Error Kerberos
Post Author: hqcire
CA Forum: Authentication
I'm running Windows Server 2003 + IIS 6.0 + Windows AD + SSO and I tried to use the Kerberos token, but I have these errors. I did these SETSPN commands:

SETSPN -A BOBJCentralMS/aaaa.dev.bbbb.qc.ca dev\user123
SETSPN -A BOBJCentralMS/ aaaa dev\user123
SETSPN -A HTTP/aaaa.dev.bbbb.qc.ca dev\user123

ERROR 1
A Kerberos Error Message was received: on logon session
Client Time:
Server Time: 15:23:8.0000 2/26/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DEV.bbbb.QC.CA
Server Name: host/aaaa.dev.bbbb.qc.ca
Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
Error Text:
File: 9
Line: ae0
Error Data is in record data.

ERROR 2
A Kerberos Error Message was received: on logon session
Client Time:
Server Time: 15:22:32.0000 2/26/2008 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: DEV.bbbb.QC.CA
Server Name: cccc.dev.bbbb.qc.ca
Target Name: cccc.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
Error Text:
File: 9
Line: ae0
Error Data is in record data.

ERROR 3
A Kerberos Error Message was received: on logon session
Client Time:
Server Time: 15:22:30.0000 2/26/2008 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: DEV.bbbb.QC.CA
Server Name: host/aaaa.dev.bbbb.qc.ca
Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
Error Text:
File: 9
Line: ae0
Error Data is in record data.

What is my problem?
Post Author: hqcire
CA Forum: Authentication
I used WFETCH to get more information. Here is what I have:
started....WWWConnect::Connect("placebo","443")
source port: 3055
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set
SEC_I_CONTINUE_NEEDED
REQUEST: **************
GET D:\SystProd\BOE\BusinessObjects Enterprise 11.5\Web Content HTTP/1.1
Host: placebo
Accept: /
Connection: Keep-Alive
Authorization: Kerberos [token removed]

RESPONSE: **************
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 28 Feb 2008 14:45:39 GMT
Connection: close
Content-Length: 20

<h1>Bad Request</h1>
WWWConnect::Close("placebo","443")
closed source port: 3055
finished.
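The three KRB-ERROR records in the post above (and the Event ID 3 entry quoted later on this page) carry the same fields, and the error code together with the NTSTATUS in "Extended Error" usually narrows the cause before any SPN work starts: 0x7 with 0xc0000035 is the duplicate-SPN signature, 0xd with 0xc00000bb is a delegation request the KDC refused, 0x34 is a reply too large for UDP. The Python below is an added example written for this page, not code from the thread or from BusinessObjects or Microsoft. It parses that event text in both layouts (the one-line Windows Server 2003 form and the one-field-per-line Event ID 3 form), decodes the codes, and checks an account-to-SPN table for duplicates and gaps the way setspn -X and setspn -Q would. The sample events copy the shapes quoted in the post; the SPN table, the DEV\svc-old duplicate and the DEV\AAAA$ computer account are constructed for the example.

```python
"""Triage "A Kerberos Error Message was received" events (Event ID 3).
Added example, not code from the thread: parses the KRB-ERROR fields the
Windows Kerberos client logs, decodes the error code and NTSTATUS extended
error, and checks an account -> SPN table for duplicates and gaps.
Samples are constructed from the shapes quoted in the thread."""
import re
from collections import defaultdict

# RFC 4120 KRB-ERROR codes seen in the thread and the first thing to check.
KRB_ERRORS = {
    0x07: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "no single account holds this SPN: setspn -Q <spn>, then setspn -X"),
    0x0d: ("KDC_ERR_BADOPTION", "KDC refused the ticket options; check delegation settings on the requester"),
    0x34: ("KRB_ERR_RESPONSE_TOO_BIG", "reply exceeded UDP size; client must retry over TCP (MaxPacketSize=1)"),
}
# NTSTATUS values Windows reports as "Extended Error" next to the code.
EXTENDED_ERRORS = {
    0xc0000035: "STATUS_OBJECT_NAME_COLLISION: the SPN is registered on more than one account",
    0xc00000bb: "STATUS_NOT_SUPPORTED: usually an S4U2Proxy request to a service the account may not delegate to",
}
LABELS = ["Client Time", "Server Time", "Error Code", "Extended Error", "Client Realm", "Client Name",
          "Server Realm", "Server Name", "Target Name", "Error Text", "File", "Line"]
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")
TRAILER = "Error Data is in record data."


def parse_fields(text):
    """label -> value; works for the one-line (Server 2003) and the one-field-per-line
    (Event ID 3) layouts, and keeps empty fields empty."""
    hits = list(LABEL_RE.finditer(text))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[hit.group(1)] = text[hit.end():end].replace(TRAILER, "").strip()
    return fields


def parse_krb_error(text):
    """Decode one event into numeric codes, names, SPN parts and hints."""
    f = parse_fields(text)
    code_tok, ext_tok = f.get("Error Code", "").split(), f.get("Extended Error", "").split()
    code = int(code_tok[0], 16) if code_tok else None
    extended = int(ext_tok[0], 16) if ext_tok else None
    server_name = f.get("Server Name", "")
    service_class, slash, host = server_name.partition("/")
    if not slash:                                  # bare host name, no service class
        service_class, host = "", server_name
    name, hint = KRB_ERRORS.get(code, ("UNKNOWN", "look the code up in RFC 4120"))
    return {"code": code, "code_name": name, "hint": hint, "extended": extended,
            "extended_hint": EXTENDED_ERRORS.get(extended, ""),
            "server_realm": f.get("Server Realm", ""), "server_name": server_name,
            "service_class": service_class, "host": host,
            # Windows prints a space before the @; normalise to principal syntax
            "target_name": re.sub(r"\s+@", "@", f.get("Target Name", ""))}


def spn_holders(registrations):
    """SPN (lower-cased, as the KDC matches them) -> set of accounts holding it."""
    holders = defaultdict(set)
    for account, spn in registrations:
        holders[spn.lower()].add(account)
    return holders


def duplicate_spns(registrations):
    """SPNs registered on more than one account (what setspn -X reports)."""
    return {spn: sorted(a) for spn, a in spn_holders(registrations).items() if len(a) > 1}


def triage(text, registrations):
    """Decode the event and list the accounts that hold the SPN the client asked for."""
    info = parse_krb_error(text)
    info["holders"] = sorted(spn_holders(registrations).get(info["server_name"].lower(), ()))
    return info


# Constructed samples: two errors from the first post as pasted (one-line form),
# plus one in the Event ID 3 layout carrying the duplicate-SPN extended error.
SAMPLE_EVENTS = [
    "A Kerberos Error Message was received: on logon session Client Time: "
    "Server Time: 15:23:8.0000 2/26/2008 Z Error Code: 0xd KDC_ERR_BADOPTION "
    "Extended Error: 0xc00000bb KLIN(0) Client Realm: Client Name: Server "
    "Realm: DEV.bbbb.QC.CA Server Name: host/aaaa.dev.bbbb.qc.ca Target Name: "
    "host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA Error Text: File: 9 Line: ae0 " + TRAILER,
    "A Kerberos Error Message was received: on logon session Client Time: "
    "Server Time: 15:22:32.0000 2/26/2008 Z Error Code: 0x7 "
    "KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: Client Realm: Client Name: "
    "Server Realm: DEV.bbbb.QC.CA Server Name: cccc.dev.bbbb.qc.ca Target "
    "Name: cccc.dev.bbbb.qc.ca @DEV.bbbb.QC.CA Error Text: File: 9 Line: ae0 " + TRAILER,
    "A Kerberos Error Message was received:\n on logon session\nClient Time: "
    "\nServer Time: 20:9:42.0000 9/16/2014 Z\nError Code: 0x7 "
    "KDC_ERR_S_PRINCIPAL_UNKNOWN\nExtended Error: 0xc0000035 KLIN(0)\n"
    "Client Realm: \nClient Name: \nServer Realm: XYZPORTAL.COM\nServer Name: "
    "HTTP/XYZWFE01.XYZPORTAL.COM\nTarget Name: HTTP/XYZWFE01.XYZPORTAL.COM"
    "@XYZPORTAL.COM\nError Text: \nFile: 9\nLine: f09\n" + TRAILER,
]
# Constructed account -> SPN table (what setspn -L would show per account); the
# svc-old entry is a deliberate stale duplicate of the HTTP SPN, differing only in case.
SAMPLE_SPNS = [
    ("DEV\\user123", "BOBJCentralMS/aaaa.dev.bbbb.qc.ca"),
    ("DEV\\user123", "BOBJCentralMS/aaaa"),
    ("DEV\\user123", "HTTP/aaaa.dev.bbbb.qc.ca"),
    ("DEV\\svc-old", "http/AAAA.dev.bbbb.qc.ca"),
    ("DEV\\AAAA$", "HOST/aaaa.dev.bbbb.qc.ca"),
]
```

Feed it the text of Event ID 3 records exported from the System log (or pasted from a post like the one above) and the output of setspn -L for the candidate accounts; an SPN that is absent from the table explains a 0x7, one that appears twice explains a 0x7 with extended error 0xc0000035, and a host/ target that resolves to the computer account while the service runs under a user account tells you which account the HTTP/ SPN should have been registered on.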
Similar Messages
-
Random 401 errors - Kerberos + Reporting Server
We have a portal with Reporting Server in SharePoint mode and deployed our reports to SharePoint. Reports run in integrated security mode, we configured Kerberos. (Reporting server configured as RSNegotiate, added SPNs, etc.)
Everything seems to be working fine.
However, if two users access the same RDL at the same time (just opening the RDL from the Document library), the second user can get a HTTP/401 from SharePoint, showing the default SP2010 error page with correlation ID and so on. No errors in the ULS log. Error disappears after refresh.
This error is always showing up when Kerberos was not configured correctly. In this case no error in ULS or event log.
If we configure Reporting Server as RSKerberos instead of RSNegotiate, we don't get a 401, but the report of the other user! So, user A has permissions on report X, opens it. At the same time user B without permissions opens report X and sees exactly the same as user A! So, this is a security hole if we configure it as RSNegotiate.
No proxy server is used. We changed EnableAuthPersistence to FALSE, just in case.
Can anyone point me in the direction where to look? The user credentials / Kerberos ticket seem to be cached by SharePoint.

Hi Stacy, thanks for your reply.
I tried all different combinations of those settings, but nothing solves the problem. The fact that I am able to see anyone else's reports is a big security hole, no matter how I configure it, right?
If I configure RSWindowsExtendedProtectionScenario to Direct, I get HTTP/401 all the time. Any other setting changes nothing, still one HTTP/401 when 2 users access a report at the same time (AuthenticationType = RSNegotiate) or 2 users see each other's report (AuthenticationType = RSKerberos).
It seems indeed something gets cached, but I have no idea how to fix it. Do you, or anyone else, know where to look now? -
Kerberos-no-logon-server in fim 2010
Hi,
When we run the Export run profile of the ADMA Management Agent we get the following error:
kerberos-no-logon-server
and all users provisioned in the AD OU are in disabled mode, and provisioning also takes more time.
Please provide any solution.
Regards
Anil Kumar

Yes I do - if the fqdn idea still doesn't fix your problem, turn off the Exchange provisioning features of the AD MA and run a post-export PowerShell script to manage your mailboxes. This is the approach we mostly take here @ UNIFY whereby the PowerShell script is executed by FIM Event Broker - mainly to overcome problems like this.
Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM -
Run Profile Deletion and Speeding up portal access
Hi,
My FIM 2010 R2 architecture uses 4 servers as follows:
1 x fim server, 1 x fim sql DB (fim service DB), 1 x sync server + fim SQL DB and 1 x SSPR
I have a PowerShell sync scripts running every 5 minutes which take fim portal changes and export those changes to AD.
I've created some PowerShell scripts for removing old run profiles, but am not sure how many run profiles to keep? Reading online I came across one blog post which mentions that MS recommend no more than 10,000 run profile history entries - about 4 days' worth (although I can't find official MS recommendations).
I'm assuming it's OK, but are there any issues with one script running a run profile at the same time as another script which deletes older run profiles?
On a side note, if anyone has any tips for speeding up fim portal access I'd be glad to hear them - each page in my environment takes about 30 seconds to load, regardless of the number of users connected.
thanks in advance
IT Support/Everything

"On a side note, if anyone has any tips for speeding up fim portal access I'd be glad to hear them - each page in my environment takes about 30 seconds to load, regardless of the number of users connected."
If every page load of the FIM Portal is taking 30 seconds, something is broken in your environment. I get better performance than that running an entire test FIM configuration in virtualized machines on my laptop (AD, Exchange, FIM Portal/Service/Sync, etc.)
When you first start up the environment and bring up a given page the first time, it can take some time, but once you get to steady state, you should not be seeing delays like that.
Any chance you have an authentication configuration error (Kerberos settings, SPN assignment, DNS settings, etc.) that is causing authentication to time out on each page load?
During that 30 second delay, are any of your servers pegged on CPU or IO?
If this is a virtual environment or if you are using SAN based disk, do you have enough IOPS allocated? -
I'm trying to use kerberos V5 with ActiveDirectory but get an error
I'm trying to use Kerberos V5 with Active Directory. I'm using simple code from previous posts, but
when I try with the correct username/password I get:
Authentication attempt failedjavax.security.auth.login.LoginException: Message stream modified (41)
when i try incorrect username/pass i get :
Pre-authentication information was invalid (24)
Debug info is :
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos username [naiden]: naiden
Kerberos password for naiden: naiden
[Krb5LoginModule] user entered username: naiden
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Authentication attempt failedjavax.security.auth.login.LoginException:

Java code is:
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;

/*
 * Demonstrates how to create an initial context to an LDAP server
 * using "GSSAPI" SASL authentication (Kerberos v5).
 * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
 * compliant implementation of J-GSS and a Kerberos v5 implementation.
 *
 * Jaas.conf
 * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
 *
 * 'qop' is a comma separated list of tokens, each of which is one of
 * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
 */
class KerberosExample {
    public static void main(String[] args) {
        java.util.Properties p = new java.util.Properties(System.getProperties());
        p.setProperty("java.security.krb5.realm", "ISY");
        p.setProperty("java.security.krb5.kdc", "192.168.0.101");
        p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        System.setProperties(p);

        // 1. Log in (to Kerberos)
        LoginContext lc = null;
        try {
            lc = new LoginContext("ISY", new TextCallbackHandler());
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed" + le);
            System.exit(-1);
        }

        // 2. Perform JNDI work as logged in subject
        Subject.doAs(lc.getSubject(), new LDAPAction(args));
    }
}

/*
 * 3. Perform LDAP Action
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class LDAPAction implements java.security.PrivilegedAction<Object> {
    private final String[] args;
    private static final String sUserAccount = "Administrator";

    public LDAPAction(String[] origArgs) {
        this.args = origArgs.clone();
    }

    public Object run() {
        performLDAPOperation(args);
        return null;
    }

    private static void performLDAPOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389/DC=isy,DC=local");
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.server.authentication", "true");
        try {
            /* Create initial context */
            DirContext ctx = new InitialDirContext(env);
            /* Get the attributes requested */
            Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",CN=Users,DC=isy,DC=local");
            NamingEnumeration<? extends Attribute> enumUserInfo = aAnswer.getAll();
            while (enumUserInfo.hasMoreElements()) {
                System.out.println(enumUserInfo.nextElement().toString());
            }
            // Close the context when we're done
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}

JAAS conf file is:
ISY {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true;
};

krb5.ini file is:
# Kerberos 5 Configuration File
# All available options are specified in the Kerberos System Administrator's Guide. Very
# few are used here.
# Determines which Kerberos realm a machine should be in, given its domain name. This is
# especially important when obtaining AFS tokens - in afsdcell.ini in the Windows directory
# there should be an entry for your AFS cell name, followed by a list of IP addresses, and,
# after a # symbol, the name of the server corresponding to each IP address.
[libdefaults]
default_realm = ISY
[domain_realm]
.isy.local = ISY
isy.local = ISY
# Specifies all the server information for each realm.
[realms]
ISY = {
    kdc = 192.168.0.101
    admin_server = 192.168.0.101
    default_domain = ISY
}

Now it works.
I will try to explain how I did this:
step 1)
follow this guide http://www.cit.cornell.edu/computer/system/win2000/kerberos/
and configure AD to use Kerberos and to have a Kerberos REALM
step 2) try a Windows login to the new realm to be sure that it works. Add a trusted realm if needed.
step 3) create a jaas.conf file, for example in c:\
it looks like this:
ISY {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true;
};
step 4)
(don't forget to make the mappings which are explained in step 1) go to Active Directory Users, make sure Advanced Features is checked in the View menu, right-click on the user, go to Mappings, and in the second tab (Kerberos mapping) add USERNAME@KERBEROSREALM, for example [email protected]
step 5)
copy+paste this code and HIT RUN :)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class Main {
    public static void main(String[] args) {
        java.util.Properties p = new java.util.Properties(System.getProperties());
        p.setProperty("java.security.krb5.realm", "ISY.LOCAL");
        p.setProperty("java.security.krb5.kdc", "192.168.0.101");
        p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        System.setProperties(p);

        // 1. Log in (to Kerberos)
        LoginContext lc = null;
        try {
            lc = new LoginContext("ISY", new TextCallbackHandler());
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed" + le);
            System.exit(-1);
        }

        // 2. Perform JNDI work as logged in subject
        Subject.doAs(lc.getSubject(), new LDAPAction(args));
    }
}

/*
 * 3. Perform LDAP Action
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class LDAPAction implements java.security.PrivilegedAction<Object> {
    private final String[] args;

    public LDAPAction(String[] origArgs) {
        this.args = origArgs.clone();
    }

    public Object run() {
        performLDAPOperation(args);
        return null;
    }

    private static void performLDAPOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389");
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // env.put("javax.security.sasl.server.authentication", "true");
        try {
            /* Create initial context */
            DirContext ctx = new InitialDirContext(env);

            // Create the search controls
            SearchControls searchCtls = new SearchControls();
            // Specify the attributes to return
            String[] returnedAtts = {"sn", "givenName", "mail"};
            searchCtls.setReturningAttributes(returnedAtts);
            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Specify the LDAP search filter
            String searchFilter = "(&(objectClass=user)(mail=*))";
            // Specify the base for the search
            String searchBase = "DC=isy,DC=local";
            // Initialize counter to total the results
            int totalResults = 0;

            // Search for objects using the filter
            NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
            // Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = answer.next();
                totalResults++;
                System.out.println(">>>" + sr.getName());
                // Print out some of the attributes, catch the exception if the attributes have no values
                Attributes attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        System.out.println(" surname: " + attrs.get("sn").get());
                        System.out.println(" firstname: " + attrs.get("givenName").get());
                        System.out.println(" mail: " + attrs.get("mail").get());
                    } catch (NullPointerException e) {
                        System.err.println("Error listing attributes: " + e);
                    }
                }
            }
            System.out.println("RABOTIII");
            System.out.println("Total results: " + totalResults);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}

It will ask for a username and password.
Type for example: [email protected] for the username
and password: TheSecretPassword
where ISY.LOCAL is the name of the Kerberos realm.
P.S. it is not a good idea to use Administrator as the login :)
Edited by: JOKe on Sep 14, 2007 2:23 PM -
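The fix in the post above came down to the realm name: the first krb5.ini and Java properties used ISY, while the working version uses ISY.LOCAL, which for an Active Directory domain is always the DNS domain name in upper case. The Python below is an added example written for this page, not the poster's code and not part of the JDK. It parses a krb5.conf/krb5.ini in the INI-with-braces format, resolves a host name to a realm with the [domain_realm] rules (exact host first, then parent domains with a leading dot, then default_realm), returns the configured kdc for a realm, and flags a default_realm with no [realms] stanza plus, for AD, any [domain_realm] entry whose realm is not the upper-cased DNS domain. Both sample files are constructed: the first mirrors the posted krb5.ini including its commented-out [realms] header, the second is the corrected form. The missing-[realms] rule is general krb5 hygiene, not something the post states.

```python
"""Resolve host -> Kerberos realm from krb5.conf / krb5.ini and sanity-check it
against an Active Directory domain. Added example, not code from the post."""


def parse_krb5(text):
    """Return {section: {key: value or {nested block}}}; '#' starts a comment."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif not stack:
            raise ValueError(f"key outside any section: {line!r}")
        elif line == "}":
            if len(stack) > 1:                # close a "REALM = {" block
                stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":                  # e.g. "ISY.LOCAL = {"
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections


def resolve_realm(config, hostname):
    """[domain_realm] lookup: exact host, then .parent domains, then default_realm."""
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in config.get("domain_realm", {}).items()}
    if host in mapping:                       # entry without a leading dot: this host only
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):           # .isy.local, then .local, ...
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return config.get("libdefaults", {}).get("default_realm")


def kdc_for(config, realm):
    """KDC configured for a realm, or None (the JDK then needs java.security.krb5.kdc or DNS)."""
    return config.get("realms", {}).get(realm, {}).get("kdc")


def check_config(config):
    """Findings for the mistakes that keep a JAAS/JNDI login from reaching AD."""
    findings = []
    default_realm = config.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in config.get("realms", {}):
        findings.append(f"default_realm {default_realm} has no [realms] stanza, so no kdc is known for it")
    for domain, realm in config.get("domain_realm", {}).items():
        expected = domain.lstrip(".").upper()   # an AD realm is the DNS domain in upper case
        if realm != expected:
            findings.append(f"[domain_realm] {domain} -> {realm!r}; an AD realm is the "
                            f"upper-cased DNS name, here {expected}")
    return findings


# Constructed sample mirroring the posted krb5.ini: with "[realms]" commented out,
# the kdc lines fall into [domain_realm] and the realm name lacks ".LOCAL".
POSTED_KRB5_INI = """\
[libdefaults]
default_realm = ISY
[domain_realm]
.isy.local = ISY
isy.local = ISY
#[realms]
ISY=
kdc = 192.168.0.101
admin_server = 192.168.0.101
default_domain = ISY
}
"""

# Constructed corrected form: realm named after the DNS domain, [realms] present.
FIXED_KRB5_INI = """\
[libdefaults]
default_realm = ISY.LOCAL
[domain_realm]
.isy.local = ISY.LOCAL
isy.local = ISY.LOCAL
[realms]
ISY.LOCAL = {
    kdc = 192.168.0.101
    admin_server = 192.168.0.101
}
"""
```

Run check_config() on a file before pointing java.security.krb5.conf at it; every finding here corresponds to a login that would fail in Krb5LoginModule with an error that names neither the realm nor the file, which is what made the thread's "Message stream modified (41)" so hard to read.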
Error while integrating with Kerberos and AD
Hi,
Implementing Kerberos as the Desktop Single Signon Solution
Environment : Peoplesoft
OS : Redhat Linux
webserver: Weblogic 10.3.4
appserver : tuxedo 10gr3
While doing this implementation I was able to complete it successfully with the JDK Linux provides (1.6.0_22). However, WebLogic comes preconfigured with the JRockit JDK version 1.6.0_24-R28.1.3-4.0.1. When I start WebLogic with the JRockit JDK as JAVA_HOME I get the following error.
<Error> <HTTP> <BEA-101165> <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:334)
at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:332)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.FilterManager.loadFilter(FilterManager.java:98)
at weblogic.servlet.internal.FilterManager.preloadFilters(FilterManager.java:59)
at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1878)
at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1508)
at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:485)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:201)
at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:637)
at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:205)
at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:52)
at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:31)
at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:170)
at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:124)
at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:181)
at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:97)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
These are my runtime parameters:
java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
The files krb5.conf and krbLogin.conf exists and have full access.
With the error above it seems that it is not able to pick the configuration file. But just by changing the JAVA_HOME to /usr/java/jdk1.6_022 it starts working.
I have raised this concern with Oracle almost a month before, but still haven't got any reply from them.
Please help.
Thanks and Regards
Anirudha Singh

Hi Faisal,
Thanks for your reply.
Yes I have given the complete path too.
This is the full command line of the WebLogic server. I had modified it to test whether it is trying to pick the file up from a default location.
java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
The file is located in /etc folder and has 777 permissions.
Thanks and Regards
Anirudha Singh -
Data connection error to analysis services via unattended account after configure kerberos
Hi, I set up a connection to SSAS from Dashboard Designer using the Unattended Account, and everything was fine. Then I started to configure the connection with Kerberos using Per-user Identity authentication, and after a long customization it started to work. But at the same time Unattended Account authentication stopped working.
From dashboard designer I got error:
PerformancePoint Services was unable to connect to "dbserver\instance". Verify that the server name is correct and that the Unattended Service Account has permission to connect to the server.
Additional details have been logged for the administrator.
And in SharePoint server in application log:
The Unattended Service Account "dom\unaccount" does not have access to the following data source server.
Data source location: http://testit/sites/adrian/Data Connections Library for PP/35_.000
Data source name: New Data Source
Server name: dbserver\instance
Exception details:
Microsoft.AnalysisServices.AdomdClient.AdomdConnectionException: Authentication failed. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
at Microsoft.AnalysisServices.AdomdClient.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean& handshakeComplete)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Authenticate(ConnectionInfo connectionInfo, DateTime startTime)
--- End of inner exception stack trace ---
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Authenticate(ConnectionInfo connectionInfo, DateTime startTime)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.OpenTcpConnection(ConnectionInfo connectionInfo)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Connect(ConnectionInfo connectionInfo, Boolean beginSession)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.GetInstancePort(ConnectionInfo connectionInfo)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.GetTcpClient(ConnectionInfo connectionInfo)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.OpenTcpConnection(ConnectionInfo connectionInfo)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Connect(ConnectionInfo connectionInfo, Boolean beginSession)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.XmlaClientProvider.Connect(Boolean toIXMLA)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.ConnectToXMLA(Boolean createSession, Boolean isHTTP)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.Open()
at Microsoft.PerformancePoint.Scorecards.DataSourceProviders.AdomdConnectionPool`1.<>c__DisplayClass4.<GetConnection>b__2()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
at Microsoft.PerformancePoint.Scorecards.DataSourceProviders.AdomdConnectionPool`1.GetConnection(String connectionString, ConnectionContext connectionCtx, String effectiveUserName, CultureInfo culture, NewConnectionHandler newConnectionHandler,
TestConnectionHandler testConnectionHandler, String targetAppId)

Hi Adrian,
Sorry for misunderstanding and thanks for the additional information.
As I searched, there are tips for your situation:
1. One of the great new features of PerformancePoint Services is that you can now select different authentication options for each data source you create rather than having to decide on one authentication model to use for each web application.
2. If SharePoint is configured in standalone mode, Per-user Identity authentication is only supported if the data source and the application server are located on the same machine. Kerberos constrained delegation is required to connect to a data source located on a separate machine from the application server in a farm deployment.
3. Per-user Identity is only supported with Windows credentials; neither anonymous nor forms login is supported.
For more information:
http://blogs.msdn.com/b/performancepoint/archive/2010/05/06/data-source-authentication-in-performancepoint-services-for-sharepoint-2010.aspx
http://blogs.technet.com/b/tothesharepoint/archive/2010/06/23/performancepoint-services-troubleshooting.aspx
Regards,
Rebecca Tu
TechNet Community Support -
I have two forests with a transitive one-way trust between them: PROD -> TEST (TEST trusts PROD). I had previously had Kerberos authentication working with WinRM from PROD to machines in TEST. I have verified the trust is healthy; I also verified users in TEST can use WinRM with Kerberos just fine. Users from PROD cannot connect via Kerberos to machines in TEST with WinRM.
I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent kerberos from happening. I even tried disabling the firewall entirely on my TEST dcs
but that didn't gain me anything.
I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
PowerShell Error:
Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (:) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionStateBroken
winrs Error:
Winrs error:
WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config.

Hi Adam,
I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
WSMAN/<NetBIOS name>
WSMAN/<FQDN>
If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I just replied to your other WinRM post with steps for checking the latter, so I won't repeat myself here.
If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication, which has to do with how the trust was defined. You can have a read of this to learn a bit more about selective trusts and whether or not it's affecting you.
Cheers,
Lain -
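The two checks in the reply above (are the WSMAN SPNs on the destination computer object, and is the listener port reachable) as an added example; this is not code from the thread. The registered SPN list is constructed sample data standing in for the output of setspn -L or the computer object's servicePrincipalName attribute, and the host names are hypothetical.

```python
"""Added example (not from the thread): the WSMAN SPN and port checks from the reply.

SAMPLE_REGISTERED is constructed data; in practice it comes from
"setspn -L <computer>" or the computer object's servicePrincipalName attribute.
"""
from __future__ import annotations

import socket

WINRM_HTTP_PORT = 5985  # default WinRM HTTP listener; change if the listener was moved


def normalize_spn(spn: str) -> str:
    # Active Directory matches SPNs case-insensitively, so compare lower-cased.
    return spn.strip().lower()


def expected_wsman_spns(netbios_name: str, fqdn: str) -> set[str]:
    """The two SPNs the reply says must exist on the destination computer object."""
    return {f"WSMAN/{netbios_name}", f"WSMAN/{fqdn}"}


def missing_spns(expected, registered) -> set[str]:
    """Return the expected SPNs that are absent from the registered list."""
    have = {normalize_spn(s) for s in registered}
    return {s for s in expected if normalize_spn(s) not in have}


def port_reachable(host: str, port: int = WINRM_HTTP_PORT, timeout: float = 3.0) -> bool:
    """The 'can you telnet to 5985' check as a plain TCP connect with a timeout.
    A failure here is a firewall or listener problem, not a Kerberos/SPN problem."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: a member server whose NetBIOS-form WSMAN SPN is missing.
SAMPLE_REGISTERED = [
    "HOST/APP01",
    "HOST/app01.corp.example.com",
    "WSMAN/app01.corp.example.com",
    "TERMSRV/app01.corp.example.com",
]


def sample_report() -> set[str]:
    expected = expected_wsman_spns("APP01", "app01.corp.example.com")
    return missing_spns(expected, SAMPLE_REGISTERED)


if __name__ == "__main__":
    print("missing WSMAN SPNs:", sample_report())
    print("port 5985 reachable:", port_reachable("app01.corp.example.com"))
```

missing_spns is generic, so the same call checks any SPN list against any expectation (an HTTP/ alias SPN, for instance); only the expected set changes.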
A Kerberos Error Message was received: on logon session
Hi, I am getting this error in Event Viewer on a client machine from which PowerShell scripts collect data from our SharePoint servers.
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 9/16/2014 11:09:42 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: PortalHealthChe.XYZportal.com
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 20:9:42.0000 9/16/2014 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: XYZPORTAL.COM
Server Name: HTTP/XYZWFE01.XYZPORTAL.COM
Target Name: HTTP/XYZWFE01.XYZPORTAL.COM@XYZPORTAL.COM
Error Text:
File: 9
Line: f09
Error Data is in record data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
<EventID Qualifiers="32768">3</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-16T20:09:42.000000000Z" />
<EventRecordID>5466</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>PortalHealthChe.XYZportal.com</Computer>
<Security />
</System>
<EventData>
<Data Name="LogonSession">
</Data>
<Data Name="ClientTime">
</Data>
<Data Name="ServerTime">20:9:42.0000 9/16/2014 Z</Data>
<Data Name="ErrorCode">0x7</Data>
<Data Name="ErrorMessage"> KDC_ERR_S_PRINCIPAL_UNKNOWN</Data>
<Data Name="ExtendedError">0xc0000035 KLIN(0)</Data>
<Data Name="ClientRealm">
</Data>
<Data Name="ClientName">
</Data>
<Data Name="ServerRealm">XYZPORTAL.COM</Data>
<Data Name="ServerName">HTTP/XYZWFE01.XYZPORTAL.COM</Data>
<Data Name="TargetName">HTTP/XYZWFE01.XYZPORTAL.COM@XYZPORTAL.COM</Data>
<Data Name="ErrorText">
</Data>
<Data Name="File">9</Data>
<Data Name="Line">f09</Data>
<Binary>3015A103020103A20E040C350000C00000000001000000</Binary>
</EventData>
</Event>
adil -
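The event above carries its machine-readable detail in the <Binary> element, and decoding it is how you confirm what the text fields summarize. The decoder below is an added example, not code from the post: it parses the DER-encoded KERB-ERROR-DATA (SEQUENCE of [1] data-type INTEGER and [2] data-value OCTET STRING) and, for data-type 3, the KERB-EXT-ERROR triple of little-endian DWORDs (status, reserved, flags) as defined in MS-KILE. SAMPLE_BLOB is the value from the event; the error-name tables are short and deliberately incomplete. The status it recovers, 0xC0000035 (STATUS_OBJECT_NAME_COLLISION), is the NTSTATUS a Windows KDC attaches to KDC_ERR_S_PRINCIPAL_UNKNOWN when the requested SPN matches more than one account, which is why the duplicate-SPN check (setspn -X) is the usual next step for this pairing.

```python
"""Added example (not from the post): decode the <Binary> blob of a
Microsoft-Windows-Security-Kerberos event 3 record.

Layout (MS-KILE): KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER,
data-value [2] OCTET STRING }; for data-type 3 the value is KERB-EXT-ERROR,
three little-endian DWORDs: status, reserved, flags.
"""
import struct

KRB_ERROR_NAMES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0D: "KDC_ERR_BADOPTION",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
    0x34: "KRB_ERR_RESPONSE_TOO_BIG",
    0x44: "KDC_ERR_WRONG_REALM",
}
NTSTATUS_NAMES = {
    0xC0000035: "STATUS_OBJECT_NAME_COLLISION",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000BB: "STATUS_NOT_SUPPORTED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
KERB_ERR_TYPE_EXTENDED = 3

SAMPLE_BLOB = "3015A103020103A20E040C350000C00000000001000000"  # from the event above


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value; returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_kerb_error_data(hexblob: str) -> dict:
    data = bytes.fromhex(hexblob)
    tag, seq, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("KERB-ERROR-DATA must start with a SEQUENCE")
    out = {"data_type": None, "data_value": b""}
    pos = 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        if tag == 0xA1:                     # [1] data-type, wraps an INTEGER
            _, inner, _ = _tlv(val, 0)
            out["data_type"] = int.from_bytes(inner, "big", signed=True)
        elif tag == 0xA2:                   # [2] data-value, wraps an OCTET STRING
            _, inner, _ = _tlv(val, 0)
            out["data_value"] = inner
    if out["data_type"] == KERB_ERR_TYPE_EXTENDED and len(out["data_value"]) == 12:
        status, reserved, flags = struct.unpack("<III", out["data_value"])
        out.update(status=status, reserved=reserved, flags=flags,
                   status_name=NTSTATUS_NAMES.get(status, "unknown"))
    return out


def describe_event(error_code: int, hexblob: str) -> str:
    """One-line summary in the style of the event text."""
    d = decode_kerb_error_data(hexblob)
    s = f"{error_code:#x} {KRB_ERROR_NAMES.get(error_code, 'unknown')}"
    if "status" in d:
        # The event text renders the middle DWORD as KLIN(n); it is 0 in this record.
        s += f"; extended {d['status']:#010x} {d['status_name']} KLIN({d['reserved']})"
    return s


if __name__ == "__main__":
    print(describe_event(0x7, SAMPLE_BLOB))
```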
Kerberos error when using a DNS name that doesn't match the Active Directory domain name
I am running into a weird issue with a new SQL Reporting Services server I built. I installed SQL Reporting 2014 on Windows Server 2012 R2 and configured Kerberos, but the site is extremely slow. After some reconfiguration and log captures I have determined the issue has to do with the Kerberos setup, but it is an exact replica of a Windows Server 2008 R2 server we currently have and it does not have these issues.
The error I see while using Wireshark is KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH.
When I drill down into the error I can see the Kerberos string is testprjmnmtreports14.company.com, which is the URL we are using to access the site. I made sure to add that name as an SPN for the service account that is running SQL Reporting Services, however I still receive the error.
Then I tried configuring the site to run without a host header, so I accessed the site with the server name ECTSTSQLRS5 and the site works perfectly fine; no errors are reported either. So it seems I have isolated the issue down to Kerberos but I am not sure how to resolve it. Here is some more information about my environment:
DNS/URL used: testprjmnmtreports14.company.com
Server Name (FQDN): ECTSTSQLRS5.company.int
AD Domain Name: company.int
Server Version: Windows Server 2012 R2
AD Functional Level: 2008 R2
I also have the following SPNs set for my SQL service account:
http/testprjmngmtreports14.company.com
http/testprjmngmtreports14
http/ECTSTSQLRS5.COMPANY.INT
http/ECTSTSQLRS5
As you can see I am trying to use a .com address but my AD domain is .int which I think is the issue, but I do not have the same problem on my other server that is running Windows Server 2008 R2.
Has anyone seen this issue before? What do I need to do to allow my new site on 2012 R2 to work with this DNS alias?
Thanks,
Brandon

Hi
Quote from there: Kerberos errors in network captures
The most common scenario is a request for a delegated ticket (unconstrained or constrained delegation). You will typically see this on the middle-tier server trying to access a back-end server. There are several reasons for rejection:
1. The service account is not trusted for delegation
2. The service account is not trusted for delegation to the SPN requested
3. The user’s account is marked as sensitive
4. The request was for a constrained delegation ticket to itself (constrained delegation is designed to allow a middle tier service to request a ticket to a back end service on behalf of another user, not on behalf of itself).
Regards, Philippe
Don't forget to mark as answer or vote as helpful to help identify good information. (LinkedIn endorsement never hurt too :o) )
Answer an interesting question? Create a wiki article about it! -
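The four rejection reasons quoted in the reply above map onto concrete account attributes, and the check below (an added example, not code from the thread) evaluates them against an account pair and a target SPN. The accounts are constructed dicts keyed by the LDAP attribute names userAccountControl, msDS-AllowedToDelegateTo and servicePrincipalName; the account and host names are hypothetical, and in a live check the values would come from Get-ADUser with those properties. The userAccountControl bit values are the documented ADS_USER_FLAG values.

```python
"""Added example (not from the thread): evaluate the four KDC delegation
rejection reasons against constructed account data."""
# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (constrained, any protocol)


def _lower_set(values):
    return {v.lower() for v in values}


def delegation_rejection_reasons(service: dict, user: dict, target_spn: str) -> list:
    """Return the reasons (numbered as in the quoted list) a KDC would refuse
    a delegated ticket requested by `service` on behalf of `user` to `target_spn`.
    An empty list means none of the four conditions applies."""
    reasons = []
    uac = service.get("userAccountControl", 0)
    allowed_to = _lower_set(service.get("msDS-AllowedToDelegateTo", []))
    own_spns = _lower_set(service.get("servicePrincipalName", []))
    target = target_spn.lower()
    unconstrained = bool(uac & UF_TRUSTED_FOR_DELEGATION)

    if not unconstrained and not allowed_to:
        reasons.append("1: service account is not trusted for delegation")
    elif not unconstrained and target not in allowed_to:
        reasons.append(f"2: service account is not trusted for delegation to {target_spn}")
    if user.get("userAccountControl", 0) & UF_NOT_DELEGATED:
        reasons.append("3: user account is marked sensitive and cannot be delegated")
    if not unconstrained and target in own_spns:
        reasons.append("4: constrained delegation ticket requested to the service's own SPN")
    return reasons


# Constructed accounts with hypothetical names.
SVC_REPORTS = {
    "sAMAccountName": "svc_reports",
    "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "servicePrincipalName": ["http/reports.company.com", "http/RPT01.company.int"],
    "msDS-AllowedToDelegateTo": ["MSSQLSvc/sqlbe01.company.int:1433"],
}
SVC_NO_DELEGATION = dict(SVC_REPORTS, **{"msDS-AllowedToDelegateTo": []})
USER_ALICE = {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT}
USER_DOMAIN_ADMIN = {"sAMAccountName": "da_bob",
                     "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED}

if __name__ == "__main__":
    cases = [
        (SVC_REPORTS, USER_ALICE, "MSSQLSvc/sqlbe01.company.int:1433"),
        (SVC_REPORTS, USER_ALICE, "MSSQLSvc/sqlbe02.company.int:1433"),
        (SVC_REPORTS, USER_DOMAIN_ADMIN, "MSSQLSvc/sqlbe01.company.int:1433"),
        (SVC_NO_DELEGATION, USER_ALICE, "MSSQLSvc/sqlbe01.company.int:1433"),
        (SVC_REPORTS, USER_ALICE, "http/reports.company.com"),
    ]
    for svc, usr, spn in cases:
        print(svc["sAMAccountName"], usr["sAMAccountName"], spn, "->",
              delegation_rejection_reasons(svc, usr, spn) or ["ok"])
```

The last case is the "ticket to itself" pattern: the target is one of the middle tier's own SPNs, so reason 4 fires alongside reason 2 unless the account is unconstrained.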
Hi!
We have 5 Exchange 2013 servers and when I'm trying to run a script that includes the cmdlet Get-MessageTrackingLog with StartDate = the first of the month and EndDate = the end of the month I get the following error message after a couple of hours. The script is run on the server SERVER01 and goes through the Message Tracking logs of all Exchange servers. I have tried the script on other servers and get the same result.
Processing data for a remote command failed with the following error message: Error occurred during the Kerberos reponse.
[Server=SERVER01, TimeStamp = 918/2014 19:32:34]
For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OperationStopped: (server01.domain.com:String) [], PSRemotingTransportException
+ FullyQualifiedErrorId : JobFailure
+ PSComputerName : server01.domain.com
I have gone through “about_Remote_Troubleshooting Help topic”, but can’t find anything related to my issue. There is nothing in the Application or the Windows PowerShell log either.
/Henrik

Hi Henado
Check the time on your Exchange server(s) relative to the DCs and ensure they are in sync.
Use another account which is assigned the Organization Management permission, log on to the server, run the command in the shell and see the results.
Run
Add-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010
Set-AdServerSettings -ViewEntireForest $True
and then run the message tracking command and see the results.
If none of the above helps, you may need to remove and re-install WinRM and see the results.
Good Luck :)
Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Check out my latest blog posts on http://exchangequery.com -
I've been noticing The Error with event ID 11 popping up a lot on our domain controllers:
The KDC encountered duplicate names while processing a Kerberos authentication request.
When running setspn -X it says that it found 111 groups of duplicate SPNs. However, when going through the list, it references domain service accounts that are used to run our SQL Server services. We have about 50 remote locations and each of them has 3 machines participating in a SQL mirror (principal, mirror, witness), and they all run the SQL Server service under the same account (1 account per location).
We haven't experienced any issues at all but I was wondering if this could cause problems or if we are straying from best practice. Any advice is welcome. Thanks!

I believe what you should do to follow best practice is to provide unique SPNs for each SQL server, which will also provide increased security. To do that you must create an individual service account for each SQL server so it can associate that account with that server's SPN.
Here's more on it to help guide you. Read Paul's comments, as well as other suggestions in the following thread:
event ID 11 There are multiple accounts with name MSSQLSvc/xxxxxx
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df35316-23ba-48ba-aa3e-2249fcbfecbc/event-id-11-there-are-multiple-accounts-with-name-mssqlsvcxxxxxx?forum=winserverDS
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights. -
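What setspn -X and KDC event ID 11 actually flag is the same SPN string registered on two or more accounts; one account holding SPNs for several hosts, the pattern described in the question, is not a duplicate by itself. The script below is an added example, not code from the thread: it takes an account-to-SPN inventory (constructed here, with hypothetical names; a live one comes from setspn -L per account or from Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName) and reports both the true duplicates and how many hosts each account's key covers, which is the security cost the reply's recommendation of one account per server removes.

```python
"""Added example (not from the thread): find SPNs registered on more than one
account (what setspn -X reports and the KDC logs as event ID 11), and show
how many hosts share one service account's key."""
from collections import defaultdict


def parse_spn(spn: str):
    """Split 'class/host[:port][/name]' into (class, host, port, name), lower-cased."""
    svc, _, rest = spn.partition("/")
    hostport, _, name = rest.partition("/")
    host, _, port = hostport.partition(":")
    return svc.lower(), host.lower(), port, name.lower()


def duplicate_spns(inventory: dict) -> dict:
    """SPN -> sorted accounts, for every SPN held by two or more accounts.
    Comparison is case-insensitive, as AD's own check is."""
    owners = defaultdict(set)
    for account, spns in inventory.items():
        for spn in spns:
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


def hosts_per_account(inventory: dict, service_class: str = "MSSQLSvc") -> dict:
    """Distinct hosts each account serves for a service class. Several hosts on
    one account is not a duplicate SPN, but one compromised key (or one
    cracked Kerberoast hash) then covers every host that shares it."""
    result = {}
    for account, spns in inventory.items():
        parsed = [parse_spn(s) for s in spns]
        hosts = {host for svc, host, _, _ in parsed if svc == service_class.lower()}
        if hosts:
            result[account] = len(hosts)
    return result


# Constructed inventory in the shape of the question: one account per location
# holding the MSSQLSvc SPNs of all three mirror members, plus a computer account
# that still carries an SPN the service account also holds.
INVENTORY = {
    "CORP\\svc_sql_site01": [
        "MSSQLSvc/sql01a.corp.example.com:1433",   # principal
        "MSSQLSvc/sql01b.corp.example.com:1433",   # mirror
        "MSSQLSvc/sql01w.corp.example.com:1433",   # witness
    ],
    "CORP\\SQL01A$": [
        "HOST/sql01a.corp.example.com",
        "MSSQLSVC/SQL01A.corp.example.com:1433",   # same SPN as above, different case
    ],
    "CORP\\svc_sql_site02": ["MSSQLSvc/sql02a.corp.example.com:1433"],
}

if __name__ == "__main__":
    for spn, accts in duplicate_spns(INVENTORY).items():
        print(f"{spn} is registered on: {', '.join(accts)}")
    print(hosts_per_account(INVENTORY))
```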
Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed
We use exchange 2010 SP2.
We have 2 management stations, both w2k8 R2 SP1.
I have one management station on which the EMC and EMS work OK.
On the other management station (which is also in another AD site) the EMC and EMS don't work.
I get the following error message: The attempt to connect to http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I have checked the time on the management station and on the exchange server and this is ok.
It is not a permissions issue because the user functions ok on the other management station.
On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
What am I doing wrong?
Anyone any tips?
Thanks,
JB

This is what I get in the event log of the bad management station.
Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: 1/10/2012 11:39:27
Event ID: 6
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: Server.domain.com
Description:
The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Get-ExchangeServer
{Identity=Servername}
Domain/ou/ou/ou/ou/username
Exchange Management Console-Local
3080
22
00:00:00.3593888
View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
Context
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange CmdletLogs" />
<EventID Qualifiers="49152">6</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
<EventRecordID>11</EventRecordID>
<Channel>MSExchange Management</Channel>
<Computer>FQDN MGMT STATION</Computer>
<Security />
</System>
<EventData>
<Data>Get-ExchangeServer</Data>
<Data>{Identity=MGMT STATION}</Data>
<Data>domain/ou/ou/ou/ou/username</Data>
<Data>
</Data>
<Data>
</Data>
<Data>Exchange Management Console-Local</Data>
<Data>3080</Data>
<Data>
</Data>
<Data>22</Data>
<Data>00:00:00.3593888</Data>
<Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
<Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
<Data>Context</Data>
<Data>
</Data>
</EventData>
</Event> -
BO XI 3.0 Kerberos Authentication error
I have installed BO XI 3.0 and everything works great, except I cannot log on with my AD account. I have followed all the steps in the Administrator Guide and I get an error when I run kinit.exe:
Exception: krb_error 0 Cannot get kdc for realm NET.ADS.STATE.TN.US No error
KrbException: Cannot get kdc for realm NET.ADS.STATE.TN.US
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:133)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:300)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Do I need to open any specific ports? I have a side-by-side installation of BO XI R1 that authenticates using NTLM without a problem.
My krb5.ini looks like this:
[libdefaults]
default_realm = NET.ADS.STATE.TN.US
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {default_domain = NET.ADS.STATE.TN.US kdc = AG0319008WD102.NET.ADS.STATE.TN.US}

The error means it can't find the specified KDC (AG0319008WD102.NET.ADS.STATE.TN.US). Can you ping it? Is Kerberos running on port 88? Is it running a global catalog?
Try this
[libdefaults]
default_realm = NET.ADS.STATE.TN.US
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
NET.ADS.STATE.TN.US = {
kdc = AG0319008WD102.NET.ADS.STATE.TN.US
default_domain = NET.ADS.STATE.TN.US
}
The forum is removing the brackets around lib defaults and realms make sure they are still in your file.
[libdefaults]
default_realm = NET.ADS.STATE.TN.US
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
NET.ADS.STATE.TN.US = {
kdc = AG0319008WD102.NET.ADS.STATE.TN.US
default_domain = NET.ADS.STATE.TN.US
}
Regards,
Tim
Edited by: Tim Ziemba on Aug 12, 2008 11:13 AM -
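The difference between the two krb5.ini files above is that the first names the realm DNS.COM in [realms] while default_realm is NET.ADS.STATE.TN.US, so the library has no KDC entry for the realm it is asked to use. The parser and check below are an added example (not from the thread, and not the BusinessObjects or Java krb5 code); both configuration strings are copied from the posts, and the parser also accepts a realm block collapsed onto one line the way the forum rendered the first one. udp_preference_limit = 1 in the second file makes the client send KDC traffic over TCP, which is what avoids truncated replies when AD tickets exceed a UDP datagram.

```python
"""Added example (not from the thread): parse a krb5.ini/krb5.conf and check
that default_realm has a matching [realms] entry with a KDC."""


def parse_krb5(text: str) -> dict:
    """Minimal parser for [section] / key = value / key = { ... } blocks.
    Also accepts a block collapsed onto one line: key = {k1 = v1 k2 = v2}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
            continue
        if line == "}":
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line}")
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                                   # multi-line block
            block = section.setdefault(key, {})
        elif value.startswith("{") and value.endswith("}"):  # one-line block
            tokens = value[1:-1].split()
            inner = section.setdefault(key, {})
            for i in range(0, len(tokens) - 2, 3):
                if tokens[i + 1] == "=":
                    inner[tokens[i]] = tokens[i + 2]
        else:
            (block if block is not None else section)[key] = value
    return conf


def check_krb5(conf: dict) -> list:
    """Return a list of problems; empty means the realm wiring is consistent."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    if realm != realm.upper():
        problems.append(f"realm {realm!r} is not upper-case; realm names are case-sensitive")
    realms = conf.get("realms", {})
    entry = realms.get(realm)
    if entry is None:
        problems.append(f"[realms] has no entry for default_realm {realm} "
                        f"(entries: {sorted(realms) or 'none'})")
    elif "kdc" not in entry and libdefaults.get("dns_lookup_kdc", "false").lower() != "true":
        problems.append(f"[realms] {realm} lists no kdc and dns_lookup_kdc is not enabled")
    return problems


POSTED_CONFIG = """\
[libdefaults]
default_realm = NET.ADS.STATE.TN.US
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {default_domain = NET.ADS.STATE.TN.US kdc = AG0319008WD102.NET.ADS.STATE.TN.US}
"""

FIXED_CONFIG = """\
[libdefaults]
default_realm = NET.ADS.STATE.TN.US
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
NET.ADS.STATE.TN.US = {
kdc = AG0319008WD102.NET.ADS.STATE.TN.US
default_domain = NET.ADS.STATE.TN.US
}
"""

if __name__ == "__main__":
    for name, text in ("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG):
        print(name, "->", check_krb5(parse_krb5(text)) or "OK")
```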
Error=49 from the LDAP server for GSSAPI Kerberos authentication
I am trying to find a solution for an ldapsearch failure with GSSAPI Kerberos authentication. I am running Sun Directory Server 5.2 P4 on a Solaris 9 SPARC machine.
Steps :
bash-2.05# kinit tester1
Password for [email protected]:
bash-2.05#
When I do ldapsearch , I am getting following logs on the server :
tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
[22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
[22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
[22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
[22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
[22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
[22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
I am using the default Identity Mapping and the ldif file looks like this:
dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
objectClass: dsIdentityMapping
objectClass: nsContainer
objectClass: dsPatternMatching
objectClass: top
cn: default
dsMatching-pattern: ${Principal}
creatorsName: cn=directory manager
createTimestamp: 20070220045812Z
dsMatching-regexp: uid=(.*)
dsSearchBaseDN: ou=people,dc=test1,dc=com
dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifyTimestamp: 20070221082740Z
Following is the snoop for LDAP on the server :
bash-2.05# !snoop
snoop -v port 389 | grep LDAP
Using device /dev/eri (promiscuous mode)
TCP: Destination port = 389 (LDAP)
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 0: Bind Request]
LDAP: [Version]
LDAP: [Object Name]
LDAP: uid=tester1,ou=people,dc=test1,d
LDAP: c=com
LDAP: Authentication: SASL *[3]
LDAP: [OctetString]
LDAP: GSSAPI
LDAP: [OctetString]
LDAP: *** NOT PRINTED - Too long value ***
LDAP:
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 1: Bind Response]
LDAP: [Result Code]
LDAP: SASL Bind In Progress
LDAP: [Matched DN]
LDAP: [Error Message]
LDAP: SASL Credentials [7]
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 0: Bind Request]
LDAP: [Version]
LDAP: [Object Name]
LDAP: uid=tester1,ou=people,dc=test1,d
LDAP: c=com
LDAP: Authentication: SASL *[3]
LDAP: [OctetString]
LDAP: GSSAPI
LDAP:
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 1: Bind Response]
LDAP: [Result Code]
LDAP: SASL Bind In Progress
LDAP: [Matched DN]
LDAP: [Error Message]
LDAP: SASL Credentials [7]
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 0: Bind Request]
LDAP: [Version]
LDAP: [Object Name]
LDAP: uid=tester1,ou=people,dc=test1,d
LDAP: c=com
LDAP: Authentication: SASL *[3]
LDAP: [OctetString]
LDAP: GSSAPI
LDAP: [OctetString]
LDAP:
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation *[APPL 1: Bind Response]
LDAP: [Result Code]
LDAP: 1
LDAP: Invalid Credentials
LDAP: [Matched DN]
LDAP: [Error Message]
LDAP: SASL(-1): generic failure:
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- Lightweight Directory Access Protocol Header -----
LDAP: *[LDAPMessage]
LDAP: [Message ID]
LDAP: Operation [APPL 2: Unbind Request]
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
TCP: Destination port = 389 (LDAP)
LDAP: ----- LDAP: -----
LDAP:
LDAP: ""
LDAP:
Please help me on how to fix this issue.
Thanks,
Radhakrishnan

I did reply on the other thread of yours...
Ludovic
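Two things worth being able to reproduce offline from this thread: how the posted GSSAPI identity mapping entry turns a Kerberos principal into a bind DN, and how to read the access log, where err=14 lines are the SASL round trips and only the last tag=97 RESULT on a connection is the verdict. The code below is an added example, not from the thread and not Directory Server code. The mapping semantics it implements are an assumption taken from the DSEE documentation and not verified against this server: dsMatching-pattern is expanded (${Principal} becomes the Kerberos principal), dsMatching-regexp is matched against the expansion from its start, and dsMappedDN is expanded with ${Principal} and the regexp groups $1..$n. The principal tester1@TEST1.COM is hypothetical (the realm is not shown in the post; TEST1.COM is taken from the dc=test1,dc=com suffix), the alternative mapping is hypothetical, and the log excerpt is constructed in the posted format with an added successful connection.

```python
"""Added example (not from the thread): evaluate a Directory Server GSSAPI
identity mapping entry, and summarize BIND outcomes from the access log."""
import re

POSTED_MAPPING = {            # copied from the ldif in the post
    "dsMatching-pattern": "${Principal}",
    "dsMatching-regexp": "uid=(.*)",
    "dsMappedDN": "uid=${Principal},ou=people,dc=test1,dc=com",
}
ALTERNATIVE_MAPPING = {       # hypothetical: maps user@TEST1.COM to uid=user,...
    "dsMatching-pattern": "${Principal}",
    "dsMatching-regexp": r"(.*)@TEST1\.COM",
    "dsMappedDN": "uid=$1,ou=people,dc=test1,dc=com",
}


def map_principal(principal: str, mapping: dict):
    """Return the mapped DN, or None when dsMatching-regexp does not match
    (assumed semantics: regexp anchored at the start of the expanded pattern)."""
    expanded = mapping["dsMatching-pattern"].replace("${Principal}", principal)
    m = re.match(mapping["dsMatching-regexp"], expanded)
    if not m:
        return None
    dn = mapping["dsMappedDN"].replace("${Principal}", principal)
    for i, group in enumerate(m.groups(), start=1):
        dn = dn.replace(f"${i}", group)
    return dn


# Constructed excerpt in the format of the posted access log; conn=35 is an
# added successful bind for contrast.
SAMPLE_ACCESS_LOG = """\
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
[22/Feb/2007:01:50:00 -0700] conn=35 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:50:00 -0700] conn=35 op=2 msgId=3 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tester1,ou=people,dc=test1,dc=com"
"""
LDAP_RESULT = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}
_BIND = re.compile(r"conn=(\d+) .*BIND .*mech=(\S+)")
_RESULT = re.compile(r"conn=(\d+) .*RESULT err=(\d+) tag=97")


def bind_outcomes(log_text: str) -> dict:
    """conn -> (SASL mechanism, final bind result name). Intermediate err=14
    results are overwritten by the last tag=97 RESULT on the connection."""
    mech, last = {}, {}
    for line in log_text.splitlines():
        if (m := _BIND.search(line)):
            mech[int(m.group(1))] = m.group(2)
        elif (m := _RESULT.search(line)):
            last[int(m.group(1))] = int(m.group(2))
    return {c: (mech.get(c), LDAP_RESULT.get(e, str(e))) for c, e in last.items()}


if __name__ == "__main__":
    print(map_principal("tester1@TEST1.COM", POSTED_MAPPING))
    print(map_principal("tester1@TEST1.COM", ALTERNATIVE_MAPPING))
    print(bind_outcomes(SAMPLE_ACCESS_LOG))
```

Under the assumed semantics the posted regexp uid=(.*) is never matched by a principal of the form user@REALM, so map_principal returns None for it; whether that is what this server did is not something the log alone shows, since err=49 is also what a failed GSSAPI context produces.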