Does a Kerberos authentication module exist?

Similar Messages

• Kerberos authentication with Apache Kerberos Module

  Hi,
  Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
  However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
  I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
  GET: http://www.myhost.com/protected_page.html
  HOST: www.myhost.com
  AUTHENTICATE: negotiate XXXXX
  However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
  Can anyone tell me, how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPEGNO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
  Thanks for any help or advice,
  Neil.

  Here are your options:
  1) Configure Krb5LoginModule programmatically.
  If the environment variable KRB5CC_NAME points to the ticket cache location,
  (which is updated each time), you can configure the Krb5LoginModule
  programmatically and set the "ticketCache" option to the value obtained
  from KRB5CC_NAME.
  Refer to following docs for details:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
  2) Use native Kerberos from the platform
  Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
  NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
  you will not be able to use this option.
  For details refer to following docs:
  http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
  Seema

• IChat - Host does not support Kerberos authentication

  Hi all,
  I have been trying but with no success to set up an iChat server on 10.6. Our OS X server is bound to AD and will hopefully be using AD to authenticate the iChat clients. I have followed Apple's guide on commenting out the <!-- <cram-md5/> --> section of the c2s.xml file which hasn't solved our problems. Open Directory isn't running as a master it is connected to another directory (our AD directory), and as a test I set up a Wiki server on the same box and this does allow us to authenticate against AD.
  The error message we are receiving in iChat is "The host example.com does not support Kerberos authentication. The client is set to use Kerberos, the username format is [email protected] all I think the correct settings.
  Under iChat General Settings on the server the Host Domain is example.com, SSL Certificate: No Certificate, Authentication: Any Method, and Enable XMPP server-to-server federation is enable for all domains.
  This is our jabber fullstatus:
  jabber:state = "RUNNING"
  jabber:readWriteSettingsVersion = 1
  jabber:logPaths:PROXY_LOG = "/private/var/jabberd/log/proxy65.log"
  jabber:logPaths:MUCSTDLOG = "/var/jabberd/log/mu-conference.log"
  jabber:logPaths:JABBER_LOG = "/var/log/system.log"
  jabber:proxyState = "RUNNING"
  jabber:currentConnections = "0"
  jabber:currentConnectionsPort1 = "0"
  jabber:currentConnectionsPort2 = "0"
  jabber:pluginVersion = "10.6.100"
  jabber:serviceMode = "CHATSERVER"
  jabber:domainName = "example.com"
  jabber:mucState = "RUNNING"
  jabber:servicePortsAreRestricted = "NO"
  jabber:servicePortsRestrictionInfo = emptyarray
  jabber:hosts:arrayindex:0 = "example.com"
  jabber:setStateVersion = 1
  jabber:startedTime = "2010-10-07 16:12:01 +0100"
  jabber:jabberdState = "RUNNING"
  This is our changeip -checkhostname:
  Primary address = 192.168.1.20
  Current HostName = ichat.example.com
  DNS HostName = ichat.example.com
  The names match. There is nothing to change.
  dirserv:success = "success"
  Any help with this would be much appreciated, and I can supply further logs details if needed. I have used example.com to protect our domain name but i kept the format identical.
  Cheers,
  Chris

  From the console:
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16a16a].com.apple.iChat[2873]) The USER environmental variable changed out from under us!
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16a16a].com.apple.iChat[2873]) In a future build of the OS, this error will be fatal.
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16b16b].com.apple.iChatAgent[2875]) The USER environmental variable changed out from under us!
  08/10/2010 13:00:52 com.apple.launchd.peruser.2027651558[416] ([0x0-0x16b16b].com.apple.iChatAgent[2875]) In a future build of the OS, this error will be fatal.
  08/10/2010 13:00:52 iChatAgent[2875] [Warning] JConnection: Error: Error Domain=XMPPErrorDomain Code=122 UserInfo=0x10020b680 "The host corepublishing.co.uk does not support Kerberos authentication."
  The iChat server log shows this at the same time:
  Oct 8 13:00:52 ichat jabberd/c2s[1051]: [7] [::ffff:192.168.2.170, port=50624] connect
  Oct 8 13:00:52 ichat jabberd/c2s[1051]: [7] [::ffff:192.168.2.170, port=50624] disconnect jid=unbound, packets: 0

• Authenticating Host SPN using Kerberos Login module

  Hi,
  I have written an application that needs to support Java GSS based context establishment using Java's Kerberos Login module with the clients.This application is hosted in Tomcat and I have a limitation that tomcat is running as "LocalSystem" account on the host machine(Not to confuse with Administrator account on the host machine) so it is not having password.
  On the AD to which this host is connected has SPN registered for this host machine like any other computer account. But my doubt is how will I authenticate my application(Using Kerberos Login module) using that Host SPN if I do not have any password for the "LocalSystem". I am giving user name as "HOST/<machine-name", or "<machine-name>" but it fails at the application side saying no encryption key found. If I try to give some random password I get error message from AD saying that Pre Authentication failed.
  Without authentication my application to AD I am not able to get the Kerberos Key which is required for context establishment for GSS.
  Any help in this regard will be really helpful.
  Thanks.

  Thanks for your response!
  My application is just an authentication module in a bigger application which is not under my control. This application is hosted on Apache Tomcat and provide both the options to run as "LocalSystem" account and domain account. So I have to provide support for both the options.
  I am getting increasingly convinced that Java Kerberos module can't handle the authentication for "LocalSystem" account and I need to opt for some Windows Native Apis for that. If that is the case Can someone tell me how can i proceed for that. I have no idea which Windows apis to use for it.
  Thanks.
  Edited by: Java-Dev-01 on Mar 14, 2010 6:03 AM

• Does 10.4.6 SMB support Kerberos authentication?

  Our company is heading towards using Kerberos authentication to access home directories shared via NFS and CIFS/SMB. I did some searching but wasn't able to determine if OS X 10.4.6 supported Kerberos auth. in it's version of SMB. Does it?

  Hello a brody and Kiraly,
  thanks for the answers and much appreciate your hints regarding memory.
  Was thinking about the upgrade mostly for future security updates - they surely will end for 10.3.9 at some point in time, won't they? - and potentially for EAP-FAST. Application-wise I'm fine with eMail, Office and Telnet/SSH but when a memory on eBay comes along I may think about it
  Again thanks for your help!
  Regards, Marc

• Custom Authentication Module on Identity Server

  Hi,
  I have a custom authentication module which I am trying to access through the policy agent.
  I have set the following property in AMAgent.properties file
  com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
  My login module code is something like this:
  package com.iplanet.am.samples.authentication.providers;
  import java.util.*;
  import javax.security.auth.Subject;
  import javax.security.auth.callback.Callback;
  import javax.security.auth.callback.NameCallback;
  import javax.security.auth.callback.PasswordCallback;
  import javax.security.auth.login.LoginException;
  import com.sun.identity.authentication.spi.AMLoginModule;
  import com.sun.identity.authentication.spi.AuthLoginException;
  import java.rmi.RemoteException;
  import java.io.FileInputStream;
  import java.util.Properties;
  public class LoginModule1 extends AMLoginModule
  private String userName;
  private String userTokenId;
  private HashMap usersMap;
  private java.security.Principal userPrincipal = null;
  public LoginModule1() throws LoginException
  public void init(Subject subject, Map sharedState, Map options)
            System.out.println("LoginModule1 initialization");
            usersMap = new HashMap();
            ResourceBundle bundle = ResourceBundle.getBundle("users");
            Enumeration users = bundle.getKeys();
            while (users.hasMoreElements())
                 String user = (String)users.nextElement();
                 String password = bundle.getString(user.trim());
                 usersMap.put(user, password);
  public int process(Callback[] callbacks, int state) throws AuthLoginException
            int currentState = state;
            if (currentState == 1)
                 userName = ((NameCallback) callbacks[0]).getName().trim();
                 char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
                 String passwdString = new String (passwd);
                 if (userName.equals(""))
                      throw new AuthLoginException("names must not be empty");
                 if (userName.equals("testuser") && passwdString.equals("testuser"))
                      userTokenId = userName;
                      return -1;
                 if (usersMap.containsKey(userName))
                      if (usersMap.get(userName).equals(new String(passwd)))
                           userTokenId = userName;
                           return -1;
                 return 0;
       public java.security.Principal getPrincipal()
            if (userPrincipal != null)
                 return userPrincipal;
            else
            if (userTokenId != null)
                 userPrincipal = new SamplePrincipal("testuser");
                 return userPrincipal;
            else
                 return null;
  So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
  2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
  2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
  2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
  2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
  2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
  The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
  Thanks
  Srinivas

  Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
  I am guessing that Access Manager is not finding your principal. Typically if access manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
  I am wondering if this is related to a seperate problem I have seen with custom login modules. Try chaning the code to return an LDAP style principal it may work:
  so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why.

• Updating hybrid configuration failed - Kerberos authentication: The network path was not found

  I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
  When I run the Manage Hybrid Configuration, I receive the following error:
  Updating hybrid configuration failed with error
  'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network
  path was not found.
  The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
  [1/5/2014 21:21:1] INFO:Opening runspace to
  http://[servername]/powershell?serializationLevel=Full
  [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
  [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
  error occured while using Kerberos authentication: The network path was not found. 
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
     at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
     at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
     at System.Management.Automation.Runspaces.RunspacePool.Open()
     at System.Management.Automation.RemoteRunspace.Open()
     at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
     at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
     at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
  I have sought help, posting on the forum at community.office365.com -
  http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
  Has anyone else come across this problem running the Hybrid Configuration Wizard?

  Hello Darrell,
  Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
  http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspxI would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything
  looks good.
  As the article states you can run the Exchange BPA and it will check if any of these exist as well.

• WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

  I have two forests with a transitive on-way trust between them: PROD -> TEST (test trusts PROD). I had previously had kerberos authentication working with winrm from PROD to machines in TEST. I have verified the trust is healthy, I also verified users
  in TEST can use WINRM with kerberos just fine. Users from PROD cannot connect via kerberos to machines in TEST with winrm.
  I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent kerberos from happening. I even tried disabling the firewall entirely on my TEST dcs
  but that didn't gain me anything.
  I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
  I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
  PowerShell Error:
  Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
      + FullyQualifiedErrorId : PSSessionStateBroken
  winrs Error:
  Winrs error:
  WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config.

  Hi Adam,
  I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
  WSMAN/<NetBIOS name>
  WSMAN/<FQDN>
  If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
  Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
  If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I
  just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
  If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of
  this to learn a bit more about selective trusts and whether or not it's affecting you.
  Cheers,
  Lain

• Issue in confuguration of Kerberos authentication

  Hi all
  We are trying to configure Kerberos authentication for single sign-on on a SAP WAS 6.40 Java System. We configured the Kerberos using SPNEGO wizard. After configuring when we tried to login to UME, but it prompted for Username and Password which confirms that single sign on is not working.
  In default trace file we got the following info
  i. Key for the principal [email protected] not available in default key     tab
  ii. [Krb5LoginModule] authentication failed
       Unable to obtain password from user
  iii. Login module com.sun.security.auth.module.Krb5LoginModule from authentication stack com.sun.security.jgss.accept does not authenticate the caller.
  iv. LOGIN.FAILED
      Unable to obtain password from user
  1. Why password cannot be obtained from user?
  2. Is there a default keytab other than the one created by the spnego wizard?
  3. If there is one, then can we add the key for [email protected]  in         that file and how?
  4. How can this be resolved?
  Regards
  Deepu

  Your log files are recording an authentication error, so that usually means your login information is incorrect, or just corrupted. Try reseting your Kerberos password, and if that doesn't work, double-check your Kerberos connectivity and configuration settings.

• EP 6.0 SP2 + external kerberos authentication

  We recently installed EP 6.0 SP2 Patch 4 HF 6 on an Aix 5.2 unix platform. We would like to create our own authentication scheme that uses a login module written in Java that does kerberos authentication externally. From reading the Portal Security Guide it appears that this is a doable approach. Has anyone actually done this with the portal on a unix platform? Which Java kerberos library implementation did you use?
  Thanks in advance.
  Sincerely,
  Steven McElwee, Duke University

  Hi,
  as mentioned above, you need a second server. This one could be Windows. People use this architecture in productive environments.
  If this does not work for you, you need to go the second approach: Custom JAAS login module using the WebCallback plus a kerberos library.
  Here some links:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-1/pluggable authentication implementing a jaas login module presentation
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-1/pluggable authentication implementing a jaas login module exercises
  Best regards,
  Oliver

• Kerberos Authentication on an NT machine.

  I have this config file:
  MyAuth {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
  I want to authenticate a user using an already existing Kerberos Cache. This works fine on a sun box, but fails on an NT. I think I need to set the TicketCache attribute for the NT machine, but can't find out how designate the memory cache. Anyone have any idea how to do this (which enables single signon)?

  A listing of the Exception would have been good, however, l can give you a few tips on where to look.
  (1) Check your runtime arguments that you supply to the JAAS login module. They should include:
  % java -Djava.security.manager
  -Djava.security.krb5.realm=<your_realm>
  -Djava.security.krb5.kdc=<your_kdc>
  -Djava.security.auth.login.config=jaas.conf JaasLogin
  Namely check that your realm and kdc parameters are pointing to the correct addresses.
  (2) Make sure that Kerberos Authentication Protocol is used on the NT Domain server.
  I have found that and application called KerbTray has been very useful in providing useful information. This program allows you to view the Credential Information stored in the Credentials Cache. This application can be found at the Microsoft site.
  For further reference.. check out the information on :
  http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/AcnOnly.html
  Goodluck.

• Kerberos authentication

  Hi,
  I have set up kerberos authentication for my application, but I allways get 401 - Unauthorized.
  I've done all steps from http://e-docs.bea.com/wls/docs92/secmanage/sso.html - Single Sign-On with Microsoft Clients: Main Steps.
  C:\jaas.conf:
  com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="host/[email protected]" useKeyTab=true refreshKrb5Config=true
  keyTab="c:\\pc179.keytab" storeKey=true debug=true;
  com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="host/[email protected]" useKeyTab=true refreshKrb5Config=true
  keyTab="c:\\pc179.keytab" storeKey=true debug=true;
  C:\krb5.conf:
  \[libdefaults\]
  default_realm = CCA.CZ
  dns_lookup_kdc = true
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
  \[realms\]
  CCA.CZ = {
  kdc = BOBES.CCA.CZ
  \[domain_realm\]
  .cca.cz = CCA.CZ
  \[appdefaults\]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  I also have created security realm CCA.CZ as a copy of myrealm with WebLogic Negotiate Identity Assertion provider added.
  Server is starting with parameters -Djava.security.krb5.conf=c:/krb5.conf -Djava.security.auth.login.config=c:/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=CCA.CZ -Djava.security.krb5.kdc=BOBES.CCA.CZ
  When I request any secured page, the server returns 401 with WWW-Authenticate: Negotiate header. So browser sends another request with Authorization: Negotiate and ticket. Server then returns 401 without authentication header (instead of requested page - which I expect).
  Can you please tell me what am I doing wrong?
  (WebLogic v10.3)
  Edited by: user11038158 on 15.4.2009 0:50

  Hi:
  Did you manage to overcome this problem? I'm having the same problem and any help would be highly appreciated.
  Cheers,
  Albert

• Kerberos authentication with Active Directory

  I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
  I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
  How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
  I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
  import java.io.*;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class krb5ADLogin1 {
  public static void main(String[] args){
  LoginContext lc = null;
  try {
  lc=new LoginContext("krb5ADLogin1", new TextCallbackHandler());
  lc.login();
  catch(Exception e){
  e.printStackTrace();
  Here is my config file:
  krb5ADLogin1 {
  com.sun.security.auth.module.Krb5LoginModule required;
  The command I use to start the program is:
  java -Djava.security.krb5.realm=mydomain.com
  -Djava.security.krb5.kdc=DomainController.mydomain.com
  -Djava.security.auth.login.config=sample.conf krb5ADLogin1

  Hi there ... the Sun web site has the following snippet:
  http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
  + javax.security.auth.login.LoginException: KrbException::
  Pre-authentication information was invalid (24) - Preauthentication failed
  Cause 1: The password entered is incorrect.
  Solution 1: Verify the password.
  Cause 2: If you are using the keytab to get the key (e.g., by
  setting the useKeyTab option to true in the Krb5LoginModule entry
  in the JAAS login configuration file), then the key might have
  changed since you updated the keytab.
  Solution 2: Consult your Kerberos documentation to generate a new
  keytab and use that keytab.
  Cause 3: Clock skew - If the time on the KDC and on the client
  differ significanlty (typically 5 minutes), this error can be
  returned.
  Solution 3: Synchronize the clocks (or have a system administrator
  do so).
  Good luck,
  -Derek

• Kerberos Authentication Not Working on OS X 10.6

  Using FF version 20.0, on OS X 10.6.8, I can not get it to use Kerberos authentication to allow SSO to a SharePoint web site.
  On OS X 10.8, with the same configuration in the about:config, everything works fine - the user is not prompted for credentials.
  I have put the necessary entires in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, network.negotiate-auth.gsslib is set to true.
  When I have setup to log the errors from the authentication module, I find in the log file "Fail to load gssapi library".
  Interestingly on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
  Thanks for any help,
  Richard

  Found the solution:
  Was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
  We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
  Main problem was the kinit thing though.

• Exchange Management Console couldn't start with Kerberos authentication failed

  When I was making changes to Client Access\owa settings, chaning from Basic authentication to Form authentication (upn name) then changed to Basic again. It was ok after changing to Form authentication but moment after changing back to Basic, I couldn't
  no longer access owa (blank page when one vertical line) and in Exchange Management Console, I got "Initialization failed" - The following error occured while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
  The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannto process
  the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
  I tried the troubleshooting tool from Exchange team blog:
  http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It give 3 possible causes for this error: 1. WSMan module entry is missing from global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. Kerbauth module shows
  up as Managed module or has been loaded in the Default Web Site Level; 3. The Path of the Powershell virtual directory has been modified.
  I checked carefully, all the 3 causes do not apply to my situation as WSman entry is in order, the Kerbauth is native and local and the path of Powershell virtual directory is correct.
  I find that in Application log, there are Event 2297 and 2307 dumped at the time of failure:
  The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Confiugration file in not well-formed XML' trying to read configuration data from file '\\?\C:\inetpubl\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config',
  line number '2'. The data field contains the error code.
  Help is very much appreciated.
  Valuable skills are not learned, learned skills aren't valuable.

  Unfortunately, all the links you provided didn't help.
  The first link contains 3 methods:1 Removing WinRM feature and reinstalling. 2 Rename the web.config file in location C:\inetpub\wwwroot 3 Have you installed Microsoft Dynamics CRM 4. I?
  As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config however is found in many times in .netframework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
  The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when open Exchange Management Shell, I got this error: [sgp.ex1.mydomain.com] connecting to remote server
  failed with the following server failed with the following error message: The WinRM client cannot process the request, it cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalide. For more
  information, see the about_Remote_Troubleshooting Help topic.
  I do not think the user is not remote powershell enabled because the problem happened suddenly, while I was making changes to Authentication settings of OWA(default) in Client Access in Exchange Management Console. If the user account is not remote powershell
  enabled, then I couldn't event connect to EMC in the first place.
  The last link didn't help because I could open up modules under PowerShell virtual directory in IIS.
  I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config not well-formed XML, that might be a clue.
  In the event id 2307 this is the message:
  The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML
  ' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'.  The data field contains the error code.
  Valuable skills are not learned, learned skills aren't valuable.