Configuring WACS for AD-Kerberos Authentication in XI 3.1

Hi,
Installed WACS (Web Application Container Server) and trying to configure CMC hosted on it for AD-Kerberos authentication in XI 3.1. Followed all the steps in the "XI 3.1 admin guide", but when trying to log in to CMC using Kerberos authentication, getting the error "Account Information Not Recognized: Active Directory failed to log you on…"
Then installed Tomcat on the same machine and deployed Infoview and CMC on it. Able to login to CMC and Infoview hosted on tomcat using Kerberos authentication, but still Kerberos authentication is failing with WACS.
Also enabled Kerberos logging for WACS, by adding the command line parameters
"-Dcrystal.enterprise.trace.configuration=verbose
-Djcsi.kerberos.debug=true"
But not getting anything useful from WebApplicationContainerServer_stdout.log.
Could you please let me know how to proceed here?
Regards,
Saikrishna.

Hi Tim,
Yes. Did put the paths for krb5.ini and bscLogin.conf in the properties section of WACS.
Tried deleting the WACS server (right click and "Delete" the server) -> Created the server again from Home -> Servers -> Core Services -> Manage -> New -> New server.
But getting the same issue, able to login to WACS with enterprise authentication but AD is failing. Anything else I may need to check?
Regards,
Saikrishna.

Similar Messages

  • Configuring tomcat for form based authentication-help badly needed

    Hi, I want to have form based or some other way of authentication for the users coming to my site. I have access only to web.xml, but in the Tomcat documentation it's given that I need to change server.xml and tomcat-user.xml. Can I make these changes in web.xml to implement it, or please tell me a way out of this. I even tried jguard, but it needs changes in the JVM, which is also not in my access.

    Hi,
    I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file.

  • Error=49 from the LDAP server for GSSAPI Kerberos authentication

    I am trying to find a solution for an ldapsearch failure with GSSAPI Kerberos authentication. I am running Sun Directory Server 5.2 P4 on a Solaris-9 sparc machine.
    Steps :
    bash-2.05# kinit tester1
    Password for [email protected]:
    bash-2.05#
    When I do ldapsearch , I am getting following logs on the server :
    tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
    [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
    I am using the default Identity Mapping and the ldif file looks like this:
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMatching-regexp: uid=(.*)
    dsSearchBaseDN: ou=people,dc=test1,dc=com
    dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
    modifyTimestamp: 20070221082740Z
    Following is the snoop for LDAP on the server :
    bash-2.05# !snoop
    snoop -v port 389 | grep LDAP
    Using device /dev/eri (promiscuous mode)
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP: *** NOT PRINTED - Too long value ***
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: 1
    LDAP: Invalid Credentials
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL(-1): generic failure:
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation [APPL 2: Unbind Request]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    Please help me on how to fix this issue.
    Thanks,
    Radhakrishnan

    I did reply on the other thread of yours...
    Ludovic
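As an added illustration of how to read the access log quoted in this post (not code from the thread or from Sun Directory Server): the Python sketch below groups BIND/RESULT pairs per connection and reports how many "SASL bind in progress" (err=14) rounds a GSSAPI bind completed before its final result. The conn=32 lines are copied from the post; conn=34 and conn=35 and the function names are constructed for the example.

```python
import re

SASL_BIND_IN_PROGRESS = 14   # LDAP result code saslBindInProgress
INVALID_CREDENTIALS = 49     # LDAP result code invalidCredentials

# conn=32 is taken from the post; conn=34 and conn=35 are constructed samples.
SAMPLE_LOG = """\
[22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
[22/Feb/2007:01:50:02 -0700] conn=34 op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from 10.7.30.186 to 10.7.30.16
[22/Feb/2007:01:50:02 -0700] conn=34 op=0 msgId=1 - BIND dn="uid=tester2,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:50:02 -0700] conn=34 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:50:02 -0700] conn=34 op=1 msgId=2 - BIND dn="uid=tester2,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:50:02 -0700] conn=34 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:50:02 -0700] conn=34 op=2 msgId=3 - BIND dn="uid=tester2,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:50:02 -0700] conn=34 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tester2,ou=people,dc=test1,dc=com"
[22/Feb/2007:01:51:10 -0700] conn=35 op=-1 msgId=-1 - fd=28 slot=28 LDAP connection from 10.7.30.187 to 10.7.30.16
[22/Feb/2007:01:51:10 -0700] conn=35 op=0 msgId=1 - BIND dn="uid=tester3,ou=people,dc=test1,dc=com" method=128 version=3
[22/Feb/2007:01:51:10 -0700] conn=35 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
                  r'msgId=(?P<msg>-?\d+) - (?P<rest>.*)$')
CONNECT = re.compile(r'LDAP connection from (\S+) to (\S+)')
BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+) '
                  r'version=\d+(?: mech=(?P<mech>\S+))?')
RESULT = re.compile(r'^RESULT err=(?P<err>\d+)\b')


def gssapi_bind_outcomes(log_text):
    """Return one record per finished GSSAPI bind: who, from where, how many
    in-progress rounds were exchanged, and the final LDAP result code."""
    conns = {}
    outcomes = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn = conns.setdefault(
            m["conn"], {"client": None, "pending": {}, "rounds": 0})
        rest = m["rest"]
        c = CONNECT.search(rest)
        if c:
            conn["client"] = c.group(1)
            continue
        b = BIND.match(rest)
        if b:
            # Remember the bind so the RESULT with the same op can be paired.
            conn["pending"][m["op"]] = (b["dn"], b["mech"])
            continue
        r = RESULT.match(rest)
        if not r or m["op"] not in conn["pending"]:
            continue
        dn, mech = conn["pending"].pop(m["op"])
        if mech != "GSSAPI":
            continue  # simple binds and other mechanisms are out of scope
        err = int(r["err"])
        if err == SASL_BIND_IN_PROGRESS:
            conn["rounds"] += 1
            continue
        outcomes.append({"conn": int(m["conn"]), "client": conn["client"],
                         "dn": dn, "rounds": conn["rounds"], "err": err,
                         "time": m["ts"]})
        conn["rounds"] = 0
    return outcomes


def failed_gssapi_binds(log_text):
    """GSSAPI binds whose final result was not success (err != 0)."""
    return [o for o in gssapi_bind_outcomes(log_text) if o["err"] != 0]


if __name__ == "__main__":
    for o in failed_gssapi_binds(SAMPLE_LOG):
        print("conn=%(conn)d client=%(client)s dn=%(dn)s "
              "rounds=%(rounds)d final err=%(err)d" % o)
```

A bind that fails with err=49 only after two in-progress rounds, as conn=32 does, got through the token exchange and was rejected at the final step, which is a different failure from one rejected on the first BIND.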

  • How to configure the applet  use Kerberos authentication

    Hi all:
    I know little about Java or applet security and hope someone can help me.
    I have an MS IIS web server named win2003stdbase1 that uses Kerberos authentication, and the web server hosts a jar file. The client machine has JDK 1.5 installed. When the client visits an HTML page which contains a Java applet, the JRE starts the applet and a dialog "Password Needed - Networking" pops up. Then we input the right user name and password, but the dialog pops up again. The dialog displays this message:
    Server:     win2003stdbase1/192.168.0.43
    Scheme:     ntlm
    UserName:
    Password:
    Domain:
    I suspect that the applet uses the NTLM authentication method, which is different from the web server's, and I want it to use Kerberos authentication. How can I achieve this?
    Any suggestion or idea will be appreciated. Thanks.

    Is there anyone who can help with this? It is an urgent issue. Also, if I did not explain it clearly, please let me know. Thanks.

  • Error while configuring  Webgate for simple mode authentication

    Trying to convert open mode authentication to simple mode. Followed the documentation.
    http://download.oracle.com/docs/cd/E12530_01/oam.1014/b32419/trnscrty.htm#BGBGEIFB
    Was able to get identity server and access server configured. As in...got no error. When trying to change to simple mode for Webgate getting the following error....
    Client authentication failed, please verify your WebGate ID.
    Command executed for one of the webgates is below....Any thoughts??
    ./start_configureWebGate -i /u01/app/oracle/product/10.1.4.2.2/OAM/webgate/access -t WebGate -R
    Please enter the Mode in which you want the Web Gate to run : 1(Open) 2(Simple) 3(Cert) : 2
    Please enter the Password for this Web Gate :
    Please note that the Global Access Protocol Pass phrase has to be the same across all Access Servers and Web Gates installed in Simple mode
    Please enter the Global Access Protocol Pass phrase :
    Preparing to generate certificate. This may take up to 60 seconds. Please wait.
    Generating a 1024 bit RSA private key
    ........................++++++
    .......................................++++++
    writing new private key to '/u01/app/oracle/product/10.1.4.2.2/OAM/webgate/access/oblix/config/simple/aaa_key.pem'
    writing RSA key
    Using configuration from /u01/app/oracle/product/10.1.4.2.2/OAM/webgate/access/oblix/tools/openssl/openssl_silent.cnf
    DEBUG[load_index]: unique_subject = "yes"
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'US'
    stateOrProvinceName :PRINTABLE:'Some-State'
    localityName :PRINTABLE:'Locality Name'
    organizationName :PRINTABLE:'Some-Organization Pty Ltd'
    organizationalUnitName:PRINTABLE:'production'
    commonName :PRINTABLE:'hostName.domainName.com'
    emailAddress :IA5STRING:'[email protected]'
    Certificate is to be certified until Sep 29 18:20:01 2011 GMT (365 days)
    Write out database with 1 new entries
    Data Base Updated
    Client authentication failed, please verify your WebGate ID.

    Is the Access Server already in Simple Mode, and does the AccessGate definition in the Access System Console have "Simple" transport security mode set?
    Regards,
    Colin

  • Configure WLan for user certificate authentication

    I have a Windows CA and NPS (RADIUS server).
    I want wireless clients / devices using Active Directory user certificates (generated by AD CA) to authenticate and encrypt to the wireless WLAN.
    I have set up the WLAN as [WPA2][Auth(802.1X)], pointing to the RADIUS server (Windows NPS).
    My test notebook PC has ca.cer and the username certificate installed in the trusted and personal stores, and I configured the wireless profile as "Microsoft: smart card or other certificate".
    However, when I try to connect, it fails, and Wireshark on NPS shows no traffic on port 1812.
    Could someone please help take a look for anything wrong in the WLC settings?
    Thanks.
    GPING

    Hi, Scott,
    My WLC setting: SSID-Test, WPA2 802.1x, AES, Radius server overwrite interface "ticked", Server1 - x.x.x.x port 1812,
    Local EAP auth - Enabled and profile = "Peap"
    On my NPS, I got 2 policies (enabled only one of them for test).
    NPS-Policy 1: Auth method = Microsoft PEAP -> "wireless server certificate", User group ="test users".
    On Win7, I setup wireless profile = WPS2-Enterprise, AES, Choose auth method = "Microsoft PEAP" with ca.cer installed and ticked . When "connect", I got connected with login user credential.
    NPS-Policy 2: Auth method = "Microsoft Smart card or other certificate" -> wireless server certificate"
    On Win7, I setup wireless profile = WPS2-Enterprise, AES, Choose auth method = "Microsoft Smart card or other certificate". Choose "use a certificate on this computer". (I have one user certificate installed on Personal store). Also ticked "Validate server certificate" and ticked the ca.cer which was installed. When "connect" I failed.
    I tried some other combinations, like TKIP instead of AES, but I got "The settings saved on this computer for the network do not match the requirements of the network" - really frustrated.
    Could you please point me to where I went wrong?
    Thanks
    GPING

  • Manager password in tomcat for form based authentication

    Hi all,
    I have a JSP using form based authentication. I have set up web.xml and server.xml and created my database with the various users and roles, but when I try to deploy the application, it asks for the manager username/password, and when I enter what I have in the database it refuses to connect.
    Does anyone have any idea what I might be doing wrong?
    Thanks in advance

    Hi,
    I'm a little confused. You wanted to know how to configure Tomcat for form based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you getting access to the Tomcat *.xml file.

  • Configuring Kerberos authentication for SSRS in native mode - SSRS 2008 R2-2012

    Hi,
    I've a SSRS native mode installation on a server and a SSAS installation on another server.
    In order to configure the Kerberos authentication for SSRS native mode, I need to register one SPN for the report server service, one SPN for SSAS service and to configure SSRS to use the negotiate authentication type, isn't it?
    Thanks

    Hi pscorca,
    If we have applications that only use Kerberos authentication and we are using RSWindowsNegotiate AuthenticationType, we must create a Service Principal Name (SPN) for the Report Server service if we configure it to run as a domain user account.
    Before setting up constrained delegation, we must register a Service Principal Name (SPN) for the Analysis Services instance. We will need the Analysis Services SPN when configuring Kerberos constrained delegation for middle tier services.
    There is a document about Enabling Kerberos Authentication for Reporting Services, you can refer to it.
    http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx
    Hope this helps.
    Regards,
    Alisa Tang
    TechNet Community Support

  • Updating hybrid configuration failed - Kerberos authentication: The network path was not found

    I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
    When I run the Manage Hybrid Configuration, I receive the following error:
    Updating hybrid configuration failed with error
    'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network path was not found.
    The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
    [1/5/2014 21:21:1] INFO:Opening runspace to
    http://[servername]/powershell?serializationLevel=Full
    [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
    [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
    error occured while using Kerberos authentication: The network path was not found. 
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
       at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
       at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
       at System.Management.Automation.Runspaces.RunspacePool.Open()
       at System.Management.Automation.RemoteRunspace.Open()
       at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
       at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
    I have sought help, posting on the forum at community.office365.com -
    http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
    Has anyone else come across this problem running the Hybrid Configuration Wizard?

    Hello Darrell,
    Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
    http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspx
    I would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything looks good.
    As the article states you can run the Exchange BPA and it will check if any of these exist as well.

  • Configure SSO for ITS to R/3 using SNC/Kerberos

    Our R/3 systems had been configured for SSO using SNC and Kerberos for awhile now.  We now have a requirement to configure SSO between ITS and R/3.  Since our R/3 env. has been using kerberos library, we won't be able to use SAP Cryptographic library.  I had modified the registry, environment and services in itsadmin to point to the kerberos library and principal names for agate and r/3 servers as described in SNC User Guide; also, I updated table SNCSYSACL with the Agate SNC name.  That seems to work fine.  From the trace file, it recognized GSS-API library for Kerberos and the SNC name for Agate.  However, when I tried to logon to R/3 from ITS, I still am being prompted with the logon screen to enter my SAP account/password.
    I found several whitepapers and documentations stating that ITS does support Kerberos for SSO but I couldn't find any procedure on how to implement it.  Following is the error I'm getting from the sapbasis.trc file but I can't find any document on this error:
    =====================================================
    [Thr 5284] SncInit(): Initializing Secure Network Communication (SNC)
    [Thr 5284]       PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
    [Thr 5284] SncInit(): Trying environment variable SNC_LIB as a
          gssapi library name: "C:\WINNT\system32\gsskrb5.dll".
    [Thr 5284]   File "C:\WINNT\system32\gsskrb5.dll" dynamically loaded as GSS-API v2 library.
    [Thr 5284]   The internal Adapter for the loaded GSS-API mechanism identifies as:
      Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
    [Thr 2888] Sun Jan 15 22:44:59 2006
    [Thr 2888] <<- ERROR: SncSetParam()==SNCERR_PARAM_DENIED
    [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
    [Thr 2888] Sun Jan 15 22:45:29 2006
    [Thr 2888] *** WARNING => NO Domain! domain==NULL means: No domain at all within the cookie. [sapss1_loctr 333]
    =====================================================
    Does anyone know what am I missing?  Any help is greatly appreciated.
    Thank you!
    Diem

    Hi Markus,
    I also just installed/configured PAS for LDAP authentication using the "PAS for External Authentication Mechanisms" documentation.  I think the domain problem probably due to not having the external authentication mechanism install (in this case - PAS).  Does that sound right to you?
    I tried both options for ~extid_type parameter = "LD" and "UN".  I added the DN information to table USREXTID when ~extid_type="LD" but both options gave me error of "LDAP authentication failed".  I increased the trace level for sapextaut.trc but I don't see enough detail information.  Following are the errors/data from the trace file.  Can you please let me know how I can tell what string is being passed for authentication? 
    I'm quite sure the LDAP host and port data is correct since we've been using the same information for the SAP LDAP connector and we've been using our LDAP connector between MS AD and R/3 for a long time without any problem. 
    To logon to R/3 through ITS, I entered the AD account (CN attribute in AD) when I got the errors.
    Thank you very much for all your help.
    Diem Tran
    Trace:
    =====================================================
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  437]: W sapextauth: PAS session begins...
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  456]:     sapextauth: SncNameR3 is:    "p:na1adm/[email protected]"
    2006-01-18T01:39:30.734 p001688 t4992 s0158B4E8 [sapextauth,  462]:     sapextauth: SncNameAGate is: "p:[email protected]"
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  468]:     sapextauth: SNC_LIB is:      "C:\WINNT\system32\gsskrb5.dll"
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  568]:     sapextauth: XGatConnectSession leaving....
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:30.750 p001688 t4992 s0158B4E8 [sapextauth,  993]: W Either ~login or ~password missing, returning XGDKRCloginrequired.
    2006-01-18T01:39:50.281 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
    2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:50.281 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
    2006-01-18T01:39:50.296 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
    2006-01-18T01:39:59.140 p001688 t4992 s00000000 [sapextauth,  398]:     sapextauth: XGatEventOpenSession called...
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  616]:     sapextauth: XGatHandleLogin called....
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth,  976]:     sapextauth: Entering XGatHandleLogin with LDAP...
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1059]:     sapextauth: LDAP port ist 389
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1261]: E sapextauth: LDAP authentication failed.
    2006-01-18T01:39:59.156 p001688 t4992 s0158B4E8 [sapextauth, 1277]: E sapextauth: Wrong try for user Tran_Diem
    =======================================================

  • Configuring ssh for kerberos

    Hi ,
    I am using solaris 4.8 as my ssh server, Mac OS X 10.5 as ssh client and Mac OS X Server as my KDC. I am a newbie in Solaris. I have successfully configured passwordless ssh with the help of GSSAPI authentication for the ssh server on a Mac machine. But I am not getting any pointers for configuring the ssh server in Solaris for passwordless authentication using Kerberos authentication.
    For Mac and Linux we can enable GSSAPI authentication in the sshd_config file, but can we do a similar thing in Solaris also?
    Any pointers will be very helpful.

    Are your client Mac Pros bound to your OD master?
    Are you logging-in to the clients with OD accounts?
    If both answers are yes, then type this in a Terminal window after logging-in to a client workstation with your OD account:
    *kinit username*
    (where 'username' is your OD username, you must be logged-in to the client with an OD account, then hit Return)
    You should see this:
    *Password for [email protected]:* (OD password goes here)
    hit Return. then enter this next bit:
    klist
    and you should see something like this:
    *Default principal: [email protected]*
    *Valid starting Expires Service principal*
    *03/15/08 17:40:28 03/16/08 03:40:34 krbtgt/[email protected] Renew until 03/16/08 17:40:28*
    then enter:
    *ssh servsername.psc.edu* (hit Return)
    you should see your ssh banner (if configured) or just the standard 'Welcome to Darwin!' message.
    More info can be found in the man files for klist and kinit.

  • Any document explaining Risks involved in assigning "Delegation Permission" to a computer for Kerberos Authentication

    Need SSO on CRM 2013. As per documents assigning Delegation Permission in Kerberos Authentication is mandatory to achieve SSO in CRM 2013.
    Before doing that need to evaluate risks in doing so. Any help or document for the same is helpful.
    Devesh

    Hi Devesh,
    “The idea of delegation in Kerberos is that if a user makes a request to a final resource, and some intermediary accounts must process the request, then those intermediary accounts can be trusted to delegate on the user’s behalf. You can configure an account for delegation by using Active Directory Users and Computers as a domain administrator.
    Select Trust this user/computer for delegation to any service (Kerberos) under the Delegation tab of the user or computer account.”
    Quoted from this article below:
    Using Kerberos for SharePoint Authentication
    http://technet.microsoft.com/en-us/magazine/ee914605.aspx
    From my point of view, as long as the intermediary account can be trusted, then it is safe.
    Best Regards,
    Amy
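As an added illustration for the delegation question in this thread (not part of the posts or of the quoted article): before granting "delegation to any service", it helps to inventory which accounts already carry which kind of delegation. The Python sketch below classifies accounts from an LDIF export using the documented userAccountControl bits and the msDS-AllowedToDelegateTo attribute; the LDIF sample, account names and function names are constructed for the example.

```python
# Documented Active Directory userAccountControl bits.
SERVER_TRUST_ACCOUNT = 0x2000                 # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000              # "delegation to any service (Kerberos)"
NOT_DELEGATED = 0x100000                      # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained, "any authentication protocol"

# Constructed sample export; one value is folded onto a continuation line,
# which LDIF marks with a single leading space.
SAMPLE_LDIF = """\
dn: CN=CRMAPP-01,OU=Servers,DC=example,DC=test
sAMAccountName: CRMAPP-01$
userAccountControl: 528384

dn: CN=svc-crm,OU=Service Accounts,DC=example,DC=test
sAMAccountName: svc-crm
userAccountControl: 66048
msDS-AllowedToDelegateTo: MSSQLSvc/crmsql-01.example.test:1433
msDS-AllowedToDelegateTo: HTTP/crmssrs-01.exam
 ple.test

dn: CN=svc-web,OU=Service Accounts,DC=example,DC=test
sAMAccountName: svc-web
userAccountControl: 16777728
msDS-AllowedToDelegateTo: HTTP/crmapp-01.example.test

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=adm-bob,OU=Admins,DC=example,DC=test
sAMAccountName: adm-bob
userAccountControl: 1049088
"""


def parse_ldif(text):
    """Parse a plain-text LDIF export into a list of {attr: [values]} dicts."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]      # folded continuation line
        elif ":" in line:
            attr, value = line.split(":", 1)
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        records.append(current)
    return records


def classify(record):
    """Return (kind, targets) describing the account's delegation setting."""
    uac = int(record.get("useraccountcontrol", ["0"])[0])
    targets = record.get("msds-allowedtodelegateto", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained", []
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition", targets
    if targets:
        return "constrained", targets
    return "none", []


def delegation_findings(ldif_text):
    """List every account trusted for some form of delegation.
    Domain controllers carry the unconstrained bit by default and are
    marked so they can be reviewed separately from member servers."""
    findings = []
    for rec in parse_ldif(ldif_text):
        kind, targets = classify(rec)
        if kind == "none":
            continue
        uac = int(rec["useraccountcontrol"][0])
        findings.append({"account": rec["samaccountname"][0], "kind": kind,
                         "targets": targets,
                         "domain_controller": bool(uac & SERVER_TRUST_ACCOUNT)})
    return findings


def protected_accounts(ldif_text):
    """Accounts flagged 'sensitive and cannot be delegated'."""
    return [r["samaccountname"][0] for r in parse_ldif(ldif_text)
            if int(r.get("useraccountcontrol", ["0"])[0]) & NOT_DELEGATED]


if __name__ == "__main__":
    for f in delegation_findings(SAMPLE_LDIF):
        print(f)
    print("not delegable:", protected_accounts(SAMPLE_LDIF))
```

The "any service" option named in the quoted article corresponds to the unconstrained class here; the constrained classes list the specific SPNs the account may delegate to.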

  • Kerberos authentication prompting for credentials in Sharepoint 2013

    Hello all,
    I think I’m a bit confused on what I should expect out of Kerberos and sharepoint.
    Following the steps located in
    http://blog.blksthl.com/2012/09/26/the-first-kerberos-guide-for-sharepoint-2013-technicians/ , I’ve set up Kerberos in my SharePoint 2013 environment. My hope was that configuring Kerberos authentication would solve the issue of users being prompted for credentials when they access SharePoint. I know that one way to address this problem is to tweak the IE settings by adding the site to the local intranet or trusted zones, but am I wrong in thinking that Kerberos should also authenticate the user on to the site? Here’s my situation:
    Previously, I had our SharePoint URL in the trusted zone and had IE set to pass my credentials through, and that worked. After configuring Kerberos, I can see the tickets on my system using klist and the security log on our web front-end shows that I authenticated using Kerberos.
    However, if I then remove the SharePoint URL from the trusted zone in IE, I still get prompted for credentials. If I cancel the credential prompt, I get a 401 error and the security log on the server shows an NTLM login attempt.
    As soon as I put the URL back in the trusted zone, I can access the site and the server log shows a Kerberos authentication.
    Am I wrong in thinking that if Kerberos was working properly then I shouldn't need to have the URL in the trusted zone?
    Thanks
    Bill

    Thanks for the quick reply, Alex. At least it’s good to know it appears to be working as designed.
    Thanks again,
    Bill

  • Kerberos Authentication Setup for MSCRM in cross forest oneway trust environment.

    Dear All,
    Kindly help related to implement Kerberos authentication on CRM application with multiple Forest environment. My environment details are as below:
    Number of forests: 2
    1. First is with name of domain1.local
    2. Second is with name of domain2.local
    Trust Level: One Way trust from domain1 and domain2.
    CRM Farm Details:
    1.  1 CRM(APP + WEB)Server (CRMAPP-01.domain1.local)
    2.  1 SQL Server (CRMSQL-01.domain1.local)
    3. 1 CRM SSRS Server (CRMSSRS-01.domain.local)
    4. CRM site url: http://mscrminternal.domain.local/MSORG1
    *I have successfully configured Kerberos authentication and everything is working fine once I try to access for users of domain1.
    But once I tried to access for users of domain2, I am getting the following error.
    HTTP Error 401 - Unathorized: Access denied.
    *If I switch to NTLM, I can access the CRM site for domain2 and domain1 users without any issue.
    I read an MS article saying Kerberos delegation can be established if a one-way forest trust is present.
    Please help me to understand if Kerberos is possible to set up across a one-way cross-forest trust.
    Regards
    Gyan
    GYAN SHUKLA

    Hi Gyan,
    I assume that you have solved this issue by synchronizing time between Domain Controllers, right?
    Then your last reply should be marked as answer.
    If this issue still persists, please feel free to let us know.
    Best Regards,
    Amy 

  • Kerberos authentication for Excel Services

    Hi,
    I am configuring Kerberos for the Excel Service Application and facing some issues. Things I have done so far:
    Configured web application to use Kerberos: Verified it from server authentication logs, klist and net mon that web application is using kerberos.
    Excel service Account: domain\ExcelSVA
    SQL server service account: domain\SQLSERV
    C2WTS account : domain\C2wts
    Set the SPN using setspn -s sp/excelservices domain\ExcelSVA and delegated constrained authentication to domain\SQLSERV,
    then setspn -s sp/c2wts domain\C2wts and delegated constrained authentication to domain\SQLSERV.
    The C2WS account has impersonate identity, logon as service and act as part of OS rights on the app servers where Excel and c2wt are running.
    Now when I try to refresh data I get the error: The data connection uses Windows Authentication and user credentials could not be delegated.
    The following connections failed to refresh: SQLServername port, databasename
    http://technet.microsoft.com/en-us/library/ff487975.aspx
    The first 3 errors don't apply to me since I can't see these errors in the SP log files and my sharepoint and database servers are in the same domain.
    For UPN, there is an email id associated with the account that I am using and I have been using that email id to log on to other services in my company, so UPN should be done too.
    The Excel Services service account must have Active Directory permissions to query the object. Now this got me confused. Where do I actually give this? In SQL Server or AD? Which object does it need to query? The Excel database in SQL Server? If so, then the permission needs to be granted on SQL.
    Also this link http://social.msdn.microsoft.com/Forums/en-US/99a3cf4f-dabc-4ac9-9ea8-afa677199ffa/kerberos-and-excel-services?forum=sharepointgeneralprevious
    The Microsoft solution described here is weird. I don't think SQL Server has c2wts or the Excel service application started on it. And from the drop-down list, that is, I don't know what the solution is talking about.
    Does anyone have any idea if I am missing any delegation or any step?
    sachin

    Any idea??
    sachin
