Checksum failed while authenticating via Kerberos

Similar Messages

• Problem getting an LDAPContext after authenticating via Kerberos

  Hi,
  I am trying to create a Java program that can query an Active Directory server using the currenlty logged in Windows user's credentials to authenticate via LDAP.
  I am getting the following error in my output when trying to create the LdapContext object.
  GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
  The full output is as follows
  Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20090618162927Z
  startTime=20090618162927Z
  endTime=20090619022927Z
  renewTill=20090625162927Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 23
  Principal is [email protected]
  Commit Succeeded
  Subject:
       Principal: [email protected]
       Private Credential: Ticket (hex) =
  0000: 61 82 03 BC 30 82 03 B8   A0 03 02 01 05 A1 0A 1B  a...0...........
  <REMOVED>4   8A 8C BE 6B FD 65 5D 2F  .R..t#@d...k.e]/
  Client Principal = [email protected]
  Server Principal = krbtgt/[email protected]
  Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: C0 62 F6 3F 5C 29 F4 7B   C1 FC AB A0 77 D1 E7 E0  .b.?\)......w...
  Forwardable Ticket true
  Forwarded Ticket false
  Proxiable Ticket false
  Proxy Ticket false
  Postdated Ticket false
  Renewable Ticket true
  Initial Ticket true
  Auth Time = Thu Jun 18 17:29:27 BST 2009
  Start Time = Thu Jun 18 17:29:27 BST 2009
  End Time = Fri Jun 19 03:29:27 BST 2009
  Renew Till = Thu Jun 25 17:29:27 BST 2009
  Client Addresses  Null
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
  KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20090618162927Z
  startTime=20090618162927Z
  endTime=20090619022927Z
  renewTill=20090625162927Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 23
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
  GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
       at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
       at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
       at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
       at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
       at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
       at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
       at javax.naming.InitialContext.init(Unknown Source)
       at javax.naming.InitialContext.<init>(Unknown Source)
       at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
       at com.thalesgroup.planit.ldap.LDAPAction.performLDAPOperation(Main.java:87)
       at com.thalesgroup.planit.ldap.LDAPAction.run(Main.java:66)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Unknown Source)
       at com.thalesgroup.planit.ldap.Main.main(Main.java:46)
  javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate I am running this using the following VM arguments
  -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true
  Finally my jaas config file is as follows
  fsta {
       com.sun.security.auth.module.Krb5LoginModule required
  debug=true client=false useTicketCache=true;
  com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
  };I am running this locally on the AD server (running Windows Server 2003).
  Does anybody know how I can get rid of the exception and create an authenticated LdapContext?
  Any suggestions would be greatly appreciated.
  Thanks
  Graeme

  My java source is as follows (its a modified example I found online)
  import java.util.Hashtable;
  import javax.naming.Context;
  import javax.naming.NamingEnumeration;
  import javax.naming.NamingException;
  import javax.naming.directory.Attributes;
  import javax.naming.directory.DirContext;
  import javax.naming.directory.InitialDirContext;
  import javax.naming.directory.SearchControls;
  import javax.naming.directory.SearchResult;
  import javax.security.auth.Subject;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.login.LoginException;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class Main {
      public static void main(String[] args) {
      java.util.Properties p = new java.util.Properties(System.getProperties());
      p.setProperty("java.security.krb5.realm", "fsta.com");
      p.setProperty("java.security.krb5.kdc", "192.168.1.10");
      p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
      System.setProperties(p);
      // 1. Log in (to Kerberos)
      LoginContext lc = null;
      try {
              lc = new LoginContext("fsta", new TextCallbackHandler());
      // Attempt authentication
      lc.login();
      } catch (LoginException le) {
      System.err.println("Authentication attempt failed" + le);
      System.exit(-1);
      Subject subject = lc.getSubject();
      System.out.println(subject.toString());
      // 2. Perform JNDI work as logged in subject
      Subject.doAs(subject, new LDAPAction(args));
      // 3. Perform LDAP Action
      * The application must supply a PrivilegedAction that is to be run
      * inside a Subject.doAs() or Subject.doAsPrivileged().
      class LDAPAction implements java.security.PrivilegedAction {
      private String[] args;
      private static String[] sAttrIDs;
      private static String sUserAccount = new String("Administrator");
      public LDAPAction(String[] origArgs) {
      this.args = origArgs.clone();
      public Object run() {
      performLDAPOperation(args);
      return null;
      private static void performLDAPOperation(String[] args) {
      // Set up environment for creating initial context
      Hashtable env = new Hashtable(11);
      env.put(Context.INITIAL_CONTEXT_FACTORY,
      "com.sun.jndi.ldap.LdapCtxFactory");
      // Must use fully qualified hostname
      env.put(Context.PROVIDER_URL, "ldap://192.168.1.10:389");
      // Request the use of the "GSSAPI" SASL mechanism
      // Authenticate by using already established Kerberos credentials
      env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
  //    env.put("javax.security.sasl.server.authentication", "true");
      try {
      /* Create initial context */
      DirContext ctx = new InitialDirContext(env);
      /* Get the attributes requested */
      //Create the search controls        
      SearchControls searchCtls = new SearchControls();
      //Specify the attributes to return
      String returnedAtts[]={"sn","givenName","mail"};
      searchCtls.setReturningAttributes(returnedAtts);
      //Specify the search scope
      searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      //specify the LDAP search filter
      String searchFilter = "(&(objectClass=user)(mail=*))";
      //Specify the Base for the search
      String searchBase = "DC=fsta,DC=com";
      //initialize counter to total the results
      int totalResults = 0;
      // Search for objects using the filter
      NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
      //Loop through the search results
      while (answer.hasMoreElements()) {
              SearchResult sr = (SearchResult)answer.next();
          totalResults++;
          System.out.println(">>>" + sr.getName());
          // Print out some of the attributes, catch the exception if the attributes have no values
          Attributes attrs = sr.getAttributes();
          if (attrs != null) {
              try {
              System.out.println("   surname: " + attrs.get("sn").get());
              System.out.println("   firstname: " + attrs.get("givenName").get());
              System.out.println("   mail: " + attrs.get("mail").get());
              catch (NullPointerException e)    {
              System.err.println("Error listing attributes: " + e);
      System.out.println("RABOTIII");
          System.out.println("Total results: " + totalResults);
      ctx.close();
      } catch (NamingException e) {
      e.printStackTrace();
  }Edited by: GraemeK on Jun 18, 2009 11:56 AM

• OVI Problem While Authenticating via Bluetooth

  Hi, I´m having troubles while authenticating an 5800 XpressMusic via bluetooh with OVI Suite.
  All works fine until the moment to enter the password for pairing.
  I enter in both sides and the suite alerts me that "The device cannot be authorized", but whet I press the BACK button, the icon in the device list show the phone as paired (and the first time in list, not appear paired), so, the pairing is done, in IVT Bluesoleil I also see the device as paired, but the connection wizard keeps insisting on the password process, so I can see my device in the connection list.
  This works perfect in another computher with the same Bluesoleil software and the same BT dongle.
  All the same but the Windowx XP language. (works on english, doesn´t work in spanish)
  Any ideas?
  I also tested reinstalling all.

  My hardware details:
  PC: Win XP Professional SP3 Spanish (the same but in english, works)
  IVT Bluesoleil: 6.4.237
  OVI version 1.1 (Spanish & English...tried both..same results.
  Bluetooth is the problem, cable works OK

• Kerberos & AFP fails to login via kerberos

  Hi,
  I am unable to login via afp using kerberos. When i used the kadmin.local -q listprincs comand to list the principals the afpserver is listed. When i change the authorization to kerberos. I revice a : "Connection Failed! The User Authentication Method required by this server can't be found." It was working under 10.4.3 is there any changes since.
  PowerMac G5 DP 2.0   Mac OS X (10.4.4)  

  You get this message:
  <blockquote>The server has rejected your login. Please verify that your user name and password are correct. Error Code: 800cccd1 </blockquote>
  And Thunderbird can successfully receive/send on the test account but not on your own account, with the same server/port/SSL settings?
  Other than the possibility that your password is incorrect...
  Does your server require or have you tried entering your login username in this format:
  domain\username
  I don't know whether the following is relevant to your mailbox (server-side issue): [http://support.microsoft.com/kb/949926 Error when you use an IMAP4 client or a POP3 client to log on to a delegate mailbox of Exchange Server 2007: "800cccd1"].

• Windows authentication via kerberos on LDAP

  question - where can I generate ktpass -princ host/ etc. it isn't at j2ee engine machine ( is it at SAP Web Dispatcher)??

  Hi Damian
  You need to run the command on the Domain Controller
  Theo

• Kerberos authentication via Apache ...

  Hi all !
  we use SAP NW Portal 7.0; we can access the portal from internet via Apache as reverse proxy;
  our internal and external users access the portal via the Apache reverse proxy;
  now we want to use kerberos to authenticate against J2EE of Portal;
  Kerberos is working when ich access the Portal directly via http://<fqdn>:<port>/irj;
  but when we want to access the portal via Apache reverse proxy e.g. http://portal.test.com authentication via Kerberos don't work; Apache doesn't pass the kerberos ticket;
  is there any solution ?
  the Apache reverse proxy should be the 'single point of contact' for portal access;
  Thanks
  Oliver

  to use the portal, all users ( internal or external ) have to use the URL to our apache reverse proxy; the URL is the same for internal or external users
  ==> http://portal.test.com;
  for the internal users, it would be nice if the apache reverse proxy could pass the kerberos ticket to the portal server so that the login page doesn't appear;
  how to ?
  Thanks
  Oliver

• Terrible error with kerberos, win2003 - Checksum failed!

  Now i'm trying to use CAS SSO with kerberos for authentication.
  I done all settings by instruction, see this tutorial http://www.ja-sig.org/wiki/display/CASUM/SPNEGO.
  So, the error is: Failure unspecified at GSS-API level (Mechanism level: Checksum failed).
  I guess, there is a problem with encryption type, but i don't know how to resolve it. Please help
  My stacktrace shown below:
  Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level:
  Checksum failed)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:
  741)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java
  :323)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java
  :267)
          ... 75 more
  Caused by: KrbException: Checksum failed
          at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:85)
          at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:77)
          at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
          at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
          at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
          at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken
  .java:79)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:
  724)
          ... 77 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
          at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCry
  pto.java:388)
          at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.jav
  a:74)
          at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:83)
          ... 83 more

  Thank you for advice, my friend.
  I have analyzed info in TGS-REQ request, but i could not find any SPN in it.
  Please see this screenshot and say me: where is needed SPN in ticket?
  Here is my full configuration:
  [logging]
  [libdefaults]
  ticket_lifetime = 24000
  default_realm = MYCORP.KUBA
  dns_lookup_kdc = true
  dns_lookup_realm = true
  default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
  default_tgs_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
  [realms]
  MYCORP.KUBA = {
  kdc = mycorp.kuba:88
  admin_server = mycorp.kuba:749
  default_domain = mycorp.kuba
  [domain_realm]
  .mycorp.kuba = MYCORP.KUBA
  mycorp.kuba = MYCORP.KUBA
  [domain_realm]
  .mycorp.kuba = MYCORP.KUBA
  [appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
            p:jcifsDomainController="xxx"
            p:jcifsNetbiosWins="xxx"
            p:jcifsServicePrincipal="HTTP/MYUSER.mycorp.kuba"
            p:jcifsServicePassword="secret"
            p:useSubjectCredsOnly="true"
            p:kerberosDebug="true"
            p:kerberosRealm="MYCORP.KUBA"
            p:kerberosKdc="xxx"
            p:kerberosConf="c:/winnt/krb5.conf"
            p:loginConf="C:/mypath/WEB-INF/login.conf"
       />
  jcifs.spnego.initiate {
     com.sun.security.auth.module.Krb5LoginModule
     required
     debug=true
     realm="MYCORP.KUBA"
     principal="HTTP/MYUSER.mycorp.kuba"
     storeKey=true
     doNotPrompt=false
     client=true
     refreshKrb5Config=true
     storePass=true
     isInitiator=false
     useKeyTab=true
     useTicketCache=false
     keyTab="c:\a.keytab"
  jcifs.spnego.accept {
     com.sun.security.auth.module.Krb5LoginModule
     required
     debug=true
     realm="MYCORP.KUBA"
     principal="HTTP/MYUSER.mycorp.kuba"
     storeKey=true
     doNotPrompt=false
     client=true
     refreshKrb5Config=true
     storePass=true
     isInitiator=false
     useKeyTab=true
     useTicketCache=false
     keyTab="c:\a.keytab"
  setspn -A HTTP/MYUSER.mycorp.kuba myuser
  ktpass -out a.keytab -princ HTTP/[email protected] -pass secret -mapuser [email protected] -ptype krb5_nt_principal -crypto RC4-HMAC-NTWhat is wrong with it? Please correct it if you can?

• The KDC encountered duplicate names while processing a Kerberos authentication request in a Domain controller server

  HI
  we have a sharepoint farm and in domain controller server, this error is in event viewer
  Log Name:      System
  Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
  Date:          9/15/2014 10:44:15 PM
  Event ID:      11
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      XXXAPP01.xxxportal.com
  Description:
  The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
  this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
      <EventID Qualifiers="49152">11</EventID>
      <Version>0</Version>
      <Level>2</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
      <EventRecordID>131824</EventRecordID>
      <Correlation />
      <Execution ProcessID="0" ThreadID="0" />
      <Channel>System</Channel>
      <Computer>XXXAPP01.xxxportal.com</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
      <Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
      <Binary>
      </Binary>
    </EventData>
  </Event>
  adil

  Hi adil,
  Service principal names (SPNs) are stored as a property of the associated account object in Active Directory
  Domain Services (AD DS). I noticed that you have used setpn –X to identify the duplicate SPN. Please refer to following articles and check if help you to solve this issue.
  Event ID 11 — Service Principal
  Name Configuration
  Event ID 11 in the System log of domain controllers
  Please also refer to following article and check if can help you.
  The problem with duplicate SPNs
  Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
  does not guarantee the accuracy of this information.
  If any update, please feel free to let me know.
  Hope this helps.
  Best regards,
  Justin Gu

• Error Event ID 11 The KDC encountered duplicate names while processing a Kerberos authentication request.

  I've been noticing The Error with event ID 11 popping up a lot on our domain controllers:
  The KDC encountered duplicate names while processing a Kerberos authentication request.
  When running setspn -X it says that it found 111 groups of duplicate SPNs. However, when going through the list, it references domain service accounts that are used to run our SQL Server services. We have about 50 remote locations and each of them has 3
  machines participating in a SQL mirror (principal, mirror, witness) and they all run the SQL Server service on the same account (1 account per location).
  We haven't experienced any issues at all but I was wondering if this could cause problems or if we are straying from best practice. Any advice is welcome. Thanks!

  I believe what you should do to follow best practice is to provide unique SPNs for each SQL server, which will also provide increased security, and to do that you must create individual service account for each SQL server so it can associate that
  account with that server's SPN.
  Here's more on it to help guide you. Read Paul's comments, as well as other suggestions in the following thread:
  event ID 11 There are multiple accounts with name MSSQLSvc/xxxxxx
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df35316-23ba-48ba-aa3e-2249fcbfecbc/event-id-11-there-are-multiple-accounts-with-name-mssqlsvcxxxxxx?forum=winserverDS
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• KDC encountered duplicate names while processing a Kerberos authentication request

  The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is RPCSS/HKHVS01 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
  this from occuring remove the duplicate entries for RPCSS/HKHCS01 in Active Directory.
  - What the error means ??
  - Why happen ??
  - How to fix it ??
  Thanks

  This is an SPN problem. Having duplicate SPNs will result in Kerberos failures and a downgrade to NTLM authentication. Please run
  setspn -x to get the list of duplicated SPNs. Once identified, you need to remove the duplicated ones. 
  You can also see that:
  http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx
  http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.aspx
  http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-3.aspx
  This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Get Active Directory User Last Logon
  Create an Active Directory test domain similar to the production one
  Management of test accounts in an Active Directory production domain - Part I
  Management of test accounts in an Active Directory production domain - Part II
  Management of test accounts in an Active Directory production domain - Part III
  Reset Active Directory user password

• Checksum failed and some newbie questiions

  Hi people,
  I have tried the GSS-API without JAAS tutorial for java 1.5 at http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/BasicClientServer.html with that config:
  1) Environment config:
  - JKD 1.5.0 update 11
  - Windows XP pro against Active Directory on a Windows Server
  2) The bcsLogin.conf jaas config file exactly as it appears in the tutorial
  3) My krb5.conf file:
          [libdefaults]
                  default_realm = MYCOMPANY.COM
                  default_tkt_enctypes = rc4-hmac
                  default_tgs_enctypes = rc4-hmac
          [realms]
                  MYCOMPANY.COM = {
                          kdc = MYCOMPANY.COM
                          admin_server = MYCOMPANY.COM
                          default_domain = MYCOMPANY.COM
          [domain_realm]
                  MYCOMPANY = MYCOMPANY.COM4) Parameters for the SampleServer program:
  Program arguments
  4444
  VM arguments
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Djava.security.krb5.conf=krb5.conf
  -Djava.security.auth.login.config=bcsLogin.conf
  5) Parameters for the SampleClient program:
  Program arguments
  krbtgt localhost 4444
  VM arguments
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Djava.security.krb5.conf=krb5.conf
  -Djava.security.auth.login.config=bcsLogin.conf
  After executing it I obtained the below checksum exception:
  Checksum failed !
  Exception in thread "main" java.lang.RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at SampleServer.main(SampleServer.java:121)
  Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
       at SampleServer.main(SampleServer.java:118)
  Caused by: KrbException: Checksum failed
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
       at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
       at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
       at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
       at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
       ... 3 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
       at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:387)
       at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
       ... 9 moreApart from help for the exception itselft I have some questions:
  1-     For the SampleClient program I use krbtgt as the server name but I don�t know exactly why this works. Other values don�t work and I don�t know exactly what this server name is, who creates it, etc. I would be grateful for some explanation about it
  2-     I use the same username-password (mine) for authentication in the SampleServer and in the SampleClient, is that correct?
  Thank you very much in advance.

  Hello wangwj,
  I don�t know what you want to say exactly with �trying the username you used for ServerClient�.
  In the SampleServer code (I believe that you refer it as ServerClient) there is no place where I can give a username (apart from my credentials when I do a login).
  Debugging SampleClient the program generates the next error when I use a server name different from krbtgt:
  KRBError:      sTime is Fri Mar 09 09:32:16 CET 2007 1173429136000
        suSec is 407323
        error code is 7
        error Message is Server not found in Kerberos database
        realm is ADGBS.COM
        sname is V442596
        eData provided.
        msgType is 30When I use krbtgt as the server name all goes ok for the client (well, it shows an error but is expected):
  KRBError:      sTime is Fri Mar 09 09:42:33 CET 2007 1173429753000
        suSec is 711423
        error code is 52
        error Message is Response too big for UDP, retry with TCP
        realm is ADGBS.COM
        sname is krbtgt
        msgType is 30After that:
  1) It�s possible that I have to create a new server account in Kerberos and pass his username to the client parameter?
  2) In the first post I wrote it shows a checksum exception. I have read that It�s needed that Active Directoy configures to DES encryption for interoperability. Someone knows something about that?
  Thanks in advance,

• Satellite M40-256 - error while booting via CD

  Hello,
  a well-known friend owns Satellite M40-256 which has Windows problem (error while updating/handling by her children).
  She doesn't own an external Toshiba FDD or ODD. Also this portable has no built-in FDD. Buying one only for this issue? NO
  The boot priority has been changed to: CD-network-HDD.
  I've tried another non Toshiba branded ODD (in BIOS not mentioned/found)
  The original ODD works/boots in another pc (via adapter) very great.
  Ive tried several CD/DVDs to boot from (no error displayed): instant-Linux like knoppix, suse, other windows CDs, recovery CD, ... no success
  Every time the same result: the laptop has a black screen, the ODD speeds up and after about 3 to 5 seconds windows starts with the black-white progress bar.
  I also tried to press C to force booting from CD.
  Some time ago, I had only access to windows in secured mode. But after uninstalling some updates it ends in a licence problem. This issue can be only solved by booting windows-cd via cd.
  It has a Toshiba bios 1.00 (interesting, seems quite old).
  I've trying at the moment to boot via network. Does the Toshiba show some messages about succeeding/failing at boot via network or CD?
  Has setting the execution bit an influence on behaviour?
  Does anybody know a solution booting windows?
  Thanks in advance

  Thanks for help.
  I will look for an other ODD from Toshiba trying for boot.
  Does the toshiba bios show messages about booting via cd or network? Even choosing network ends in a faulty Windows boot.
  After choosing an item there's no message while booting
  As I mentioned: the most interesting issue is ODD works/boots well via adapter in a normal pc and also after windows has been started (secured mode). But no boot possible.
  I suspect meanwhile BIOS or Mainboard. But is there a chance for update in secured mode? (the only thing it starts is "secured with prompt"). Cats bites itself in tail.
  BIOS also was saved with default setup. Nothing changed.
  In event viewer I've found entry about probs with hard-drive and controller.
  Does a destructive data processing influence the toshiba bios

• MailServiceHelper Failed while sending email java.lang.NullPointerException

  Hi guys,
  I am trying to send email with Adobe CQ API.
  But i am getting a nullpointer exception at this line:  MsgGateway.send(htmlEmail);    
  This is my method that i am using to send.
  import com.day.cq.mailer.MessageGateway;
  import com.day.cq.mailer.MessageGatewayService;
  import javax.mail.internet.InternetAddress;
     public boolean sendHtmlEmail(SlingHttpServletRequest sling,
              String fromMailAdress, List<String> recepientmailAddress,
              String emailSubject, String htmlbodyMail) {
          HtmlEmail htmlEmail = new HtmlEmail();
          List<InternetAddress> emailAddress = new ArrayList<InternetAddress>();
          try {
              for (String recipient : recepientmailAddress) {
                  if (!StringUtil.isEmpty(recipient)) {
                      emailAddress.add(new InternetAddress(recipient));
                      log.error(recipient);
              if (!StringUtil.isEmpty(fromMailAdress)) {
                  htmlEmail.setFrom(fromMailAdress);
              htmlEmail.setTo(emailAddress);
              htmlEmail.setSubject(emailSubject);
              htmlEmail.setHtmlMsg(htmlbodyMail);
              htmlEmail.setCharset("utf-8");
              MessageGatewayService MsgService = getMessageGateWayService(sling);
              MessageGateway<HtmlEmail> MsgGateway = MsgService.getGateway(HtmlEmail.class);
              MsgGateway.send(htmlEmail);   //nullpointer exception caught here        
              return true;
          } catch (Exception e) {
              log.error("Failed while sending email", e);
          return false;
  I have checked to ensure the bundle com.day.cq.cq-mail and my own bundle is running .
  I am also sure that 'htmlEmail' is not null by retrieving the email subject via .getSubject and it did return me the subject.
  I do not understand what is returning the nullpointerexception.
  Thanks in advance !

  The MessageGateway instance (MessageGateway<HtmlEmail> MsgGateway) is null therby throwing a null pointer.
  Instead of instanciating msgGateway as :
  MessageGatewayService MsgService = getMessageGateWayService(sling);
  MessageGateway<HtmlEmail> MsgGateway = MsgService.getGateway(HtmlEmail.class);
  Inject your MessageGateway as:
  @Reference
  private MessageGateway<HtmlEmail> msgGateway;
  and then call send on msgGateway as msgGateway.send(htmlEmail)
  ~ Aditya

• Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

  Hi,
  I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
  My authentication and authorization rules relating that case are as on following screenshots:
  So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
  Looking in ISE's Authentication section I can see following:
  Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
  So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

  Hi,
  -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
  -- Then try to add the ISE.
  -- Once it fails, collect the logs from Administration > Logging > 
  check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
  - Ashok
  Please rate the post or mark as correct answer as it will help others looking for similar information

• Mechanism level: Checksum failed

  Hello everyone, I hope that you can help me.I have problems with the examples of JGSS. The log is:
  GSSServer:
  Config name: C:\WINDOWS\krb5.ini
  KeyTabInputStream, readName(): HIPER.COM.PE
  KeyTabInputStream, readName(): developer
  KeyTab: load() entry length: 56; type: 17
  KeyTabInputStream, readName(): HIPER.COM.PE
  KeyTabInputStream, readName(): developer
  KeyTab: load() entry length: 56; type: 23
  KeyTabInputStream, readName(): HIPER.COM.PE
  KeyTabInputStream, readName(): developer
  KeyTab: load() entry length: 64; type: 16
  KeyTabInputStream, readName(): HIPER.COM.PE
  KeyTabInputStream, readName(): developer
  KeyTab: load() entry length: 48; type: 3
  KeyTabInputStream, readName(): HIPER.COM.PE
  KeyTabInputStream, readName(): developer
  KeyTab: load() entry length: 48; type: 1Added key: 1version: 1
  Added key: 3version: 1
  Added key: 16version: 1
  Added key: 23version: 1
  Added key: 17version: 1
  Ordering keys wrt default_tkt_enctypes list
  default etypes for default_tkt_enctypes: 17 23 16 3 1.
  0: EncryptionKey: keyType=17 kvno=1 keyValue (hex dump)=
  0000: E2 4B DD 17 2F 34 55 E6 BB 78 33 85 28 90 52 3C .K../4U..x3.(.R<
  1: EncryptionKey: keyType=23 kvno=1 keyValue (hex dump)=
  0000: 25 F1 43 85 EE 17 82 BB 71 FE E1 E5 83 5D 63 0F %.C.....q....]c.
  2: EncryptionKey: keyType=16 kvno=1 keyValue (hex dump)=
  0000: 31 04 E0 F8 F4 CB 57 89 C1 13 B3 15 20 A1 10 64 1.....W..... ..d
  0010: 16 57 CB 57 01 D9 F8 67
  3: EncryptionKey: keyType=3 kvno=1 keyValue (hex dump)=
  0000: 70 38 0E 49 73 2A 57 51
  4: EncryptionKey: keyType=1 kvno=1 keyValue (hex dump)=
  0000: 70 38 0E 49 73 2A 57 51
  default etypes for default_tkt_enctypes: 17 23 16 3 1.
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  KrbKdcReq send: kdc=192.168.61.2 UDP:88, timeout=30000, number of retries =3, #bytes=152
  KDCCommunication: kdc=192.168.61.2 UDP:88, timeout=30000,Attempt =1, #bytes=152
  KrbKdcReq send: #bytes read=626
  KrbKdcReq send: #bytes read=626
  EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
  KrbAsRep cons in KrbAsReq.getReply developerAuthenticated principal: [[email protected]]
  Found key for [email protected](1)
  Found key for [email protected](23)
  Found key for [email protected](16)
  Found key for [email protected](17)
  Found key for [email protected](3)
  Waiting for incoming connection...
  Got connection from client /192.168.61.66
  Entered Krb5Context.acceptSecContext with state=STATE_NEW
  EType: sun.security.krb5.internal.crypto.ArcFourHmacETypeChecksum failed !
  Exception in thread "main" java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
            at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Subject.java:396)
  at com.hiper.jgss.Jaas.loginAndAction(Jaas.java:95)
  at com.hiper.jgss.GssServer.main(GssServer.java:89)
  Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
  at com.hiper.jgss.GssServer$GssServerAction.run(GssServer.java:168)
  ... 4 more
  Caused by: KrbException: Checksum failed
  at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
  at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
  at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
  at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
  at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
  at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
  ... 7 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
  at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
  at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
  at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
  ... 13 more
  Java Result: 1
  GSSClient:
  run:
  KinitOptions cache name is C:\Documents and Settings\cgamarra\krb5cc_cgamarra
  DEBUG <CCacheInputStream> client principal is [email protected]
  DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
  DEBUG <CCacheInputStream> key type: 23
  DEBUG <CCacheInputStream> auth time: Wed Jan 16 17:56:16 COT 2008
  DEBUG <CCacheInputStream> start time: Wed Jan 16 17:56:16 COT 2008
  DEBUG <CCacheInputStream> end time: Thu Jan 17 03:56:16 COT 2008
  DEBUG <CCacheInputStream> renew_till time: Wed Dec 31 19:00:00 COT 1969
  CCacheInputStream: readFlags() INITIAL;Host address is /192.168.61.66
  DEBUG <CCacheInputStream>
  KrbCreds found the default ticket granting ticket in credential cache.
  Obtained TGT from LSA: Credentials:[email protected]
  server=krbtgt/[email protected]
  authTime=20080116225616Z
  startTime=20080116225616Z
  endTime=20080117085616Z
  renewTill=19700101000000Z
  flags: INITIAL
  EType (int): 23
  Authenticated principal: [[email protected]]
  Connected to address cgamarra/192.168.61.66
  Config name: C:\WINDOWS\krb5.ini
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Thu Jan 17 03:56:16 COT 2008
  Entered Krb5Context.initSecContext with state=STATE_NEW
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Thu Jan 17 03:56:16 COT 2008
  Service ticket not found in the subject
  Credentials acquireServiceCreds: same realmdefault etypes for default_tgs_enctypes: 17 23 16 3 1.
  CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
  EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  KrbKdcReq send: kdc=192.168.61.2 UDP:88, timeout=30000, number of retries =3, #bytes=596
  KDCCommunication: kdc=192.168.61.2 UDP:88, timeout=30000,Attempt =1, #bytes=596
  KrbKdcReq send: #bytes read=569
  KrbKdcReq send: #bytes read=569
  EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  KrbApReq: APOptions are 00100000 00000000 00000000 00000000
  EType: sun.security.krb5.internal.crypto.ArcFourHmacETypeKrb5Context setting mySeqNumber to: 372002863
  Created InitSecContextToken:
  0000: 01 00 6E 82 01 EA 30 82 01 E6 A0 03 02 01 05 A1 ..n...0.........
  0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 01 ......... ......
  0020: 0E 61 82 01 0A 30 82 01 06 A0 03 02 01 05 A1 0E .a...0..........
  0030: 1B 0C 48 49 50 45 52 2E 43 4F 4D 2E 50 45 A2 28 ..HIPER.COM.PE.(
  0040: 30 26 A0 03 02 01 00 A1 1F 30 1D 1B 04 68 6F 73 0&.......0...hos
  0050: 74 1B 15 63 67 61 6D 61 72 72 61 2E 68 69 70 65 t..cgamarra.hipe
  0060: 72 2E 63 6F 6D 2E 70 65 A3 81 C4 30 81 C1 A0 03 r.com.pe...0....
  0070: 02 01 17 A1 03 02 01 0B A2 81 B4 04 81 B1 8D 1D ................
  0080: 14 45 C1 35 7D C5 71 4C 81 10 FE 41 D7 34 48 15 .E.5..qL...A.4H.
  0090: 78 35 3D 63 4D F5 4B F5 39 18 2D 28 50 E7 A8 D7 x5=cM.K.9.-(P...
  00A0: 4E 32 F2 F9 62 63 DE 2D E3 05 F7 B3 41 E4 CE 16 N2..bc.-....A...
  00B0: 77 A1 F4 0E BC 04 59 03 0D 06 12 FB F4 7F 5B 60 w.....Y.......[`
  00C0: E0 1D 9A 37 9C 07 9A FA FD A6 2A 57 84 3D 20 86 ...7......*W.= .
  00D0: 3B 7F 39 5E 07 63 EC 32 20 36 47 5E FA F9 49 C6 ;.9^.c.2 6G^..I.
  00E0: E9 E1 77 1E 77 EC C8 B5 35 FE 80 38 3B 4E 98 21 ..w.w...5..8;N.!
  00F0: 5D 63 EB 19 4D A8 0A 79 52 D8 8C 72 05 AA 81 4E ]c..M..yR..r...N
  0100: 7E 93 47 06 79 AF 81 DE C1 3A E5 A2 93 8C 12 AB ..G.y....:......
  0110: 85 96 22 09 71 37 E5 99 31 86 33 AC 3A 89 F7 CB ..".q7..1.3.:...
  0120: CE 02 0F 49 1F F2 B7 9D A5 79 B4 28 B7 14 99 A4 ...I.....y.(....
  0130: 81 BE 30 81 BB A0 03 02 01 17 A2 81 B3 04 81 B0 ..0.............
  0140: E4 97 3F 28 21 08 16 19 46 5B B8 FF C7 4C 53 D1 ..?(!...F[...LS.
  0150: E6 5B AE 64 23 70 9E 72 11 B5 AE 2C 0D 5C 6D 48 .[.d#p.r...,.\mH
  0160: B5 7D 3B 83 90 17 1B D1 65 FB 78 BF 6E 34 18 5C ..;.....e.x.n4.\
  0170: B5 3A 3D 5C 40 8F 82 3E EC DB 11 B3 0D 06 2B C1 .:=\@..>......+.
  0180: 4C FD A1 A4 E1 DE 1A 94 AB F0 43 56 B8 14 48 00 L.........CV..H.
  0190: 55 EC 55 00 F5 01 9C 80 C3 F4 9E 1C B8 BA FE 86 U.U.............
  01A0: 14 BA 23 CC 61 18 44 3F C2 CC D1 76 A3 3C 9C 57 ..#.a.D?...v.<.W
  01B0: D3 3A 58 D5 36 C9 CC 59 55 4E 38 88 47 5A 3C 1A .:X.6..YUN8.GZ<.
  01C0: 03 18 3B 53 B8 60 6E 6A 19 A8 AE FD 0E D0 9D 60 ..;S.`nj.......`
  01D0: 3A 7F B1 F3 28 0C 3A 96 61 80 0A 36 16 28 6B 80 :...(.:.a..6.(k.
  01E0: 1D F9 6C 76 C2 98 8D D0 7E A4 EF 8D A8 02 2B CC ..lv..........+.
  Exception in thread "main" java.security.PrivilegedActionException: java.net.SocketException: Connection reset
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Subject.java:396)
  at com.hiper.jgss.Jaas.loginAndAction(Jaas.java:100)
  at com.hiper.jgss.GssClient.main(GssClient.java:103)
  Caused by: java.net.SocketException: Connection reset
  at java.net.SocketInputStream.read(SocketInputStream.java:168)
  at java.net.SocketInputStream.read(SocketInputStream.java:182)
  at java.io.DataInputStream.readInt(DataInputStream.java:370)
  at com.hiper.jgss.GssClient$GssClientAction.run(GssClient.java:203)
  ... 4 more
  Java Result: 1
  Does anyone know how to fix the exception: Mechanism level: Checksum failed ?
  Thanks.

  Looks like the client's target and the server does not match, maybe not the same principal.
  The JGSS tutorials starts the server side program using a service principal, which looks like host/[email protected] As I read from your debug output, your server program's principal is [email protected], which is a normal user principal.