Authenticating against AD with Kerberos, by a user with an explicit UPN

Hello
My situation:
I have a domain at the 2008 functional level with a technical name, let's say tec.domain.com.
For this domain I have configured an alternate UPN: domain.com (that is only a DNS domain name, not an existing AD domain).
My users have a SamAccountName like j.doe and a UPN like [email protected] (which is their email address in our Exchange organization).
Now, from a Linux server (running Apache and Kerberos), I can do a kinit with [email protected], but not with [email protected].
When I capture traffic, the DC answers "error-code: eRR-WRONG-REALM (68)", saying it is not able to handle the DOMAIN.COM realm.
According to this article (http://msdn.microsoft.com/en-us/library/Cc212351.aspx), my DC should be able to handle it, as far as I understand it.
Am I missing something?
Thanks in advance.

Hi,
Thanks for your post.
It seems that you could not enable Kerberos authentication for users logging on with their alternative UPNs.
Please refer to this similar thread:
Authenticating to Active Directory using an alternate UPN
http://social.technet.microsoft.com/Forums/en-US/f93e23d7-e910-4ae7-96ba-3a8038766f9f/authenticating-to-active-directory-using-an-alternate-upn?forum=winserverDS
Regards.
Vivian Wang
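The "error-code: eRR-WRONG-REALM (68)" the poster saw in the capture is a KRB-ERROR message from the DC. The following is an added example, not code from this thread nor from any Microsoft or MIT component: a small DER walker that extracts the error code, the realm fields and the service name from such a message, which is what you need when triaging a KDC rejection in a trace. The sample message is constructed inside the block with a minimal encoder, the realm names in it are illustrative, and the comment that crealm names the referral target under WRONG_REALM comes from RFC 6806, not from this thread.

```python
from typing import Dict, List, Optional, Tuple

# Subset of RFC 4120 section 7.5.9 error codes; 68 is the one in the thread's capture.
KRB_ERROR_CODES: Dict[int, str] = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                                   25: "KDC_ERR_PREAUTH_REQUIRED", 68: "KRB_ERR_WRONG_REALM"}
APPLICATION_30, SEQUENCE, INTEGER = 0x7E, 0x30, 0x02   # KRB-ERROR is [APPLICATION 30] SEQUENCE
GENERAL_STRING, GENERALIZED_TIME = 0x1B, 0x18          # KerberosString / Realm, KerberosTime

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the body of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _principal_strings(principal_body: bytes) -> List[str]:
    """PrincipalName ::= SEQUENCE { name-type [0], name-string [1] SEQUENCE OF KerberosString }."""
    for ctx_tag, wrapped in _children(principal_body):
        if (ctx_tag & 0x1F) == 1:
            _, names, _ = _read_tlv(wrapped, 0)
            return [v.decode("ascii") for _, v in _children(names)]
    return []

def parse_krb_error(msg: bytes) -> Dict[str, object]:
    """Pull error-code, realm, crealm and sname out of a DER KRB-ERROR (RFC 4120 5.9.1)."""
    tag, seq_tlv, _ = _read_tlv(msg, 0)
    if tag != APPLICATION_30:
        raise ValueError("not a KRB-ERROR (expected [APPLICATION 30])")
    seq_tag, body, _ = _read_tlv(seq_tlv, 0)
    if seq_tag != SEQUENCE:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    fields: Dict[str, object] = {"crealm": None}
    for ctx_tag, wrapped in _children(body):
        n = ctx_tag & 0x1F                             # context tag number [n]
        _, inner, _ = _read_tlv(wrapped, 0)            # unwrap the EXPLICIT tag
        if n == 1 and int.from_bytes(inner, "big", signed=True) != 30:
            raise ValueError("msg-type is not KRB-ERROR (30)")
        elif n == 6:
            fields["error_code"] = int.from_bytes(inner, "big", signed=True)
        elif n == 7:   # crealm: for WRONG_REALM the KDC names the client's true realm here (RFC 6806 sec. 7)
            fields["crealm"] = inner.decode("ascii")
        elif n == 9:   # realm: server realm as reported by the KDC
            fields["realm"] = inner.decode("ascii")
        elif n == 10:
            fields["sname"] = _principal_strings(inner)
    if "error_code" not in fields:
        raise ValueError("KRB-ERROR without error-code")
    fields["error_name"] = KRB_ERROR_CODES.get(fields["error_code"], "UNKNOWN")
    return fields

# --- constructed sample data (not a real capture): a tiny DER encoder, short-form lengths only ---
def _tlv(tag: int, value: bytes) -> bytes:
    if len(value) >= 0x80:
        raise ValueError("sample encoder handles short-form lengths only")
    return bytes([tag, len(value)]) + value

def _ctx(n: int, inner: bytes) -> bytes:               # EXPLICIT context tag [n]
    return _tlv(0xA0 | n, inner)

def _integer(v: int) -> bytes:
    return _tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_sample_krb_error(error_code: int, realm: str, crealm: Optional[str] = None) -> bytes:
    """Constructed KRB-ERROR answering an AS-REQ for krbtgt/<realm>@<realm>."""
    names = _tlv(SEQUENCE, _tlv(GENERAL_STRING, b"krbtgt") + _tlv(GENERAL_STRING, realm.encode()))
    krbtgt = _tlv(SEQUENCE, _ctx(0, _integer(2)) + _ctx(1, names))   # name-type 2 = NT-SRV-INST
    body = (_ctx(0, _integer(5)) + _ctx(1, _integer(30))
            + _ctx(4, _tlv(GENERALIZED_TIME, b"20140101120000Z")) + _ctx(5, _integer(0))
            + _ctx(6, _integer(error_code)))
    body += _ctx(7, _tlv(GENERAL_STRING, crealm.encode())) if crealm else b""
    body += _ctx(9, _tlv(GENERAL_STRING, realm.encode())) + _ctx(10, krbtgt)
    return _tlv(APPLICATION_30, _tlv(SEQUENCE, body))
```

Calling parse_krb_error(build_sample_krb_error(68, "DOMAIN.COM", crealm="TEC.DOMAIN.COM")) mirrors the thread's situation (the client named realm DOMAIN.COM, which the KDC does not serve) and returns error_name KRB_ERR_WRONG_REALM with sname krbtgt/DOMAIN.COM.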

Similar Messages

  • "Authentication failed" - exceeding Airport Extreme's max users with less than 10 devices connected?

    I am running an Airport Extreme with two Airport Expresses on my network.  There are two MacBook Pros, two iPhones, two iPads, a PS3 and a Chromecast in the household, a max of probably 5 or 6 of which are turned on at any given time.  Normally everything works perfectly, but occasionally my wife or I will get an "authentication failed" message while trying to log onto our home network, and after wasting time resetting the router, checking settings, etc., the only sure-fire way to reconnect seems to be to make sure the Chromecast and a couple of the iPhones are turned off.
    If I remember correctly, the max number of connections to an Airport Extreme is 50?  Obviously not ideal, but it shouldn't be refusing connections when 6 or 7 devices are trying to hook up.  We have had the same issue when friends come to visit.  I can't find any obvious problems in the Airport setup, and I have my DHCP range set from xx.xx.xx.2 to 200.
    Any ideas?

    Is it the same device generating the error?
    I have had up to 40 devices on a single Extreme, maybe with 10 actively working and others when needed, with no issue.

  • What is the best way to manage multiple devices with one iMac - different users with separate iTunes accounts or one Mac user with different iTunes logons and libraries?

    Hello
    I have just purchased an iMac which I am very happy with.  In our household we also have two iPhones (one mine and one my husband's) and one iPod (my son's). We all have individual iTunes accounts set up on our previous computer (not a Mac). We have separate apps and music, although there may be the odd occasion where we would like to share a song (if this is possible) across devices.
    I am just wondering the best way to manage these devices using the new iMac.  Should I create individual accounts to log on to the iMac, then from within these launch our own iTunes accounts and sync our devices with these?  Or should I be using one version of iTunes, logging on to this with our different iTunes usernames and storing things in libraries?
    Any help would be greatly appreciated. 
    Thanks

    I am presuming that we cannot share downloaded apps and music between accounts because of the copyright issue,
    Though I'm no copyright lawyer, as long as it's within a household, you can share content among users. Such sharing is, absent specific language preventing it not present in the iTunes Store terms of use, generally considered to be "personal use". So you can share apps and music amongst your users on your computer and with their devices. You just can't give any of that content to friends or relatives who don't live with you.
    What I am not clear on is making sure that this appears in each iTunes account - is it easy to find the file storage folders that match the iTunes accounts, and what would these be?
    The iTunes library and files are by default in a user's Home/Music folder. But you don't have to find the folder; in fact putting a file into the folder yourself won't add the file to iTunes. Just drag the file into the iTunes window. iTunes will copy it to the correct location.
    Regards.

  • With SSMS Can a user with VIEW DEFINITION permissions on a procedure, see its source?

    Is there a way directly within the GUI itself to see the definition of a procedure if a user has VIEW DEFINITION permissions (as well as EXECUTE), or will they need to use sp_helptext?

    Yes, there is a way. Right-click procedure from Object Explorer and select Script from the context menu.
    Erland Sommarskog, SQL Server MVP, [email protected]

  • Can I communicate with a non apple user with iSight?

    How can we get family back in the USA up and running so we can have video chats? (Other than buying them a new iMac?)
    G5 and Powerbook G4, Mac OS X (10.4.6)

    In addition to Neil's fine comments, you'll need AIM 5.9 for the PC and a little fine-tuning.
    AIM 5.9 can be found here: http://www.aim.com/getaim/win/otherwin.adp?aolp=
    And the fine tuning overview here: http://www.mvldesign.com/videoconferencetutorial.html

  • Kerberos Authentication - more than one user with same sAMAccountName

    I am configuring Kerberos Authentication on SAP AS Java. The single-domain SSO is done and working. Now I need to configure multiple domains in a domain forest. How do I resolve the issue of multiple users with the same account ID (same sAMAccountName) under different domains?

    We thought about using the userprincipalname, but decided against it once we had the realization that if SPNego failed for any reason, and the user had to logon manually, they would not know their userprincipalname.  This was a wise decision, as SPNego does fail for a variety of reasons.  The most common is that there appears to be a 1-2 day timeout of the Kerberos ticket, and if a user leaves their computer on for that long, it will challenge them to logon manually.
    Andrew Castillo

  • Remote PowerShell Connection to Lync Server With Kerberos authentication Fails

    Hi everyone,
    Remote PowerShell to Lync Server with Kerberos authentication fails. Is there any reason for not being able to connect when authentication is specified as Kerberos? Exactly the same code works when Authentication is specified as "Negotiate".
    E.g :
    Error -
    $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
    [serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in
    the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify
    that the client computer and the destination computer are joined to a domain.To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by
    server:   Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionOpenFailed
    Works  -
    $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate

    Hi,
    Please double-check whether Windows Update is up to date; if not, please update and then test again.
    Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Exchange Management Console couldn't start with Kerberos authentication failed

    When I was making changes to the Client Access\owa settings, I changed from Basic authentication to Form authentication (UPN name) and then back to Basic again. It was OK after changing to Form authentication, but the moment after changing back to Basic I could no longer access OWA (blank page with one vertical line), and in the Exchange Management Console I got "Initialization failed" - The following error occurred while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
    The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
    I tried the troubleshooting tool from the Exchange team blog:
    http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It gives 3 possible causes for this error: 1. The WSMan module entry is missing from the global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. The Kerbauth module shows up as a Managed module or has been loaded at the Default Web Site level; 3. The path of the PowerShell virtual directory has been modified.
    I checked carefully; none of the 3 causes apply to my situation, as the WSMan entry is in order, Kerbauth is native and local, and the path of the PowerShell virtual directory is correct.
    I find that in the Application log there are Events 2297 and 2307 dumped at the time of failure:
    The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config', line number '2'. The data field contains the error code.
    Help is very much appreciated.
    Valuable skills are not learned, learned skills aren't valuable.

    Unfortunately, none of the links you provided helped.
    The first link contains 3 methods: 1. Removing the WinRM feature and reinstalling. 2. Rename the web.config file in location C:\inetpub\wwwroot. 3. Have you installed Microsoft Dynamics CRM 4?
    As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config, however, is found many times in the .NET Framework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
    The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when I open the Exchange Management Shell, I get this error: [sgp.ex1.mydomain.com] Connecting to remote server failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
    I do not think the user is not remote PowerShell enabled, because the problem happened suddenly while I was making changes to the authentication settings of OWA (default) in Client Access in the Exchange Management Console. If the user account were not remote PowerShell enabled, then I couldn't even connect to EMC in the first place.
    The last link didn't help because I could open up the modules under the PowerShell virtual directory in IIS.
    I think that since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config are not well-formed XML, that might be a clue.
    In the event id 2307 this is the message:
    The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML
    ' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'.  The data field contains the error code.
    Valuable skills are not learned, learned skills aren't valuable.

  • Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

    I need the MBAM 2.5 Helpdesk and self-service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to log in to the sites but am prompted for a password. That said, anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain-authenticated users that have been added to the MBAM Help Desk Users group to negotiate the site with NO password challenge at all.
    tconners

    This generally means that your SPN is not set up correctly.  Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance.  You should set an SPN similar to:
    setspn -s http/lance.contoso.com corp\lance
    In your browser, you should now be able to access the SSP without prompts.  However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com.  Since you are entering an FQDN in your browser, IE interprets the "." to mean "on the internet", which breaks Kerberos authentication.  By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use Kerberos.

    I can confirm that I have the exact configuration and I always get the password prompt the very first time. We have a 2 server (1x IIS and 1x SQL) infrastructure in production with the SPN set like it should be, and I get the password prompt.

  • De-authenticating users with multiple active sessions

    Hi guys,
    I haven't posted much, but I've lurked for a long time and, until now, always found
    the answer to my questions, but this one has me stumped. I've implemented the
    Session Timeout utility successfully,
    but I would like to add another function that would exchange a transaction_id between
    the user and the server, as mentioned
    Re: diallow multiple logins.
    When I try to use this new function, the initial cookie gets set and the value is
    inserted into the table. However, when I try to navigate to a second page, the value
    in the cookie is not the same as the value in the table. When I keep all of the records
    and compare them to all of the set-cookie calls, it appears that the
    table is being updated more often than the cookies. I would really appreciate some
    input on this problem or another way to validate that the user is active in
    only one session.
    Thanks,
    Art
    This is the process to create the initial cookie on Page 101:
    declare
      l_magic_number number;
      l_new_number   number;
    begin
      -- seed the random generator from the clock and draw a fresh transaction id
      select to_number(to_char(sysdate, 'WDDHHMISS')) into l_magic_number from dual;
      dbms_random.seed(l_magic_number);
      l_new_number := dbms_random.random;
      -- replace any earlier id stored for this user
      delete from transaction_cookies where trans_user = owa_cookie.get('LOGIN_USERNAME_COOKIE').vals(1);
      insert into transaction_cookies (trans_user, transaction_id)
                      values (owa_cookie.get('LOGIN_USERNAME_COOKIE').vals(1), l_new_number);
      -- hand the same id to the browser
      owa_cookie.send(
          name    => 'HTMLDB_SESSION_TRANSACTION',
          value   => to_char(l_new_number),
          expires => null,
          path    => '/',
          domain  => null);
    end;
    And the validation function is here:
    -- l_invalid_session_page and g_other_cookie_already_sent are assumed to be
    -- package-level variables of the Session Timeout package (not shown in the post)
    function check_transaction_id return boolean as
    cursor c_select_number(user_name varchar2) IS
            select transaction_id
            from   transaction_cookies
            where  trans_user = user_name;
    l_cookie_exists   boolean       := true;
    l_selected_number number;
    l_cookie_number   number;
    l_new_number      number;
    l_magic_number    number;
    user_id           varchar2(256);
    begin
        -- nothing to check for unauthenticated requests
        if htmldb_custom_auth.get_user is null then
            return true;
        end if;
        begin
            l_cookie_number := to_number(owa_cookie.get('HTMLDB_SESSION_TRANSACTION').vals(1));
            exception when no_data_found then
                l_cookie_exists := false; -- no cookie set, assume first page visit after login
        end;
        user_id := owa_cookie.get('LOGIN_USERNAME_COOKIE').vals(1);
        open  c_select_number(user_id);
        fetch c_select_number into l_selected_number;
        close c_select_number;
        if l_cookie_exists and l_cookie_number <> l_selected_number then
            -- the browser's id differs from the stored one: another session took over, end this one
            delete from transaction_cookies where trans_user = user_id;
            OWA_COOKIE.REMOVE(
                name    => 'HTMLDB_SESSION_TRANSACTION',
                val     => to_char(l_cookie_number),
                path    => '/');
            wwv_flow.g_unrecoverable_error := true;
            owa_util.redirect_url('f?p='||wwv_flow.g_flow_id||':'||l_invalid_session_page);
            return false;
        elsif not g_other_cookie_already_sent then
            -- ids match (or no cookie yet): issue a new id for the next request
            select to_number(to_char(sysdate, 'WDDHHMISS')) into l_magic_number from dual;
            dbms_random.seed(l_magic_number);
            l_new_number := dbms_random.random;
            delete from transaction_cookies where trans_user = user_id;
            insert into transaction_cookies values(user_id, l_new_number);
            /* The timeout function opened the HTTP header...*/
            owa_cookie.send(
                name    => 'HTMLDB_SESSION_TRANSACTION',
                value   => to_char(l_new_number),
                expires => null,
                path    => '/',
                domain  => null);
            owa_util.http_header_close; /* Since this is called after the timeout function, THIS one will close the header*/
            g_other_cookie_already_sent := true;
        end if;
        return true;
    end check_transaction_id;

    Art - Thanks for the detailed problem description (with code). The problem you're seeing is due, in part, to the fact that an application's session verification function is run on every page show and page submit. Based on your function's logic, when you show a page, a cookie is sent (after you purge the table and do an insert). Then you submit the page and it runs again, purging the table, inserting a new value into the table, and sending that value in the cookie. Then the page branches to the next page (usually doing a URL redirect). Here's where it messes you up. Whenever a redirect is done, apex clears the HTTP header, so the cookie doesn't get to your browser. When the next show page request is handled (as a result of the branch), the function checks if the browser's cookie matches the value in the table. It doesn't.
    The solution will involve having the function not do its thing if a page "submit" is being processed. There might be better ways to detect this, but here is some code you could try:
        if owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' and
           lower(owa_util.get_cgi_env('PATH_INFO')) = '/f' then ...
    which would be true for show requests only (f?p URLs). I have to tell you though, that with some of the newer request types (ppr pagination, csv/fop output, on-demand/ajax invoked processes, ...), you may have to tinker quite a bit.
    Also, in your code I see you use the LOGIN_USERNAME_COOKIE cookie to identify the user. This will not be reliable if a user is using the same browser to run more than one application. You really should use v('APP_USER') to identify the user (authenticated or not). And if your user is running multiple apps in the same browser, your other cookie needs a name unique to the application, lest one app's cookie overwrite the other's.
    Scott

  • Business Management Error: You are attempting to create a user with a domain logon that does not exist. Select another domain logon and try again.

    Hello,
    Suddenly the working CRM has stopped for some group of users.
    I drilled down into the issue and have checked that the users from the domain in which CRM is installed have CRM access.
    But users from the other domains have a problem accessing CRM.
    I tried to add a user from a domain which is not the CRM domain, and then it gives the following error.
    "Business Management Error: You are attempting to create a user with a domain logon that does not exist. Select another domain logon and try again.
    <Message>LookupAccountNameW failed with error</Message> "
    The change that was made: the AD group has upgraded the Active Directory server to 2012 R2.
    Please help, as the Production CRM is not working for the other domains' users.

    We have an Active Directory structure like below.
    One root domain, say A,
    and there are multiple child domains like B, C, D etc.
    B, C and D are all at the same level; they are children of the A domain.
    There are two-way transitive trusts between A and all the child domains.
    But there is no trust between B and C and so on.
    Our CRM server is in the B domain, and B domain's users can access CRM, but users of domains C, D and so on cannot access CRM.

  • Presenting users with authentication menu

    Hi,
    I have a need to present the users with the option to either authenticate with LDAP or RADIUS. All the users go through a gateway. The only way I understand to do this is to prepend "&authlevel=0" at the end of the URL. I am wondering if there is a way to have the gateway do this automatically.
    The user would enter: https://host.domain.com and this would present the user with the authentication menu for the selected modules.
    We are using JES 2003Q4 (portal 6.2).
    any help would be appreciated,
    wiggam

    Hmm, the authentication method can be chosen using "module", e.g.
    <input type="hidden" name="module" value="LDAP">
    in the login form.
    You could put a dropdown box there or something like that.
    hth Chris

  • Windows AD with Kerberos authentication not supported for NW AS JAVA 7.1

    The Admin guide for BO 3.1 states that Windows AD with Kerberos authentication is not supported on NetWeaver AS.
    Can anybody suggest and confirm this?

    I know we haven't been receiving cases for it, but I think in theory it should work fine. BO doesn't really care what web/app kerberos comes from as the manual authentication uses the java SDK (i.e tomcat 5.5 would use Sun JDK 1.5), and SSO kerberos (vintela) uses 3rd party libraries. It's possible our 3rd party libraries may not support netweaver yet. If I hear anything else I'll post.
    Regards,
    Tim

  • How to setup Oracle OCI Driver with Kerberos Authentication in Eclipse

    Hello, I am trying to set up a connection to an Oracle Server with Kerberos authentication.
    I am able to connect using SQL Developer, but it seems impossible to do the same through the Eclipse plugin. Any pointers?

    Currently there is no support for Kerberos authentication on OEPE DB support. I'll open an enhancement request.

  • Authentication of portal users with uid on oid/ldap

    All works fine with authenticating users created on DAS that have
    dn: cn=%LDAP_USER%,cn=users,dc=edmunds,dc=com
    When I migrated the user to the portal schema, the auth fails. The portal schema has the user dn string
    uid=%LDAP_USER%, ou=people, dc=edmunds, dc=com
    I got this dn string from an export to an ldif file. The portal user can log in to DAS.
    We are using HTMLdb 1.6 and I used
    LDAP Host [LDAP Test Tool] at /htmldb/f?p=4000:802 to test the parameters.
    How do I make this uid dn work with AppEx?
    Thanks.

    Kenny,
    I would forget about using the is_member function for authentication until you achieve what you need directly with dbms_ldap. You can experiment with an anonymous block in SQL*Plus starting with this sample code until you can get the simple_bind_s to work with your parameters:
    set serveroutput on
    declare
        l_retval      pls_integer;
        l_retval2     pls_integer;
        l_session     dbms_ldap.session;
        l_ldap_host   varchar2(256);
        l_ldap_port   varchar2(256);
        l_ldap_user   varchar2(256) := 'FIRSTNAME_LASTNAME'; -- enter username in this format
        l_ldap_passwd varchar2(256) := 'PASSWORD';           -- enter password
        l_ldap_base   varchar2(256);
    begin
        l_retval                := -1;
        dbms_ldap.use_exception := TRUE;
        l_ldap_host             := 'ldap-host.some-domain.com';
        l_ldap_port             := '389';
        l_ldap_user             := 'cn='||l_ldap_user||',l=amer,dc=oracle,dc=com';
        l_session := dbms_ldap.init( l_ldap_host, l_ldap_port );
        l_retval  := dbms_ldap.simple_bind_s( l_session, l_ldap_user, l_ldap_passwd );
        dbms_output.put_line( 'Return value: ' || l_retval );
        l_retval2 := dbms_ldap.unbind_s( l_session );
    exception when others then
        dbms_output.put_line( rpad('ldap session ',25,' ') || ': ' ||
             rawtohex(substr(l_session,1,8)) || '(returned from init)' );
        dbms_output.put_line( 'error: ' || sqlerrm||' '||sqlcode );
        dbms_output.put_line( 'user: ' || l_ldap_user );
        dbms_output.put_line( 'host: ' || l_ldap_host );
        dbms_output.put_line( 'port: ' || l_ldap_port );
        l_retval  := dbms_ldap.unbind_s( l_session );
    end;
    /
    Scott
