Active Directory multi forest Kerberos authentication Tomcat
Sorry, this is the wrong forum. I forwarded my question to the Business Objects forum.
Hi,
I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
There is also an error logged in Tomcat stdout.log file:
70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
If anyone has come across this situation, please share the solution.
Thanks & Regards,
Piotr
Edited by: Piotr Heise on Mar 27, 2009 2:08 PM
Hi
Is your enterprise configured to a Java Active Directory?
Then there can be multiple causes:
- The Java and the Central Management Server (CMS) are using encryption types that do not match.
- The Service Principal Name in the CMC is incorrect.
Then to resolve this perform the following steps:
- In the Central Configuration Manager, double-click the CMS, and note the service account used.
- In Windows Domain users and computers, go to account properties for the CMS service account.
- Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
- Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
- Restart the CMS server and log on.
In a clustered CMS environment ensure that all CMS's are running under the same domain account.
Hope this helps!!!
Regards
Sourashree
Similar Messages
-
Help with Active Directory Integration and kerberos
Hello,
I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
Our domain name is CORP.DOMAIN.COM.
When we query the GC in this domain:
bash-3.00# nslookup -query=any gc.tcp.corp.domain.com
Server: 1.2.1.6
Address: 1.2.1.6#53
** server can't find gc.tcp.corp.domain.com: NXDOMAIN
there is no answer.
But when we query without corp, we find the servers:
bash-3.00# nslookup -query=any gc.tcp.domain.com | grep sis
gc.tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
gc.tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
bash-3.00#
Is it possible to add the possibility to enter the domain name where the gc.tcp records reside?
Thank you.
Hello
The domain.com domain exists, but it's not our domain.
So, when I put domain.com, it searches with no result (nothing happens).
Our kdc.conf:
[kdcdefaults]
kdc_ports = 88,750
[realms]
CORP.DOMAIN.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
}
krb5.conf:
[libdefaults]
default_realm = CORP.DOMAIN.COM
default_checksum = rsa-md5
[realms]
CORP.DOMAIN.COM = {
kdc = dc01.corp.domain.com
kdc = dc02.corp.domain.com
}
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM
In every domain, I think the GC is in corp.domain.com, but in my company it's in domain.com...
Thank you, -
Active Directory cross forest trust which are deployed in separate subscription
Hi All,
I know that this is not Azure forum, but I have a question related to Active Directory, Appreciate your understanding and letting me know your concerns about AD cross forest between two subscriptions of Azure.
We have two separate subscriptions of Windows Azure under one Global Account. Previously these two subscriptions were treated as separate companies, each with its own forest and domain; the two companies do not have any site-to-site VPN with each other over the WAN, but each has a site-to-site connection with Azure for its own subscription.
Additional domain controller for both subscriptions are deployed in Azure in order to authenticate those servers which are already deployed in Azure
Due to some reasons these companies are merging together, and they want to have cross-forest trusts between the two companies. As we do not have any WAN connection between them, the question has been raised whether we can do a cross-forest trust between the two Active Directories, given that both companies' Active Directories are deployed in Azure.
Can we achieve this and how we can achieve this, I know that we can expose servers in Azure over the internet by creating endpoints and allow ACL in order to get connection from specific public IPs.
My question is: can we achieve this, and is it supported by Microsoft? If yes, is there anything we have to consider before deploying it?
Thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync
No, I am not using Windows Azure Active Directory at all; I have deployed additional domain controllers from each forest in each subscription.
For example in subscription 1 we have additional domain controller of forest 1 and in subscription 2 we have additional domain controller of forest 2.
Thanks
If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync -
Active Directory Cross Forest Domain Migration
Dear All,
We are in the process of rebuilding a new Active Directory infrastructure. There are multiple single-forest domains in the organization which need to be consolidated/migrated into a single Active Directory domain. For this consolidation, we have some queries to be addressed before starting.
What are the best practices, and what tool should we use for domain migration/consolidation?
Active Directory is on Windows 2003, and the forest and domain functional level is Windows 2003. Will this support the Windows 2012 R2 forest and domain functional level? Will it be migrated directly from Windows 2003 to Windows 2012?
When we move users to the new domain, how will they access the other resources on the network, e.g. printers, file servers, local web-based applications?
After moving some computers to the new domain, would it be possible to access the remaining computers on the old domain?
How will the file server data be moved? Best practices with NTFS folder permissions and user rights?
Is there any policy to register network printers in the new Active Directory domain?
How would users access a web-based application in the new domain, as its FQDN would be defined with the old domain name? Is there any option to change the old domain FQDN to the new domain that would be described by any URL link?
Kindly give your valuable input to meet the desired result.
Thanks in Advance.
Dear Lucky,
Yes, you can migrate contents from multiple forest domains. Using ADMT (Active Directory Migration Tool) is the best way to migrate AD content. But you can't migrate from Windows Server 2003 to Windows Server 2012 R2, because Windows Server 2012 R2 doesn't have supportability for Windows Server 2003. And not only users: you can also migrate all other info (i.e. computer object info, group info, Exchange mailbox info, security info). You can migrate users face by face, meaning the people in the old domain can access the old domain and new users are in the new domain. For more info please follow the given link:
http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
Mithun Dey Web: http://cloudmithun.wordpress.com If this may give your necessary resolution please mark it as Answer. -
Multi-Forest LDAP Authentication
Hi Guys
We are trying to implement authentication and import across multiple domains
We originally tried to build our own custom code but this failed due to some unforeseen errors.
I have reverted back to the inbuilt ciac option for import person and EUA.
The import for one domain is working; however, I wish to use multiple forests and to add a unique identifier to the login name to avoid login name clashes,
for example
ASE\#sAMAccountName#
or
#userPrincipalName#
When I try to add this I receive the error that no person is found in the result of the LDAP getperson search.
I have tried the format for EUA as
uid=#LoginId#,dc=ase,dc=internal
DomainName\#LoginId#
#LoginId#
Any help will be greatly appreciated.
Regards,
Matt
If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi forest and multi domain as it pertains to the krb5.ini.
To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
Also to note: urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
Regards,
Tim -
Search Active Directory Entries without password authentication
JNDI, Active Directory
I am a newbie to JNDI and Active Directory.
I am trying to create a web application which provides domain users with the information of the Active Directory groups they belong to.
I know how to access Active Directory and search entries with JNDI, like the code below.
import java.util.Hashtable;
import javax.naming.Context;

Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.PROVIDER_URL, "LDAP://URL:389");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "none");
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.version", "3");
env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
env.put(Context.SECURITY_CREDENTIALS, "secret");
.....
But I want to know how to search entries without the Active Directory password
because I don't tell users their Active Directory password.
I don't have any idea. Could you give me good idea?
Sorry for my English. Thank you.
Danno
It means allowing "Anonymous LOGON" and "Everyone" users to search entries in AD, I think.
Sorry, can't help. In OpenLDAP it means "allow * search" or possibly "allow * auth".
You mean that if I do it, will the code below be unnecessary in Java?
That's not only what I meant, it is what I said, concerning the principal and credentials lines.
You don't need the SECURITY_AUTHENTICATION line, I never use it with LDAP whether I'm providing credentials or not (and in the cases where you are supplying the principal and credentials, it certainly doesn't make any sense to specify 'none'.) -
Active Directory, SSO, Integrated Windows Authentication
Hi,
I have to setup a NW BPM environment using Windows/Active Directory SSO.
In the desired scenario, I would use UME to create BPM specific roles and/or groups and then I would associate:
- specific AD users to UME groups or roles, and/or
- associate AD groups to UME groups or roles.
Is it possible? I would really appreciate any directions/hints on how to do that.
Thanks in advance,
Ricardo Giacomin
It is possible. You have the XML configuration file in the administration of UME and you need to edit that one in order to link it to your AD. If you're using LDAPS to connect you will also have to load the certificates in NWA before the first connection.
-
Multi Forest AD Authentication
Hi ,
I think I messed up somewhere in the web.xml. The problem is like this:
1. I have users across geography.
2. In AD they are in different domains for example : Europe , Asia , NA etc.
3. Logon the general way is
<Domain>\<Username>
But when I supply the domain name it throws an error. When I log in with just the username it logs in fine, but that is only for one domain. The users of other domains are not able to log in.
So please advise where to change in the XML so that they can supply the domain name.
Regards
Sid
Urgently required. So please, a quick response will be very helpful.
If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi forest and multi domain as it pertains to the krb5.ini.
To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
Also to note: urgent issues should open cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
Regards,
Tim -
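Tim's rule above (in this thread and in the earlier Multi-Forest LDAP Authentication thread), together with the krb5.conf posted in the GC thread, comes down to a few checks on the Kerberos profile: every realm a user may log on from needs its own [realms] stanza, written in upper case, with at least one KDC, every [domain_realm] mapping must point at such a stanza, and a user outside the default realm logs on as user@REALM. The Python below is an added example, not code from the posts or from the Business Objects product. The sample configurations are constructed (the CORP.DOMAIN.COM realm from the earlier post plus invented EUROPE.EXAMPLE.NET and ASIA.EXAMPLE.NET realms), and the parser covers only the profile features that appear on this page: [section] headers, key = value lines and nested NAME = { ... } blocks.

```python
"""Added example: check a krb5.ini/krb5.conf against the multi-realm logon rules above.
Not from the posts or the BO product; sample configurations are constructed."""
from typing import Any, Dict, List, Tuple

Section = Dict[str, Any]

# Constructed: the poster's CORP.DOMAIN.COM realm plus a second forest's realm.
GOOD_CONF = """
[libdefaults]
default_realm = CORP.DOMAIN.COM
[realms]
CORP.DOMAIN.COM = {
  kdc = dc01.corp.domain.com
  kdc = dc02.corp.domain.com
}
EUROPE.EXAMPLE.NET = {
  kdc = dc01.europe.example.net
}
[domain_realm]
.corp.domain.com = CORP.DOMAIN.COM
corp.domain.com = CORP.DOMAIN.COM
.europe.example.net = EUROPE.EXAMPLE.NET
"""

# Constructed: breaks each rule (lower-case realm, realm without kdc, dangling mapping).
BAD_CONF = """
[libdefaults]
default_realm = CORP.DOMAIN.COM
[realms]
CORP.DOMAIN.COM = {
  kdc = dc01.corp.domain.com
}
europe.example.net = {
  default_domain = europe.example.net
}
[domain_realm]
.asia.example.net = ASIA.EXAMPLE.NET
"""


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse [section] headers, key = value lines and nested `NAME = { ... }` blocks.
    Repeated keys (several kdc lines) are collected into a list."""
    sections: Dict[str, Section] = {}
    stack: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1].strip(), {})]
            continue
        if not stack:
            raise ValueError(f"directive outside any section: {line}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {line}")
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            block: Section = {}
            stack[-1][key] = block
            stack.append(block)
            continue
        existing = stack[-1].get(key)
        if existing is None:
            stack[-1][key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            stack[-1][key] = [existing, value]
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return sections


def check_krb5_conf(text: str) -> List[str]:
    """Return the rule violations found; an empty list means the profile passes."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    problems: List[str] = []
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        problems.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] stanza")
    for name, stanza in realms.items():
        if name != name.upper():
            problems.append(f"realm {name} must be written in upper case")
        if not (isinstance(stanza, dict) and stanza.get("kdc")):
            problems.append(f"realm {name} has no kdc entry")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] maps {domain} to {realm}, which has no [realms] stanza")
    return problems


def resolve_logon(login: str, text: str) -> Tuple[bool, str]:
    """Apply the logon rule: a bare user name goes to the default realm; user@REALM
    must name a configured realm, spelled exactly as in [realms] (case-sensitive)."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    user, _, realm = login.rpartition("@")
    if not user:  # no '@' in the login
        user, realm = realm, conf.get("libdefaults", {}).get("default_realm", "")
    if realm not in realms:
        return False, f"realm {realm!r} is not configured (realm names are case-sensitive)"
    return True, f"{user}@{realm}"


if __name__ == "__main__":
    print(check_krb5_conf(GOOD_CONF), check_krb5_conf(BAD_CONF))
    print(resolve_logon("jdoe@EUROPE.EXAMPLE.NET", GOOD_CONF), resolve_logon("jdoe@europe.example.net", GOOD_CONF))
```

The last call shows the mistake Tim describes: the realm typed in lower case does not match the upper-case stanza, so the logon cannot be routed to a KDC.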
BOXI r2 - SSO in Active Directory multi domain
Hi all,
I have a customer with XI R2 on Windows and InfoView deployed on Tomcat. Security is (OK until yesterday) secWinAD with SSO via Vintela. Yesterday they added a new domain in krb5.ini and the new domain's users cannot log in. The Tomcat trace reports the following:
INFO: Server startup in 8516 ms
24625 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSManager - No Subject found on the current thread
24641 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS: Acceptor supports: KRB5
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Ticket service name is: HTTP/svrcrmboprod.sti.stg***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - GSS name is: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Using keytab entry for: HTTP/svrcrmboprod.STI.STG***STI.STG
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting ticket .. **
with key
Principal: HTTP/svrcrmboprod.STI.STG***STI.STG
Type: 1
TimeStamp: Thu Jan 01 01:00:00 CET 1970
KVNO: 6
Key: [3, a8 7f 51 1a f1 40 e3 19 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted ticket:
Ticket:
encryption type: 3 (DECRYPTED OK)
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
TransitedEncoding:
client: Quattri***BFP.STG
session key: [3, 9e 46 40 31 df a8 68 1 ]
ticket flags: forwardable renewable ok-as-delegate preauthent
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
valid for:
all addresses
auth data:
[1, 30 82 3 62 30 82 3 5e a0 4 2 2 0 80 a1 82 3 54 4 82 3 50 4 0 0 0 0 0 0 0 1 0 0 0 c0 2 0 0 48 0 0 0 0 0 0 0 a 0 0 0 18 0 0 0 8 3 0 0 0 0 0 0 6 0 0 0 14 0 0 0 20 3 0 0 0 0 0 0 7 0 0 0 14 0 0 0 38 3 0 0 0 0 0 0 1 10 8 0 cc cc cc cc b0 2 0 0 0 0 0 0 0 0 2 0 15 d6 9d 6f 2a 3d ca 1 ff ff ff ff ff ff ff 7f ff ff ff ff ff ff ff 7f c2 f0 21 d3 2f 2d ca 1 c2 70 86 cb c2 44 ca 1 c2 70 4f bc e8 73 ca 1 e 0 e 0 4 0 2 0 20 0 20 0 8 0 2 0 0 0 0 0 c 0 2 0 0 0 0 0 10 0 2 0 44 0 44 0 14 0 2 0 4 0 4 0 18 0 2 0 45 6 0 0 de 4 0 0 1 2 0 0 3 0 0 0 1c 0 2 0 20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14 0 16 0 20 0 2 0 6 0 8 0 24 0 2 0 28 0 2 0 0 0 0 0 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0 0 0 2c 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 7 0 0 0 0 0 0 0 7 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 0 0 10 0 0 0 0 0 0 0 10 0 0 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 20 0 4c 0 6f 0 72 0 65 0 64 0 61 0 6e 0 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 22 0 0 0 0 0 0 0 22 0 0 0 5c 0 5c 0 73 0 76 0 72 0 62 0 66 0 70 0 66 0 73 0 68 0 66 0 2e 0 62 0 66 0 70 0 2e 0 73 0 74 0 67 0 5c 0 48 0 4f 0 4d 0 45 0 24 0 5c 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 2 0 0 0 0 0 0 0 2 0 0 0 4d 0 3a 0 3 0 0 0 1 2 0 0 7 0 0 0 9a 4 0 0 7 0 0 0 48 e 0 0 7 0 0 0 b 0 0 0 0 0 0 0 a 0 0 0 53 0 56 0 52 0 42 0 46 0 50 0 44 0 43 0 30 0 32 0 4 0 0 0 0 0 0 0 3 0 0 0 42 0 46 0 50 0 0 0 4 0 0 0 1 4 0 0 0 0 0 5 15 0 0 0 3b c2 da 85 8 fa d1 16 fe 9b 47 2f 4 0 0 0 30 0 2 0 7 0 0 0 34 0 2 0 7 0 0 0 38 0 2 0 7 0 0 0 3c 0 2 0 7 0 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 36 40 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b 99 33 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 82 8b a6 28 4b 2c bc 1a 7 e5 3b 2b d0 12 0 0 5 0 0 0 1 5 0 0 0 0 0 5 15 0 0 0 9b 11 b 6a 91 78 ec 27 6b 53 ee 1b 7a c 0 0 0 0 0 0 0 8e 60 6f 2a 3d ca 1 e 0 51 0 75 0 61 0 74 0 74 0 72 0 69 0 76 ff ff ff 16 15 71 e5 8 76 59 2a 0 de 13 b9 f8 a3 c4 94 0 0 0 0 76 ff ff ff a6 9f 99 90 c7 63 41 c6 
4a b4 f 8d c2 70 44 9f 0 0 0 0 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Setting context expiry to [1253841580000]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext - Current wall time is [1253805580586]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** decrypting application request .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - decrypted application request:
++++ KRB-AP-REQ Message ++++
encryption type: 3 (DECRYPTED OK)
ap options: mutual-required
Ticket:
encryption type: 3
service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
client: Quattri***BFP.STG
subkey: [3, da 34 d3 4 8f f2 e9 b9 ]
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
sequence number: 1846075710
++++++++++++++++++++++++++++
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Got delegated credential
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker - Delegated credential:
++++ KRB-CRED Message ++++
encryption type: 0 (DECRYPTED OK)
sender address: null
receiver address: null
nonce: -1
timestamp: null
credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
++++++++++++++++++++++++++++
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** creating application response .. **
with key
[3, 9e 46 40 31 df a8 68 1 ]
24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - created application response:
++++ KRB-AP-REP Message ++++
encryption type: 3
sequence number: 162921799
sub session key: null
client time: Thu Sep 24 17:19:40 CEST 2009
cusec: 1546
++++++++++++++++++++++++++++
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator supports: KRB5
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
GSS: Initiator TGS key type:
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - 3
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker -
Found acceptor realm: null
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker - GSS: Initiator getting service ticket for: BO_Admin
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos - ** requesting service ticket .. **
with credentials:
Credential
client: Quattri***BFP.STG
session key: [3, 1 62 43 b3 a2 15 1f 70 ]
service principal: krbtgt/BFP.STG***BFP.STG
valid from: Thu Sep 24 17:19:40 CEST 2009
valid till: Fri Sep 25 03:19:40 CEST 2009
renewable till: Thu Oct 01 17:19:40 CEST 2009
Ticket:
encryption type: 23
service principal: krbtgt/BFP.STG***BFP.STG
ticket flags: forwardable forwarded renewable preauthent
valid for: all addresses
for service principal: BO_Admin
at realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Resolving KDC for realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver -
UDP attempt #0 to DNS server svrstidc01.sti.stg/172.20.1.103
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data sent:
0d 20 01 00 00 01 00 00 00 00 00 00 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver - Data received:
0d 20 81 80 00 01 00 01 00 00 00 01 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
c0 0c 00 21 00 01 00 00 01 c6 00 1a 00 00 00 64 00 58 0a 73
76 72 62 66 70 64 63 30 32 03 62 66 70 03 73 74 67 00 c0 3a
00 01 00 01 00 00 00 00 00 04 ac 15 01 66
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - params: 1000000110000000
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response - Query sent:
Qname: _kerberos._udp.BFP.STG
Qtype: 33
Qclass: 1
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: _kerberos._udp.BFP.STG
Class: 1
TTL: 454
Type: SRV
Priority: 0
Weight: 100
Port: 88
Target: svrbfpdc02.bfp.stg
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
Do you have any tips?
Thanks in advance
Fabrizio
Sorry,
I noticed that the trace is too long, so I put the most important part.
Thanks
F.
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response -
Record
Name: svrbfpdc02.bfp.stg
Class: 1
TTL: 0
Type: A
IP Address: 172.21.1.102
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - --- got 79-byte response, initial byte = 0x7e
26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher - Path Based Include -
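The trace above shows that KDC discovery itself succeeded: the resolver sent an SRV query for _kerberos._udp.BFP.STG, got back svrbfpdc02.bfp.stg on port 88 together with its A record 172.21.1.102, and only then, when it asked that KDC for a service ticket for BO_Admin at realm BFP.STG, did the KDC answer "Server not found in Kerberos database". The Python below is an added example, not part of Fabrizio's post or of the Vintela/BO code: it decodes the exact "Data sent" and "Data received" bytes from the trace (copied into the block as constructed sample input) with a small RFC 1035 parser that handles name compression, so the same dumps can be read directly rather than by eye.

```python
"""Added example: decode the DNS SRV exchange from the trace above.
Not from the post or the BO/Vintela code; the byte dumps are copied from the trace."""
import struct
from typing import Dict, List, Tuple

# "Data sent" from the trace: SRV query for _kerberos._udp.BFP.STG, transaction id 0x0d20
QUERY_HEX = """
0d 20 01 00 00 01 00 00 00 00 00 00 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
"""
# "Data received" from the trace: one SRV answer plus the target's A record
RESPONSE_HEX = """
0d 20 81 80 00 01 00 01 00 00 00 01 09 5f 6b 65 72 62 65 72
6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
c0 0c 00 21 00 01 00 00 01 c6 00 1a 00 00 00 64 00 58 0a 73
76 72 62 66 70 64 63 30 32 03 62 66 70 03 73 74 67 00 c0 3a
00 01 00 01 00 00 00 00 00 04 ac 15 01 66
"""

TYPE_A, TYPE_SRV = 1, 33


def hex_dump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def build_srv_query(name: str, txid: int) -> bytes:
    """Single-question SRV query with the RD bit set, as the trace's resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_SRV, 1)


def read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a label sequence, following RFC 1035 compression pointers. Returns the
    name and the offset just past it in the original position (a pointer ends the
    name, so that is two bytes after the pointer, not after the referenced labels)."""
    labels: List[str] = []
    end = None
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def read_record(data: bytes, offset: int) -> Tuple[Dict, int]:
    name, offset = read_name(data, offset)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    rec: Dict = {"name": name, "type": rtype, "class": rclass, "ttl": ttl}
    if rtype == TYPE_SRV:
        rec["priority"], rec["weight"], rec["port"] = struct.unpack("!HHH", data[offset:offset + 6])
        rec["target"], _ = read_name(data, offset + 6)  # target may itself be compressed
    elif rtype == TYPE_A:
        rec["address"] = ".".join(str(b) for b in data[offset:offset + 4])
    else:
        rec["rdata"] = data[offset:offset + rdlen]
    return rec, offset + rdlen


def parse_dns_response(data: bytes) -> Dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    questions = []
    for _ in range(qd):
        qname, offset = read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append({"name": qname, "type": qtype, "class": qclass})
    result: Dict = {"id": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions}
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            rec, offset = read_record(data, offset)
            records.append(rec)
        result[section] = records
    return result


def kdcs_for_realm(response: Dict) -> List[Tuple[str, int, str]]:
    """Join SRV answers with A records from the additional section, as DefaultKdcResolver did."""
    addrs = {r["name"].lower(): r["address"] for r in response["additional"] if r["type"] == TYPE_A}
    return [(r["target"], r["port"], addrs.get(r["target"].lower(), ""))
            for r in response["answers"] if r["type"] == TYPE_SRV]


if __name__ == "__main__":
    assert build_srv_query("_kerberos._udp.BFP.STG", 0x0D20) == hex_dump_to_bytes(QUERY_HEX)
    resp = parse_dns_response(hex_dump_to_bytes(RESPONSE_HEX))
    for target, port, addr in kdcs_for_realm(resp):
        print(f"KDC for {resp['questions'][0]['name']}: {target}/{addr}:{port}")
```

Because the query rebuilt from the name matches the trace byte for byte and the response decodes to the same SRV and A records the resolver logged, the DNS side can be ruled out; the error came from the KDC's reply to the TGS request that followed.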
Authentication against Active Directory Forest
Hello Everyone,
I am new to JNDI programming and would appreciate any help in the following problem.
I am planning to write a program using JNDI APIs to authenticate users against an Active Directory (AD) forest.
Target AD forest contains multiple domains with two-way transitive trust between them. There are several users created in each of these domains.
I would like to know what should be the general approach for authenticating users against such a topology.
I have a working program which uses JNDI APIs to authenticate users against single Domain.
A sample topology would contain domains like these.
- abc.corp.net
- xyy.corp.net
- pqr.xyz.corp.net
- hrdev.xyz.corp.net
- lmn.corp.net
Thanks in advance for any help
Sandeep
Hi,
How does this relate to Sun Directory Server ?
Regards,
Ludovic -
Solaris 10 authentication on Windows 2008 Active Directory
Hi,
Does anyone done it?
I've done it against a Windows 2003 R2 Active Directory and now in the production environment I'm having some issues with the password.
I'm using only the Active Directory LDAP without Kerberos.
I'm able to su to the user and getent passwd works, but everything that needs a password fails.
I guess it is some configuration issue in Active Directory, some sync stuff, because the LDAP bind is done correctly; it is after the bind that it fails.
Below is the sshd log with a wrong user password.
sshd[23965]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
And with the correct user password.
sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
As you can see the bind is done, but the Windows guys say everything is OK. This is a new implementation on both the Solaris side and the Windows side.
This is how ldapclient is configured.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= CN=User Funcional Login de maquinas Unix CQ,OU=Utilizadores-Servicos,OU=Servicos-Transversais,OU=DOM,DC=Example,DC=com
NS_LDAP_BINDPASSWD= {NS1}a1493f3c77c616
NS_LDAP_SERVERS= 192.168.1.140, 192.168.1.141
NS_LDAP_SEARCH_BASEDN= ou=dom,dc=example,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=dom,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=dom,dc=example,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=dom,dc=example,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
The nsswitch.conf has files ldap on both passwd and groups.
Best regards and thanks for the help you can give
The problem was in pam.conf, which had the module pam_ldap last in the order, and it shouldn't be.
This is how it should be.
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_ldap.so.1
other password required pam_authtok_store.so.1
Authentication against 2008 Active Directory working fine now. -
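The fix above is a question of ordering: with pam_ldap marked sufficient ahead of the required pam_authtok_store, a password update that the directory accepts ends the stack successfully before the local store is consulted, whereas with pam_ldap last, the required pam_authtok_store has already failed for a directory-only user and that failure is remembered no matter what pam_ldap returns afterwards. The Python below is an added example, not from the post or from Solaris: it models the required/requisite/sufficient/optional stacking rules and runs the two orderings with constructed module outcomes.

```python
"""Added example modelling pam.conf stacking for the two module orders discussed above.
Not from the post or from Solaris; module outcomes are constructed."""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module)

# The working order from the post: pam_ldap (sufficient) before pam_authtok_store (required).
POSTED_STACK: Stack = [
    ("required", "pam_dhkeys.so.1"),
    ("requisite", "pam_authtok_get.so.1"),
    ("requisite", "pam_authtok_check.so.1"),
    ("sufficient", "pam_ldap.so.1"),
    ("required", "pam_authtok_store.so.1"),
]

# The order the poster had before: pam_ldap last.
LDAP_LAST_STACK: Stack = [
    ("required", "pam_dhkeys.so.1"),
    ("requisite", "pam_authtok_get.so.1"),
    ("requisite", "pam_authtok_check.so.1"),
    ("required", "pam_authtok_store.so.1"),
    ("sufficient", "pam_ldap.so.1"),
]

# Constructed outcomes for a directory-only user: the directory accepts the new
# password, the local store has no entry to update.
DIRECTORY_USER = {
    "pam_dhkeys.so.1": True, "pam_authtok_get.so.1": True, "pam_authtok_check.so.1": True,
    "pam_ldap.so.1": True, "pam_authtok_store.so.1": False,
}
# Constructed outcomes for a local (files) user: the directory has no entry, the local store works.
LOCAL_USER = {
    "pam_dhkeys.so.1": True, "pam_authtok_get.so.1": True, "pam_authtok_check.so.1": True,
    "pam_ldap.so.1": False, "pam_authtok_store.so.1": True,
}
# Constructed outcomes when the new password fails pam_authtok_check (e.g. too short).
WEAK_PASSWORD = {
    "pam_dhkeys.so.1": True, "pam_authtok_get.so.1": True, "pam_authtok_check.so.1": False,
    "pam_ldap.so.1": True, "pam_authtok_store.so.1": True,
}


def run_pam_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a stack with the classic control flags:
      required   - a failure is remembered, but the remaining modules still run
      requisite  - a failure ends the stack immediately with failure
      sufficient - a success ends the stack with success unless a required module already failed
      optional   - ignored here (its result only matters in an all-optional stack, not modelled)
    Returns (overall result, modules that were actually invoked, in order)."""
    invoked: List[str] = []
    required_failed = False
    decided = False  # at least one required module has recorded a result
    for control, module in stack:
        ok = outcomes.get(module, False)
        invoked.append(module)
        if control == "requisite":
            if not ok:
                return False, invoked
            decided = True
        elif control == "required":
            decided = True
            if not ok:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True, invoked
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return decided and not required_failed, invoked


if __name__ == "__main__":
    for label, stack in (("posted order", POSTED_STACK), ("pam_ldap last", LDAP_LAST_STACK)):
        ok, ran = run_pam_stack(stack, DIRECTORY_USER)
        print(f"{label}: {'success' if ok else 'failure'}, ran {ran}")
```

With the directory-only outcomes, the posted order stops at pam_ldap with success and never invokes pam_authtok_store, while the pam_ldap-last order records the store's failure first and ends in failure even though pam_ldap itself succeeded.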
Hi,
I have set up ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
Error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.
The error message means that the Active Directory server rejected the authentication attempt because for some reason the user account got locked. I guess you should ask your AD team to check in the AD event logs why the user account got locked.
Under Event Viewer, you can find it out.
Regards
Minakshi (Do rate the helpful posts) -
WLS6.0 sp1 and MS Active Directory
Hi,
Is it possible to configure WLS' LDAP security realm to use MS' Active
Directory to authenticate users? A quick yes or no would be appreciated -
I'll worry about the finer details of how later!!
Regards
Laura Allen
Custom realm of course, with the weblogic....ldaprealmv2.LDAPRealm implementation class.
We did not use Kerberos authentication - just the plain password
authentication in "cleartext". Our servers are inside a secure data center -
no encryption required. That's why we did not need jdk1.4.
"Marc Carrion" <[email protected]> wrote in message
news:[email protected]...
>
Are you telling me that you configured the LDAP realm of WL to use Active Directory,
or did you use your custom realm?
To use authentication with Kerberos you need to use GSS-API and it's not
included in jdk1.3 nor in JAAS; that's why I needed to use jdk1.4.
Can you explain how you did that?
Thanks,
Marc
"Roy Cornell" <[email protected]> wrote:
Hi Laura:
No, BEA did not confirm the compatibility. We did our own investigation and found that the two systems work well together. One of the highlights of the research was the fact that the configuration of the WLS custom realm for Active Directory was more similar to Netscape Directory or Open LDAP than to the MS Site Server.
I am attaching the sample settings for the LDAP realm:
server.host=<some-ip-or-name>
server.principal=CN=wlsadmin001,OU=WLSMEMBERS1,DC=company,DC=com
user.filter=(&(cn=%u)(objectclass=user))
user.dn=OU=WLSMEMBERS1,DC=company,DC=com
group.filter=(&(cn=%g)(objectclass=group))
group.dn=OU=WLSGROUPS1,DC=company,DC=com
membership.filter=(&(member=%M)(objectclass=group))
We used the AD for authenticating the users and for authorizing the EJB methods. AD contained the users and their security roles and the deployment descriptors of the EJB's contained the permissions for the security roles.
We ran repeated tests and were more or less satisfied.
Regards
P.S.
we used WLS 6.1 Jdk 1.3
----- Original Message -----
Sent: Tuesday, September 18, 2001 5:40 AM
Subject: WLS6.0 and Active Directory
Forgive me for contacting you directly, but did you receive a reply from BEA as to whether WLS supports interaction with Active Directory? And were you attempting to use Active Directory just for user authentication? Any info on how WLS and Active Directory interact would be appreciated!
Regards
Laura Allen
"Laura Allen" <[email protected]> wrote in message
news:[email protected]...
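As an added example (not code from the thread or from WebLogic), the filters Roy posted contain %u, %g and %M placeholders that the realm fills in with the login name, group name and user DN. This shows how such a substitution should escape the value per RFC 4515 so a login name containing filter metacharacters cannot change the query; the escaping helper and the assumption that %M is the user's full DN are this example's own.

```python
"""Added example (not from the thread): expand the %u / %g / %M placeholders in
the WLS 6.1 LDAP realm filters quoted above, escaping the substituted value per
RFC 4515. The templates are from the post; the escaping and the assumption that
%M is the user's full DN are this example's own, not WebLogic's implementation.
"""

# Filter templates as posted for the LDAP realm against Active Directory.
USER_FILTER = "(&(cn=%u)(objectclass=user))"
GROUP_FILTER = "(&(cn=%g)(objectclass=group))"
MEMBERSHIP_FILTER = "(&(member=%M)(objectclass=group))"

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value before placing it inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, **values):
    """Replace %<key> placeholders with escaped values; unknown ones are left."""
    out = template
    for key, raw in values.items():
        out = out.replace("%" + key, escape_filter_value(raw))
    return out

def user_search_filter(username):
    return expand_filter(USER_FILTER, u=username)

def group_search_filter(groupname):
    return expand_filter(GROUP_FILTER, g=groupname)

def membership_search_filter(member_dn):
    # %M: the DN of the user whose group memberships are being looked up.
    return expand_filter(MEMBERSHIP_FILTER, M=member_dn)

if __name__ == "__main__":
    print(user_search_filter("jsmith"))
    # Hostile input: without escaping this would widen the search to any object.
    print(user_search_filter("*)(objectclass=*"))
    print(group_search_filter("WLS Admins"))
    print(membership_search_filter("CN=jsmith,OU=WLSMEMBERS1,DC=company,DC=com"))
```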
Active Directory 2003 and Sun One Directory Server 5.2
I just installed Sun One Directory Server 5.2 on a Linux machine. I want to configure LDAP on that machine so that it can be authenticated on Active Directory 2003. How do I go about doing this?
Active Directory server is a "directory server" (and Kerberos server). If your Linux client authenticates against Active Directory it doesn't have to involve the Sun Directory Server at all. You have several general approaches you could investigate:
1. Linux client gets accounts and authentication via LDAP from Active Directory.
If you use AD to handle Unix LDAP authentication (opt 1) you may need to extend the schema in AD to add the Unix password field. I haven't tried it yet, but hope to.
2. Linux client gets accounts from AD LDAP and authorization from AD Kerberos.
There should be docs on support.microsoft.com on enabling Kerberos support for non-Windows clients.
3. Linux client (with Samba client installed, with winbind or pam_smb to support Unix level services) gets accounts and authentication as a "Windows" client from Active Directory "Windows server".
Check the samba.org docs or forums - I think this is a pretty common solution.
4. Linux client gets account information from Sun Directory Server but uses Kerberos (against Active Directory) for authentication.
There should be docs on support.microsoft.com on enabling Kerberos support for non-Windows clients.
5. Linux client gets account and authorization from Sun Directory Server, with the Sun Directory Server configured to use Active Directory as a Kerberos server.
Probably incredibly complex.
Third Party Load Balancing Active Directory
We have several applications that target individual Active Directory domain controllers for authentication. If the domain controller goes down then that service stops working.
I'm interested in using a Citrix Netscaler to load balance authentication requests.
What I want to know is, "Does Microsoft support the use of an external load balancer", not from the perspective of third party device support obviously, rather functionally. Will AD work and be supported when using the Netscaler.
IT Manager
If you simply plan to use the Citrix NetScaler to load balance, say, reading LDAP on port 389 as an example, you will be OK.
Rather than pointing the app to a single DC, why not create multiple DNS records with the same host name, different IPs, and use Round Robin. Not as sophisticated, but it isn't going to cost you tens of thousands of dollars in load balancing.
Visit: anITKB.com, an IT Knowledge Base.
Have you actually tested and used this in a production environment? If I understand correctly, what you are suggesting is to take existing (hypothetical) domain controller DNS entries:
A record: dc1.contosso.com, 10.1.1.10
A record: dc2.contosso.com, 10.1.1.11
And add the following entries to create quasi fault tolerance?
A record: dc3.contosso.com, 10.1.1.10
A record: dc3.contosso.com, 10.1.1.11
I honestly don't think it will work, because of a few things, such as DC registration occurring every 60 min, including the netlogon service overwriting whatever static entries were created for the quasi load balancing, and possibly Kerberos auth failing due to a different IP authenticating from a different SPN. I know the hardware load balancers have options to preserve session cookies, which work fine for IIS implementations, such as Exchange HUB, and especially for CAS access; otherwise Outlook will not accept it if it sends an auth request on one IP and another backend responds, which the LB helps preserve. However, with AD LDAP, RPC, etc., I *don't* think it will work, due to Kerberos failing, thinking it's a spoof. If you get it working, I would be very curious to see the documented implementation, settings, results, etc.
Ace
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
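As an added example (not from the thread), this toy model spells out the Kerberos objection above: the client builds the SPN from the name it connected to (ldap/dc3.contosso.com), but each DC's computer account only has SPNs for its own name, so no matching principal exists. It goes one step beyond the post by also modelling what happens if that shared SPN is registered on one DC only. The names and IPs are the hypothetical ones from the thread, and the outcome strings are this example's own labels, not real Kerberos error codes.

```python
"""Added example, not from the thread: a toy model of the Kerberos step behind
the round-robin objection. Names and IPs are the hypothetical ones from the
thread; the outcome strings are this example's own labels, not real error codes.
"""
import random

# Hypothetical zone from the thread: dc3 is a round-robin name for both real DCs.
ZONE = {
    "dc1.contosso.com": ["10.1.1.10"],
    "dc2.contosso.com": ["10.1.1.11"],
    "dc3.contosso.com": ["10.1.1.10", "10.1.1.11"],
}

# SPNs registered on each DC's computer account (servicePrincipalName attribute).
REGISTERED_SPNS = {
    "10.1.1.10": {"ldap/dc1.contosso.com", "HOST/dc1.contosso.com"},
    "10.1.1.11": {"ldap/dc2.contosso.com", "HOST/dc2.contosso.com"},
}

def resolve(name):
    """Round-robin DNS: the client gets one of the A records at random."""
    return random.choice(ZONE[name])

def kerberos_ldap_bind(target_name, ip=None):
    """Model client -> KDC -> DC for an LDAP bind; returns (ip, spn, outcome).

    The client requests a ticket for ldap/<name it connected to>. The KDC needs
    an account owning that SPN; the DC that answers must be that same account,
    because the ticket is encrypted with the owner's key.
    """
    ip = ip or resolve(target_name)
    spn = f"ldap/{target_name}"
    owners = [host for host, spns in REGISTERED_SPNS.items() if spn in spns]
    if not owners:
        return ip, spn, "KDC: principal unknown"       # SPN registered nowhere
    if ip not in owners:
        return ip, spn, "DC: cannot decrypt ticket"    # ticket keyed for another DC
    return ip, spn, "ok"

def outcomes(target_name):
    """Outcome for every A record of a name, independent of which one DNS returned."""
    return {ip: kerberos_ldap_bind(target_name, ip)[2] for ip in ZONE[target_name]}

if __name__ == "__main__":
    for name in ZONE:
        print(name, outcomes(name))
    # Registering the shared SPN on dc1 only moves the failure to dc2.
    REGISTERED_SPNS["10.1.1.10"].add("ldap/dc3.contosso.com")
    print("dc3 after registering SPN on dc1:", outcomes("dc3.contosso.com"))
```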