    [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
    [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
    error occured while using Kerberos authentication: The network path was not found. 
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
       at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
       at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
       at System.Management.Automation.Runspaces.RunspacePool.Open()
       at System.Management.Automation.RemoteRunspace.Open()
       at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
       at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
    I have sought help, posting on the forum at community.office365.com -
    http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
    Has anyone else come across this problem running the Hybrid Configuration Wizard?

    Hello Darrell,
    Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
    http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspxI would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything
    looks good.
    As the article states you can run the Exchange BPA and it will check if any of these exist as well.

  • Question about Java GSS-Kerberos authentication

    Hi,
    I am new to GSS API. I have a client requirement to use Java GSS Kerberos Authentication instead of using IIS for Integrated Windows Authentication. In IWA, the IE browser automatically picks up the logged-in windows user credentials and passes it to IIS, which authenticates you against Active Directory and returns SUCCESS.
    We are planning to write a Servlet/JSP code on Apache Tomcat on Solaris 10, which uses Java GSS API to do Kerberos Authentication and return SUCCESS to the user. When I look at the examples:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html#RunAc
    it says:
    "You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message: Authentication succeeded!"
    Does this mean that in Kerberos Authentication using Java GSS API, the user will have to enter his windows credentials for authentication? Is there a way for the credentials to be passed from Windows automatically to the API, without user intervention?
    Any links detailing the procedure would be of great help.
    Thanks,
    shetty2k

    We are having a similar requirement from our end. To make situation worst I do not even have an idea about an approach.
    What are the ways that we can use windows credentials to authenticate against IIS with tomcat?
    any help is greatly appreciated.
    R.

  • Error=49 from the LDAP server for GSSAPI Kerberos authentication

    I am trying to find solution for ldapsearch failure with GSSAPI Kerberos authentication . I am running Sun Directory Server 5.2 P4 on a Solaris-9 sparc machine..
    Steps :
    bash-2.05# kinit tester1
    Password for [email protected]:
    bash-2.05#
    When I do ldapsearch , I am getting following logs on the server :
    tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
    [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
    I am using default Identiy Mapping and the ldif file looks like this :
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMatching-regexp: uid=(.*)
    dsSearchBaseDN: ou=people,dc=test1,dc=com
    dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
    t
    modifyTimestamp: 20070221082740Z
    Following is the snoop for LDAP on the server :
    bash-2.05# !snoop
    snoop -v port 389 | grep LDAP
    Using device /dev/eri (promiscuous mode)
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP: *** NOT PRINTED - Too long value ***
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: 1
    LDAP: Invalid Credentials
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL(-1): generic failure:
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation [APPL 2: Unbind Request]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    Please help me on how to fix this issue.
    Thanks,
    Radhakrishnan

    I did reply on the other thread of yours...
    Ludovic

  • Kerberos authentication for Excel Services

    Hi,
    I am configuring Keberos for Excel Service Application and facing some issue. Things i have done so far:
    Configured web application to use Kerberos: Verified it from server authentication logs, klist and net mon that web application is using kerberos.
    Excel service Account: domain\ExcelSVA
    SQL server service account: domain\SQLSERV
    C2WTS account : domain\C2wts
     set spn on in using setspn - s sp/excelservices domain\ExcelSVA and delegated constarined authentication to domain\SQLSERV
    then setspn - s sp/c2wts domain\C2wts and delegated constrained authentication to domain\SQLSERV.
    C2WS account has impersonate identity ,logon as service and act as part of OS rights in app servers where excel and c2wt are running 
    Now when i try to refresh data i get error :The data connection uses Windows Authentication and user credentials could not be delegated.
    The following connections failed to refresh: SQLServername port, databasename
    http://technet.microsoft.com/en-us/library/ff487975.aspx
    First 3 errors don't apply to me since i cant see these errors in SP log files and my sharepoint and database servers are in same domain.
    For UPN, there is a email id assoisated with account that i am using and i have been using that email id to logon to other services in my company so UPN should be done too.
    The Excel Services service account must have Active Directory permissions to query the object. Now this got me confusing. Where do i actually
    give this? In sql server or AD? Which object does it need to query? The excel database in sql server. If it is so, then the permission needs to be granted on sql .
    Also this link http://social.msdn.microsoft.com/Forums/en-US/99a3cf4f-dabc-4ac9-9ea8-afa677199ffa/kerberos-and-excel-services?forum=sharepointgeneralprevious
    Microsoft solution described here is weired. I don't think sql server has c2wts or excel service application started on it. And from drop down list that is i don't know what is the solution talking of.
    Does any one have any idea if i am missing any delegation or any step?
    sachin

    Any idea??
    sachin

  • Kerberos Authentication on an NT machine.

    I have this config file:
    MyAuth {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
    I want to authenticate a user using an already existing Kerberos Cache. This works fine on a sun box, but fails on an NT. I think I need to set the TicketCache attribute for the NT machine, but can't find out how designate the memory cache. Anyone have any idea how to do this (which enables single signon)?

    A listing of the Exception would have been good, however, l can give you a few tips on where to look.
    (1) Check your runtime arguments that you supply to the JAAS login module. They should include:
    % java -Djava.security.manager
    -Djava.security.krb5.realm=<your_realm>
    -Djava.security.krb5.kdc=<your_kdc>
    -Djava.security.auth.login.config=jaas.conf JaasLogin
    Namely check that your realm and kdc parameters are pointing to the correct addresses.
    (2) Make sure that Kerberos Authentication Protocol is used on the NT Domain server.
    I have found that and application called KerbTray has been very useful in providing useful information. This program allows you to view the Credential Information stored in the Credentials Cache. This application can be found at the Microsoft site.
    For further reference.. check out the information on :
    http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/AcnOnly.html
    Goodluck.

  • Kerberos Authentication Not Working on OS X 10.6

    Using FF version 20.0, on OS X 10.6.8, I can not get it to use Kerberos authentication to allow SSO to a SharePoint web site.
    On OS X 10.8, with the same configuration in the about:config, everything works fine - the user is not prompted for credentials.
    I have put the necessary entires in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, network.negotiate-auth.gsslib is set to true.
    When I have setup to log the errors from the authentication module, I find in the log file "Fail to load gssapi library".
    Interestingly on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
    Thanks for any help,
    Richard

    Found the solution:
    Was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
    We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
    Main problem was the kinit thing though.

  • GSSAPI Kerberos authentication and WS-Security

    Hi,
    We have a requirement to perform Kerberos authentication to a web service.
    The client is to be written in C# using Microsoft's Web Services
    Enhancements (WSE 3.0). WSE (which uses SSPI) has support for
    Kerberos authentication. The application server does not support Kerberos.
    The intention is to use the Java GSSAPI on the web service side to process
    a limited part of the WS-Security header.
    I've successfully processed the <wsse:BinarySecurityToken> to performed
    the actual authentication, I'm now left with checking the signatures.
    The values of the <DigestValue> and <SignatureValue> appear to always be
    20 bytes long (when decoded from Base64) which suggests they're the
    output from SHA1.
    The outputs from GSSContext.getMIC and GSSContext.wrap always start
    with the ASN.1 value 0x60. The <SignatureValue> donen't, therefore
    attempting to use verifyMIC or unwrap fail with:
    "GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)"
    It appears that the digest algorithm is SHA1 and the signature algorithm is
    HMAC-SHA1. So the <DigestValue> is probably just the SHA1 of the
    Canonical XML of the SOAP:Body. The HMAC algorithm requires access to
    the Kerberos private session key, which doesn't appear to be made
    available through the GSSAPI interface, so implementing our own functions
    doesn't seem to be an option.
    I've included the portion of the SOAP header I'm looking at below, apologies
    if the format's messed up.
    So what I'm looking for is:
         1) A way of Canonicalising the SOAP:Body so I can feed it into SHA1           
              (java.security.MessageDigest).
         2) A way of getting at the Kerberos session key through the GSSAPI so I
              can produce the <SignatureValue> from the <DigestValue> for      
              verification (javax.crypto.Mac).
    Any ideas ?
    Cheers
    Phil
    <wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp-343caad4-454a-4dcd-b206-3e6bf4ad0116">
    <wsu:Created>2006-04-27T13:00:48Z</wsu:Created>
    <wsu:Expires>2006-04-27T13:05:48Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422">YIIB1AYJKoZIh<snip>==</wsse:BinarySecurityToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
    <Reference URI="#Id-73b189ca-2ddd-4fcb-a60e-025e71857802">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>BRyjTgrnalo2YXtWUi80pzgoVso=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>ddTO413OprTwFPWj3NDx94PidZc=</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422" ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </wsse:Security>

    Hi Osman,
    Hope this blog will answer your Query: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
    Documentation SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/69/a6fb3fea9df028e10000000a1550b0/content.htm
    Security settings for SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/56/992d4142badb2be10000000a1550b0/content.htm
    Regards
    Pothana

  • Kerberos authentication with Apache Kerberos Module

    Hi,
    Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
    However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
    I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
    GET: http://www.myhost.com/protected_page.html
    HOST: www.myhost.com
    AUTHENTICATE: negotiate XXXXX
    However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
    Can anyone tell me, how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPEGNO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
    Thanks for any help or advice,
    Neil.

    Here are your options:
    1) Configure Krb5LoginModule programmatically.
    If the environment variable KRB5CC_NAME points to the ticket cache location,
    (which is updated each time), you can configure the Krb5LoginModule
    programmatically and set the "ticketCache" option to the value obtained
    from KRB5CC_NAME.
    Refer to following docs for details:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
    2) Use native Kerberos from the platform
    Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
    NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
    you will not be able to use this option.
    For details refer to following docs:
    http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
    Seema

  • Kerberos Authentication with Duet

    Hi Experts,
    I'm trying to configure Kerberos authentication on WAS 6.40.
    I've used the SPNego wizard and it completed successfully, however, when testing the authentication on the duet server by going to http://duet.server:port/osp/TicketIssuer, the page just hangs. There's no error, but nothing happens either.
    I then used the Diagnostics Tool provided by SAP and found the following strange thing:
    ====================================================
    7.com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ClientTest
    2008/03/27 15:05:49 class com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ClientTest
    This test is supposed to act as a browser that tries to access application* on
    the J2EE engine that requires SPNego/Kerberos authentication. It expects as an
    input username and password of a Windows user. With these credentials using
    the Kerberos configuration of the J2EE engine the test acquires Kerberos token
    for this user that is wrapped afterwards into SPNego token. This SPNego token
    is then used for the HTTP requests to the J2EE engine. Before starting the
    requests the severities of the following trace locations on the J2EE engine
    are set to ALL: "com.sap.security.core.server.jaas", "System.out" and
    "System.err". After the requests are executed all trace messages generated in
    this time span and with the above mentioned trace locations are collected and
    added to the output of the test.
    - The test currently supports only User Admin application and Portal.
    This test is applicable only for SUN JDK.
    Unable to resolve host: dmin
    Please, enter J2EE host name ( not IP and not localhost ): 
    Please, enter Windows user for <<domain>>: 
    Please, enter password for <<user>>: 
    Debug is  true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    [Krb5LoginModule] user entered username: <<user>>
    ====================================================
    The green underlined line is the problem and is highlighted in yellow in the diagtool's output. 
    The J2EE hostname is not "dmin"
    Could someone tell me where this value is stored so I can fix it?
    <removed_by_moderator>
    Thanks.
    Edited by: Julius Bussche on Mar 28, 2008 9:01 AM

    Hi Marcel,
    You are correct. We managed to resolve the problem a few days ago.
    The problem was on the AD side where the duet user did not have the correct SPN.
    Thanks.
    Kind regards,
    Viven

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
    1. Can Kerberos and NTLM authentication be configured together.
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
    3. Any other approach to make Portal Drive SSO work.
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
    second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest vesion.
    Hope this helps
    Marcel

  • WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

    I have two forests with a transitive on-way trust between them: PROD -> TEST (test trusts PROD). I had previously had kerberos authentication working with winrm from PROD to machines in TEST. I have verified the trust is healthy, I also verified users
    in TEST can use WINRM with kerberos just fine. Users from PROD cannot connect via kerberos to machines in TEST with winrm.
    I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent kerberos from happening. I even tried disabling the firewall entirely on my TEST dcs
    but that didn't gain me anything.
    I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
    I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
    PowerShell Error:
    Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken
    winrs Error:
    Winrs error:
    WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config.

    Hi Adam,
    I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
    WSMAN/<NetBIOS name>
    WSMAN/<FQDN>
    If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
    Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
    If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I
    just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
    If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of
    this to learn a bit more about selective trusts and whether or not it's affecting you.
    Cheers,
    Lain

Maybe you are looking for

  • Safari hangs and goes blank on my ipad

    when i go to any bookmark or type in a www it hangs for a few seconds then shows a blank page? tried rebooting and removing from tool bar, help please

  • Delivery costs with shipment costs

    Dear Sir, I want to capture the delivery costs from shipment cost document. I did all bellow mentioned settings: For freight cost to be transfered as delivery cost, the Purchase order need to have a freight condition with zero value. Also the freight

  • Safari 8 not responding

    When I start Safari 8.0 on Yosemite, it uses 100% CPU.  If I try to load any web page, Safari stops responding (spinning wheel of death) before anything is rendered.  This includes pure HTML pages (no javascript, flash, etc.). Immediately after launc

  • Selection for infoobject with TEXT

    Hi All, I have an infoobject ZCustomer which is having a navigational  attribute 'ZROLE' which may have concatenated text value. eg., LOC_INT or INT or LOC_PIC. Now i have to keep selection/filter to the report where user should have a selection opti

  • Kodak Gallery (ofoto) and iPhoto 6

    I am using iPhoto 6 on a relatively new imac with 3gigs RAM. My wife wants only to be able to use her photos in the way she used to on the PC, and we can't get the photo upload to work at Kodak Gallery, which is where she has years of photos already