Error from sample JAAS: Integrity check on decrypted field failed (31)
I am trying to follow the tutorial for JAAS Authentication located here:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
I am trying to run the sample JaasAcn.java but am getting a strange error when I try to log on to my Active Directory.
I am using Java version: jre1.6.0_03
I can login to Active Directory fine with the credentials I am providing, just not with this client, so I know the credentials are valid.
What could this mean?
The Error message is: [Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31)
Here is the full output:
C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 -Djava.security.auth.login.config=jaas.conf JaasAcn
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa
lse principal is null tryFirstPass is false useFirstPass is false storePass is f
alse clearPass is false
Kerberos username [ILea]: sra
Kerberos password for sra:
[Krb5LoginModule] user entered username: sra
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
KrbKdcReq send: #bytes read=587
KrbKdcReq send: #bytes read=587
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31)
Authentication failed:
Integrity check on decrypted field failed (31)
FYI The fix for this was to chang the value for -Djava.security.krb5.realm to be all upper case
Once that change was made authentication passed
Edited by: IDL on Jan 2, 2008 9:25 AM
Similar Messages
-
Jaas & Integrity check on decrypted field failed
I'm trying to do Kerberos authentication using JAAS and the jdk 1.4.1_02 under Mandrake 9.1. The Kerberos server is installed on a Redhat 9 machine. I'm using the login module com.sun.security.auth.module.Krb5LoginModule and the TextCallbackHandler class. The login fails with the error "Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed". I get the same error if I use the kinit utility bundled with the jdk. Conversely all seems ok when I use the kinit utility bundled with the kerberos client programs of my Mandrake 9.1 distribution.
Anyone could help me?
MicheleI encountered the same problem--"Integrity check on decrypted field failed (31)" when trying to authenticate against a KDC (v5) running RedHat 8.0 (JASS and JDK 1.4.1_02)--but I was able to use Kerberized telnet and login from remote/local machines to get authenticated with this RedHat KDC. There is no problem authenticating against a KDC running Win2k AD/Kerberos with the same code. I am using the com.sun.security.auth.module.Krb5LoginModule.
Can anyone help me to resolve this issure? -
Kerberos Authentication: "Integrity check on decrypted field failed"
Hi,
I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
Has anyone else had this error & what causes it?
Many thanks in advance.
Regards
Jane
Full error text:
JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
JGSS_DBG_CRED getCred: only one cred, returning it
JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
JGSS_DBG_CRED Krb5 name type = 0
JGSS_DBG_CTX Creating context, cred usage = 2
GSS Context created
JGSS_DBG_UNMARSH Real token len 1641
JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
JGSS_DBG_UNMARSH inner token len 1630
JGSS_DBG_PROV getFactory: index = 0 found factory
JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
JGSS_DBG_PROV 1.2.840.113554.1.2.2
JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
JGSS_DBG_CTX Default list of negotiable mechs:
1.2.840.113554.1.2.2
JGSS_DBG_CTX ticket enc type = des-cbc-md5
com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:215)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
JGSS_DBG_CTX Error authenticating request. Reporting to client
Major code = 11, Minor code = 31
org.ietf.jgss.GSSException, major code: 11, minor code: 31
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failedHi Désirée,
Yes the service user has "Use DES encryption" set.
In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
Regards
Jane -
SSO using Kerberso receiving "Integrity check on decrypted field failed (31
I am trying to implement SSO for an application that is running on a WebLogic Server. I have flagged the AD Service user for DES encryption, added spn through setspn, created the keytab file, reset the password (to the same value), moved the keytab file, updated krb5.ini and krb5Login.conf accordingly, modified WebLogic startup command accordingly. When Users try to access the application, authentication fails, and I see Integrity check on decrypted field failed (31) error in the WebLogic logs. Any ideas ? I am attaching the related lines from the log below.
<Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is devmax01.http.keytab2 refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab: load() entry length: 60
KeyTabInputStream, readName(): DEV.DENVERWATER.ORG
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): devmax01principal's key obtained from the keytab
principal is HTTP/[email protected]
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 3 1
KrbKdcReq send: kdc=dwdev01 UDP:88, timeout=30000, number of retries =3, #bytes=249
KDCCommunication: kdc=dwdev01 UDP:88, timeout=30000,Attempt =1, #bytes=249
KrbKdcReq send: #bytes read=1312
KrbKdcReq send: #bytes read=1312
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply HTTP/devmax01Added server's keyKerberos Principal HTTP/[email protected] Version 8key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 2F 02 76 AB 7F 8C B0 6E
[Krb5LoginModule] added Krb5Principal HTTP/[email protected] to Subject
Commit Succeeded
Found key for HTTP/[email protected]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType<Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))FYI The fix for this was to chang the value for -Djava.security.krb5.realm to be all upper case
Once that change was made authentication passed
Edited by: IDL on Jan 2, 2008 9:25 AM -
Error from sample JAAS client: Message stream modified (41)
I am trying to follow the tutorial for JAAS Authentication located here:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
I am trying to run the sample client JaasAcn.java but am getting a strange error when I try to log on to my Active Directory.
I am using Java version: jre1.6.0_03
I can login to Active Directory fine with the credentials I am providing, just not with this client, so I know the credentials are valid.
Here is the error I get that I don't understand. Any suggestions would be very helpful, if you provide help for this
The Error message is: [Krb5LoginModule] authentication failed
Message stream modified (41)
Here is the full output:
C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 -Djava.security.auth.login.config=jaas.conf JaasAcn
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
alse ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is fa
lse principal is null tryFirstPass is false useFirstPass is false storePass is f
alse clearPass is false
Kerberos username [ILea]: sra
Kerberos password for sra:
[Krb5LoginModule] user entered username: sra
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
KrbKdcReq send: #bytes read=202
KrbKdcReq send: #bytes read=202
KDCRep: init() encoding tag is 126 req type is 11
KRBError:sTime is Mon Dec 31 11:56:40 PST 2007 1199131000000
suSec is 884978
error code is 25
error Message is Additional pre-authentication required
realm is PRSDev.local
sname is krbtgt/PRSDev.local
eData provided.
msgType is 30
Pre-Authentication Data:PA-DATA type = 11
PA-ETYPE-INFO etype = 23
Pre-Authentication Data:PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Pre-Authentication: Set preferred etype = 23
KrbAsReq salt is PRSDev.localsraPre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=210
KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=210
KrbKdcReq send: #bytes read=1182
KrbKdcReq send: #bytes read=1182
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType[Krb5LoginModule] authentication failed
Message stream modified (41)
Authentication failed:
Message stream modified (41)FYI I have fixed this problem (and moved on to the next error)
I disabled the preauthentication requirement on the Active Directory account according to this article:
http://technet2.microsoft.com/windowsserver/en/library/a0bd7520-ef2d-4de4-b487-e105a9de9e4f1033.mspx?mfr=true -
Error occured in the integration checks(read log)
Hi,
I try to post planning of machinery hours in KP26, tht time i got this error, and data is not saved too. " error occured in the integration checks(read log)" kindly solve this problem asap.
Regards
PRINCESir,
Where to maintain Nominal rate for this question KP26 ? give me a path or transaction code.
Regards
Prince -
Errors occurred in the integration checks (read log)
Hello Everyone ,
I am working on cross companycode- cost accounting
In the previous screen i said i am not getting cost elements box in transaction code KP06 , anyhow i am entering the itemoverview screen using one cost element which i appearing automatically and in here i am allocating funds to various activity types( here aslo its showing just one cost element as in the main screen of KP06 there was any Box asking me to enter cost element) , so i am giving all activity types with cost element plan fixed cost(entering an amount of 2000for all activity types )
&plan variable cost (entering an amount of 1000 for all activity types) nothing in plan fixed cons & plan variable consum.....remember this is just for practice purpose i am taking these small figures.
Now when i am trying to save this its giving me error which is as follows:
Errors occurred in the integration checks (read log)
Message no. GP542
Diagnosis
The data entered or changed in this planning transaction should not only be updated in controlling, but also in the related applications (such as profit centers).
These applications check the data to be posted beforehand to guarantee that the update is performed without any problems.
However, errors or warnings occurred during this check.
System Response
Data is not updated.
Procedure
Look to see which errors occurred using the function "Error log...",. "Plan Integration...".
Can anyone please help me with this one .
Thanks ,
Mohammed samiuddinHi,
I am also getting the same error message when I am trying to post activity type rates using Tcode KP26.
Can you please let me know how you solved this issue?
Error message :
Errors occurred in the integration checks (read log)
Message no. GP542
Diagnosis
The data entered or changed in this planning transaction should not only be updated in controlling, but also in the related applications (such as profit centers).
These applications check the data to be posted beforehand to guarantee that the update is performed without any problems.
However, errors or warnings occurred during this check.
System Response
Data is not updated.
Procedure
Look to see which errors occurred using the function "Error log...",. "Plan Integration...".
Regards,
Vicki -
Hi,
Every night I get a lot of warnings in the event log from MsiInstaller with event ID 1015 and text "Failed to connect to server. Error: 0x80070005". They are always followed by a new event 1035. Example:
Event 1015, MsiInstaller (Warning)
Failed to connect to server. Error: 0x80070005
Event 1035, MsiInstaller (Information)
Windows Installer reconfigured the product. Product Name: Microsoft Excel Mobile Viewer Components. Product Version: 14.0.4763.1000. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.
I probably get around 50 of these each night, and the 1035 events are all related to various SharePoint components. The user in all cases is the sharepoint farm account.
I use SharePoint 2010 enterprise in a farm install on one virtual server. I have a private domain, and the database is on a separate server.
Does anyone have any idea why this happens? Other than the error in the event log I cannot see any issues with my installation. I have searched for this error and seen it related to user profile synchronisation, but profile sync is working fine for me. I
installed using the Technet guide and the user profile sync guide at
http://www.harbar.net/articles/sp2010ups.aspx
Thanks,
MikaelHey Trevor. Thanks. I wasn't sure which method it was failing on although I understood it was the Windows Installer Service that was getting called by the job. There are three things that are still interesting to me though:
The job succeeds anyway. How? Does it just continue to run the rest of its checks but fails on this one? If it doesn't fail on this one, why not? If it does fail here, but then continues, should we be concerned about the quality of the data in Manage Patch
Status?
Or... does it somehow succeed once it uses the DCOM rights which appear to clear the 10016 errors? What I've never been able to reconcile with these warnings is that we've granted DCOM rights to launch and activate the Windows Installer Service and
that definitely seems to make a difference to success or failure of the job - so why doesn't it clear these warnings?
Why does granting the file system permissions clear the FIM version of this job's warnings, but not for the Product Version Job? This is particularly vexing since granting the DCOM rights appears to resolve the 10016 errors in exactly the same manner for
both jobs.
All of this has led me to believe that there were missing permissions somewhere, probably on the file system, but I just haven't had any luck pinning that down. One reason why I continued to pursue a solution to this is that the job doesn't actually try
to install anything, it's just trying to use the Windows Installer Service to query the installed version, and the DCOM rights should be sufficient to invoke the service. But getting much further than this has proven pretty difficult since I'm not a dev and
I've kind of pushed my limited reflection skills and understanding of the Windows Installer Service to the limit. If anyone can chip in and make some progress from this point, it'd be great to join forces! -
Error from sample JAX-WS security from documentation: Failed to get token
I am trying example 2-1 for the server and 2-3 for the client and i am using WLS 10.3.5:
http://docs.oracle.com/cd/E21764_01/web.1111/e13713/message.htm#CDEBIJEJ
i get some errors when trying to compile/generate the source listed, but i work around those.
and i hardcode some values ( like username/password, keystore locations, etc).
i can deploy the web service successfully and execute the client.
I have some debugging turned on, so i see that the messages are being successfully encrypted and decrypted.
However, i get an exception back from the server:
[java] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Failed to get token for tokenType: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
[java] at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:197)
[java] at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:122)
[java] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:125)
[java] at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
[java] at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
[java] at $Proxy30.echo(Unknown Source)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[java] at java.lang.reflect.Method.invoke(Method.java:597)
[java] at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
[java] at $Proxy31.echo(Unknown Source)
[java] at wssp12.wss10.Test.main(Unknown Source)
For the Service:
I have used exactly the same policies from the example.
i did have to comment out the @WLHTTPTransport clause ( the error gives me the impression it is no longer supported )
For the client:
The generated port no longer takes just string for the wsdl url, so i don't pass in a url at all. i let it use the URL from the client gen process. I also hard coded a username/password i created.
any thoughts?
These examples don't mention anything about Secure Token Server ( although, i see it mentioned later down the page after other examples ). Do these examples require an STS be configured? or is that unrelated to my exception?
Thanks for the help!!!
Follow up:
i added the following ( which i think should take care of the STS part i was asking about):
61 String sts="https://TESTUESR0:7002/UsernameTokenPlainX509SignAndEncrypt/simpleSecureService";
62 requestContext.put(weblogic.wsee.jaxrpc.WLStub.WST_STS_ENDPOINT_ON_WSSC,sts);
but this made no difference.
Edited by: user733322 on Feb 17, 2012 7:38 AMDTC was running on remote computer. The problem was it was no longer accepting transactions from remote servers. This was in SSIS so I had to turn to "Transaction Supported" for all Data Flow Transactions.
Greg Hanson -
I am new to CORBA programming, I downloaded the code from
http://java.sun.com/j2se/1.3/docs/guide/idl/GShome.html
First start Name Service:
start tnameserv -ORBInitialPort 1050
then when I run the server:
start java HelloServer _ORBInitialPort 1050
I got error:
ERROR: org.omg.CORBA.COMM_FAILURE: minor code: 1398079490 completed: No
org.omg.CORBA.COMM_FAILURE: minor code: 1398079490 completed: No
at com.sun.corba.se.internal.iiop.IIOPConnection.writeLock(Unknown Sourc
e)
at com.sun.corba.se.internal.iiop.IIOPConnection.send(Unknown Source)
at com.sun.corba.se.internal.iiop.IIOPOutputStream.invoke(Unknown Source
at com.sun.corba.se.internal.iiop.ClientRequestImpl.invoke(Unknown Sourc
e)
at com.sun.corba.se.internal.corba.ClientDelegate.invoke(Unknown Source)
at com.sun.corba.se.internal.corba.InitialNamingClient.resolve(Unknown S
ource)
at com.sun.corba.se.internal.corba.InitialNamingClient.cachedInitialRefe
rences(Unknown Source)
at com.sun.corba.se.internal.corba.InitialNamingClient.resolve_initial_r
eferences(Unknown Source)
at com.sun.corba.se.internal.corba.ORB.resolve_initial_references(Unknow
n Source)
at HelloServer.main(HelloServer.java:30)
What's wrong with it?
Thank you very much for your time.Incase you still havent found out the answer you need to use the -ORBInitialPort 1050 instead of _OrbInitialPort 1050
-
Z61t - Integrity check for code area failed system halted
Saw the post for the T series which recommended to downgrade bios to 2.23.
Having this issue with the Z61ts since January 4, 2010.
-Docked and undocked
-With and without the network cable plugged in
-With and without peripherals plugged in
-Bios 2.26 and 2.27,
-SafeGuard Easy 4.3 and 4.5.2.
In some cases restoring the SafeguardEasy Kernel fixes the issue. In some cases the error reappears and either the kernel needs to be restored again, or the PC can just be rebooted. One case had 2 kernel restores, a reimage and a kernel restore.^ Same problem here.
How long it takes to create new fixed Bios-software.?
Moderator edit: Thinly disguised profanity removed. Please stick to the Community Rules. -
Repeated error from Intel integrated Graphics card in my brand-new B320
Hi
I am getting repeated errors from the Intel Integrated Graphics card (on the Intel i3 chip as I understand it) in my brand-new B320.
I checked via a tool from Intel that my drivers were up-to-date (version 15.22.1.2361).
I checked via Device Manager Update Drivers that my driver was up-to-date.
I attempted to uninstall and re-install my driver BUT the uninstall reverted me to a VGA Adapter (so my screen was then running in a low res 800x600 mode!) and I could not even then see the Intel Integrated Graphics card in Device Manager to be able to re-install the driver against (even if I ran scan for new hardware): I had to restore to a System Restore Point - so the problem has of course come back.
I have even had one error where the screen then went completely blank and nothing would bring it back: I had to power off the PC (Ouch!)
PLEASE advise how I rectify this incredibly frustrating problem step-by-step.hey johnestlea,
i was going through the download list of the B320 here : http://consumersupport.lenovo.com/us/en/DriversDownloads/drivers_list.aspx?CategoryID=156819
And could not find any driver with the version 15.22.1.2361 for the Intel Integrated Graphic Card. Where did you get that version ?
WW Social Media
Important Note: If you need help, post your question in the forum, and include your system type, model number and OS. Do not post your serial number.
Did someone help you today? Press the star on the left to thank them with a Kudo!
If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"!
Follow @LenovoForums on Twitter!
Have you checked out the Community Knowledgebase yet?!
How to send a private message? --> Check out this article. -
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players:(Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection whan trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
isco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on both
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unecapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior. -
Error while installing Adobe Reader "Did not pass integrity check"
When the download manager gets to about 80% this error pops up every time, I have tried clearing the temporary files, restarting my computer donwloading an older version but nothing works.
The entire message says:
"Adobe Reader":
"Adobe Reader":
The Download did not pass the integrity check (16291.304.428)
I have windows 7, 32 bit. Help please!Don't use the download manager; download the installer directly from http://ardownload.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/AdbeRdr1000_en_US.exe (English version 10.0 for Windows).
Use this link if you need another version http://get.adobe.com/reader/enterprise/ -
All,
I've published a new technote for folks who are having trouble with the Adobe Download Manager and Flash Player.
Error installing Flash Player "The download did not pass the integrity check (16236.304.443)
http://kb2.adobe.com/cps/512/cpsid_51258.html
Essentially this technote links to the Windows troubleshooting technote here:
http://www.adobe.com/go/tn_19166
However, before today the Windows troubleshooting technote only had an EXE install for the ActiveX version of Flash Player 10. I have now added a link to download the EXE version of the Flash Player Plugin installer as well.
Please point other users with integrity check errors to the first technote.Thank you for the update & Tech Note Announcement. I do have a couple of questions, if you could please respond.
After uninstalling and ready to download; reading from the link you provided on 9/4/09, Should we follow the normal download instructions
per #2. "Flash Player download Center" and if a successful installation is not accomplished, THEN, go to "download and unzip install_Flash_Player_10_Plugin (all other windows browsers) ? Or should the latter step be done in lieu of #2 mentioned. I am assuming the download from F.P. D.L. Center would be done first and then troubleshoot by running the EXE. version of the F.P. Plugin installer.
Experience has taught me not to assume much, and if you don't know, ask!
Thanks for your hard work, but you have to admit, for the technically deprived, it is frustrating and confusing.
Maybe you are looking for
-
I am seeking information on thermal cycle testing automation.
I am seeking information on thermal cycle testing automation. I am using Labview 7 to perform an 8 cycle thermal test with a performance test at -25C and 65C with an end-of-line test at the end of the 8 cycles. I am looking for a way to automate. I h
-
Dell 20.1 Inch UltraSharp LCD 2007FP Widescreen
I've found several postings that this will work with the MBP. I've got one on order. Does anyone have any recommendations for setting this up? I plan to use the DVI connection, laptop lid closed, BT mouse and keyboard. I did try this out at work usin
-
Airport needs to be told what to do
When I boot my G5 mac or my wife's ibook neither will automatically connect to the wireless network we always use (apple airport express network in our house). They have to be pointed to the network even though it is the only one listed in our prefer
-
Java.io.IOException: FRM-93000: Unexpected internal error.
Hi Exprerts, I have noticed the below errors in the application log file on my production instance. E Business Suit = R12.1.1 + 11.1.0.7 Application Log - /rsv/d02/inst/apps/PROD_oro/logs/ora/10.1.3/j2ee/forms/forms_default_group_1 13/02/21 13:36:44.
-
Podcast subscriptions screwy, exclamation mark, resubscribing doesn't work
I did a search on this first, but I didn't find anything. If you know it's already posted, please just direct me to that URL. I know how to deal with the exclamation mark regarding missing songs -- no problem there. But lately I've had some podcasts