Do I need krb5.ini?

Hi,
I'm writing an SSO for a web app that should be accessed using a browser as the client side, using the SPNEGO way.
- The app is running on my machine and is registered in AD as an SPN. I used KTPASS to create a keytab and mapped the SPN to the user I log on with on my machine.
- My machine is a host in a large Windows DC, and Kerberos is configured on that DC.
1 - Must the password used to create the keytab file be the same as the password of the user?
2 - Do I need krb5.ini on my machine? If not, where is it needed? Because I'm getting this failure the whole time:
principal's key obtained from the keytab
Acquire TGT using AS Exchange
          [Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
Time is synchronized, and I use JDK 1.6.0_05, where pre-authentication should be supported.
When I use useTicketCache it works, and I get the TGT and so on.

Hi wangwj,
It was exactly what you said, and it works now. But I still need your help understanding this:
http://forums.sun.com/thread.jspa?threadID=5317227&tstart=0
since I couldn't find a good explanation or whitepaper handling it.
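An added example, written for this page rather than taken from the thread or from any of its posters, of the acceptor side of what the question describes: a Krb5LoginModule entry that takes the service key from the keytab instead of a password, followed by a GSS-API accept of the SPNEGO token a browser sends in its Authorization: Negotiate header. The SPN HTTP/app.example.com@EXAMPLE.COM, the keytab path, the header value and Java 8 or later (for java.util.Base64) are assumptions. Realm and KDC still have to come from somewhere the JVM can find them: krb5.ini (or the java.security.krb5.realm and java.security.krb5.kdc system properties) on the machine that runs this code. The entry leaves isInitiator at its default of true, so login() performs the AS exchange seen in the debug output above; a keytab whose key does not match the account's current password (or its kvno) fails right there with KDC error 24 instead of failing later inside acceptSecContext. The header decoder also rejects the raw NTLM message a browser sends under the same "Negotiate" label when it could not get a Kerberos service ticket, which Krb5LoginModule can never accept.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Keytab-based SPNEGO acceptor (added example; SPN, keytab path and header value are assumed). */
public class SpnegoAcceptor {
    // Assumed SPN and keytab location: replace with the values registered with ktpass.
    static final String SERVICE_PRINCIPAL = "HTTP/app.example.com@EXAMPLE.COM";
    static final String KEYTAB_PATH = "C:/sso/app.keytab";
    static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // GSS-API mechanism OID for SPNEGO

    /**
     * Equivalent of a login.conf entry such as
     *   SpnegoAcceptor { com.sun.security.auth.module.Krb5LoginModule required
     *     useKeyTab=true keyTab="C:/sso/app.keytab" principal="HTTP/app.example.com@EXAMPLE.COM"
     *     storeKey=true doNotPrompt=true; };
     * expressed programmatically so the example does not depend on java.security.auth.login.config.
     */
    static Configuration keytabConfig() {
        final Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");    // key comes from the keytab, not from a password callback
        opts.put("keyTab", KEYTAB_PATH);
        opts.put("principal", SERVICE_PRINCIPAL);
        opts.put("storeKey", "true");     // keep the long-term key in the Subject for acceptSecContext
        opts.put("doNotPrompt", "true");  // never fall back to asking for a password
        // isInitiator stays at its default (true): login() then does the AS exchange, so a stale
        // keytab (old password, wrong salt or enctype, old kvno) fails fast with KDC error 24.
        opts.put("debug", "true");
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Decodes "Authorization: Negotiate <base64>" and rejects tokens that are not SPNEGO/Kerberos. */
    static byte[] decodeNegotiateHeader(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            throw new IllegalArgumentException("no Negotiate token in Authorization header");
        }
        byte[] token = Base64.getDecoder().decode(authorization.substring(10).trim());
        // A browser that could not obtain a service ticket falls back to NTLM but still labels the
        // header "Negotiate"; the raw NTLM message begins with "NTLMSSP\0".
        if (token.length >= 8 && token[7] == 0
                && new String(token, 0, 7, StandardCharsets.US_ASCII).equals("NTLMSSP")) {
            throw new IllegalArgumentException(
                    "client sent NTLM, not Kerberos: check the SPN, the DNS name used and the browser zone");
        }
        // A GSS-API initial context token is DER [APPLICATION 0], i.e. first byte 0x60.
        if (token.length == 0 || (token[0] & 0xFF) != 0x60) {
            throw new IllegalArgumentException("not a GSS-API initial context token");
        }
        return token;
    }

    /** Accepts the token with the keytab credential and returns the authenticated client principal. */
    static String authenticate(final byte[] token) throws Exception {
        LoginContext lc = new LoginContext("SpnegoAcceptor", null, null, keytabConfig());
        lc.login(); // reads the key from the keytab; with isInitiator=true also obtains the service's TGT
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                // A null name selects the Kerberos principal Krb5LoginModule stored in the Subject.
                GSSCredential serverCred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                        new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(serverCred);
                byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                // With the Kerberos mechanism inside SPNEGO one accept establishes the context; the
                // reply token, if any, goes back as "WWW-Authenticate: Negotiate <base64>" (mutual auth).
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0,
                            "context not established after one round; reply bytes: " + (reply == null ? 0 : reply.length));
                }
                String client = ctx.getSrcName().toString(); // e.g. alice@EXAMPLE.COM
                ctx.dispose();
                return client;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // args[0]: the Authorization header value captured from a request, e.g. "Negotiate YIIC..."
        byte[] token = decodeNegotiateHeader(args.length > 0 ? args[0] : "");
        System.out.println("authenticated as " + authenticate(token));
    }
}
```

The authenticated name comes from the ticket, not from anything the browser typed, which is the property a SPNEGO SSO is supposed to give; the application should map that principal to its own user record rather than trusting any other header.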

Similar Messages

  • Need cntrller.ini for PXI Chassis

    I need to configure an RT for use with my VXI system. My VXI embedded controller seems to be missing this file. Any help?

    Hi NANOBOU,
    I'm not 100% clear on what you are doing when it asks for that file.  Do you have any hardware installed in the PXI-1036?  If so, what is it?  It's possible that getting the latest drivers will update MAX and possibly fix the problem.
    In the meantime, please check out our MXI Troubleshooting guide.  Some of these hints might help:
    http://digital.ni.com/public.nsf/allkb/484f81e6570ad803862569ed007aaa41
    http://digital.ni.com/public.nsf/websearch/61B9E985DC3025BD862569EB00718360?OpenDocument
    Thanks,
    mike

  • Can't start Firefox, XULRunner reports Error: App:Name not specified in application.ini

    application.ini contents:
    2 17583/20136 22 2010.09.08 23:55:35 \Device\HarddiskVolume6\yenc\Xnews.ini
    1 2217/2217 1 2010.09.08 23:25:04 \Device\HarddiskVolume1\Documents and Settings\evo\Mina dokument\Hämtade filer\emule049c.exe
    1 3525/3525 1 2010.09.08 23:25:04 \Device\HarddiskVolume1\Documents and Settings\evo\Mina dokument\Hämtade filer\install_flash_player.exe
    2 105/985 10 2010.09.08 23:14:53 \Device\HarddiskVolume1\WINDOWS\NeroDigital.ini
    1 3599/4099 1 2010.09.08 23:04:43 \Device\HarddiskVolume1\WINDOWS\Temp\AskBarDis\upgrade\UpgradeData.xml
    1 3282/23225 6 2010.09.08 23:04:43 \Device\HarddiskVolume1\Documents and Settings\evo\Application Data\Mozilla\Firefox\Profiles\wu5lq6am.default\sessionstore-3.js
    1 3758/3758 1 2010.09.08 22:54:32 \Device\HarddiskVolume1\Documents and Settings\evo\Mina dokument\Hämtade filer\FoxitReader.exe
    1 2057/2721 1 2010.09.08 22:34:12 \Device\HarddiskVolume1\Documents and Settings\evo\Skrivbord\WinUHA 2.0 RC1 (2005.02.27).exe
    1 7384/12265 2 2010.09.08 22:34:12 \Device\HarddiskVolume1\Program\Mozilla Thunderbird\thunderbird.ex

    Hi guys, I have a SOLUTION for that. I perhaps could not attach my file here, but let me still tell you the solution.
    You need the "Application.ini" file from any other PC that has Mozilla on it. There is no complex information in this file, though. I will paste the code of that file here so you can copy it to your file as it is.
    After doing this, if you get a different error prompting a version error, then open this "Application.ini" file again where you just copied the code, and change the version (you will find the version text on the second line at the end) to the appropriate one according to the error alert you encountered before.
    That's it.
    Application.ini file code is below
    (the whole code must come in three lines; I can see line-break special characters in a special rectangular format)
    ; ***** BEGIN LICENSE BLOCK *****
    ; Version: MPL 1.1/GPL 2.0/LGPL 2.1
    ; The contents of this file are subject to the Mozilla Public License Version
    ; 1.1 (the "License"); you may not use this file except in compliance with
    ; the License. You may obtain a copy of the License at
    ; http://www.mozilla.org/MPL/
    ; Software distributed under the License is distributed on an "AS IS" basis,
    ; WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
    ; for the specific language governing rights and limitations under the
    ; License.
    ; The Original Code is Mozilla Firefox.
    ; The Initial Developer of the Original Code is
    ; Benjamin Smedberg <[email protected]>.
    ; Portions created by the Initial Developer are Copyright (C) 2006
    ; the Mozilla Foundation <http://www.mozilla.org/>. All Rights Reserved.
    ; Contributor(s):
    ; Alternatively, the contents of this file may be used under the terms of
    ; either the GNU General Public License Version 2 or later (the "GPL"), or
    ; the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
    ; in which case the provisions of the GPL or the LGPL are applicable instead
    ; of those above. If you wish to allow use of your version of this file only
    ; under the terms of either the GPL or the LGPL, and not to allow others to
    ; use your version of this file under the terms of the MPL, indicate your
    ; decision by deleting the provisions above and replace them with the notice
    ; and other provisions required by the GPL or the LGPL. If you do not delete
    ; the provisions above, a recipient may use your version of this file under
    ; the terms of any one of the MPL, the GPL or the LGPL.
    ; ***** END LICENSE BLOCK *****
    [App]
    Vendor=Mozilla
    Name=Firefox
    Version=3.5.11
    BuildID=20100701023340
    SourceRepository=http://hg.mozilla.org/releases/mozilla-1.9.1
    SourceStamp=56248d52ac25
    Copyright=Copyright (c) 1998 - 2010 mozilla.org
    ID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}
    [Gecko]
    MinVersion=1.9.1.12
    MaxVersion=1.9.1.12
    [XRE]
    EnableProfileMigrator=1
    EnableExtensionManager=1
    [Crash Reporter]
    Enabled=1
    ServerURL=https://crash-reports.mozilla.com/submit

  • Linker error: can't open "ini.lib"

    Hi,
    I've just installed the evaluation copy of the Measurement Studio Tools for Visual C++, and whenever I try to run an example or a program that I create I get a linker error referencing ini.lib. I can find ini.lib in 2 folders, both descending from VXIpnp, but I've also called the hotline and I was told I need the INI driver. Doesn't that come with the evaluation CD, or do I need to manually download it from your website and then install it myself?
    Alex

    You need to add the path of the ini.lib to the VC++ environment. The installer should have done this for you, but it must not have. Go to Tools->Options and under the directories tab, add a Library files entry that points to the ini.lib directory.
    Best Regards,
    Chris Matthews
    Measurement Studio Support Manager

  • SSO not working when launching the InfoView application

    We are so close to implementing SSO for BO Edge 3.0 using AD and Kerberos. We can log on to InfoView and CMC using AD authentication and it works fine. When turning on SSO:
        <context-param>
            <param-name>sso.enabled</param-name>
            <param-value>true</param-value>
        </context-param>
    in the InfoViewApp web.xml, it fails with an error message in the Tomcat stdout.log:
    Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
              [Krb5LoginModule] user entered username: @MYCOMPANY.COM
    User name is missing.
    When done through the application logon screen and able to log on, it is
    Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
              [Krb5LoginModule] user entered username: dennis@MYCOMPANY.COM
    The username appears in the log file, followed by the debug message for the Kerberos key being created.
    I am so close, does anyone have an idea?

    Hi Tim,
    The Vintela SSO document for BOE XI 3.1 is very comprehensive, but it has not resolved my issue.
    Under the NTLM option, SSO works great with .NET InfoView as long as I have the web site authentication set to Windows Authentication and ASP.NET authentication enabled. Once ASP.NET is disabled, SSO does not work.
    When using the Kerberos option, .NET InfoView SSO does not work due to the error 'propagating the security context between the security server and the client'.
    The Java InfoView SSO does not work either, but I can enter my user credentials and log on fine.
    stdout error:
    Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
              [Krb5LoginModule] user entered username: @OR.PROVIDENCE.ORG
    Acquire TGT using AS Exchange
              [Krb5LoginModule] authentication failed
    Generic error (description in e-text) (60)
    No user name is being passed. I've been through a multitude of documents and forums ensuring the settings are correct, and I believe they are, including no duplicate SPNs.
    The only issue on the server is that I cannot open the Tomcat configuration app, due to it not being able to start the service BOE120Tomcat. I was able to update the registry with the info for the bsclogin.config and krb5.ini. I was not able to find anything on getting that service started.
    Any ideas? Need more info? I have a bunch.
    Thanks and have fun,
    Phil

  • SSO with AD to DB

    Hi Tim,
    I have a question regarding SSO to the database (MSSQL).
    I read most of the posts here but found no solution. I configured SSO to InfoView from your white paper, and this works with no problem.
    To enable SSO to the database:
    - in CMC => "Cache security context (required for SSO to database)" is enabled
    - in krb5.ini => "forwardable = true" is entered
    - we created the SPN => MSSQLSvc/MSCompName.domain.com:1434 BOXISSO (boxisso is the "Kerberos user")
    - in Designer => "use SSO when refreshing reports at view time"
    In InfoView I get the error "Login failed for user NT AUTHORITY/ANONYMOUS LOGON..."
    On the database, are users authenticated as the user boxisso or with their AD names? (What privileges are needed on the MSSQL side?)
    Thank you for your reply!
    Regards,
    Gregor

    Is the SIA running under a delegated service account (delegation to any service enabled)? Is the SQL DB integrated with AD and enabled for Kerberos? You should verify the latter with Microsoft.
    Also try enabling this on the servers (reporting and SQL) http://support.microsoft.com/kb/262177
    Regards,
    Tim

  • I'm trying to use kerberos V5 with ActiveDirectory but get an error

    I'm trying to use Kerberos V5 with Active Directory. I'm using simple code from previous posts, but
    when I try with the correct username/password I get:
    Authentication attempt failedjavax.security.auth.login.LoginException: Message stream modified (41)
    When I try an incorrect username/password I get:
    Pre-authentication information was invalid (24)
    Debug info is:
    Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Kerberos username [naiden]: naiden
    Kerberos password for naiden:      naiden
              [Krb5LoginModule] user entered username: naiden
    Acquire TGT using AS Exchange
              [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication attempt failedjavax.security.auth.login.LoginException:
    Java code is:
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.util.Hashtable;

    /**
     * Demonstrates how to create an initial context to an LDAP server
     * using "GSSAPI" SASL authentication (Kerberos v5).
     * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
     * compliant implementation of J-GSS and a Kerberos v5 implementation.
     * Jaas.conf
     * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
     * 'qop' is a comma separated list of tokens, each of which is one of
     * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
     */
    class KerberosExample {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }

    /**
     * 3. Perform LDAP Action
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("Administrator");

        public LDAPAction(String[] origArgs) {
            this.args = (String[]) origArgs.clone();
        }

        public Object run() {
            performLDAPOperation(args);
            return null;
        }

        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389/DC=isy,DC=local");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",CN=Users,DC=isy,DC=local");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    JAAS conf file is:
    ISY {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true;
    };
    krb5.ini file is:
    # Kerberos 5 Configuration File
    # All available options are specified in the Kerberos System Administrator's Guide.  Very
    # few are used here.
    # Determines which Kerberos realm a machine should be in, given its domain name.  This is
    # especially important when obtaining AFS tokens - in afsdcell.ini in the Windows directory
    # there should be an entry for your AFS cell name, followed by a list of IP addresses, and,
    # after a # symbol, the name of the server corresponding to each IP address.
    [libdefaults]
        default_realm = ISY
    [domain_realm]
        .isy.local = ISY
        isy.local = ISY
    # Specifies all the server information for each realm.
    #[realms]
        ISY = {
            kdc = 192.168.0.101
            admin_server = 192.168.0.101
            default_domain = ISY
        }

    Now it works.
    I will try to explain how I did this:
    step 1)
    Follow this guide http://www.cit.cornell.edu/computer/system/win2000/kerberos/
    and configure AD to use Kerberos and to have a Kerberos REALM.
    step 2) Try a Windows login to the new realm to be sure that it works. Add a trusted realm if needed.
    step 3) Create a jaas.conf file, for example in C:\
    It looks like this:
    ISY {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true;
    };
    step 4)
    (Don't forget to make the mappings which are explained in step 1.) Go to Active Directory Users, make sure from View to check Advanced Features, right-click on the user, go to Mappings, and in the second tab (Kerberos mapping) add USERNAME@KERBEROSREALM, for example [email protected]
    step 5)
    Copy+paste this code and HIT RUN :)
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;

    public class Main {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY.LOCAL");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }

    /**
     * 3. Perform LDAP Action
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("Administrator");

        public LDAPAction(String[] origArgs) {
            this.args = origArgs.clone();
        }

        public Object run() {
            performLDAPOperation(args);
            return null;
        }

        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                // Create the search controls
                SearchControls searchCtls = new SearchControls();
                // Specify the attributes to return
                String returnedAtts[] = {"sn", "givenName", "mail"};
                searchCtls.setReturningAttributes(returnedAtts);
                // Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Specify the LDAP search filter
                String searchFilter = "(&(objectClass=user)(mail=*))";
                // Specify the base for the search
                String searchBase = "DC=isy,DC=local";
                // Initialize counter to total the results
                int totalResults = 0;
                // Search for objects using the filter
                NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                // Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult) answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print out some of the attributes, catch the exception if the attributes have no values
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println("   surname: " + attrs.get("sn").get());
                            System.out.println("   firstname: " + attrs.get("givenName").get());
                            System.out.println("   mail: " + attrs.get("mail").get());
                        } catch (NullPointerException e) {
                            System.err.println("Error listing attributes: " + e);
                        }
                    }
                }
                System.out.println("RABOTIII");
                System.out.println("Total results: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    It will ask for username and password.
    Type, for example: [email protected] for username
    and password: TheSecretPassword
    where ISY.LOCAL is the name of the Kerberos realm.
    P.S. It is not a good idea to use Administrator as login :)
    Edited by: JOKe on Sep 14, 2007 2:23 PM

  • Please help with my crystal reports server 2008 trial setup

    Firstly, if this is in the wrong section, feel free to move it. I find this forum is too big to find the information I need; in fact, trying to find anything I need on this website is almost impossible. So far not impressed with SAP at all! We download a trial, and when we have problems nobody can support us and we have to post in the forums for answers, which I find disgraceful, to be honest. So this post is my last attempt at finding the answers to my problems, or we are going to forget Crystal Reports Server for good! I was also told that if I wanted help setting this up then I would have to pay; that's not how things usually go when we download a trial of any software!
    Anyway, rant over!!
    Right, we have Windows Server 2008 and have installed Crystal Reports Server 2008. So far all I have managed to get working is the reports themselves, which run and schedule fine. The dashboard and business views are so confusing I just don't get it at all; the manuals don't help either, because they are rubbish, basically. But my first problem is trying to get Windows AD authentication working! Easier said than done. I have spent 4 days trying to get it working, but nothing is happening. This is what I have done so far:
    Set up all the options in the CMC to enable AD authentication, mapped a few groups, one of which I am a member of.
    Then I set up the krb5.ini file like below (removed my server name and domain name):
    [libdefaults]
        default_realm = DOMAIN.CO.UK
        dns_lookup_kdc = true
        dns_lookup_realm = true
        udp_preference_limit = 1
    [realms]
    DOMAIN.CO.UK = {
        kdc = DC.CO.UK
        default_domain = DOMAIN.CO.UK
    }
    I also have that other file, bscLogin, which looks like this...
    com.businessobjects.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
    };
    The Server Intelligence Agent has been set to use the same username as I specified in the CMC, which is also the service principal name and the administration name.
    I have set the web config file to use SecWINAD as default; I have also set it to give the option of Enterprise, Windows AD etc. in a drop-down list.
    I have gone round in circles for days following the instructions, and nothing is happening.
    Also, I don't see any usernames within the groups I have mapped. Am I supposed to see any? Am I supposed to add them manually? If so, what's the point in that?
    So now every time I try to log in I get this error message:
    Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are a member of a valid mapped group and try again. If you are not a member of the default domain, enter your user name as UserName@DNS_DomainName, and then try again. (FWM 00006)
    There is also another error message I get, which isn't coming up right now, but it says something along the lines of "could not authenticate at this time" (FWM 00005).
    I fail to see what I'm doing wrong. I should also point out that the username I am using for everything is our own network admin password!
    Any ideas on things to check before we give up on this altogether?

    Hi Roberto,
    With the changes when SAP took over BusinessObjects, the support packaging also changed. It's the way it is now, but we are moving to it and giving as many options as we can. SAP works on the self-serve practice: the info is available, but you have to find it, which is another thing we are working on to improve for BOE/CRS.
    The best place to start is the CMS link off the Start menu. You'll find the Admin Guide and Setup/Configuration Guides. You can also find all of the latest info and updates to those guides from help.sap.com; then click on the SAP BusinessObjects tab along the top, and then on the left click on All Products and filter on your version.
    Once the firewalls and domains are configured, your CRS server is added to the trusted domains, and the ports are opened to allow CRS to talk to the DNS server, CRS will begin to load all of the users into its user mappings. You still have to add each user or group of users, but they will be available. The documents do describe how to....
    Once you have the Admin Guide search on Security and it explains in details how to set up and which ports need to be opened etc.
    Thank you
    Don

  • Windows Native Authentication with 2 (multiple) AD domains

    I have managed to get Windows Native Authentication for Oracle Application Server 10g (9.0.4) on Windows working. The following has been done and works in a test environment:
    Phase 1) Active Directory (AD) to Oracle Internet Directory (OID) Synchronization
    Phase 2) Configure a Kerberos Service Account for the Single Sign-on
    Currently all the above setup points to a single Windows Active Directory server, i.e. active1.uk.oacle.com. This is acceptable for a test environment, but before the changes can be deployed to production I need to incorporate some disaster recovery.
    The Active Directory is replicated across multiple servers, i.e. active1.uk.oacle.com, active2.uk.oacle.com. In the event that the primary Active Directory server is unavailable, Oracle users should still be able to access applications. I need to incorporate active2.uk.oacle.com into the above setup.
    Questions:
    1) Can I get away with not incorporating active2.uk.oacle.com into phase 1? If the users have been pulled into OID then we are not particularly concerned with pulling in new users in a disaster situation.
    2) Can I configure the Oracle side of the Kerberos setup to use multiple realms with an order of precedence, i.e. try active1.uk.oacle.com, then try active2.uk.oacle.com? I would generate a keytab file from each server.
    Ideally I would like to just modify the Kerberos setup to check active1.uk.oacle.com, then active2.uk.oacle.com. Is this a workable approach? If yes, how do I proceed? I believe the krb5.ini and opmn.xml need to be amended.
    Thanks

    Does anyone have any ideas on how to do this????

  • Manual Tomcat Active Directory (AD) Authentication with multiple domains

    Hi,
    We have successfully implemented manual AD authentication on our BO XI 3.1 environment using the Tomcat application server.
    Now we need to include another domain to be able to use AD authentication to BOE.
    What changes do we need to make to allow the additional domain to log in successfully?
    Thanks for any support.
    Thanks,
    J

    Hello,
    You need to modify the file krb5.ini by adding the second domain there.
    Have a look at note 1406795 (https://bosap-support.wdf.sap.corp/sap/support/notes/1406795).
    The users of that domain will have to log in by specifying that domain (user@domain).
    Regards,
    Philippe
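An added example, not taken from either thread, of the krb5.ini that answers both the failover question in the Oracle Application Server post above (two domain controllers serving one realm) and the second-domain question Philippe answers here. Realm names, host names and the parent/child relationship between the two domains are assumptions. The MIT-style configuration the JDK reads tries the kdc entries of a realm in the order listed, so the second domain controller is the disaster-recovery path and no second realm or second keytab is needed for that; a second AD domain, on the other hand, is a second realm, reached through the trust that must already exist between the domains in AD, and its DNS suffix has to be mapped in [domain_realm] so that service names resolve to the right realm.

```ini
# krb5.ini (added example; realm and host names are assumed)
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    # Names without a realm go to default_realm; users of the second domain
    # therefore log in as user@SUB.CORP.EXAMPLE.COM, as the reply above says.
    # Explicit kdc lines are used below; set dns_lookup_kdc = true instead to
    # follow AD's _kerberos._tcp SRV records and drop the kdc lines.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # forwardable is needed only where the service has to delegate the user's
    # identity onward, e.g. the SSO-to-database case in the BusinessObjects thread.
    forwardable = true
    # AD tickets carry a PAC and exceed the UDP limit; go straight to TCP.
    udp_preference_limit = 1

[realms]
    # One realm, two domain controllers: tried in this order, so dc2 is the
    # path that remains when dc1 is down.
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        kdc = dc2.corp.example.com
        default_domain = corp.example.com
    }
    # The second AD domain is a second realm. Cross-realm tickets are issued
    # only if the AD trust between the two domains already exists.
    SUB.CORP.EXAMPLE.COM = {
        kdc = dc1.sub.corp.example.com
        kdc = dc2.sub.corp.example.com
        default_domain = sub.corp.example.com
    }

[domain_realm]
    # DNS suffix to realm. The most specific entry wins, so the child
    # domain must be listed as well or its hosts map to the parent realm.
    .sub.corp.example.com = SUB.CORP.EXAMPLE.COM
    sub.corp.example.com = SUB.CORP.EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
```

Keep only `#` comments on their own lines; the profile parsers used by the JDK and by MIT Kerberos do not reliably accept comments at the end of a value line.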

  • Help getting authentication=

    Greetings,
    I could use some help with getting Tomcat 5.5.12 to use Kerberos against Microsoft Active Directory.
    I have been using Ethereal to sniff the packets going back and forth from Tomcat, and I verified that with a normal server.xml entry (remove the authentication attribute keyword below) it uses 'simple' authentication (clear-text passwords).
    My original server.xml works just fine, but now I'm trying to take it to the next level, and I found documentation (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html)
    that specifies the following values:
    - EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external source (such as SSL/TLS or IPsec).
    - DIGEST-MD5 (RFC 2831) is for Digest Authentication.
    - GSSAPI (RFC 2222) is for Kerberos V5 authentication.
    I wish to use GSSAPI to talk with Active Directory, so I set up my server.xml with the following:
    <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="4"
         authentication="GSSAPI"
         connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
         connectionPassword="myPassword"
         connectionURL="ldap://10.16.0.xx:389"
         alternateURL="ldap://10.16.0.xx:389"
         userBase="OU= myou,DC=company,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
    />
    And now I get a different type of error from catalina.out:
    Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
            at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    .....
    At least GSSAPI is being recognized! My next step was talking with IT; they suggested a c:\winnt\krb5.ini with the following contents:
    [libdefaults]
    default_realm = COMPANY.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    [realms]
    COMPANY.COM = {
    kdc = addy.mycompany.com:88
    admin_server = addy.mycompany.com:88
    kpasswd_server = addy.mycompany.com:464
    default_domain = COMPANY.COM
    }
    And that I then execute:
    $ kinit DKlotz
    Password for [email protected]: mypassword
    New ticket is stored in cache file C:\Documents and Settings\DKlotz\krb5cc_dklotz
    But as you can see from the previous Tomcat error log, something is still missing. Do I need to move the cache file or run other commands so that the code within ldap.jar can use it?
    At this time Tomcat never tries connecting to the LDAP server, as it can't get out of the starting gate. I've got something wrong/missing from the Kerberos setup.
    Any help is greatly appreciated!!
    -Dennis Klotz

    Ok I've made progress, whether it is backwards or not, I don't know yet.
    I've added :
    -Djavax.security.auth.useSubjectCredsOnly=false
    To my Catalina options environment variable in Catalina.bat.
    Now I get the error:
    WARNING: Exception performing authentication
    java.lang.SecurityException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
         at java.lang.Class.newInstance0(Class.java:350)
         at java.lang.Class.newInstance(Class.java:303)
         at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
         at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
         at sun.security.jgss.LoginUtility.login(LoginUtility.java:72)
         at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Krb5Util.java:137)
         at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Krb5InitCredential.java:328)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:131)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1515)
         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:1601)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1004)
         at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
         at org.apache.catalina.core.StandardService.start(StandardService.java:450)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
    Caused by: java.io.IOException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206)
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:95)
         ... 56 moreAm I moving in the right direction?
    -Dennis

  • Help with GSSAPI Kerberos in tomcat JNDIRealm

    Greetings,
    I could use some help with getting tomcat 5.5.12 to use Kerberos against Microsoft Active Directory.
    I have been using Ethereal to sniff the packets going back and forth from tomcat and I verified that with a normal server.xml entry (remove the authentication attribute keyword below), it uses 'simple' authentication (clear text passwords).
    My original server.xml works just fine but now I'm trying to take it to the next level, and I found documentation (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html) that specifies the following values:
    - EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external source (such as SSL/TLS or IPsec).
    - DIGEST-MD5 (RFC 2831) is for Digest Authentication.
    - GSSAPI (RFC 2222) is for Kerberos V5 authentication.
    I wish to use GSSAPI to talk with Active Directory so I setup my server.xml with the following :
    <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="4"
         authentication="GSSAPI"
         connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
         connectionPassword="myPassword"
         connectionURL="ldap://10.16.0.xx:389"
         alternateURL="ldap://10.16.0.xx:389"
         userBase="OU= myou,DC=company,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
    />
    And now I get a different type of error from Catalina.out:
    Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
             at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
     .....
     At least the GSSAPI is being recognized! My next step was talking with IT; they suggested a c:\winnt\krb5.ini with the following contents:
    [libdefaults]
    default_realm = COMPANY.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    [realms]
    COMPANY.COM = {
    kdc = addy.mycompany.com:88
    admin_server = addy.mycompany.com:88
    kpasswd_server = addy.mycompany.com:464
    default_domain = COMPANY.COM
    }
    And that I then execute:
    $ kinit DKlotz
    Password for [email protected]: mypassword
    New ticket is stored in cache file C:\Documents and Settings\DKlotz\krb5cc_dklotz
    But as you can see from the previous tomcat error log, something is still missing. Do I need to move the cache file or run other commands so that the code within ldap.jar can use it?
    At this time tomcat never tries connecting to the LDAP server as it can't get out of the starting gate. I've got something wrong / missing from the Kerberos setup.
    Any help is greatly appreciated!!
    -Dennis Klotz

    Ok I've made progress, whether it is backwards or not, I don't know yet.
    I've added :
    -Djavax.security.auth.useSubjectCredsOnly=false
    To my Catalina options environment variable in Catalina.bat.
    Now I get the error:
    WARNING: Exception performing authentication
    java.lang.SecurityException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
         at java.lang.Class.newInstance0(Class.java:350)
         at java.lang.Class.newInstance(Class.java:303)
         at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
         at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
         at sun.security.jgss.LoginUtility.login(LoginUtility.java:72)
         at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Krb5Util.java:137)
         at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Krb5InitCredential.java:328)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:131)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1515)
         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:1601)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1004)
         at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
         at org.apache.catalina.core.StandardService.start(StandardService.java:450)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
    Caused by: java.io.IOException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206)
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:95)
          ... 56 more
     Am I moving in the right direction?
    -Dennis
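    The two errors in this thread come from the two steps a GSSAPI LDAP bind goes through: first a JAAS login that turns the Kerberos key into a TGT in a Subject, then a SASL GSSAPI bind that must run as that Subject. The program below is an added example, not Tomcat's JNDIRealm code; it does both steps from a keytab and supplies the JAAS entry programmatically, which is why it cannot hit "Unable to locate a login configuration". The realm EXAMPLE.COM, the principal svc-tomcat, the keytab and krb5.ini paths and the DC hostname are all assumed placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Kerberos (SASL GSSAPI) LDAP bind from a keytab: the two steps a JNDIRealm does internally. */
public class GssapiLdapBind {

    /** Same content as a login.conf entry, but supplied in code so no login.conf lookup happens. */
    static Configuration keytabConfig(final String principal, final String keytabPath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useKeyTab", "true");
                opts.put("keyTab", keytabPath);
                opts.put("principal", principal);
                opts.put("storeKey", "true");
                opts.put("isInitiator", "true");    // we need a TGT, not only the service key
                opts.put("doNotPrompt", "true");    // never fall back to an interactive password prompt
                opts.put("refreshKrb5Config", "true");
                opts.put("debug", "true");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Step 1: AS exchange with the KDC using the key in the keytab. */
    static Subject login(String principal, String keytabPath) throws LoginException {
        LoginContext lc = new LoginContext("ldap-bind", null, null, keytabConfig(principal, keytabPath));
        // "Pre-authentication information was invalid (24)" here means the keytab key or
        // kvno no longer matches what AD holds for the account (password reset, new ktpass run).
        lc.login();
        return lc.getSubject();
    }

    /** Step 2: SASL GSSAPI bind, executed as the Subject so the SASL client finds the TGT. */
    static DirContext bind(Subject subject, final String ldapUrl) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<DirContext>) () -> {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.qop", "auth-conf");   // integrity and confidentiality on the wire
            return new InitialDirContext(env);
        });
    }

    public static void main(String[] args) throws Exception {
        // Assumed names and paths; replace with your realm, service account and domain controller.
        System.setProperty("java.security.krb5.conf", "C:/WINDOWS/krb5.ini");
        Subject subject = login("svc-tomcat@EXAMPLE.COM", "C:/tomcat/conf/svc-tomcat.keytab");
        DirContext ctx = bind(subject, "ldap://dc.example.com:389");
        try {
            System.out.println("bound to AD as " + subject.getPrincipals());
        } finally {
            ctx.close();
        }
    }
}
```

    Two points carry over to the Tomcat case. The JDK locates the realm configuration through the java.security.krb5.conf property first, then <java.home>/lib/security/krb5.conf, and only then the krb5.ini in the Windows directory, so setting the property removes the guesswork about which file is read. And because JNDIRealm cannot hand JGSS a Configuration object, the realm needs -Djava.security.auth.login.config=<path to jaas.conf> in CATALINA_OPTS together with a JAAS entry named com.sun.security.jgss.initiate, which is the entry name JGSS looks up when javax.security.auth.useSubjectCredsOnly=false and no Subject is on the call stack; that missing entry is exactly the "Unable to locate a login configuration" failure above.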

  • Malformed SQL Join Created in BO XI SP5

    Hi, I am receiving the following message when running a specific universe-based Crystal Report:
    Error in File C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Data\procSched\hq-erpboprod.reportjobserver\~tmp1e061e138ef0560.rpt: Failed to retrieve data from the database.
    I can see why it is failing to retrieve data from the database - the SQL that the Crystal is generating is not putting the 'AND' in between each clause in the join statement (see below). However, when I build the same query in Designer, I get the correct SQL results.
    SELECT GLPD.GLDGL, GLPGL.GLGLNM, cvtdate(GLPD.GLDEDT), GLPD.GLDJC, GLPD.GLDEDS, sum(GLPD.GLDBA), GLPD.GLDJB, GLPD.GLDCC, GLPD.GLDCN, GLPPJ.GLPJ, DT_ROLLUPLEV.XAFVVC, trim(GLPPJ.GLPJNM), GLPD.GLDBT, GLPD.GLDBE, GLPD.GLDBL FROM GLPD INNER JOIN GLPMF ON (GLPMF.GLMGL= GLPD.GLDGL AND GLPMF.GLMCO=GLPD.GLDCOGLPMF.GLMIC= GLPD.GLDICGLPMF.GLMPJ= GLPD.GLDPJGLPMF.GLMJB= GLPD.GLDJBGLPMF.GLMCC= GLPD.GLDCCGLPMF.GLMCN= GLPD.GLDCNGLPMF.GLMBK=GLPD.GLDBKGLPD.GLDFY=GLPMF.GLMFYGLPD.GLDFFC=GLPMF.GLMFFCGLPMF.GLMFFY=GLPD.GLDFFYGLPD.GLDFC=GLPMF.GLMFC) RIGHT OUTER JOIN GLPGL ON (GLPMF.GLMGL=GLPGL.GLGL) INNER JOIN GLPPJ ON (GLPMF.GLMPJ=GLPPJ.GLPJ) RIGHT OUTER JOIN ( select distinct xafvk1, xafvvc, xafvvd
    from xapfv
    where xafvfl = 'XAPROJECT'
    and xafvff = 'ROLLUPLEV' ) AS DT_ROLLUPLEV ON (GLPPJ.GLPJNV=DT_ROLLUPLEV.XAFVK1) WHERE ( GLPD.GLDBK='ACT' ) AND ( ( ( GLPPJ.GLPJ ) IN {?Query1_Prompt0} ) AND ( ( GLPMF.GLMBK )=('{?Query1_Prompt1}') ) AND GLPGL.GLGL IN {?Query1_Prompt2} AND DT_ROLLUPLEV.XAFVVC IN {?Query1_Prompt3} AND ( GLPD.GLDEDT <= RCVTDATE(( XCVTDATE(DATE(SUBSTRING({?Query1_Prompt4},1,10))) )) AND GLPD.GLDEDT >= RCVTDATE(( XCVTDATE(DATE(SUBSTRING({?Query1_Prompt5},1,10))) )) ) ) GROUP BY GLPD.GLDGL, GLPGL.GLGLNM, cvtdate(GLPD.GLDEDT), GLPD.GLDJC, GLPD.GLDEDS, GLPD.GLDJB, GLPD.GLDCC, GLPD.GLDCN, GLPPJ.GLPJ, DT_ROLLUPLEV.XAFVVC, trim(GLPPJ.GLPJNM), GLPD.GLDBT, GLPD.GLDBE, GLPD.GLDBL
    Has anyone seen anything like this?
    We have recently migrated from BO XI R2 SP2 to BO XI R2 SP5.
    We use SQL Server 2005 SP3.

    This should be set up in steps. Have you configured Java AD Kerberos so you can log in via your web/app with AD? This is a prerequisite before setting up any type of delegation to the DB.
    You can also set up SSO in the front end, but this shouldn't be necessary for delegating to the DB.
    What SPNs do you need...
    Well, if using Java AD you should have an SPN for the account running the SIA (typically BOBJCentralMS/something). This SPN needs to be set in the CMC. You will need the krb5 and bsclogin files to log in to your web/app with Kerberos/AD. The krb5.ini will have to have the setting forwardable = true, and finally the MSAS server will need SPNs: http://support.microsoft.com/kb/917409
    This is a very complex configuration and you will likely need to open an incident with support to get an engineer to help. I'm not sure where our current docs for the configuration are.
    Regards,
    Tim

  • Help-kerberos works with spnego keytab file but not in netbeans and Metro

    Hi,
    Appreciate if someone can shed some light on this problem and guide on what else am I missing.
    I'm trying to call .NET based WCF webservice (MS Dynamics CRM - OrganizationSvc) from a java client. Started looking at Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke web service. However the challenge was using Kerberos based authentication and related setup.
    I primarily followed the link below which was very helpful but had to dig more to get more specific details.
    http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
    Tried to follow the NetBeans route and hit some roadblocks in verifying the setup (krb5.conf, login.conf and wsit-client.xml). So I came across SPNEGO and used their examples, made changes accordingly and, after experimenting with various configuration settings (krb5.conf and login.conf), finally I was able to run HelloKDC and HelloKeytab successfully.
    krb5.conf:
    [libdefaults]
    default_realm = NA.CONVERGYS.COM
    [realms]
    NA.CONVERGYS.COM = {
    kdc = CDCWW13.na.convergys.com
    admin_server = CDCWW13.na.convergys.com
    }
    [domain_realm]
    .na.convergys.com = NA.CONVERGYS.COM
    login.conf:
    spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab
    Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.
    [1] Service principal: HOST/[email protected]
    KVNO: 7
    With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.
    http://spnego.sourceforge.net/index.html
    http://spnego.sourceforge.net/client_keytab.html
    http://spnego.sourceforge.net/troubleshoot_hellokeytab.html
    However, when I run the example in Netbeans with the setup mentioned in the link below, I run into following exception...
    http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
    http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html
    1) noticed that sc:KerberosConfig element in wsit-client.xml does not get updated automatically in netbeans ide, so manually edited to put the entries.
    2) also followed the setup required in glassfish domain.xml & login.conf xml.
    3) also noticed that the NetBeans setup requires us to use the C:\Windows\krb5.ini file, which is nothing but the krb5.conf file referred to elsewhere.
    wsit-client.xml:
    <wsp:Policy wsu:Id="ClientKerberosPolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
    <wsp:All>
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosClient"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    ERROR
    INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
    WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
    WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
    INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
    INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
    SEVERE: WSITPVD0050: Error while Securing Request Message.
    com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
    at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
    at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
    javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
    Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    ... 40 more
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    Edited by: user6748004 on Feb 3, 2011 5:36 PM
    Edited by: user6748004 on Feb 3, 2011 5:38 PM

    Hi Gasha,
    The only change I did after this was to try and use the 'KerberosServer' configuration from the wsit-client.xml. At least this enabled the GlassFish application to load the configuration related to the keytab etc., and use it to communicate with the WCF service for negotiation.
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosServer"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    login.conf has
    KerberosServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    FYI, I used the following way to create the keytab.
    Keytab was created using the instructions below:
    ktpass -princ HOST/[email protected]
    -mapUser [email protected]
    -mapOp set
    -pass *
    -crypto DES-CBC-MD5
    -pType KRB5_NT_PRINCIPAL
    -out orldwv705.keytab
    Targeting domain controller: CDCWW13.na.convergys.com
    Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
    Key created.
    Output keytab to orldwv705.keytab:
    Keytab version: 0x502
    keysize 75 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
    Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using setspn commands on the AD of the server where CRM is installed.
    With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later I ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I didn't get any success.
    This is where I'm stuck now. What I don't know is if there is another setup from which we can try a similar interoperability example, for example WebLogic 10.1 & Eclipse, which is closer to our real environment.
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    java.lang.IllegalArgumentException: Missing argument
    at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
    at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
    at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)
    Edited by: user6748004 on Apr 8, 2011 10:39 AM
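    Most of the keytab trouble in this thread (the klist -k check above, the ktpass output, and the later SecretKeySpec "Missing argument" failure when the key material the JDK ends up with is empty) is diagnosed by reading what is actually inside the keytab file: principal, kvno and enctype. The class below is an added example, not part of SPNEGO, Metro or the poster's setup: a small reader for the keytab on-disk format (version 0x502 as printed by ktpass) that lists entries the way klist -k does, skips the key bytes so nothing secret is printed, and flags single-DES enctypes, which current KDCs and JDKs refuse unless weak crypto is explicitly re-enabled. The sample keytab it builds in memory uses a constructed principal HOST/app01.example.com@EXAMPLE.COM and an all-zero dummy key; pass a real keytab path as the first argument to inspect it instead.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

/** Lists the entries of a version 0x502 keytab, as klist -k does, without exposing key bytes. */
public class KeytabInspector {

    static final class Entry {
        final String principal; final int kvno; final int etype; final int keyLength;
        Entry(String principal, int kvno, int etype, int keyLength) {
            this.principal = principal; this.kvno = kvno; this.etype = etype; this.keyLength = keyLength;
        }
        /** etypes 1..3 are single DES: rejected by modern KDCs/JDKs unless allow_weak_crypto is set. */
        boolean weakEnctype() { return etype >= 1 && etype <= 3; }
        @Override public String toString() {
            return principal + " kvno " + kvno + " etype " + etype + " (" + etypeName(etype)
                    + ") keylength " + keyLength + (weakEnctype() ? "  <-- weak enctype" : "");
        }
    }

    static String etypeName(int etype) {
        switch (etype) {
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 23: return "rc4-hmac";
            default: return "unknown";
        }
    }

    /** Parses every entry; key material is skipped, never copied into an Entry. */
    static List<Entry> parse(byte[] keytab) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(keytab));
        int version = in.readUnsignedShort();
        if (version != 0x0502) throw new IOException("unsupported keytab version 0x" + Integer.toHexString(version));
        List<Entry> entries = new ArrayList<>();
        while (in.available() >= 4) {
            int size = in.readInt();
            if (size < 0) { in.skipBytes(-size); continue; }     // negative size marks a deleted slot
            byte[] body = new byte[size];
            in.readFully(body);
            DataInputStream e = new DataInputStream(new ByteArrayInputStream(body));
            int components = e.readUnsignedShort();               // in 0x502 the realm is not counted
            String realm = readCounted(e);
            StringBuilder name = new StringBuilder();
            for (int i = 0; i < components; i++) {
                if (i > 0) name.append('/');
                name.append(readCounted(e));
            }
            e.readInt();                                          // name type, 1 = KRB5_NT_PRINCIPAL
            e.readInt();                                          // timestamp
            int kvno = e.readUnsignedByte();                      // 8-bit kvno
            int etype = e.readUnsignedShort();
            int keyLength = e.readUnsignedShort();
            e.skipBytes(keyLength);                               // skip the secret key
            if (e.available() >= 4) {                             // optional 32-bit kvno wins when present
                int kvno32 = e.readInt();
                if (kvno32 != 0) kvno = kvno32;
            }
            entries.add(new Entry(name + "@" + realm, kvno, etype, keyLength));
        }
        return entries;
    }

    private static String readCounted(DataInputStream in) throws IOException {
        byte[] b = new byte[in.readUnsignedShort()];
        in.readFully(b);
        return new String(b, StandardCharsets.UTF_8);
    }

    private static void writeCounted(DataOutputStream out, String s) throws IOException {
        byte[] b = s.getBytes(StandardCharsets.UTF_8);
        out.writeShort(b.length);
        out.write(b);
    }

    /** Constructed sample keytab with a dummy all-zero key, so the example runs without a real one. */
    static byte[] sampleKeytab() throws IOException {
        ByteArrayOutputStream entryBytes = new ByteArrayOutputStream();
        DataOutputStream e = new DataOutputStream(entryBytes);
        e.writeShort(2);                                          // HOST + hostname components
        writeCounted(e, "EXAMPLE.COM");
        writeCounted(e, "HOST");
        writeCounted(e, "app01.example.com");
        e.writeInt(1);                                            // KRB5_NT_PRINCIPAL
        e.writeInt(0);                                            // timestamp (constructed)
        e.writeByte(7);                                           // kvno 7
        e.writeShort(3);                                          // des-cbc-md5, what -crypto DES-CBC-MD5 yields
        e.writeShort(8);
        e.write(new byte[8]);                                     // dummy key, not a credential
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        DataOutputStream o = new DataOutputStream(out);
        o.writeShort(0x0502);
        o.writeInt(entryBytes.size());
        o.write(entryBytes.toByteArray());
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] keytab = args.length > 0 ? Files.readAllBytes(Paths.get(args[0])) : sampleKeytab();
        List<Entry> entries = parse(keytab);
        System.out.println(entries.size() + " entry(ies):");
        for (Entry entry : entries) System.out.println("  " + entry);
    }
}
```

    When the listed principal, kvno or enctype does not match what the KDC holds for the account (a later ktpass run bumps the kvno, a password reset changes the key), the JDK fails at the AS exchange with "Pre-authentication information was invalid (24)", so comparing this listing with the most recent ktpass output is the first check to make before touching krb5.ini or login.conf.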

  • Universe Creation On OLAP Cube(SSAS) throwing error. in BO X1 3.1

    Hi Experts,
    I have created an OLAP universe based on an SSAS cube using the Microsoft SQL Server 2005 Analysis Services driver.
    I have created a Webi report based on this SSAS cube, and everything is fine,
    but when I create a condition at the universe level and use the same universe in the Webi report, it throws the error: An internal error occured while calling the 'processDPCommands' API.
    Thanks,
    Prasad

