Browser pre-authentication

I have an applet that is contained on a page for which Basic Authentication is required.
The applet itself makes calls to the same web-server, to a script, for which the same authentication is required. i.e. its in the same realm.
Communication is through the HttpURLConnection class.
When viewing the page within Internet Explorer (on windows), the applet does not ask me for authentication, it uses that of the Browser, for which a username and password has already been given. This, for me is the desired behaviour.
However, under netscape / mozilla / firefox (on both windows and linux) the applet displays its own login / password window.
Has anyone else found this, and perhaps found a workaround?
I am using plug-in version 1.4.2_04 on windows.
If it is not possible to to do this client side, perhaps somebody knows a way that I could clone the authentication information, server side, and pass it back to the applet through another means (via parameters when the applet page is generated), Does anyone know if this information is available in the CGI environment, and which Environment variables & HTTP headers would be used?
Regards
Nick

For anyone who is interested I managed to solve my own problem here, in a somewhat unorthodox way.
As I have access to the web server (apache), I added a RewriteRule, which passes the HTTP Authorization header to my cgi script. It take the form:
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},PT]
Which basically says : for any URL create an environment variable (HTTP_AUTHORIZATION), and set it to the value of the Authorization HTTP header.
So in my cgi script which generates my applet tag, I pass this value to my applet, via a parameter.
And set it for my HttpURLConnection using the following
URL url = new URL("http://blah/blah.cgi");
HttpURLConnection server = (HttpURLConnection)url.openConnection();
server.setRequestProperty("Authorization", getParameter("auth"));
server.connect();
Hope somebody finds this useful
Nick

Similar Messages

Calling a function in Pre-Authentication Process in Authentication Scheme

Hello all,
I want to call a function located somewhere inside apex (not in the database) from the Pre-Authentication Process in an Authentication Scheme.
Is it possible?
Regards Pedro.

Pedro
Possibly if you could unwrap the source of the package but basically you wouldn't want to mess with APEX's API.
If this is your function then you want it somewhere in one of your own schemas (you won't potentially break APEX and you will retain it when you upgrade).
If you wish, you could create your own authentication schema and only give yourself access to it (as well as execute to the applications parsing schema user). You could also just create it as in the application parsing schema
CREATE OR REPLACE PACKAGE BODY xxxxxxx WRAPPED This makes the source unreadable in the database. (remember to keep the original source yourself though!).
Hope this helps
Cheers
Ben

RDP pre-authentication: what does it actually do?

I'm trying to integrate Forefront TMG and RDS with SecurID authentication. I believe I'm very close to having it working, but I'm hitting a brick wall.
I have "require pre-authentication" set, and "pre-authentication server name" configured, as indicated in so many forum posts and HOWTOs.
No matter what I do, clients receive the error "authentication to the firewall failed due to missing firewall credentials." This is
after they have already successfully authenticated and visited the /RDWeb pages.
Using the TMG logs, procmon, and wireshark, I am 100% certain that no network activity is occurring from the RDP client when this error occurs; this error is being generated entirely on the client side, before it attempts to connect to anything. I understand
that this is what is expected; it is checking for the existence of a cookie.
But the cookie doesn't exist. Why? Because nothing is setting one. The only cookies the client receives during the entire process (logging in to rdweb and trying to launch an app) are the SecurID domain SSO cookie I set in TMG, and the persistent authentication
cookie I also set in TMG. RDweb itself is not issuing any cookie at all.
Can anyone please explain to me, what specific cookie is the RDP client looking for when "require pre-authentication" is enabled? And which component is meant to be setting it?
Obviously I'd be very grateful if anyone can tell me "run this command and it will start working" or whatever, but I'm really hoping to gain an engineering-level understanding of how it's
meant to work ;)

Hi,
Please double check the following article:
Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide
http://technet.microsoft.com/en-us/library/gg589607(v=ws.10).aspx
On the Forefront TMG server apply the Filter ipv4.address==<your public IP>
When client request of remote desktop is reaching to TMG server, please check if the TMG server is forwarding the packet to RDG server.
Looking forward to your feedback.
Regards,
Dollar Wang
Forum Support
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback
here.
Technology changes life……

Error with Pre-Authentication for Windows Desktop SSO

When I try to use the windows desktop sso module created in the Access Manager I get an error in the amAuthWindowsDesktopSSO file, but I don't know what I'm doing erroneous. It's not an access manager problem, I can't get kinit to work either. I think I'm following the directions correctly from the manual.
Are these ktpass commands setup right?
The Windows AD administrator created the accounts:
C:\>ktpass -princ HOST/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev.keytab
Targeting domain controller: dc2.ad.tcpip.com
Successfully mapped HOST/amdev.tcpip.com to AMDEV$.
WARNING: Account AMDEV$ is not a user account (uacflags=0x1021).
WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
Reset AMDEV$'s password [y/n]? y
Key created.
Output keytab to amdev.keytab:
Keytab version: 0x502
keysize 56 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x023efe
3e6846d3cd)
Account AMDEV$ has been set for DES-only encryption.
C:\>ktpass -princ HTTP/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev-http.keytab
Targeting domain controller: dc2.ad.tcpip.com
Successfully mapped HTTP/amdev.tcpip.com to AMDEV$.
WARNING: Account AMDEV$ is not a user account (uacflags=0x201021).
WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
Reset AMDEV$'s password [y/n]? y
Key created.
Output keytab to amdev-http.keytab:
Keytab version: 0x502
keysize 56 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x45201c
f4d3ec43e6)
Account AMDEV$ has been set for DES-only encryption.
C:\>I can read the keys with ktutil.
ktutil: rkt amdev-http.keytab
ktutil: list
slot KVNO Principal
   1    4            HTTP/[email protected]
ktutil: rkt amdev.keytab
ktutil: list
slot KVNO Principal
   1    4            HTTP/[email protected]
   2    3            HOST/[email protected]
ktutil: wkt amdev2.keytabI then try to do a kinit with the principal:
kinit -k -t amdev2.keytab HTTP/[email protected]
kinit(v5): Preauthentication failed while getting initial credentialsAccess Manager reports similar problem on access:
01/17/2007 10:23:56:699 AM CST: Thread[service-j2ee-2,5,main]
Stack trace:
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
. . .

Something deep, dark, and inside Kerberos way outside of my knowledge base was the problem.
I could always get a kinit with the HTTP/amdev.tcpip.com service to work. I never got the keytabs from the output of ktpass to operate. I used ktutil to create keytab entries all in vain, kinit using the keytab always resulted in a PA error, although the time clocks are setup the same.
The AD administrator created the account, this time as a user account, not a machine account, and the keytabs from the Windows domain controller finally worked.
If anyone knows the difference between machine and user accounts are in AD, I would be obliged for his/her explanation. The UPN and SPN look the same in the directory. I'm at a loss. However, very glad to finally have this working.

Kerberos pre-authentication failed

Hi,
I have a customer has the below issue:
After he changed their administrator account password on domain, event ID 4771 is continuously thrown in the security log in DCs. Below is a snapshot:
Also the below email alert from ADManager:
Alert     Message:
Login failure for User 'Administrator' in server.domain.local'.     Reason: 'Bad password'.
Severity:
Attention
Event Details
Domain
  krbtgt/domain.LOCAL
Event Code
  16
SID
  %{S-1-5-21-428199501-1217283236-4064894256-500}
Client Host Name
  Server.domain.local
Event Type
  Failure
Remarks
  Kerberos pre-authentication failed.
Logon Service
  krbtgt/ domain.LOCAL
Domain Controller
  DC.domain.local
User Name
  Administrator
Client IP Address
  IP
Failure Code
  0x18
Logon Time
  Apr 09,2015 11:42 AM
Failure Reason
  Bad password
Record number
  2197037173
Event Number
  4771
They already changed the password for service accounts running using that admin account with new password. There is no issues in domain other than this, users can login and services are fine. However, account lockout policy is disabled and if it is enabled
I think they will have a huge issue due to this Kerberos authentication failure.
Please help!

Hi,
Did you confirm the time sync issue?
The error code 0x25, means Workstation’s clock too far out of sync with the DC’s , so i suggest you could check the time snyc of the computer failing pre-auth with DC firstly.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
Similar threads has been discussed:
https://social.technet.microsoft.com/forums/windowsserver/en-US/245aa714-8f2f-4ea7-b2a1-dd447c02fa93/accounts-lockedout
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Pre-authentication failed in krb

Hi All,
Wee also facing the same issue, but in a different way.
our java application accepts first 100(around) krb auth requests and the rest of the requests are droped out, during the droping it simply show the message like pre-authentication failed
What is doubt is, do we have any constraint on number of concurrent access in krb?
im using tomcat and casified sakai with apache2

Hi All,
Wee also facing the same issue, but in a different way.
our java application accepts first 100(around) krb auth requests and the rest of the requests are droped out, during the droping it simply show the message like pre-authentication failed
What is doubt is, do we have any constraint on number of concurrent access in krb?
im using tomcat and casified sakai with apache2

Browser-based authentication on E71

Hi,
I would appreciate any advice on how to enable browser-based authentication on my Nokia E71? I am a frequent traveller and cannot access any websites on the hotel provided wifi services.
Thanks!

You need to configure your web container to use an LDAP Realm. In Weblogic you can easily do this using the admin console.
http://e-docs.bea.com/wls/docs61/adminguide/cnfgsec.html#1071872 should have some info.
If you are using Tomcat then you need to edit the config.xml file
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html#JNDIRealm has some info.
I have configured Tomcat, Weblogic 6.1, 7.0 to authenticate with an LDAP server earlier. There are some minor problems with each of these.
Hope this helps.
vijay

Pre-authentication ACL disconnects

Hi,
We have a Guest WLAN where an pre authentication ACL is configured. It works but the client gets disconnected after a while. The session time-out / idle time out etc. is configured on a higher value than the actuel disconnect (+/- 15min) takes place.
When the client is authenticated (and does not use the pre auth ACL) the client doesn't get disconnected.
It seems like the same issue as the following threads but it doesn't state a solution :
https://supportforums.cisco.com/message/3687872#3687872
https://supportforums.cisco.com/message/3424053
I'm running code 7.4.110.0
any ideas ?

Hi,
If clients are in Webauth_Reqd state, no matter if they are active or idle, the clients will get de-authenticated after a web-auth required timeout period (for example, 300 seconds and this time is non-user configurable). All traffic from the client (allowed via Pre-Auth ACL) will be disrupted. If the client associates again, it will move back to the Webauth_Reqd state.
There is an enhancement request filed esp. for your situation with Pre-auth ACL.
CSCtj32812 DHCP Option to mitigate the problem of guest client rejoining network
https://tools.cisco.com/bugsearch/bug/CSCtj32812
Regards
Dont forget to rate helpful posts

Pre-authentication information was invalid (24) authoriazation against AD

Hi all,
im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
- Our administrator of the AD service has enabled DES encryption at the tested account.
- Im sure that entered password is correct, because im able to login via this password to our network.
- Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
- Kerberos KDC contains IP adress of the Domain controller.
I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
My code is:
import javax.security.sasl.*;
import java.io.*;
import java.util.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;
* This JaasAcn application attempts to authenticate a user
* and reports whether or not the authentication was successful.
public class JaasSample {
public static void main(String[] args) {
        LoginContext lc = null;
     java.util.Properties p = new java.util.Properties(System.getProperties());
       try
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
       catch (LoginException le)
            System.err.println("Cannot create LoginContext. "
                 + le.getMessage());
            System.exit(-1);
       catch (SecurityException se)
            System.err.println("Cannot create LoginContext. "
                 + se.getMessage());
            System.exit(-1);
       catch (Exception e)
            System.out.println("Login failer: "+e.getMessage());
      try {
                    lc.login();
                    Subject subject = lc.getSubject();
                Iterator it = subject.getPrincipals().iterator();
                while (it.hasNext())
                    System.out.println("Authenticated: " + it.next().toString());
                it = subject.getPublicCredentials(Properties.class).iterator();
                while (it.hasNext())
                    ((Properties)it.next()).list(System.out);
                lc.logout();
      } catch (LoginException le) {
          System.err.println("Authentication failed: ");
          System.err.println(" " + le.getMessage());
          System.exit(-1);
      System.out.println("Authentication succeeded!");
}start.bat file:
"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
jaas.conf file:
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
Output is:
c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
va.security.auth.login.config=jaas.conf JaasSample
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
null tryFirstPass is false useFirstPass is false storePass is false clearPass is
false
Kerberos username [Kloucek]: User3
Kerberos password for User3: Poiu4566
[Krb5LoginModule] user entered username: User3
principal is [email protected]
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
0010: 1F 16 9E B6 19 8A 46 68
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Authentication failed:
Pre-authentication information was invalid (24)
I tried all tips i found at this forum and other internet resources without luck...:-(((
Please heeeeelp!!!!!!!!!!!!!!!!!

I have solve it....The reason of this problem was this:
Im accesing our network via this login properties:
login: My second name
pass: My password
Due to this fact i had entered this login properties into the Kerberos database too..., BUT KERBEROS had been expecting my fully qualified network name which is myfirstname.myseconame@KERBEROS-REALM!!!!!!!!!!!!!!!So after i had entered [email protected] instead of [email protected] it started to work!!!!! I hope this will help many other programmers....

Pre-authentication information was invalid (24)

Hi all,
im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
- Our administrator of the AD service has enabled DES encryption at the tested account.
- Im sure that entered password is correct, because im able to login via this password to our network.
- Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
- Kerberos KDC contains IP adress of the Domain controller.
I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
My code is:
import javax.security.sasl.*;
import java.io.*;
import java.util.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;
* This JaasAcn application attempts to authenticate a user
* and reports whether or not the authentication was successful.
public class JaasSample {
public static void main(String[] args) {
        LoginContext lc = null;
     java.util.Properties p = new java.util.Properties(System.getProperties());
       try
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
       catch (LoginException le)
            System.err.println("Cannot create LoginContext. "
                 + le.getMessage());
            System.exit(-1);
       catch (SecurityException se)
            System.err.println("Cannot create LoginContext. "
                 + se.getMessage());
            System.exit(-1);
       catch (Exception e)
            System.out.println("Login failer: "+e.getMessage());
      try {
                    lc.login();
                    Subject subject = lc.getSubject();
                Iterator it = subject.getPrincipals().iterator();
                while (it.hasNext())
                    System.out.println("Authenticated: " + it.next().toString());
                it = subject.getPublicCredentials(Properties.class).iterator();
                while (it.hasNext())
                    ((Properties)it.next()).list(System.out);
                lc.logout();
      } catch (LoginException le) {
          System.err.println("Authentication failed: ");
          System.err.println(" " + le.getMessage());
          System.exit(-1);
      System.out.println("Authentication succeeded!");
}start.bat file:
"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
jaas.conf file:
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
Output is:
c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
va.security.auth.login.config=jaas.conf JaasSample
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
null tryFirstPass is false useFirstPass is false storePass is false clearPass is
false
Kerberos username [Kloucek]: User3
Kerberos password for User3: Poiu4566
[Krb5LoginModule] user entered username: User3
principal is [email protected]
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
0010: 1F 16 9E B6 19 8A 46 68
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Authentication failed:
Pre-authentication information was invalid (24)
I tried all tips i found at this forum and other internet resources without luck...:-(((
Please heeeeelp!!!!!!!!!!!!!!!!!

Hi all,
im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
- Our administrator of the AD service has enabled DES encryption at the tested account.
- Im sure that entered password is correct, because im able to login via this password to our network.
- Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
- Kerberos KDC contains IP adress of the Domain controller.
I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
My code is:
import javax.security.sasl.*;
import java.io.*;
import java.util.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;
* This JaasAcn application attempts to authenticate a user
* and reports whether or not the authentication was successful.
public class JaasSample {
public static void main(String[] args) {
        LoginContext lc = null;
     java.util.Properties p = new java.util.Properties(System.getProperties());
       try
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
       catch (LoginException le)
            System.err.println("Cannot create LoginContext. "
                 + le.getMessage());
            System.exit(-1);
       catch (SecurityException se)
            System.err.println("Cannot create LoginContext. "
                 + se.getMessage());
            System.exit(-1);
       catch (Exception e)
            System.out.println("Login failer: "+e.getMessage());
      try {
                    lc.login();
                    Subject subject = lc.getSubject();
                Iterator it = subject.getPrincipals().iterator();
                while (it.hasNext())
                    System.out.println("Authenticated: " + it.next().toString());
                it = subject.getPublicCredentials(Properties.class).iterator();
                while (it.hasNext())
                    ((Properties)it.next()).list(System.out);
                lc.logout();
      } catch (LoginException le) {
          System.err.println("Authentication failed: ");
          System.err.println(" " + le.getMessage());
          System.exit(-1);
      System.out.println("Authentication succeeded!");
start.bat file:
"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
jaas.conf file:
JaasSample {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
Output is:
c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
va.security.auth.login.config=jaas.conf JaasSample
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
null tryFirstPass is false useFirstPass is false storePass is false clearPass is
false
Kerberos username [Kloucek]: User3
Kerberos password for User3: Poiu4566
[Krb5LoginModule] user entered username: User3
principal is [email protected]
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
0010: 1F 16 9E B6 19 8A 46 68
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Authentication failed:
Pre-authentication information was invalid (24)I tried all tips i found at this forum and other internet resources without luck...:-(((
Please heeeeelp!!!!!!!!!!!!!!!!!

Exchange 2013 pre-authentication & Reverse Proxy Options

Hello,
I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
along with Exchange 2010.
I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
Nicholas,

Hello,
I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG use to do? I am currently trying to deploy out a new Excahnge 2013 setup in coexistence with an existing Exchange 2010 environment
which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned
along with Exchange 2010.
I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Excahnge 2010 still being active that
won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal any suggestions would be helpful.
Nicholas,
How about IIS ARR?
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

Kerberos pre-authentication issues - why now?

Hi all,
We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC. When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error. I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet. However, we have another W2K3 DC that has never had this issue. So why now? Why this new DC? What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?
Any help or information that I can get would be helpful.
Thanks,
- Steve

Hi JK,
Thanks for the reply.
Right, I understand that, and TAC directed me to the same document. But we have an existing domain controller that we are currently using the authenicate against; pre-authentication is enabled, and it works fine. It's only the NEW domain controller that has this problem. So I'm trying to figure out what the difference is!
I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.
Thanks,
- Steve

When addressing my router, Firefox says "browser not authentication capable"

I am trying to address my Linksys router. The authentication is failing with the following error message displayed
401 Authorization Required
Browser not authentication-capable or authentication failed.
I am able to address the router using Internet Explorer.

English translation (This did work for me.):
"I had this problem too. Tick away at 'Tell web sites I do not want to be tracked.' After doing this, the problem was solved."
Found under: Tools/Options/Privacy

JAAS, AD, Pre-authentication information was invalid (24)

Our application is java based, and we use JAAS to allow authentication for the users though Active Directory.
In particular we alwyas encourage our prospect clients to use Krb5LoginModule.
We would
1. add new user to AD , set DES for the account, reset the password
2.
setspn -A host/newUser.DOMAIN.COM newUser
setspn -A HTTP/newUser.DOMAIN.COM newUser
run ktpass
pass the keytab to the server where the server application will be running from and setup there
-Djava.security.auth.login.config=c:\config\config.conf
-Djava.security.realm=DOMANNAME
-Djava.security.kdc=<Ip address of kdc>
where config.conf file would have line
Krb5LoginModule tryFirstPass=true storePass=true storeKey=true useKeyTab=true keyTab="c:\keytab.key";
and it works...
However, I have encountered a situation where the above would return
Pre-authentication information was invalid (24) error.
We have reset the password, re-generate the keytab, it is the same time zone ... and nothing.
Then I asked to have a new user added (just to test it) - and it worked for the new user.
Now - what do I need to do to get to work for the hunders of others?
Thanks

Support for the new Kerberos preauthentication mechanisms is available in Java SE 6.
In addition, the pre-auth support has been backported to J2SE 5.0 Update 8.
Seema

Mobile Phone Web Browsing - Automated Authentication.

Our company currently provides subscription data content to our customers which they access via mobile web services on their mobile phones. Instead of requiring our customers to enter a user name and password to access our secure website, we would like to automate the subscribers authentication to our website with an automated authentication technology.
Is anyone familiar with any tools available to support authentication technologies (i.e.; digital certificates) that are supported by (recent at best) versions of mobile phones?

I have tried your suggestion with both Firefox beta and opera bowser. Same issue. Works perfectly in chrome, but I would prefer to use Firefox browser. Thanks for your suggestion. I have also removed all cookies in every browser. Any other suggestions would be gratefully received.

Browser pre-authentication

Similar Messages

Maybe you are looking for