Default credentials for Kerberos service?

All Java GSS examples I have found have the server authenticate with a service account to the KDB prior to accepting connections from clients.
Given that the Windows system itself (i.e. the node) is already registered in AD already (and authenticated), I was wondering whether it is possible to use the system's credentials instead of the more fine-grained service credentials, and thus avoid that the need to register each individual service in AD (to avoid the extra administrative work). From a security perspective I'd be perfectly fine to have my client authenticate to a service at the system/node level.
I noticed that my service can obtain a TGT from the LSA (using the LoginModule with useTicketCache=true, the principal will be [email protected]), however, I don't seem to get the server's key, and thus cannot create a GSS context that can validate the APP-REQ received from the client.
Thus my question - do you know how a service can avoid having to have its own account in the KDC (e.g. by using the system-level credentials), yet still can validate the client's service request?

I figured it out. The job is associated with a particular user but default credentials were not set for that particular user. Once I set those credentials for that user the job submission was successful. Thanks.

Similar Messages

  • Which folder is the default root for https service (port433) in Lion?

    Which folder is the default root for https service (port433) in Lion?

    You chose the password during the configure script.
    If not, su to the oracle user and do
    sqlplus "/ as sysdba"
    password system
    and it should prompt you for a new system password.
    ~Jer

  • Unable to properly submit default credentials for use with Job Submission

    Greetings,
    I have several jobs running successfully by overriding default credentials. I am having difficulty getting them to run using the default credentials. Under preferences I choose referred credentials and set the username and password for the target of interest, choose to test the connection and it is successful. Under the database instance I set the username and password and the host username and host password and again the connection test is successful. I then go to the job in question (which BTW is running successfully if I choose override default credentials), edit the job and ask it to use the preferred credentials. WHen I click submit I see the following message displayed - FOllowing Preferred Credentials are not set: Database Host Credentials on Targets.... or Normal Database Credentials on targets....
    I am cleary missing something but I am not certain what. Any thoughts would be appreciated.
    Thanks.

    I figured it out. The job is associated with a particular user but default credentials were not set for that particular user. Once I set those credentials for that user the job submission was successful. Thanks.

  • When running Junit for AMImplTest, service invocation fails due to security

    We have a Junit to test an AM java method. Part of the logic is to retrieve a cost using a service. We are using the Service Factory to perform the call and have the credential set in the connections, so when it is deployed, the credentials will be used. The issue is when the Junit is run, it does not seem to be getting the credentials. When the service is invoked, an error is thrown: oracle.jbo.service.errors.ServiceException: java.lang.reflect.InvocationTargetException. Within this error, I have found another error wrapped: oracle.fabric.common.PolicyEnforcementException: WSM-00015 : The user name is missing.     WebServiceException.
    How does the Junit get credentials for the service invocation?

    Just need to update the wallet.soo using: ant addCredential -Djws=<relative-path-to-your-jws-file> -Dmap=oracle.wsm.security -Dkey=keystore-csf-key -Duser=owsm -Dpassword=welcome1

  • Default credentials not being saved in Hyper-V Manager for a single VM

    Greetings,
    I have a Server 2008 R2 SP1 Standard Hyper-V box running about 8 virtual machines on it.  The machine is  joined to a 2008 domain. 
    Recently, I moved the .VHD file for a single machine from one folder to another folder.  After doing so, when I connect to ONLY that specific machine via Hyper-V manager, I receive the error: "Your credentials did not work.  Your system administrator
    does not allow the use of default credentials to log on to the remote computer XXXXXX because its identity is not fully verified.  Please enter new credentials."
    I have the "Use default credentials automatically (no prompt)" option checked in the Hyper-V settings, and I have tried checking and unchecking this box and saving multiple times.  I have also deleted the saved credentials and the system reports no
    saved credentials.
    I have attempted to change settings in the group policy (gpedit.msc) regarding enabling the Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation > Allow Delegating Saved Credentials with
    NTLM-only Server Authenticaton setting, something I found in older blog posts here in the Hyper-V forum and on other websites, and it has not made any difference.
    At this point, I can only assume this must be some sort of bug because I cannot identify any other possible solution for getting rid of this annoying Windows Security pop-up box.  There are no entries in the Windows event log that indicate anything
    odd.  When I enter the correct username/password, I can still access the VM, but the credentials are never remembered, and ONLY for this single VM.
    Does anybody have any knowledge of how to fix this issue?  I can't believe that just moving a VHD caused all these problems.
    Thanks!

    Ah, finally found a solution!  I cannot explain why this suddenly got changed other than to assume it must have had something to do with a recent Windows Update or me trying to install Remote Desktop Services and Network Policy and Access Services.
    I roughly followed the directions from
    KB954357 or this
    older post on the Hyper-V forum.
    FIX:
    1) Run gpedit.msc on the Hyper-V host that exhibits the problem.
    2) Enable the policy setting Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation > Allow Delegating Default Credentials with NTLM-only Server Authentication.  Click the Show... button
    next to "Add Servers to the list", and add the value "Microsoft Virtual Console Service/*" without the double quotes.  Click OK.  Click OK again to exit the dialog box.
    3) Run a command prompt and execute gpupdate /force to refresh the group policy.
    4) Now try to log into a machine in Hyper-V manager with default credentials enabled, and note that you are not prompted.
    Again, I don't know why I had to do this, but it's working fine now.

  • Kerberos authentication for Excel Services

    Hi,
    I am configuring Keberos for Excel Service Application and facing some issue. Things i have done so far:
    Configured web application to use Kerberos: Verified it from server authentication logs, klist and net mon that web application is using kerberos.
    Excel service Account: domain\ExcelSVA
    SQL server service account: domain\SQLSERV
    C2WTS account : domain\C2wts
     set spn on in using setspn - s sp/excelservices domain\ExcelSVA and delegated constarined authentication to domain\SQLSERV
    then setspn - s sp/c2wts domain\C2wts and delegated constrained authentication to domain\SQLSERV.
    C2WS account has impersonate identity ,logon as service and act as part of OS rights in app servers where excel and c2wt are running 
    Now when i try to refresh data i get error :The data connection uses Windows Authentication and user credentials could not be delegated.
    The following connections failed to refresh: SQLServername port, databasename
    http://technet.microsoft.com/en-us/library/ff487975.aspx
    First 3 errors don't apply to me since i cant see these errors in SP log files and my sharepoint and database servers are in same domain.
    For UPN, there is a email id assoisated with account that i am using and i have been using that email id to logon to other services in my company so UPN should be done too.
    The Excel Services service account must have Active Directory permissions to query the object. Now this got me confusing. Where do i actually
    give this? In sql server or AD? Which object does it need to query? The excel database in sql server. If it is so, then the permission needs to be granted on sql .
    Also this link http://social.msdn.microsoft.com/Forums/en-US/99a3cf4f-dabc-4ac9-9ea8-afa677199ffa/kerberos-and-excel-services?forum=sharepointgeneralprevious
    Microsoft solution described here is weired. I don't think sql server has c2wts or excel service application started on it. And from drop down list that is i don't know what is the solution talking of.
    Does any one have any idea if i am missing any delegation or any step?
    sachin

    Any idea??
    sachin

  • Creating OD Replica: Unable to locate kerberos services for localhost

    Hello,
    I'm trying to setup a new OS X Server to become an OD Replica for my other OS X Server that is acting as an OD Master in an Active Directory Magic Triangle configuration. Both Macs are running the same build of 10.8.2 (12C3104). Here is the log from slapconfig from the Mac I'm trying to set as the replica:
    2012-12-17 00:41:11 +0000 slapconfig -createreplica
    2012-12-17 00:41:18 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/ldap://172.20.9.40 -p
    2012-12-17 00:41:19 +0000 int _populateLDAPService(): Unable to locate kerberos services for localhost: 0 (null)
    2012-12-17 00:41:19 +0000 Populating LDAP kerberos service in local node's localhost computer record failed.  Replication and rootDSE may not behave as expected.
    2012-12-17 00:41:19 +0000 Error retrieving kerberos realm
    2012-12-17 00:41:19 +0000 CopyReplicaArray: ldap_search_ext_s failed
    2012-12-17 00:41:19 +0000 Error retrieving replica array
    2012-12-17 00:41:19 +0000 Deleting Cert Authority related data
    2012-12-17 00:41:19 +0000 No intCAIdentity, not removing int CA from keychain
    2012-12-17 00:41:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd.plist
    2012-12-17 00:41:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertd-helper.plist
    2012-12-17 00:41:19 +0000 command: /bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.xscertadmin.plist
    2012-12-17 00:41:19 +0000 void _destroyLDAPServer(const char *): Failed to find computer record named usvtamtln103.lostarrow.com$: 0 (null)
    2012-12-17 00:41:19 +0000 Updating ldapreplicas on primary master
    2012-12-17 00:41:19 +0000 CopyPrimaryMaster: CopyLdapReplicas failed
    2012-12-17 00:41:19 +0000 Unable to locate primary master
    2012-12-17 00:41:19 +0000 Primary master node is nil!
    2012-12-17 00:41:19 +0000 Unable to locate ldapreplicas record: 0 (null)
    2012-12-17 00:41:19 +0000 Error setting read ldap replicas array: 0 (null)
    2012-12-17 00:41:19 +0000 Error setting write ldap replicas array: 0 (null)
    2012-12-17 00:41:19 +0000 ODRecord *_getODRecord(ODNode *, NSString *, NSString *, NSArray *): ODNodeRef parameter error
    2012-12-17 00:41:19 +0000 int _removeReplicaFromConfigRecord(ODNode *, NSString *): ODRecord not found
    2012-12-17 00:41:19 +0000 Error synchronizing ldapreplicas: 0 (null)
    2012-12-17 00:41:19 +0000 Removing self from the database
    2012-12-17 00:41:19 +0000 Stopping LDAP server (slapd)
    2012-12-17 00:41:19 +0000 Stopping password server
    2012-12-17 00:41:19 +0000 cleanKeytab: unable to retrieve default realm
    2012-12-17 00:41:19 +0000 Stopping password server
    2012-12-17 00:41:19 +0000 Removed file at path /Library/Preferences/com.apple.openldap.plist.
    The only thing I can derive from this is that the issue is related to kerberos. Any suggestions?

    SSH is enabled for all users on both Macs. Manually added diradmin aswell just to make me feel better.
    Additionally, here's what I get when I try running preflight on either Mac:
    usvtamtln101:~ sadmin$ sudo /usr/sbin/slapconfig -preflightreplica 172.20.9.40 diradmin
    Password:
    172.20.9.40's Password:
    2012-12-17 19:34:33 +0000 NSMutableDictionary *_getRootDSE(const char *): rootDSE not found
    2012-12-17 19:34:33 +0000 Error: Unable to determine the master's software version.
    After seeing this, I tried unbinding both Macs from Active Directory, restarting and then trying again. Same thing...

  • Default credentials type for logging in win7 x64

    Hello!
    Though there are similar threads about default credentials, I haven't found an answer to my question.
    We can log on to our (company's) computers using username + password, or using the
    smartcard + PIN. We ought to use smartcard for other stuff too, so it would be better for me to use smartcard for logging in. I can do that by selecting
    other credentials in the welcome screen. But my first choice is always
    username + pass. How can I change it that it gives me default choice to use
    smartcard?
    (on win xp when i would insert smartcard it would automaticly change and I would enter PIN, but in win7 when I enter smartcard nothing happens, I still have to manually change credentials, and then eneter PIN).
    So, is there a way for me to make smartcard + PIN the deafult credential choice for logging in?
    Thank you!

    Hi,
    Based on knowledge, system can detect a smart card in the reader automatically and prompt you to logon by smart card and to input the PIN code. Please make smartcard service is set to “Automatic”.
    Also please refer to
    http://harun.se/blog/?p=92
    Andy Altmann
    TechNet Community Support

  • Default GL account (cost element) for external service contracts

    Hi everybody,
    question about GL being defaulted from contract for external services
    The requirement is to have GL (cost element) being defined per service sub item defaulting to work order. Account assignment is unknown,  because the costs might be settled later to cost center or AFE or else.
    You could default cost element either through material group (which doesn't enable cost element to contract) or with account assignment category 'K' or 'F'  which do not suit, cause the former requires cost center, that is unknown yet, whereas the latter requires assignment to order which doesn't make sense at all.  Theoretically, it could be done with acc assignment cat 'U' , but cost element is not enabled with that category..
    I was assuming that cost center which you are required to enter along with cost element while creating service sub item referring to some sort of internal accounting. The system also requires service sub item acc assignment category being aligned with requisition (which is 'F') and would in fact create PR referrencing actual work order number. But still, doesn't it make sense having contract referencing another order.. Also, we don't use default values for PM ext operation data.
    So, the question is how to accomplish the requirement with Unknown assignment category? what is the point of defining cost center in the contract in given circumstances? Is there any work around exists?
    Thanks in advance
    Sergey

    Hi,
    Try this: IMG -> Plant Maintenance and Customer Service -> Maintenance and Service Processing -> Maintenance and Service Orders -> Functions and Settings for Order Types -> Create Default Value Profiles for External Procurement.
    After that assign it to order type: Default Values for Task List Data and Profile Assignments.
    Regards,
    Rogério Reis

  • Default values for service provider in transaction TRIP

    Hello Gurus...
    We are implementing travel management and I have a problem... here's the scenario
    Tha gl account that should be used for a specific trip recepit depends on the following:
    The expense type
    The company specific type of trip
    The Employee grouping for Travel Management
    What we have done so far is :
    create a service provider for every combination of trip_type/employee_grouping
    create entries in V_T706B4 for every valid combination of expense_type/service_provider
    configure transfer to accounting
    With this configuration the gl account is determined correctly. However this way of solving the situation means that the user must enter the service provider for every recepit entered in the expense report. Given that in our particular scenario the service provider depends on data that has been already entered (type of trip) or that "the system should know" (employee grouping), users are not happy about having to enter the service provider.
    ¿Is there a way to assign default values to the service provider, and would it be possible to code/configure somewhere how to set those default values? I tried doing it through the trip schema, but apparently it is not possible to set a default service provider that way. I also tried setting the values in the user exit (b4 assigning trip number) but this doesn't work since the user exit is called after the standard validation. I also tried implementing subroutine USER_EVAL_RECEIPT, but this doesn't seem to work in transaction TRIP.
    Thanks in advance for any help you may provide!
    Juan Ramon

    Hello AP.
    Thogh your suggestion is helpful (I might use profile parameters somewhere else) thre is no parameter for the field I need. In any case It wouldn't have solved the issue completely, since the default value I need depends on both the employee(user) and the type of trip that's selected.

  • MM-PUR default scales for condition types for service (ME31K

    Hi,
    We have faced the following problem:
    The business case was, to have default scales for certain condition types for a service for a purchasing contract.
    We didn't find it in SAP, so we wrote an OSS. SAP answered that it's not possible now, nor in the future.
    So we decided to look around in SAP, and found out that it was half possible.
    I've abused the exit USEREXIT_XKOMV_BEWERTEN_INIT of program RV61AFZB.
    In this exit I provide the internal table staffel for program SAPMV13A with the correct information (via ASSIGN ('(SAPMV13A)STAFFEL[]') to <staffel>.)
    In this way, if a user adds a service, this exit will get reached and the scales are filled. If the user then clicks on conditions and then double clicks the condition type with the scales, all the default scales are shown to the user. If you then click on save, the next screen is the service screen, if you then click on save again, all the date is stored in the database. (bit of a work around, but this works)
    However, I can't figure out how to save the scales data, when you only add a service and then push the save button without viewing the conditions. Quite logically actually because I'm skipping two whole screens with pbo and pai modules, in these modules internal converting takes place.
    Has anyone encountered this problem before and how did you solve it then ?
    Alternatively what is the SAP standard way to add pricing condition scales on condition types of a service of a purchasing contract? As you know there is no BAPI yet to change/create a purchasing contract.
    I was thinking, to add the scales by updating the tables directly via ABAP, I know that's not a clean way to do it, although it isn't too risky.
    Kind regards, Rob Dielemans

    Dear Rob,
    Is this solution properly working for you?
    I think my problem is similar: purchasing outline agreement (contract) refuses to apply relevant scale prices in the item line. Always uses the first price - without considering order quantity depencies.
    Regards,
    Tamás
    Edited by: Tamas Szabo on Mar 31, 2009 3:50 PM

  • RC0: RS Installation Problem - The credentials you provided for Reporting Services service are invalid. To continue ...

    Hi
    When installing 2008 RC0 I get the following error message:
    "The credentials you provided for Reporting Services service are invalid. To continue, provide a valid account and password for the Reporting Services service.
    Error code: 0x84B40000"
    During the installation process it never prompted for the credentials to be used for the Reporting Services service (i.e. the Reporting Services service did not appear under the "Service Accounts" tab during the Server Configuration stage of the installation. The other services did appear). In the "Ready to Install" stage the Account under Reporting Services, Service Configuration is given as "udefined". Everything else installed without a problem.
    Any help would be appreciated.
    Thanks.
    Egmont

    I had a same and similar issue.
    I finish the installation by providing SQL Agnt and SQL Service by NT AUTHORITY\NETWORK SERVICE and blank password. Once complete the installation I changed the Service Account by services.msc to SQL SA account.
    Reason: Service account is not granted for Log on as Service.
    Solution: Grant the SA to Log on as Service.
    Abu
    Bad Idea When you first install Microsoft SQL Server to run under a Microsoft Windows NT account, SQL Server sets for that Windows NT account various Windows user rights and permissions on certain files, folders, and registry keys. If you later change the startup
    account for SQL Server (the MSSQLServer service) and the SQL Server Agent service by using SQL Server Enterprise Manager (SEM) or SQL Server Configuration Manager (SSCM), SEM automatically assigns all the required permissions and Windows user rights to the
    new startup account for you so that you do not have to do anything else. We recommend that you use this is the approach to change the service account.
    http://support.microsoft.com/kb/283811

  • Is there any way we can set default value for a Date Attribute to current date in Master Data Services

    Is there any way we can set default value for a Date Attribute to current date in Master Data Services.
    I as well wants to know that is there any posibility to show Calendar control while input data into respective date attributes.
    Thanks.

    Hi Anagha,
    So far i havent found any way to set todays date by default from MMI, but i guess this flow should work as workaroud
    1. Add buisness rule which can set a default value when Date = NULL/Blank
    2.get the entity table ,use -select EntityTable from mdm.tblEntity where Name = '<enter entity name>'
    3.Go to that table and add a after update trigger like
    if uda_<entityid>_<attributeid(Date attribute)> = default value
    update uda_<entityid>_<attributeid(Date attribute)> =getdate() where id = <LastUpdatedRow>
    I will check on this too from my side.
    By the way AFAIK i dont think so calendar control integration is possible .

  • Wrong GL account defaulted for Unplanned services in Service Entry sheet.

    Dear Experts,
    We create a Service PR with Acct asst - K & Item Cat - D, for which we enter Cost center, Order No. & GL account. We maintain it as Unplanned Service with Value Limits. When we create A PO wrt the above PR the GL account is defaulted corretly in PO. But when i enter Service entry sheet for above PO for Unplanned Service . System defaults a different GL account automatically. That differs from the existing one in PR & PO. User posts it directly, since it is done wrt PO without checking. How can the defaults of wrong GL account be avoided for Unplanned Services?
    Thanks & regards
    Chandan

    Hi,
    In Service PO, if some one By mistake Put the wrong G/L but u can change the G/L while SES.
    Educate the SES person to note the proper G/L or assign a release streatgy for SES with give final release authority should check the proper G/l or cost center.
    We have this solution as SAP is not able to reply on this front
    Regards,
    Pardeep Malik

  • Apparently the default country for an account is US. I want it changed to Netherlands without having to call customer service. In need of assistance please.

    Hi,
    Apparently the default country for an account is US. I want it changed to Netherlands without having to call customer service. In need of assistance please, is there someone from Adobe on this forum who can help me? Or does someone know an email address?
    thanks!
    Arjan de Jong

    Change/Verify Account https://forums.adobe.com/thread/1465499 may help
    -http://helpx.adobe.com/x-productkb/policy-pricing/change-country-associated-with-adobe-id. html

Maybe you are looking for

  • Handling multiple calendar sources

    How do I manage multiple calendars on the iPhone? I have an exchange server, caldav server, and the local calendar items. On my iPad there is a calendars button and I can tick on and off specific calendars and see their sources, just like iCal on the

  • Adding History list and saved reports to info view toolbar

    Hello All, We want to write a new u201CJSPu201D program to display a new info view toolbar with an option to view saved reports and another option to view history list of reports  . Is it possible to use Bobj java api and add this functionality to al

  • Newbie in regex... pb with pattern

    Hello, I want to identify each occurence of -> <tr bgcolor="#f7f7f7"> <- in a html code source, this string could be written like this -> <td class="t2" bgcolor="#f7f7f7"> <-... I try the fallowing java code to parse it : Pattern p=Pattern.compile("<

  • Imbed Dynamic Content?

    I am new to RoboHelp (using ver 7) and just went through the excellent "Essentials of Adobe Robohelp 7 HTML". I have been tasked with something I did not find in the book...embedding dynamic content. In other words, can the Help output use an externa

  • Oracle Path

    Hello: I have installed Oracle 11g in my personal laptop. I now want to access oracle objects in that database using SAS, which is also installed in my same personal laptop. Should I give the path as Orcl? thanks, AP