Command-line support for encrypted images
Hi,
Is there any support in asr for performing restores using an encrypted image directly? I can't seem to find anything. It isn't much of a burden I guess to mount the image and then use it (now that I know that, anyway), but it seems like an oversight that asr can't just be given a password directly.
Similarly for hdiutil, it has some support for encrypted images, but some things seem to be missing. At the very least you can't convert an encrypted image into an unencrypted image because convert doesn't understand that.
Are these known issues? Are there plans to add this functionality? Or is it considered unnecessary since there's other ways around it?
tom
Similar Messages
-
Command Line Support Not Working in OSD
I am trying to deploy an image to a dell optiplex 760. I have added all of the storage and nic drivers from Dell's WINPE package, and then all of the drivers from the Intel site for the nic to my boot image. I then enabled command line support on the boot
image, after all of this I updated the boot image on my DP. When the SCCM splash screen comes up it says loading network, and then all dialog boxes disappear and the machine reboots. During this time when I press F8 nothing happens. I get no command
prompt window, and it doesn't pause the reboot. Any ideas?
Sorry for my ignorance, when you say you installed every driver in there, are you referring to adding them to the driver database or to your bootwim? Also, if you can't grab the logs you might be able to get a report based on an unknown system; look in reporting
under "History of a task sequence deployment on a computer". If there was anything recorded before it bombed out you might be able to get some info.
I'm still leaning towards a network driver though. Can you snap an image of the drivers you have loaded into your preferred bootwim? -
Adobe, Has CreatePDF a command line support in order to convert multiple pdf files from a specific folder?
thanks! -
WebLogic SSO receiving "KDC has no support for encryption type (14)" error
Hello,
I am trying to implement SSO using an Off-the-Shelf app running on WebLogic, but receiving "KDC has no support for encryption type (14)" error. I have set the AD Server to Use DES encryption types for this account. I have added 'allowtgtsessionkey' registry entry on the client machine as well as the Windows Server on which WebLogic is running. My klist results on the client machine still seem to indicate AD is sending RC4 encryption format (please confirm looking at the results below). I am also attaching the WebLogic error log. I am also seeing 2 errors at the very beginning of the WebLogic log when I restart the appserver.
% KLIST output
C:\Program Files\Resource Kit>klist tickets
Cached Tickets: (2)
Server: krbtgt/[email protected]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 8/27/2008 1:52:56
Renew Time: 9/2/2008 15:52:56
Server: HTTP/[email protected]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 8/27/2008 1:52:56
Renew Time: 9/2/2008 15:52:56
% WebLogic Error
<Aug 28, 2008 8:43:02 AM MDT> <Debug> <SecurityDebug> <000000> <java.security.krb5.realm was not defined, this could cause problems using Kerberos for negotiation>
<Aug 28, 2008 8:43:02 AM MDT> <Debug> <SecurityDebug> <000000> <java.security.krb5.kdc was not defined, this could cause problems using Kerberos for negotiation>
<Aug 26, 2008 8:26:18 AM MDT> <Debug> <SecurityDebug> <000000> <Default Authorization isAccessAllowed(): returning PERMIT>
<Aug 26, 2008 8:26:18 AM MDT> <Debug> <SecurityDebug> <000000> <DefaultAdjudicatorImpl.adjudicate results: PERMIT >
<Aug 26, 2008 8:26:18 AM MDT> <Debug> <SecurityDebug> <000000> <AuthorizationManager.isAccessAllowed returning adjudicated: true>
<Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
<Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is devmax01.http.keytab refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab: load() entry length: 60
KeyTabInputStream, readName(): DEV.DENVERWATER.ORG
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): devmax01principal's key obtained from the keytab
principal is HTTP/[email protected]
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 3 1 1
KrbKdcReq send: kdc=10.143.60.1 UDP:88, timeout=30000, number of retries =3, #bytes=252
KDCCommunication: kdc=10.143.60.1 UDP:88, timeout=30000,Attempt =1, #bytes=252
KrbKdcReq send: #bytes read=1311
KrbKdcReq send: #bytes read=1311
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply HTTP/devmax01Added server's keyKerberos Principal HTTP/[email protected] Version 4key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: B3 86 A4 E5 83 0E 6D 9E
[Krb5LoginModule] added Krb5Principal HTTP/[email protected] to Subject
Commit Succeeded
Found key for HTTP/[email protected]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
<Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> < GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
>
<Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
dins wrote:
Do you think the klist output in my original posting confirms that AD is not encrypting tickets in DES format?
Yes, the current line proves it:
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
The fact is that Microsoft seems to use by default the RC4-HMAC-MD5 encryption type for AD.
Try to specify only DES for the encryption type in both your krb5.conf
[libdefaults]
default_realm = ...
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
...and kdc.conf
[realms]
REALM = {
kadmind_port = ...
max_life = ...
max_renewable_life = ...
master_key_type = des-cbc-md5 des-cbc-crc des3-cbc-sha1
supported_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
kdc_supported_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
}
If it still does not work, I'm out of ammo ;-). -
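A check for the mismatch this thread turns on, as an added example that is not part of the original posts: it compares the ticket encryption types reported by klist with the key types the JGSS acceptor loaded from its keytab (the `keyType=N` debug lines). The principal names and sample text are constructed, and the klist spellings other than `RSADSI RC4-HMAC(NT)` are assumptions.

```python
import re

# Kerberos encryption type numbers (RFC 3961 / RFC 4757 assignments).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Substrings looked for in klist's "KerbTicket Encryption Type" text.
# Only "RSADSI RC4-HMAC(NT)" appears in the thread; the others are assumed spellings.
KLIST_HINTS = [
    ("RC4-HMAC", 23),
    ("DES-CBC-MD5", 3),
    ("DES-CBC-CRC", 1),
    ("AES-256", 18),
    ("AES-128", 17),
]


def ticket_etypes(klist_text):
    """Map each cached ticket's server principal to its etype number (None if unknown)."""
    pairs = re.findall(
        r"Server:\s*(\S+)\s*\n\s*KerbTicket Encryption Type:\s*(.+)", klist_text
    )
    result = {}
    for server, label in pairs:
        label = label.upper()
        result[server] = next((num for hint, num in KLIST_HINTS if hint in label), None)
    return result


def acceptor_key_etypes(jgss_debug):
    """Etype numbers of the keys the acceptor loaded, from 'keyType=N' debug lines."""
    return {int(n) for n in re.findall(r"keyType=(\d+)", jgss_debug)}


def diagnose(klist_text, jgss_debug):
    """Return one finding per service ticket the acceptor has no matching key for."""
    keys = acceptor_key_etypes(jgss_debug)
    findings = []
    for server, etype in ticket_etypes(klist_text).items():
        if server.lower().startswith("krbtgt/"):
            continue  # the TGT is decrypted by the KDC, never by the service
        if etype not in keys:
            findings.append({
                "server": server,
                "ticket_etype": etype,
                "ticket_etype_name": ETYPE_NAMES.get(etype, "unknown"),
                "acceptor_key_etypes": sorted(keys),
            })
    return findings


# Constructed sample input, shaped like the klist and JGSS debug output in the thread.
KLIST_SAMPLE = """Cached Tickets: (2)
   Server: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 8/27/2008 1:52:56
   Server: HTTP/app.example.test@EXAMPLE.TEST
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 8/27/2008 1:52:56
"""

JGSS_DEBUG_DES_KEYTAB = """EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Kerberos Principal HTTP/app.example.test@EXAMPLE.TEST Version 4key EncryptionKey: keyType=3 keyBytes (hex dump)=
Entered Krb5Context.acceptSecContext with state=STATE_NEW
"""

# Same acceptor after the keytab carries a key of the etype the KDC actually issues.
JGSS_DEBUG_RC4_KEYTAB = JGSS_DEBUG_DES_KEYTAB.replace("keyType=3", "keyType=23")

if __name__ == "__main__":
    for finding in diagnose(KLIST_SAMPLE, JGSS_DEBUG_DES_KEYTAB):
        print(
            "{server}: ticket is {ticket_etype_name} ({ticket_etype}), "
            "acceptor keys are {acceptor_key_etypes}".format(**finding)
        )
```

The mismatch can be closed from either side: the KDC issues the etype the keytab holds, or the keytab gains a key for the etype the KDC issues. DES etypes were later deprecated (RFC 6649), so on current systems the keytab is the side to change.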
Command line tools for xcode mac os x 10.6.8
Hi,
Will the latest command line tool work for mac os x 10.6.8 also? If yes, I will go ahead and download them.
If no, please help find a download location for command line tools for mac os x 10.6.8.
Also, please let me know if that will support the development of latest iOS apps.
Developing for "the latest iOS Apps" is supported by the latest X-code tools, which does NOT run under 10.6.8.
Version 3.2.6 will run under 10.6.6 and later.
Version 5.0.1 requires 10.8.4 or later.
Version 6.1.1 (currently the latest) requires 10.9.4 or later. -
Is there a command line option for VNC to automatically launch in fullscreen mode?
I can launch a VNC window from the command line, as such:
open vnc://username:password@hostname
... but I'd like it to automatically start in full screen mode. Is there a command line option for this?
I'm using an old MacMini purely to connect to another Mac over screen sharing, but when the MacMini boots I'd like it to go straight into the fullscreen of the other desktop.
Many thanks!
Set the Integer pref browser.sessionstore.max_resumed_crashes to 0 on the about:config page to get the about:sessionrestore page immediately with the first restart after a crash has occurred or the Task Manager was used to close Firefox.
* http://kb.mozillazine.org/browser.sessionstore.max_resumed_crashes
That will allow you to deselect the tab(s) that you do not want to reopen, but will allow to reopen other tabs.
See:
* http://kb.mozillazine.org/Session_Restore#Restoring_a_session_after_a_crash
* http://kb.mozillazine.org/Browser.sessionstore.max_resumed_crashes -
Command line parameters for automator?
I'm trying to set up a cron job so that every morning at 8 am "New Mail.workflow" will open and run. I'm able to get it to open but I was wondering if there were command line parameters for Automator that could open AND run a workflow file? Ideally I'd like it to close after running, but I'll worry about that later. Thanks in advance.
The preferred way is to save your workflow as an application and then call usr/bin/open on it. If for some reason you must have the workflow run inside of Automator (not self-contained) then you're looking at some quality time with man osascript. As it happens Apple has removed even the need for Cron for most users. A click to File -> Save As Plug-In -> for iCal handles it from start to finish.
Edit: I forgot to mention that Automator has its own simple command line utility for running *.workflow files. Check out man automator -
Command line parameters for al_engine.exe
If you go to a command line window on a DS server and type al_engine.exe with no parameters it prints "Usage" information. Some of the parameters it mentions are known to the community (like -XX, -XI, etc). However there are some which sound pretty interesting, but I can't find any information or examples how it should be used. Examples:
-L<list of value> : List of Object Labels from UI (separated by , or ; or space) to filter.
-Je<XML file> Execute the Installation scenario defined in XML file.
-jd"datastore delta file in quotes>" : Modify datastore values using "file"
-Jf, -Ja, -We, and many more.
I am particularly interested in -Je functionality - it sounds like it can be used to automate deployment. I am using import/export options to do some automation, but real automation would include deletion of some objects, adding jobs to projects, etc.
Can anybody help with the documentation/examples? -
Command Line Parameters for Run Application.vi in the LVWUtil
I am trying to use the "Run Application.vi" located in the LVWUtil.llb. I am sending a command line similar to this:
"C:\WINXP\system32\msiexec.exe" /i "C:\qc data\ZVMS Program Updates\Application Installer\install.msi"
this command line works from the Start>Run dialog but the Run Application.vi only sees the beginning of the line "C:\WINXP\system32\msiexec.exe" so it opens the windows installer but does not go to the install.msi file and run it. Does anyone know the correct command line formats for the Run Application.vi to run the entire command line?
Thanks,
BethV
Hello BethV,
I downloaded the LVWUtil32.zip file from the Windows API Function Utilities (32-bit) for LabVIEW example program. In that zip file, is a library entitled Winevent.lib, which includes the Run Application.vi. When you used this VI, I believe the string you passed in as a input had too many quotation marks. Namely, you do not need quotes around the msiexec.exe call. I passed the following string into the Run Application.vi and got the expected results:
C:\WINDOWS\system32\msiexec.exe /i "C:\mymsi.msi"
Please let me know if it helps.
Wendy L -
What are the commands for compiling c++ using the command line tools for xcode?
Hi, I am taking a class in school for C++ and I would like to be able to practice at home. I found the command line tools for Xcode and went ahead and installed them on my computer. Now I need to know the commands and procedure to be able to compile and run C++.
c++ testfile.cc
-
Using Command Line Tool for Linux
I have to use the command lines of Linux for SCM commands (like repcmd, set workarea, checkin etc...)
should I have to install something?
I have documentation for using the oracle repository command line Tool for Windows and Unix, but I didn't find anything about using the oracle repository command line Tool for Linux.
JDeveloper runs excellent on Linux and is supposed to be able to use the repository, but that's a GUI...
-
Command line tools for xcode??
I am used to compiling code much like the Java SDK works from terminal, where I say javac the filename and then I get a .class file that I can run by doing the command java and then the .class file after. I am now wanting to learn C++ and I don't feel like installing Xcode; all I want is a compiler that can run from terminal. I found command line tools for Xcode on the Apple developers site and I was wondering, do I need Xcode for this to run, and after that what the commands are and how I compile/run the code. But my biggest question is still whether or not I need Xcode to let command line tools work. I've read in a couple of places I don't need it, but in others I've read you do. Can I get help?!
You don't need Xcode to compile your apps with; just the compiler/linker.
Xcode is Apple's IDE. One could write the same code in TextEdit but that wouldn't be easy nor fun.
(Missed it by THAT much!) -
KDC has no support for encryption type (14)
I have come across a posting on "KDC has no support for encryption type (14)" - " http://www.webservertalk.com/message1277232.html"
and believe that I am hitting the same problem. However, there is no solution. Can anybody help?
I have done all the necessary steps suggested, including changing the registry and removing the unwanted SPN, but the error is still there. The only difference is probably that I combined WebLogic and AD in one machine. But, does that make any difference?
Client
====
Name: ssoclient.ssow2k.com
OS: Win XP SP2
Server
=====
Name: ssow2kserver.ssow2k.com
OS: Windows 2000 Advanced Server SP4
WLS: BEA WebLogic 8.1.4
<<Registry>>
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
The following is the WebLogic myserver log for your reference:
========================================================================================
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=console, contextPath=/console, uri=/*>
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Admin>
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Operator>
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Deployer>
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Monitor>
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(Admin,Operator,Deployer,Monitor)}>
####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(Admin,Operator,Deployer,Monitor)} successfully deployed for resource type=<url>, application=console, contextPath=/console, uri=/*>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=GET>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: DCMS_ROLE>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(DCMS_ROLE)}>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(DCMS_ROLE)} successfully deployed for resource type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=GET>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=POST>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: DCMS_ROLE>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(DCMS_ROLE)}>
####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(DCMS_ROLE)} successfully deployed for resource type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=POST>
####<Apr 6, 2006 3:02:07 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
####<Apr 6, 2006 3:02:07 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: ' weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
####<Apr 6, 2006 3:02:08 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: ' weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext (GSSContextImpl.java:246)
at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity (SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm (CertSecurityModule.java:104)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
>
####<Apr 6, 2006 3:02:08 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Exception weblogic.security.providers.utils.NegotiateTokenException: GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
weblogic.security.providers.utils.NegotiateTokenException : GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:419)
at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at weblogic.security.service.PrincipalAuthenticator.assertIdentity (PrincipalAuthenticator.java:553)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java :199)
at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute (ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
>
========================================================================================
The following are some krb5 packets captured. I suspected it is due to the encryption type used - RC4-HMAC:
========================================================================================
KRB5 (AS-REQ)
============
No. Time Source Destination Protocol Info
125 10.301166 10.122.1.2 10.122.1.200 KRB5 AS-REQ
Frame 125 (345 bytes on wire, 345 bytes captured)
Arrival Time: Apr 6, 2006 13:49:54.848903000
Time delta from previous packet: 0.008330000 seconds
Time since reference or first frame: 10.301166000 seconds
Frame Number: 125
Packet Length: 345 bytes
Capture Length: 345 bytes
Protocols in frame: eth:ip:udp:kerberos
Ethernet II, Src: 10.122.1.2 (00:0c:29:17:9a:be), Dst: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
Destination: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
Source: 10.122.1.2 (00:0c:29:17:9a:be)
Type: IP (0x0800)
Internet Protocol, Src: 10.122.1.2 (10.122.1.2), Dst: 10.122.1.200 (10.122.1.200)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 331
Identification: 0x0158 (344)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x208d [correct]
Source: 10.122.1.2 (10.122.1.2 )
Destination: 10.122.1.200 (10.122.1.200)
User Datagram Protocol, Src Port: 1075 (1075), Dst Port: kerberos (88)
Source port: 1075 (1075)
Destination port: kerberos (88)
Length: 311
Checksum: 0x1133 [correct]
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
padata: PA-ENC-TIMESTAMP PA-PAC-REQUEST
Type: PA-ENC-TIMESTAMP (2)
Type: PA-PAC-REQUEST (128)
KDC_REQ_BODY
Padding: 0
KDCOptions: 40810010 (Forwardable, Renewable, Canonicalize, Renewable OK)
Client Name (Principal): ssouser
Realm: SSOW2K.COM
Server Name (Service and Instance): krbtgt/SSOW2K.COM
till: 2037-09-13 02:48:05 (Z)
rtime: 2037-09-13 02:48:05 (Z)
Nonce: 1870983219
Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
Encryption type: rc4-hmac (23)
Encryption type: rc4-hmac-old (-133)
Encryption type: rc4-md4 (-128)
Encryption type: des-cbc-md5 (3)
Encryption type: des-cbc-crc (1)
Encryption type: rc4-hmac-exp (24)
Encryption type: rc4-hmac-old-exp (-135)
HostAddresses: SSOCLIENT<20>
KRB5 (AS-REP)
============
No. Time Source Destination Protocol Info
126 10.303156 10.122.1.200 10.122.1.2 KRB5 AS-REP
Frame 126 (1324 bytes on wire, 1324 bytes captured)
Arrival Time: Apr 6, 2006 13:49:54.850893000
Time delta from previous packet: 0.001990000 seconds
Time since reference or first frame: 10.303156000 seconds
Frame Number: 126
Packet Length: 1324 bytes
Capture Length: 1324 bytes
Protocols in frame: eth:ip:udp:kerberos
Ethernet II, Src: Vmware_59:2c:e6 (00:0c:29:59:2c:e6), Dst: 10.122.1.2 (00:0c:29:17:9a:be)
Destination: 10.122.1.2 (00:0c:29:17:9a:be)
Source: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
Type: IP (0x0800)
Internet Protocol, Src: 10.122.1.200 (10.122.1.200), Dst: 10.122.1.2 (10.122.1.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1310
Identification: 0x0a0f (2575)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x1403 [correct]
Source: 10.122.1.200 (10.122.1.200)
Destination: 10.122.1.2 (10.122.1.2)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1075 (1075)
Source port: kerberos (88)
Destination port: 1075 (1075)
Length: 1290
Checksum: 0xb637 [correct]
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
Client Realm: SSOW2K.COM
Client Name (Principal): ssouser
Ticket
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 1
enc-part: E3610239EACDD0E6D4E89AA7D81A355F6C93B95D95B13B56...
KRB5 (TGS-REQ)
============
No. Time Source Destination Protocol Info
127 10.309350 10.122.1.2 10.122.1.200 KRB5 TGS-REQ
Frame 127 (1307 bytes on wire, 1307 bytes captured)
Arrival Time: Apr 6, 2006 13:49:54.857087000
Time delta from previous packet: 0.006194000 seconds
Time since reference or first frame: 10.309350000 seconds
Frame Number: 127
Packet Length: 1307 bytes
Capture Length: 1307 bytes
Protocols in frame: eth:ip:udp:kerberos
Ethernet II, Src: 10.122.1.2 (00:0c:29:17:9a:be), Dst: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
Destination: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
Source: 10.122.1.2 (00:0c:29:17:9a:be)
Type: IP (0x0800)
Internet Protocol, Src: 10.122.1.2 (10.122.1.2), Dst: 10.122.1.200 (10.122.1.200)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1293
Identification: 0x0159 (345)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x1cca [correct]
Source: 10.122.1.2 (10.122.1.2)
Destination: 10.122.1.200 ( 10.122.1.200)
User Datagram Protocol, Src Port: 1076 (1076), Dst Port: kerberos (88)
Source port: 1076 (1076)
Destination port: kerberos (88)
Length: 1273
Checksum: 0xd085 [correct]
Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
Type: PA-TGS-REQ (1)
KDC_REQ_BODY
Padding: 0
KDCOptions: 40800000 (Forwardable, Renewable)
Realm: SSOW2K.COM
Server Name (Service and Instance): HTTP/ssow2kserver.ssow2k.com
till: 2037-09-13 02:48:05 (Z)
Nonce: 1871140380
Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
Encryption type: rc4-hmac (23)
Encryption type: rc4-hmac-old (-133)
Encryption type: rc4-md4 (-128)
Encryption type: des-cbc-md5 (3)
Encryption type: des-cbc-crc (1)
Encryption type: rc4-hmac-exp (24)
Encryption type: rc4-hmac-old-exp (-135)
KRB5 (TGS-REP)
============
No. Time Source Destination Protocol Info
128 10.310791 10.122.1.200 10.122.1.2 KRB5 TGS-REP
Frame 128 (1290 bytes on wire, 1290 bytes captured)
Arrival Time: Apr 6, 2006 13:49:54.858528000
Time delta from previous packet: 0.001441000 seconds
Time since reference or first frame: 10.310791000 seconds
Frame Number: 128
Packet Length: 1290 bytes
Capture Length: 1290 bytes
Protocols in frame: eth:ip:udp:kerberos
Ethernet II, Src: Vmware_59:2c:e6 (00:0c:29:59:2c:e6), Dst: 10.122.1.2 (00:0c:29:17:9a:be)
Destination: 10.122.1.2 (00:0c:29:17:9a:be)
Source: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
Type: IP (0x0800)
Internet Protocol, Src: 10.122.1.200 (10.122.1.200), Dst: 10.122.1.2 (10.122.1.2)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1276
Identification: 0x0a10 (2576)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x1424 [correct]
Source: 10.122.1.200 (10.122.1.200)
Destination: 10.122.1.2 (10.122.1.2)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1076 (1076)
Source port: kerberos (88)
Destination port: 1076 (1076)
Length: 1256
Checksum: 0x1318 [correct]
Kerberos TGS-REP
Pvno: 5
MSG Type: TGS-REP (13)
Client Realm: SSOW2K.COM
Client Name (Principal): ssouser
Ticket
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 1
enc-part: 4D2A9E8590CC716EA6571B093B6FAF89537B0B89F832C073...
========================================================================================
Can anybody enlighten me on how you solve this problem? Thanks.
I ran into this error and caught the error code to remind me to edit the registry.
if (sError.contains("KDC has no support for encryption type (14)")){
JOptionPane.showMessageDialog(null,"Error " + ThisErrorCode.myErrorCode() + '\n' +
" http://support.microsoft.com/default.aspx?scid=kb;en-us;308339" + '\n' + '\n' +
"There is a known issue involving Windows clients running Windows 2000 SP4, XP SP2." + '\n' +
"To avoid the error, administrators need to update the Windows registry." + '\n' +
"The registry key, allowtgtsessionkey, should be added, and its value set correctly" + '\n' +
"to allow session keys to be sent in the Kerberos Ticket-Granting Ticket." + '\n' + '\n' +
"Windows XP SP2, add the registry entry:" + '\n' +
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\" + '\n' +
"Value Name: allowtgtsessionkey" + '\n' +
"Value Type: REG_DWORD" + '\n' +
"Value: 0x01" ,null, JOptionPane.ERROR_MESSAGE);
System.exit(-1);
}
-
Problem: KDC has no support for encryption type (14)
Hi, I have been dealing with this problem for a long time, with no response in the BEA forum.
I feel very exhausted after checking MIT's Kerberos mailing list and the Sun forum. I tried every method they provide, but without success.
First I generated the keytab using W2K's ktpass
ktpass -princ HTTP/[email protected] -mapuser weblogic -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc
and it turned out to be successful.
My W2KSP4 KDC Config is:
c:\winnt\krb5.ini-----------------------------
[libdefaults]
default_realm = DLSVR.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600
[realms]
DLSVR.COM = {
kdc = 192.168.2.231
admin_server = dlserver
default_domain = DLSVR.COM
}
[domain_realm]
.dlsvr.com= DLSVR.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
I also set the DES type in the AD account and reset the password after that.
I created my keytab using des-cbc-crc, as you can see in the log below:
<2005-11-8 ����06��09��39�� CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
KeyTab: load() entry length: 50
KeyTabInputStream, readName(): DLSVR.COM
KeyTabInputStream, readName(): host
KeyTabInputStream, readName(): weblogic
KeyTab: load() entry length: 44
KeyTabInputStream, readName(): dlsvr.com
KeyTabInputStream, readName(): weblogic
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: e9889c7a
crc32: 11101001100010001001110001111010
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 1
KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
KrbKdcReq send: #bytes read=1217
KrbKdcReq send: #bytes read=1217
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 54c176ae
crc32: 1010100110000010111011010101110
KrbAsRep cons in KrbAsReq.getReply host/weblogicFound key for host/[email protected]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
<2005-11-8 ����06��09��39�� CST> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no
support for encryption type (14))
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
So I don't know why Win2k's KDC does not support des-cbc-crc.
Any help or clue would be highly appreciated!
david
Exception was: javax.naming.AuthenticationException: KDC has no support for encryption type (14) [Root exception is KrbException: KDC has no support for encryption type (14)]
at com.sco.tta.server.security.java14.KerberosAuth.login(KerberosAuth.java:286)
at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:39 0)
Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 ( default is 0 )
By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.
-
GSSException "KDC has no support for encryption type (14)" on token exchange
I'm stumped. Just started working with an MIT KDC v5 1.3.1 running on Linux and trying to get the IBM sample apps (GSSClient and GSSServer) working. The apps are here: http://www-106.ibm.com/developerworks/java/library/j-gss-sso/
I have two principals set up using defaults: one for the client and one for the server. The GSSClient, GSSServer and KDC are all running on the same machine in the same Realm.
I start the server just fine and it waits with:
GSSServer starts... Waiting for incoming connection
When I run the client, the client authenticates and the context is successfully created. However, the GSSServer throws an Exception:
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at com.ourcorp.caa.security.GSSServer.run(GSSServer.java:138)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.ourcorp.caa.security.GSSServer.startServer(GSSServer.java:98)
at com.ourcorp.caa.security.GSSServer.main(GSSServer.java:71)
The client also throws an Exception:
GSSClient... Getting client credentials
GSSClient... GSSManager creating security context
GSSClient...Sending token to server over secure context
GSSClient...Secure context initialized
GSSClient...Written 511 bytes
GSSClient...Exception nulljava.io.EOFException
at java.io.DataInputStream.readInt(DataInputStream.java:448)
at com.ourcorp.caa.security.GSSClient.run(GSSClient.java:184)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:320)
at com.ourcorp.caa.security.GSSClient.login(GSSClient.java:117)
at com.ourcorp.caa.security.GSSClient.main(GSSClient.java:63)
Client authentication denied...
This happens consistently and I cannot get past this point! The weird thing is that the same thing happens using the Windows 2003 Server KDC! Same Exception.
Can anyone help me understand what is causing this? The Exception mentions "KDC has no support for encryption type (14)" but we're not specifying any encryption type other than the defaults. The principals are the same as far as I know.
Thanks.
Interesting. I managed to get this example to work, but I had to create two principals (one for the client, one for the server) with encryption types of "des-cbc-crc:normal" only. It seems that a principal with "des-cbc-crc:normal" and "des3-hmac-sha1:normal" encryption types causes the Exception. So, the question I have is: does the GSS API support TripleDES or what? The KDC is obviously trying to use it for the user-user exchange but fails.
Anyone got any ideas? Thanks.
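An added triage example, not code from any of the posts above: it reads a mix of Wireshark dissection text and Java Kerberos debug output like the excerpts in these threads, lists the encryption types offered, and flags the deprecated ones. The "(14)" in the Java message is the RFC 4120 error code KDC_ERR_ETYPE_NOSUPP, not an etype number. The function names and the sample text are assumptions made for this example.

```python
import re

# RFC 4120 error codes; Java prints the code in parentheses after the message text.
KRB_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP"}
# Names for the numeric etypes Java prints in its "etypes are:" debug line.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}

WIRESHARK_ETYPE = re.compile(r"Encryption type: (\S+) \((-?\d+)\)")
JAVA_ETYPES = re.compile(r"etypes are: ([-\d ,]+)")
JAVA_ERROR = re.compile(r"KDC has no support for encryption type \((\d+)\)")

# Constructed sample: lines copied from the dissection and debug logs quoted above.
SAMPLE = """\
Encryption type: rc4-hmac (23)
Encryption type: rc4-hmac-old (-133)
Encryption type: des-cbc-md5 (3)
Encryption type: des-cbc-crc (1)
KrbAsReq etypes are: 1
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
"""

def is_deprecated(name):
    # DES and RC4-export: RFC 6649. 3DES and RC4: RFC 8429.
    return name.startswith(("des", "rc4"))

def triage(text):
    """Collect offered etypes and Kerberos error codes from mixed log text."""
    etypes, errors = {}, []
    for line in text.splitlines():
        m = WIRESHARK_ETYPE.search(line)
        if m:
            etypes.setdefault(int(m.group(2)), m.group(1))
        m = JAVA_ETYPES.search(line)
        if m:
            for n in map(int, re.findall(r"-?\d+", m.group(1))):
                etypes.setdefault(n, ETYPE_NAMES.get(n, "unknown"))
        m = JAVA_ERROR.search(line)
        if m:
            code = int(m.group(1))
            errors.append(KRB_ERRORS.get(code, "unmapped error %d" % code))
    weak = sorted(n for n, name in etypes.items() if is_deprecated(name))
    return {"etypes": etypes, "deprecated": weak,
            "only_deprecated": bool(etypes) and len(weak) == len(etypes),
            "errors": errors}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with only_deprecated set means the client offered nothing but DES or RC4 variants, which is the case in every capture and log quoted on this page.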