Active Directory multi forest Kerberos authentication Tomcat

Sorry, it is the wrong forum. I forwarded my question to the Business Objects forum.
Hi,
I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
There is also an error logged in Tomcat stdout.log file:
70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
If anyone has come across this situation, please share the solution.
Thanks & Regards,
Piotr
Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

Hi
Is your Enterprise configured for Java Active Directory?
Then there can be multiple causes:
- The Java and the Central Management Server (CMS) are using encryption types that do not match.
- The Service Principal Name in the CMC is incorrect.
Then to resolve this perform the following steps:
- In the Central Configuration Manager, double-click the CMS, and note the service account used.
- In Windows Domain users and computers, go to account properties for the CMS service account.
- Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
- Log in to the CMC and verify that the Service Principal Name (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM.
- Restart the CMS server and log on.
In a clustered CMS environment ensure that all CMSs are running under the same domain account.
Hope this helps!!!
Regards
Sourashree

Similar Messages

  • Help with Active Directory Integration and kerberos

    Hello,
    I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
    Our domain name is CORP.DOMAIN.COM.
    When we query for the GC in this domain:
    bash-3.00# nslookup -query=any gc.tcp.corp.domain.com
    Server: 1.2.1.6
    Address: 1.2.1.6#53
    ** server can't find gc.tcp.corp.domain.com: NXDOMAIN
    there is no answer.
    But when we query without corp, we find the servers:
    bash-3.00# nslookup -query=any gc.tcp.domain.com | grep sis
    gc.tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
    gc.tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
    bash-3.00#
    Is it possible to add the possibility to enter the domain name where gc.tcp resides?
    Thank you.

    Hello
    the domain.com domain exists, but it's not our domain.
    So, when I put domain.com, it searches with no result (nothing happens).
    Our kdc.conf:
    [kdcdefaults]
    kdc_ports = 88,750
    [realms]
    CORP.DOMAIN.COM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }
    Our krb5.conf:
    [libdefaults]
    default_realm = CORP.DOMAIN.COM
    default_checksum = rsa-md5
    [realms]
    CORP.DOMAIN.COM = {
        kdc = dc01.corp.domain.com
        kdc = dc02.corp.domain.com
    }
    [domain_realm]
    .corp.domain.com = CORP.DOMAIN.COM
    corp.domain.com = CORP.DOMAIN.COM
    In every domain, I think the GC is in corp.domain.com, but in my company it's in domain.com...
    Thank you,

  • Active Directory cross forest trust which are deployed in separate subscription

    Hi All,
    I know that this is not an Azure forum, but I have a question related to Active Directory. I appreciate your understanding and letting me know your concerns about an AD cross-forest trust between two subscriptions of Azure.
    We have two separate subscriptions of Windows Azure under one global account. Previously these two subscriptions were treated as separate companies, each with a separate forest and separate domain; these two companies do not have any site-to-site VPN with each other over the WAN, but each has a site-to-site connection with Azure for its own subscription.
    Additional domain controllers for both subscriptions are deployed in Azure in order to authenticate those servers which are already deployed in Azure.
    Due to some reasons these companies are merging together and they want to have cross-forest trusts between the two companies. As we do not have any WAN connection between these two companies, the question has been raised whether we can do a cross-forest trust between the two Active Directories, because both companies' Active Directories are deployed in Azure.
    Can we achieve this, and how? I know that we can expose servers in Azure over the internet by creating endpoints and allowing an ACL in order to get connections from specific public IPs.
    My question is: can we achieve this, and is it supported by Microsoft? If yes, is there anything we have to consider before deploying it?
    Thanks
    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync

    No, I am not using Windows Azure Active Directory at all; I have deployed additional domain controllers from each forest in each subscription.
    For example, in subscription 1 we have an additional domain controller of forest 1 and in subscription 2 we have an additional domain controller of forest 2.
    Thanks

  • Active Directory Cross Forest Domain Migration

    Dear All,
    We are in the process of rebuilding a new Active Directory infrastructure. Multiple single-forest domains in the organization need to be consolidated/migrated into a single Active Directory domain. For this consolidation, I have some queries to be addressed before starting the consolidation.
    What are the best practices and what tool should we use for domain migration/consolidation?
    Active Directory is on Windows 2003, and the forest and domain level is Windows 2003. Will this support the Windows 2012 R2 forest and domain functional level, and will it be migrated directly from Windows 2003 to Windows 2012?
    When we move users to the new domain, how will they access the other resources on the network, e.g. printers, file servers, local web-based applications?
    After moving some computers to the new domain, would it be possible to access the remaining computers on the old domain?
    How will the file server data be moved? Best practices with NTFS folder permissions and user rights?
    Is there any policy to register network printers on the new Active Directory domain?
    How would users access web-based applications on the new domain, as their FQDN would be defined with the old domain name? Is there any option to change the old domain FQDN to the new domain that would be described with any URL link?
    Kindly give your valuable input to meet the desired result.
    Thanks in Advance.

    Dear Lucky,
    Yes, you can migrate contents from multiple forest domains. Using ADMT (Active Directory Migration Tool) is the best way to migrate AD content. But you can't migrate from Windows Server 2003 to Windows Server 2012 R2, because Windows Server 2012 R2 doesn't have supportability for Windows Server 2003. And not only users: you can also migrate all other info (i.e. computer object info, group info, Exchange mailbox info, security info). You can migrate users phase by phase, meaning the people who are in the old domain can access the old domain and new users are in the new domain. For more info please follow the given link:
    http://technet.microsoft.com/en-us/library/cc974332(v=WS.10).aspx
    Mithun Dey Web: http://cloudmithun.wordpress.com If this gives you your necessary resolution please mark it as Answer.

  • Multi-Forest LDAP Authentication

    Hi Guys
    We are trying to implement authentication and import across multiple domains
    We originally tried to build our own custom code but this failed due to some unforeseen errors.
    I have reverted back to the inbuilt ciac option for import person and EUA.
    The import for one domain is working; however, I wish to use multiple forests and to add a unique identifier to the login name to avoid login name clashes,
    for example
    ASE\#sAMAccountName#
    or
    #userPrincipalName#
    When I try to add this I receive the error that no person was found in the result of the LDAP getperson search.
    I have tried the format for EUA as
    uid=#LoginId#,dc=ase,dc=internal
    DomainName\#LoginId#
    #LoginId#
    Any help will be greatly appreciated.
    Regards,
    Matt

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi forest and multi domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
    Also note that urgent issues should be opened as cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim

  • Search Active Directory Entries without password authentication

    JNDI, Active Directory
    I am a newbie to JNDI and Active Directory.
    I am trying to create a web application
    which provides domain users with the information
    of the Active Directory groups the user belongs to.
    I know how to access Active Directory and search entries
    with JNDI like the code below.
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    // Connection settings for the LDAP context ("URL" is a placeholder host)
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.PROVIDER_URL, "LDAP://URL:389");
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION, "none");
    env.put(Context.REFERRAL, "follow");
    env.put("java.naming.ldap.version", "3");
    // Bind identity and password for the directory
    env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
    env.put(Context.SECURITY_CREDENTIALS, "secret");
    DirContext ctx = new InitialDirContext(env);
    ... But I want to know how to search entries without an Active Directory password
    because I don't tell users their Active Directory password.
    I don't have any idea. Could you give me a good idea?
    Sorry for my English. Thank you.
    Danno

    It means to allow "Anonymous LOGON" and "Everyone" users to search entries in AD, I think. Sorry, can't help. In OpenLDAP it means "allow * search" or possibly "allow * auth".
    "You mean that if I do it, will the code below be unnecessary in Java?" That's not only what I meant, it is what I said, concerning the principal and credentials lines.
    You don't need the SECURITY_AUTHENTICATION line; I never use it with LDAP whether I'm providing credentials or not (and in the cases where you are supplying the principal and credentials, it certainly doesn't make any sense to specify 'none').

  • Active Directory, SSO, Integrated Windows Authentication

    Hi,
    I have to setup a NW BPM environment using Windows/Active Directory SSO.
    In the desired scenario, I would use UME to create BPM specific roles and/or groups and then I would associate:
    - specific AD users to UME groups or roles, and/or
    - associate AD groups to UME groups or roles.
    Is it possible? I would really appreciate any directions/hints on how to do that.
    Thanks in advance,
    Ricardo Giacomin

    It is possible. You have the XML configuration file in the administration of UME and you need to edit that one in order to link it to your AD. If you're using LDAPS to connect you will also have to load the certificates in NWA before the first connection.

  • Multi Forest AD Authentication

    Hi ,
    I think I messed up somewhere in the web.xml. The problem is like this:
    1. I have users across geography.
    2. In AD they are in different domains for example : Europe , Asia , NA etc.
    3. Logon the general way is
    <Domain>\<Username>
    But when I supply the domain name it throws an error. When I log in with just the username it logs in fine, but that is only for one domain. The users of other domains are not able to log in.
    So please advise where to change in the XML so that they can supply the domain name.
    Regards
    Sid
    Urgently required, so a quick response from everyone will be very helpful.

    If you are logging into Java (i.e. tomcat55) and have set up a krb5.ini, all users that are not in the default domain need to log on with username@FQDN.COM, where FQDN.COM is their fully qualified domain name in all caps. That FQDN.COM should be entered in the krb5.ini (in all caps) with at least 1 KDC defined.
    Do a search on SMP (look at the forum sticky for the link) for rules for krb5.ini; I have a more in-depth explanation for multi forest and multi domain as it pertains to the krb5.ini.
    To verify AD connectivity is OK, use a client tool like Deski/Designer/Business Views. Since these tools don't use Java you can log on with domain\user (no case sensitivity).
    Also note that urgent issues should be opened as cases with support; the forums are not the place and it is against the rules of engagement (also in the sticky post).
    Regards,
    Tim
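    Tim's rule (stated in this reply and in the identical one earlier on the page) can be checked mechanically against the krb5.ini. The following is an added example, not code from the original thread or from Business Objects: it parses the [libdefaults] and [realms] sections of a krb5.ini and reports whether a logon name maps to a realm that has a KDC; the sample krb5.ini and its realm and host names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample krb5.ini with a default realm and two extra realms
# (all names hypothetical). ORPHAN.EXAMPLE.ORG is deliberately missing a kdc.
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = CORP.EXAMPLE.COM
dns_lookup_kdc = false

[realms]
CORP.EXAMPLE.COM = {
    kdc = dc01.corp.example.com
    kdc = dc02.corp.example.com
}
PARTNER.EXAMPLE.NET = {
    kdc = dc01.partner.example.net
}
ORPHAN.EXAMPLE.ORG = {
}

[domain_realm]
.corp.example.com = CORP.EXAMPLE.COM
.partner.example.net = PARTNER.EXAMPLE.NET
"""


def parse_krb5_ini(text: str) -> Tuple[Optional[str], Dict[str, List[str]]]:
    """Return (default_realm, {REALM: [kdc, ...]}) from krb5.ini text.

    Only what the logon check needs is parsed: default_realm from
    [libdefaults] and each realm block's kdc lines from [realms].
    """
    section: Optional[str] = None
    realm: Optional[str] = None
    default_realm: Optional[str] = None
    realms: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1).lower(), None
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "default_realm":
                default_realm = value.strip()
        elif section == "realms":
            block = re.match(r"^(\S+)\s*=\s*\{$", line)
            if block:
                realm = block.group(1)
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm is not None:
                key, _, value = line.partition("=")
                if key.strip() == "kdc":
                    realms[realm].append(value.strip())
    return default_realm, realms


def check_logon(login: str, ini_text: str) -> Tuple[str, Optional[str], List[str]]:
    """Classify a logon name and return (user, realm, problems).

    An empty problems list means the name maps to a realm that krb5.ini
    can reach: either the default realm (bare user name) or an explicit
    user@REALM whose realm is upper case and has at least one kdc.
    """
    default_realm, realms = parse_krb5_ini(ini_text)
    problems: List[str] = []
    if "\\" in login:
        domain, user = login.split("\\", 1)
        # DOMAIN\user is a Windows logon form; the Java Kerberos login
        # needs a principal name, so report it rather than guessing.
        problems.append(
            f"DOMAIN\\user form is not a Kerberos principal; use {user}@{domain.upper()}"
        )
        return user, None, problems
    if "@" not in login:
        if default_realm is None:
            problems.append("no default_realm in [libdefaults]")
        elif not realms.get(default_realm):
            problems.append(f"default realm {default_realm} has no kdc entry")
        return login, default_realm, problems
    user, realm = login.rsplit("@", 1)
    if realm != realm.upper():
        problems.append(f"realm {realm} must be upper case ({realm.upper()})")
        realm = realm.upper()
    if realm not in realms:
        problems.append(f"realm {realm} is not defined in [realms]")
    elif not realms[realm]:
        problems.append(f"realm {realm} has no kdc entry")
    return user, realm, problems
```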

  • BOXI r2 - SSO in Active Directory multi domain

    Hi all,
    I have a customer with XI R2 on Windows and InfoView deployed on Tomcat. Security is (OK until yesterday) secWinAD with SSO via Vintela. Yesterday they added a new domain in krb5.ini and the new domain's users cannot log in. The Tomcat trace reports the following:
    INFO: Server startup in 8516 ms
    24625 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSManager  - No Subject found on the current thread
    24641 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker  - GSS: Acceptor supports: KRB5
    24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker  - Ticket service name is: HTTP/svrcrmboprod.sti.stg***STI.STG
    24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker  - GSS name is: HTTP/svrcrmboprod.STI.STG***STI.STG
    24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker  - Using keytab entry for: HTTP/svrcrmboprod.STI.STG***STI.STG
    24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  - ** decrypting ticket .. **
      with key
      Principal: HTTP/svrcrmboprod.STI.STG***STI.STG
      Type: 1
      TimeStamp: Thu Jan 01 01:00:00 CET 1970
      KVNO: 6
      Key: [3,  a8 7f 51 1a f1 40 e3 19 ]
    24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  -   decrypted ticket:
    Ticket:
      encryption type: 3 (DECRYPTED OK)
      service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
      TransitedEncoding:
      client: Quattri***BFP.STG
      session key: [3,  9e 46 40 31 df a8 68 1 ]
      ticket flags: forwardable renewable ok-as-delegate preauthent
      valid from: Thu Sep 24 17:19:40 CEST 2009
      valid till: Fri Sep 25 03:19:40 CEST 2009
      valid for:
        all addresses
      auth data:
    24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext  - Setting context expiry to [1253841580000]
    24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.GSSContext  - Current wall time is [1253805580586]
    24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  - ** decrypting application request .. **
    with key
    [3,  9e 46 40 31 df a8 68 1 ]
    24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  -   decrypted application request:
    ++++ KRB-AP-REQ Message ++++
    encryption type: 3 (DECRYPTED OK)
    ap options: mutual-required
    Ticket:
      encryption type: 3
      service principal: HTTP/svrcrmboprod.sti.stg***STI.STG
    client: Quattri***BFP.STG
    subkey: [3,  da 34 d3 4 8f f2 e9 b9 ]
    client time: Thu Sep 24 17:19:40 CEST 2009
    cusec: 1546
    sequence number: 1846075710
    ++++++++++++++++++++++++++++
    24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker  - Got delegated credential
    24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker  - Delegated credential:
    ++++ KRB-CRED Message ++++
    encryption type: 0 (DECRYPTED OK)
    sender address: null
    receiver address: null
    nonce: -1
    timestamp: null
    credentials:
    Credential
    client: Quattri***BFP.STG
    session key: [3,  1 62 43 b3 a2 15 1f 70 ]
    service principal: krbtgt/BFP.STG***BFP.STG
    valid from: Thu Sep 24 17:19:40 CEST 2009
    valid till: Fri Sep 25 03:19:40 CEST 2009
    renewable till: Thu Oct 01 17:19:40 CEST 2009
    Ticket:
      encryption type: 23
      service principal: krbtgt/BFP.STG***BFP.STG
    ticket flags: forwardable forwarded renewable preauthent
    valid for: all addresses
    ++++++++++++++++++++++++++++
    24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  - ** creating application response .. **
      with key
    [3,  9e 46 40 31 df a8 68 1 ]
    24703 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  - created application response:
    ++++ KRB-AP-REP Message ++++
    encryption type: 3
    sequence number: 162921799
    sub session key: null
    client time: Thu Sep 24 17:19:40 CEST 2009
    cusec: 1546
    ++++++++++++++++++++++++++++
    26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker  -
    GSS: Initiator supports: KRB5
    26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker  -
    GSS: Initiator TGS key type:
    26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker  - 3
    26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker  -
    Found acceptor realm: null
    26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker  - GSS: Initiator getting service ticket for: BO_Admin
    26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  - ** requesting service ticket .. **
      with credentials:
    Credential
    client: Quattri***BFP.STG
    session key: [3,  1 62 43 b3 a2 15 1f 70 ]
    service principal: krbtgt/BFP.STG***BFP.STG
    valid from: Thu Sep 24 17:19:40 CEST 2009
    valid till: Fri Sep 25 03:19:40 CEST 2009
    renewable till: Thu Oct 01 17:19:40 CEST 2009
    Ticket:
      encryption type: 23
      service principal: krbtgt/BFP.STG***BFP.STG
    ticket flags: forwardable forwarded renewable preauthent
    valid for: all addresses
      for service principal: BO_Admin
      at realm: BFP.STG
    26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver  - Resolving KDC for realm: BFP.STG
    26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver  -
    UDP attempt #0 to DNS server svrstidc01.sti.stg/172.20.1.103
    26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver  -  Data sent:
                0d 20 01 00 00 01 00 00 00 00 00 00 09 5f 6b 65 72 62 65 72
                6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Resolver  - Data received:
                0d 20 81 80 00 01 00 01 00 00 00 01 09 5f 6b 65 72 62 65 72
                6f 73 04 5f 75 64 70 03 42 46 50 03 53 54 47 00 00 21 00 01
                c0 0c 00 21 00 01 00 00 01 c6 00 1a 00 00 00 64 00 58 0a 73
                76 72 62 66 70 64 63 30 32 03 62 66 70 03 73 74 67 00 c0 3a
                00 01 00 01 00 00 00 00 00 04 ac 15 01 66
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response  - params: 1000000110000000
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response  - Query sent:
      Qname: _kerberos._udp.BFP.STG
      Qtype: 33
      Qclass: 1
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response  -
        Record
          Name: _kerberos._udp.BFP.STG
          Class: 1
          TTL: 454
          Type: SRV
          Priority: 0
          Weight: 100
          Port: 88
          Target: svrbfpdc02.bfp.stg
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.dns.Response  -
        Record
          Name: svrbfpdc02.bfp.stg
          Class: 1
          TTL: 0
          Type: A
          IP Address: 172.21.1.102
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver  - Available KDC found: svrbfpdc02.bfp.stg/172.21.1.102:88
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler  - Sending message to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
    26282 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler  - Sending UDP request: svrbfpdc02.bfp.stg/172.21.1.102:88
    26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler  - --- got 79-byte response, initial byte = 0x7e
    26297 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.DefaultKerberosMessageHandler  - Message sent sucessfully to KDC: svrbfpdc02.bfp.stg/172.21.1.102:88
    26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
    26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher  - servletPath=/InfoView/logon/logon.jsp, pathInfo=null, queryString=null, name=null
    26313 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher  -  Path Based Include
    26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher  - servletPath=/InfoView/common/bannerheader.jsp, pathInfo=null, queryString=null, name=null
    26438 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher  -  Path Based Include
    26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher  - servletPath=/InfoView/logon/_logon.jsp, pathInfo=null, queryString=null, name=null
    26453 [http-8080-Processor25] DEBUG org.apache.catalina.core.ApplicationDispatcher  -  Path Based Include
    Do you have any tips?
    Thanks in advance
    Fabrizio
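    As an added example (not code from the original post, from Business Objects or from Vintela), this pulls out of a dstc GSS-API trace like the one above the facts a defender looks for first: which realm the client came from, which realm the acceptor's keytab principal lives in, and which realm the service-ticket request actually went to. The sample lines are copied from the trace; that principals are written as name***REALM is taken from the trace's own output.

```python
import re
from typing import Dict, List

# Constructed excerpt: the lines of the posted Tomcat trace that carry the
# principal and realm facts, copied verbatim from the trace above.
SAMPLE_TRACE = """
24657 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ServerHandShaker  - Ticket service name is: HTTP/svrcrmboprod.sti.stg***STI.STG
24688 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.Kerberos  -   decrypted ticket:
  client: Quattri***BFP.STG
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker  -
Found acceptor realm: null
26235 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.gssapi.ClientHandShaker  - GSS: Initiator getting service ticket for: BO_Admin
  at realm: BFP.STG
26250 [http-8080-Processor25] DEBUG com.dstc.security.kerberos.impl.DefaultKdcResolver  - Resolving KDC for realm: BFP.STG
26297 [http-8080-Processor25] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database)
"""

# One regex per fact; the first match in the trace wins.
PATTERNS = {
    "acceptor_principal": r"Ticket service name is: (\S+)",
    "client_principal": r"^\s*client: (\S+)$",
    "acceptor_realm": r"Found acceptor realm: (\S+)",
    "requested_service": r"getting service ticket for: (\S+)",
    "requested_realm": r"^\s*at realm: (\S+)$",
    "kdc_error": r"KerberosError: ([^)]+)\)",
}


def realm_of(principal: str) -> str:
    """The trace writes principals as name***REALM; return the REALM part."""
    return principal.rsplit("***", 1)[1] if "***" in principal else ""


def extract_facts(trace: str) -> Dict[str, str]:
    """Collect the first value seen for each PATTERNS key."""
    facts: Dict[str, str] = {}
    for line in trace.splitlines():
        for key, pattern in PATTERNS.items():
            if key not in facts:
                m = re.search(pattern, line)
                if m:
                    facts[key] = m.group(1)
    return facts


def diagnose(trace: str) -> List[str]:
    """Turn the extracted facts into findings that can be checked against the config."""
    facts = extract_facts(trace)
    findings: List[str] = []
    acceptor = realm_of(facts.get("acceptor_principal", ""))
    client = realm_of(facts.get("client_principal", ""))
    service = facts.get("requested_service")
    requested = facts.get("requested_realm")
    if acceptor and client and acceptor != client:
        findings.append(f"cross-realm logon: client realm {client}, service realm {acceptor}")
    if facts.get("acceptor_realm") == "null" and requested == client:
        findings.append("acceptor realm is null, so the request defaulted to the client's realm")
    if service and requested and "/" not in service:
        findings.append(f"service ticket requested for bare name {service} at realm {requested}")
    if requested and acceptor and requested != acceptor:
        findings.append(f"request went to realm {requested}, but the acceptor's keytab principal is in {acceptor}")
    if "kdc_error" in facts:
        findings.append(f"KDC of {requested} answered: {facts['kdc_error']}")
    return findings
```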

    Sorry,
    I noticed that the trace is too long, so I put the most important
    Thanks
    F.

  • Authentication against Active Directory Forest

    Hello Everyone,
    I am new to JNDI programming and would appreciate any help in the following problem.
    I am planning to write a program using JNDI APIs to authenticate users against an Active Directory (AD) forest.
    Target AD forest contains multiple domains with two-way transitive trust between them. There are several users created in each of these domains.
    I would like to know what should be the general approach for authenticating users against such a topology.
    I have a working program which uses JNDI APIs to authenticate users against single Domain.
    A sample topology would contain domains like these.
    - abc.corp.net
    - xyy.corp.net
    - pqr.xyz.corp.net
    - hrdev.xyz.corp.net
    - lmn.corp.net
    Thanks in advance for any help
    Sandeep

    Hi,
    How does this relate to Sun Directory Server ?
    Regards,
    Ludovic

  • Solaris 10 authentication on Windows 2008 Active Directory

    Hi,
    Has anyone done it?
    I've done it against a Windows 2003 R2 Active Directory and now in the production environment I'm having some issues with the password.
    I'm using only the Active Directory LDAP without Kerberos.
    I'm able to su to the user and getent passwd works, but everything that needs a password fails.
    I guess it is some configuration issue in Active Directory, some sync stuff, because the LDAP bind is done correctly; it is after the bind that it fails.
    Below is the sshd log with a wrong user password.
    sshd[23965]: [ID 293258 auth.error] libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
    sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
    And with the correct user password.
    sshd[23965]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
    As you can see the bind is done, but the Windows guys say everything is ok. This is a new implementation on both the Solaris side and the Windows side.
    This is how ldapclient is configured.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= CN=User Funcional Login de maquinas Unix CQ,OU=Utilizadores-Servicos,OU=Servicos-Transversais,OU=DOM,DC=Example,DC=com
    NS_LDAP_BINDPASSWD= {NS1}a1493f3c77c616
    NS_LDAP_SERVERS= 192.168.1.140, 192.168.1.141
    NS_LDAP_SEARCH_BASEDN= ou=dom,dc=example,dc=com
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=dom,dc=example,dc=com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=dom,dc=example,dc=com?sub
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=dom,dc=example,dc=com?sub
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
    The nsswitch.conf has files ldap on both passwd and groups.
    Best regards and thanks for the help you can give

    The problem was in pam.conf, which had the module pam_ldap last in the order, and it shouldn't be.
    This is how it should be.
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password sufficient pam_ldap.so.1
    other password required pam_authtok_store.so.1
    Authentication against 2008 Active Directory working fine now.

  • Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

    Hi,
    I have set up ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except some users report disconnection. I see in ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using the Windows 7 OS.
    The error is enclosed, and here is the port configuration.
    Port Configuration.
    interface GigabitEthernet0/2
    switchport access vlan 120
    switchport mode access
    switchport voice vlan 121
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 120
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 60
    spanning-tree portfast
    ip dhcp snooping limit rate 30
    Please help.

    The error message means that the Active Directory server rejected the authentication attempt
    because for some reason the user account got locked. I guess you should ask your AD team to check in the AD
    event logs why the user account got locked.
    Under Event Viewer, you can find it out.
    Regards
    Minakshi (Do rate the helpful posts)
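The event to look for is Security event 4740 ("A user account was locked out"), and its "Caller Computer Name" field names the host that submitted the bad passwords. The following is an added example, not from the thread and not ISE code: it groups 4740 messages by locked account and caller so the source of repeated lockouts stands out. The event text is constructed in the layout Event Viewer shows for 4740; in practice you would export the events from the PDC emulator's Security log, which records every lockout in the domain.

```python
"""Group Security event 4740 (A user account was locked out) by the locked
account and the 'Caller Computer Name', the host that sent the bad passwords.

Added example, not from the original thread and not ISE code. The event text
is constructed sample data in the layout Event Viewer shows for 4740.
"""
import re
from collections import Counter

# The 4740 message carries two "Account Name:" fields; the one we want follows
# the "Account That Was Locked Out:" heading.
_LOCKED_ACCOUNT = re.compile(
    r"Account That Was Locked Out:.*?Account Name:[ \t]*(\S+)", re.S)
_CALLER = re.compile(r"Caller Computer Name:[ \t]*([^\r\n]*)")

# Constructed 4740 message text (sample data, not a real log).
_TEMPLATE = (
    "A user account was locked out.\n\n"
    "Subject:\n"
    "\tSecurity ID:\t\tSYSTEM\n"
    "\tAccount Name:\t\tDC01$\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x3E7\n\n"
    "Account That Was Locked Out:\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
    "\tAccount Name:\t\t%s\n\n"
    "Additional Information:\n"
    "\tCaller Computer Name:\t%s\n"
)


def _event(locked_account, caller):
    return _TEMPLATE % (locked_account, caller)


SAMPLE_EVENTS = [
    _event("jdoe", "WS-0042"),
    _event("asmith", "VPN-GW1"),
    _event("jdoe", "WS-0042"),
]


def parse_lockout(message):
    """Return (locked_account, caller_computer) from one 4740 message."""
    acct = _LOCKED_ACCOUNT.search(message)
    if not acct:
        raise ValueError("not a 4740 message")
    caller = _CALLER.search(message)
    # The caller field can be blank when the source did not identify itself.
    return acct.group(1), (caller.group(1).strip() if caller else "")


def lockout_sources(messages):
    """Counter of (account, caller) pairs across many 4740 messages."""
    return Counter(parse_lockout(m) for m in messages)


def report(messages):
    """One line per (account, caller), most frequent first."""
    lines = []
    for (account, caller), n in lockout_sources(messages).most_common():
        lines.append("%-12s locked %d time(s) from %s"
                     % (account, n, caller or "<no caller name>"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

A caller that is the same workstation every time usually means a stale credential on that machine (a saved password, a mapped drive, a scheduled task); a caller that is a VPN gateway or a server means the retries are coming from somewhere behind it.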

  • WLS6.0 sp1 and MS Active Directory

    Hi,
    Is it possible to configure WLS' LDAP security realm to use MS' Active
    Directory to authenticate users? A quick yes or no would be appreciated -
    I'll worry about the finer details of how later!!
    Regards
    Laura Allen

    Custom realm of course with the weblogic....ldaprealmv2.LDAPRealm
    implementation class.
    We did not use Kerberos authentication - just the plain password
    authentication in "cleartext". Our servers are inside a secure data center -
    no encryption required. That's why we did not need jdk1.4.
    "Marc Carrion" <[email protected]> wrote in message
    news:[email protected]...
    Are you saying that you configured the LDAP realm of WL to use Active Directory,
    or did you use your custom realm?
    To use authentication with Kerberos you need to use GSS-API, and it's not
    included in JDK 1.3, nor in JAAS; that's why I needed to use JDK 1.4.
    Can you explain how you did that?
    Thanks,
    Marc
    "Roy Cornell" <[email protected]> wrote:
    Hi Laura:
    No, BEA did not confirm the compatibility. We did our own investigation and found that the two systems work well together. One of the highlights of the research was the fact that the configuration of the WLS custom realm for Active Directory was more similar to Netscape Directory or OpenLDAP than to the MS Site Server.
    I am attaching the sample settings for the LDAP realm:
    server.host=<some-ip-or-name>
    server.principal=CN=wlsadmin001,OU=WLSMEMBERS1,DC=company,DC=com
    user.filter=(&(cn=%u)(objectclass=user))
    user.dn=OU=WLSMEMBERS1,DC=company,DC=com
    group.filter=(&(cn=%g)(objectclass=group))
    group.dn=OU=WLSGROUPS1,DC=company,DC=com
    membership.filter=(&(member=%M)(objectclass=group))
    We used AD for authenticating the users and for authorizing the EJB methods. AD contained the users and their security roles, and the deployment descriptors of the EJBs contained the permissions for the security roles.
    We ran repeated tests and were more or less satisfied.
    Regards
    P.S.
    We used WLS 6.1 and JDK 1.3.
    ----- Original Message -----
    Sent: Tuesday, September 18, 2001 5:40 AM
    Subject: WLS6.0 and Active Directory
    Forgive me for contacting you directly, but did you receive a reply from BEA as to whether WLS supports interaction with Active Directory? And were you attempting to use Active Directory just for user authentication? Any info on how WLS and Active Directory interact would be appreciated!
    Regards
    Laura Allen
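One detail in the posted realm settings deserves a check: user.filter=(&(cn=%u)(objectclass=user)) takes the login name straight into an LDAP search filter, so whatever performs the %u substitution must escape the RFC 4515 special characters, or a crafted login name can widen the search. The following is an added example, not WebLogic code and not from the thread: it contrasts an unescaped substitution with an escaped one, evaluated against a constructed directory by a small filter evaluator (and/or/not, equality, "*" wildcards) written for this demonstration. The entries and the login names are constructed.

```python
"""Show why whatever substitutes %u into a realm filter such as
(&(cn=%u)(objectclass=user)) must escape the value per RFC 4515.

Added example; not WebLogic code and not from the original thread. The
filter template is the one in the posted settings; DIRECTORY, the login
names and the mini filter evaluator are constructed for this demonstration.
"""
import re

USER_FILTER_TEMPLATE = "(&(cn=%u)(objectclass=user))"   # from the posted settings

# Constructed directory: attribute names lower-cased, values as lists.
DIRECTORY = [
    {"cn": ["alice"], "objectclass": ["top", "person", "user"]},
    {"cn": ["bob"], "objectclass": ["top", "person", "user"]},
    {"cn": ["wlsadmin001"], "objectclass": ["top", "person", "user"]},
    {"cn": ["Domain Admins"], "objectclass": ["top", "group"]},
]


def escape_filter_value(value):
    """RFC 4515 section 3: escape backslash, '*', '(', ')' and NUL as \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def naive_filter(username):
    """What an unescaped %u substitution produces."""
    return USER_FILTER_TEMPLATE.replace("%u", username)


def safe_filter(username):
    """The same substitution with the value escaped first."""
    return USER_FILTER_TEMPLATE.replace("%u", escape_filter_value(username))


def parse_filter(text):
    """Parse a filter into nested tuples; ValueError on malformed input."""
    def close(i):
        if i >= len(text) or text[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return i + 1

    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if i >= len(text):
            raise ValueError("truncated filter")
        if text[i] in "&|":
            op, kids, i = text[i], [], i + 1
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), close(i)
        if text[i] == "!":
            node, i = parse(i + 1)
            return ("!", [node]), close(i)
        eq = text.index("=", i)
        end = text.index(")", eq)      # escaped parens are \28 / \29, not ')'
        return ("=", text[i:eq].lower(), text[eq + 1:end]), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _unescape(piece):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _value_matches(pattern, actual):
    """Case-insensitive match; a bare '*' is a wildcard, '\\2a' a literal star."""
    parts = [_unescape(p).lower() for p in pattern.split("*")]
    actual = actual.lower()
    if len(parts) == 1:
        return actual == parts[0]
    if not (actual.startswith(parts[0]) and actual.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for middle in parts[1:-1]:
        idx = actual.find(middle, pos)
        if idx < 0:
            return False
        pos = idx + len(middle)
    return pos <= len(actual) - len(parts[-1])


def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(filter_text, directory=DIRECTORY):
    """Return the cn of every entry the filter matches, sorted."""
    node = parse_filter(filter_text)
    return sorted(e["cn"][0] for e in directory if evaluate(node, e))


if __name__ == "__main__":
    for name in ("alice", "*", "wls*", "*)(objectclass=*"):
        print(repr(name), "naive:", search(naive_filter(name)),
              "escaped:", search(safe_filter(name)))
```

The point is not that the realm is known to be injectable (the thread does not say how it substitutes %u) but that the check is cheap: bind with a login name of "*" and see whether the search returns one entry or every user. The same applies to %g and %M in the group and membership filters, and the escaped value "\2a" is how a literal star must reach the server.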

  • Active Directory 2003 and Sun One Directory Server 5.2

    I just installed Sun One Directory Server 5.2 on a Linux machine. I want to configure LDAP on that machine so that it can be authenticated on Active Directory 2003. How do I go about doing this?

    Active Directory server is a "directory server" (and Kerberos server). If your Linux client authenticates against Active Directory it doesn't have to involve the Sun Directory Server at all. You have several general approaches you could investigate:
    1. Linux client gets accounts and authentication via LDAP from Active Directory.
    If you use AD to handle Unix LDAP authentication (option 1) you may need to extend the schema in AD to add the Unix password field. I haven't tried it yet, but hope to.
    2. Linux client gets accounts from AD LDAP and authorization from AD Kerberos.
    There should be docs on support.microsoft.com on enabling Kerberos support for non-Windows clients.
    3. Linux client (with the Samba client installed, with winbind or pam_smb to support Unix-level services) gets accounts and authentication as a "Windows" client from the Active Directory "Windows server".
    Check the samba.org documentation or forums; I think this is a pretty common solution.
    4. Linux client gets account information from Sun Directory Server but uses Kerberos (against Active Directory) for authentication.
    There should be docs on support.microsoft.com on enabling Kerberos support for non-Windows clients.
    5. Linux client gets account and authorization from Sun Directory Server, with the Sun Directory Server configured to use Active Directory as a Kerberos server.
    Probably incredibly complex.

  • Third Party Load Balancing Active Directory

    We have several applications that target individual Active Directory domain controllers for authentication. If the domain controller goes down then that service stops working.
    I'm interested in using a Citrix Netscaler to load balance authentication requests.
    What I want to know is, "Does Microsoft support the use of an external load balancer", not from the perspective of third party device support obviously, rather functionally. Will AD work and be supported when using the Netscaler.
    IT Manager

    If you simply plan to use the Citrix NetScaler to load balance, say, reading LDAP on port 389 as an example, you will be OK.
    Rather than pointing the app to a single DC, why not create multiple DNS records with the same host name and different IPs and use round robin? Not as sophisticated, but it isn't going to cost you tens of thousands of dollars in load balancing.
    Visit: anITKB.com, an IT Knowledge Base.
    Have you actually tested and used this in a production environment? If I understand correctly, what you are suggesting is to take existing (hypothetical) domain controller DNS entries:
    A record: dc1.contosso.com, 10.1.1.10
    A record: dc2.contosso.com, 10.1.1.11
    And add the following entries to create quasi fault tolerance?
    A record: dc3.contosso.com, 10.1.1.10
    A record: dc3.contosso.com, 10.1.1.11
    I honestly don't think it will work, because of a few things, such as DC registration occurring every 60 min, including the netlogon service overwriting whatever static entries were created for the quasi load balancing, and possibly Kerberos auth failing due to a different IP authenticating from a different SPN. I know the hardware load balancers have options to preserve session cookies, which work fine for IIS implementations, such as Exchange HUB, and especially for CAS access; otherwise Outlook will not accept it if it sends an auth request on one IP and another backend responds, which the LB helps preserve. However, with AD LDAP, RPC, etc., I *don't* think it will work, due to Kerberos failing, thinking it's a spoof. If you get it working, I would be very curious to see the documented implementation, settings, results, etc.
    Ace
    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
