Error Kerberos

Post Author: hqcire
CA Forum: Authentication
I'm running Windows Server 2003 + IIS 6.0 + Windows AD + SSO and I try to use the Kerberos token. But I have this error. I did those SETSPN:
SETSPN -A BOBJCentralMS/aaaa.dev.bbbb.qc.ca dev\user123
SETSPN -A BOBJCentralMS/ aaaa dev\user123
SETSPN -A HTTP/aaaa.dev.bbbb.qc.ca dev\user123

ERROR 1
A Kerberos Error Message was received: on logon session
Client Time:
Server Time: 15:23:8.0000 2/26/2008 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DEV.bbbb.QC.CA
Server Name: host/aaaa.dev.bbbb.qc.ca
Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
Error Text:
File: 9
Line: ae0
Error Data is in record data.

ERROR 2
A Kerberos Error Message was received: on logon session
Client Time:
Server Time: 15:22:32.0000 2/26/2008 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: DEV.bbbb.QC.CA
Server Name: cccc.dev.bbbb.qc.ca
Target Name: cccc.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
Error Text:
File: 9
Line: ae0
Error Data is in record data.

ERROR 3
A Kerberos Error Message was received: on logon session
Client Time:
Server Time: 15:22:30.0000 2/26/2008 Z
Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
Extended Error:
Client Realm:
Client Name:
Server Realm: DEV.bbbb.QC.CA
Server Name: host/aaaa.dev.bbbb.qc.ca
Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
Error Text:
File: 9
Line: ae0
Error Data is in record data.

What is my problem?

Post Author: hqcire
CA Forum: Authentication
I used WFETCH to get more information. Here's what I have:
started....WWWConnect::Connect("placebo","443")
source port: 3055
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set
SEC_I_CONTINUE_NEEDED
REQUEST: **************
GET D:\SystProd\BOE\BusinessObjects Enterprise 11.5\Web Content HTTP/1.1
Host: placebo
Accept: /
Connection: Keep-Alive
Authorization: Kerberos [base64 Kerberos token removed]

RESPONSE: **************
HTTP/1.1 400 Bad Request
Content-Type: text/html
Date: Thu, 28 Feb 2008 14:45:39 GMT
Connection: close
Content-Length: 20

<h1>Bad Request</h1>WWWConnect::Close("placebo","443")
closed source port: 3055
finished.
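Added example (not part of the original thread): a Python triage helper that parses the flattened Kerberos error events above, decodes the KRB-ERROR code, and checks the SPN the client requested against the SPNs the SETSPN commands registered. The sample events and the SPN list are constructed from this post; the code descriptions are general readings of those error codes, not a diagnosis of this particular setup, and the check relies on the AD rule that host/ SPNs are held by the computer account rather than by a service account.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# KRB-ERROR codes that appear in the post (numeric values from RFC 4120).
KRB_ERROR_CODES: Dict[int, Tuple[str, str]] = {
    0x07: ("KDC_ERR_S_PRINCIPAL_UNKNOWN",
           "no account in the realm holds the requested SPN"),
    0x0D: ("KDC_ERR_BADOPTION",
           "the KDC rejected a requested KDC option, typically a delegation the "
           "service account is not permitted to perform for this target"),
    0x34: ("KRB_ERR_RESPONSE_TOO_BIG",
           "the reply does not fit in a UDP datagram; the client retries over "
           "TCP, so this matters only if TCP/88 to the KDC is blocked"),
}

# Constructed sample input: the three events pasted in the post, flattened the
# way Event Viewer text comes out when copied (one event per string).
SAMPLE_EVENTS = [
    "A Kerberos Error Message was received: on logon session Client Time: Server Time: "
    "15:23:8.0000 2/26/2008 Z Error Code: 0xd KDC_ERR_BADOPTION Extended Error: 0xc00000bb "
    "KLIN(0) Client Realm: Client Name: Server Realm: DEV.bbbb.QC.CA Server Name: "
    "host/aaaa.dev.bbbb.qc.ca Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA "
    "Error Text: File: 9 Line: ae0 Error Data is in record data.",
    "A Kerberos Error Message was received: on logon session Client Time: Server Time: "
    "15:22:32.0000 2/26/2008 Z Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: "
    "Client Realm: Client Name: Server Realm: DEV.bbbb.QC.CA Server Name: cccc.dev.bbbb.qc.ca "
    "Target Name:cccc.dev.bbbb.qc.ca @DEV.bbbb.QC.CA Error Text: File: 9 Line: ae0 "
    "Error Data is in record data.",
    "A Kerberos Error Message was received: on logon session Client Time: Server Time: "
    "15:22:30.0000 2/26/2008 Z Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG Extended Error: "
    "Client Realm: Client Name: Server Realm: DEV.bbbb.QC.CA Server Name: "
    "host/aaaa.dev.bbbb.qc.ca Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA "
    "Error Text: File: 9 Line: ae0 Error Data is in record data.",
]

# SPNs the post's SETSPN -A commands put on dev\user123 (the account IIS runs
# as). host/ SPNs belong to the computer account, so they are not listed here.
REGISTERED_SPNS = ["BOBJCentralMS/aaaa.dev.bbbb.qc.ca", "BOBJCentralMS/aaaa",
                   "HTTP/aaaa.dev.bbbb.qc.ca"]


@dataclass(frozen=True)
class KerberosError:
    code: int
    name: str
    server_realm: str
    server_name: str  # the SPN the client asked the KDC for


_FIELDS = {
    "code": re.compile(r"Error Code:\s*(0x[0-9A-Fa-f]+)"),
    "server_realm": re.compile(r"Server Realm:\s*(\S+)"),
    "server_name": re.compile(r"Server Name:\s*(\S+)"),
}


def parse_event(text: str) -> KerberosError:
    """Extract the triage-relevant fields from one flattened event body."""
    got = {}
    for key, rx in _FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"event text lacks '{key}'")
        got[key] = m.group(1)
    code = int(got["code"], 16)
    name = KRB_ERROR_CODES.get(code, ("UNKNOWN_KRB_ERROR", ""))[0]
    return KerberosError(code, name, got["server_realm"], got["server_name"])


def split_spn(spn: str) -> Tuple[str, str]:
    """'HTTP/aaaa.dev.bbbb.qc.ca' -> ('http', 'aaaa.dev.bbbb.qc.ca'); case-folded
    because AD compares SPNs case-insensitively. A bare name has class ''."""
    cls, sep, host = spn.partition("/")
    return (cls.lower(), host.lower()) if sep else ("", cls.lower())


def triage(err: KerberosError, registered: List[str]) -> List[str]:
    """Describe the error and check the requested SPN against the service
    account's SPNs; returns human-readable findings."""
    desc = KRB_ERROR_CODES.get(err.code, ("", "undocumented code"))[1]
    notes = [f"{err.name} (0x{err.code:x}) from {err.server_realm}: {desc}"]
    req_cls, req_host = split_spn(err.server_name)
    held = {split_spn(s) for s in registered}
    if (req_cls, req_host) in held:
        notes.append(f"requested SPN {err.server_name} is registered on the service account")
    elif not req_cls:
        notes.append(f"client asked for bare name {err.server_name}: no service class, so no SPN can match")
    else:
        classes = sorted(c for c, h in held if h == req_host)
        if classes:
            notes.append(f"class mismatch for {req_host}: client asked for {req_cls}/, "
                         f"service account holds {', '.join(c + '/' for c in classes)}")
        else:
            notes.append(f"no SPN for host {req_host} on the service account")
    return notes


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print("\n".join(triage(parse_event(raw), REGISTERED_SPNS)) + "\n")
```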

Similar Messages

  • Random 401 errors - Kerberos + Reporting Server

    We have a portal with Reporting Server in SharePoint mode and deployed our reports to SharePoint. Reports run in integrated security mode, we configured Kerberos. (Reporting server configured as RSNegotiate, added SPN's, etc.)
    Everything seems to be working fine.
    However, if two users access the same RDL at the same time (just opening the RDL from the Document library), the second user can get a HTTP/401 from SharePoint, showing the default SP2010 error page with correlation ID and so on. No errors in the ULS log. Error disappears after refresh.
    This error is always showing up when Kerberos was not configured correctly. In this case no error in ULS or event log.
    If we configure Reporting Server as RSKerberos instead of RSNegotiate, we don't get a 401, but the report of the other user! So, user A has permissions on report X, opens it. At the same time user B without permissions opens report X and sees exactly the same as user A! So, this is a security hole if we configure it as RSNegotiate.
    No proxy server is used. We changed EnableAuthPersistence to FALSE, just in case.
    Can anyone point me in the direction where to look? The user credentials / Kerberos ticket seem to be cached by SharePoint.

    Hi Stacy, thanks for your reply.
    I tried all different combinations of those settings, but nothing solves the problem. The fact that I am able to see anyone else's reports is a big security hole, no matter how I configure it, right?
    If I configure RSWindowsExtendedProtectionScenario to Direct, I get HTTP/401 all the time. Any other setting changes nothing: still one HTTP/401 when 2 users access a report at the same time (AuthenticationType = RSNegotiate) or 2 users see each other's report (AuthenticationType = RSKerberos).
    It seems indeed something gets cached, but I have no idea how to fix it. Do you, or anyone else, know where to look now?

  • Kerberos-no-logon-server in fim 2010

    Hi,
    When we run the Export run profile of the ADMA Management Agent we get the following error:
    kerberos-no-logon-server
    and all users provisioned in the AD OU are in disabled mode, and it is also taking more time for provisioning.
    Please provide any solution.
    Regards
    Anil Kumar

    Yes I do - if the fqdn idea still doesn't fix your problem, turn off the Exchange provisioning features of the AD MA and run a post-export PowerShell script to manage your mailboxes. This is the approach we mostly take here @ UNIFY whereby the PowerShell script is executed by FIM Event Broker - mainly to overcome problems like this.
    Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

  • Run Profile Deletion and Speeding up portal access

    Hi,
    My FIM 2010 R2 architecture uses 4 servers as follows:
    1 x fim server, 1 x fim sql DB (fim service DB), 1 x sync server + fim SQL DB and 1 x SSPR
    I have PowerShell sync scripts running every 5 minutes which take fim portal changes and export those changes to AD.
    I've created some PowerShell scripts for removing old run profiles, but am not sure how many run profiles to keep. Reading online I came across one blog post which mentions that MS recommend no more than 10,000 run profile history entries - about 4 days worth (although I can't find official MS recommendations).
    I'm assuming it's OK, but are there any issues with one script running a run profile at the same time as another script which deletes older run profiles?
    On a side note, if anyone has any tips for speeding up fim portal access I'd be glad to hear them - each page in my environment takes about 30 seconds to load, regardless of the number of users connected.
    Thanks in advance
    IT Support/Everything

    On a side note, if anyone has any tips for speeding up fim portal access I'd be glad to hear them - each page in my environment takes about 30 seconds to load, regardless of the number of users connected.
    If every page load of the FIM Portal is taking 30 seconds, something is broken in your environment. I get better performance than that running an entire test FIM configuration in virtualized machines on my laptop (AD, Exchange, FIM Portal/Service/Sync, etc.)
    When you first start up the environment and bring up a given page the first time, it can take some time, but once you get to steady state, you should not be seeing delays like that.
    Any chance you have an authentication configuration error (Kerberos settings, SPN assignment, DNS settings, etc.) that is causing authentication to time out on each page load?
    During that 30 second delay, are any of your servers pegged on CPU or IO?
    If this is a virtual environment or if you are using SAN based disk, do you have enough IOPS allocated?

  • I'm trying to use kerberos V5 with ActiveDirectory but get an error

    I'm trying to use Kerberos V5 with Active Directory. I'm using simple code from previous posts but
    when I try with the correct username/password I get:
    Authentication attempt failedjavax.security.auth.login.LoginException: Message stream modified (41)
    when I try an incorrect username/pass I get:
    Pre-authentication information was invalid (24)
    Debug info is:
    Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Kerberos username [naiden]: naiden
    Kerberos password for naiden:      naiden
              [Krb5LoginModule] user entered username: naiden
    Acquire TGT using AS Exchange
              [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication attempt failedjavax.security.auth.login.LoginException:
    Java code is:
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.util.Hashtable;

    /**
     * Demonstrates how to create an initial context to an LDAP server
     * using "GSSAPI" SASL authentication (Kerberos v5).
     * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
     * compliant implementation of J-GSS and a Kerberos v5 implementation.
     *
     * Jaas.conf
     *   racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
     *
     * 'qop' is a comma separated list of tokens, each of which is one of
     * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
     */
    class KerberosExample {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }

    // 3. Perform LDAP Action
    /**
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("Administrator");

        public LDAPAction(String[] origArgs) {
            this.args = (String[]) origArgs.clone();
        }

        public Object run() {
            performLDAPOperation(args);
            return null;
        }

        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389/DC=isy,DC=local");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",CN=Users,DC=isy,DC=local");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    JAAS conf file is:
    ISY {
         com.sun.security.auth.module.Krb5LoginModule required
         debug=true;
    };
    krb5.ini file is:
    # Kerberos 5 Configuration File
    # All available options are specified in the Kerberos System Administrator's Guide.  Very
    # few are used here.
    # Determines which Kerberos realm a machine should be in, given its domain name.  This is
    # especially important when obtaining AFS tokens - in afsdcell.ini in the Windows directory
    # there should be an entry for your AFS cell name, followed by a list of IP addresses, and,
    # after a # symbol, the name of the server corresponding to each IP address.
    [libdefaults]
         default_realm = ISY
    [domain_realm]
         .isy.local = ISY
         isy.local = ISY
    # Specifies all the server information for each realm.
    #[realms]
         ISY = {
              kdc = 192.168.0.101
              admin_server = 192.168.0.101
              default_domain = ISY
         }

    Now it works.
    I will try to explain how I did this:
    step 1)
    follow this guide http://www.cit.cornell.edu/computer/system/win2000/kerberos/
    and configure AD to use Kerberos and to have a Kerberos REALM
    step 2) try a Windows login to the new realm to be sure that it works. ADD a trusted realm if needed.
    step 3) create a jaas.conf file, for example in c:\
    it looks like this:
    ISY {
         com.sun.security.auth.module.Krb5LoginModule required
         debug=true;
    };
    step 4)
    (don't forget to make the mappings which are explained in step 1) go to Active Directory Users, make sure from View to check Advanced Features, right click on the user, go to mappings, in the second tab Kerberos mapping add USERNAME@KERBEROSreaLm, for example [email protected]
    step 5)
    copy+paste this code and HIT RUN :)
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;

    public class Main {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "ISY.LOCAL");
            p.setProperty("java.security.krb5.kdc", "192.168.0.101");
            p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
            System.setProperties(p);
            // 1. Log in (to Kerberos)
            LoginContext lc = null;
            try {
                lc = new LoginContext("ISY", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed" + le);
                System.exit(-1);
            }
            // 2. Perform JNDI work as logged in subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }

    // 3. Perform LDAP Action
    /**
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = new String("Administrator");

        public LDAPAction(String[] origArgs) {
            this.args = origArgs.clone();
        }

        public Object run() {
            performLDAPOperation(args);
            return null;
        }

        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                // Create the search controls
                SearchControls searchCtls = new SearchControls();
                // Specify the attributes to return
                String returnedAtts[] = {"sn", "givenName", "mail"};
                searchCtls.setReturningAttributes(returnedAtts);
                // Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Specify the LDAP search filter
                String searchFilter = "(&(objectClass=user)(mail=*))";
                // Specify the base for the search
                String searchBase = "DC=isy,DC=local";
                // Initialize counter to total the results
                int totalResults = 0;
                // Search for objects using the filter
                NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                // Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult) answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print out some of the attributes, catch the exception if the attributes have no values
                    Attributes attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println("   surname: " + attrs.get("sn").get());
                            System.out.println("   firstname: " + attrs.get("givenName").get());
                            System.out.println("   mail: " + attrs.get("mail").get());
                        } catch (NullPointerException e) {
                            System.err.println("Error listing attributes: " + e);
                        }
                    }
                }
                System.out.println("RABOTIII");
                System.out.println("Total results: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    It will ask for username and password
    type for example : [email protected] for username
    and password : TheSecretPassword
    where ISY.LOCAL is the name of the Kerberos realm.
    P.S. it is not a good idea to use Administrator as login :)
    Edited by: JOKe on Sep 14, 2007 2:23 PM

  • Error while integrating with Kerberos and AD

    Hi,
    Implementing Kerberos as the Desktop Single Signon Solution
    Environment : Peoplesoft
    OS : Redhat Linux
    webserver: Weblogic 10.3.4
    appserver : tuxedo 10gr3
    While doing this implementation I was able to complete it successfully with the JDK Linux provides (1.6.0_22). However, WebLogic comes preconfigured with JRockit JDK version 1.6.0_24-R28.1.3-4.0.1. When I start WebLogic with the JRockit JDK as JAVA_HOME I get the following error.
    <Error> <HTTP> <BEA-101165> <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:334)
    at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
    at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:332)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.FilterManager.loadFilter(FilterManager.java:98)
    at weblogic.servlet.internal.FilterManager.preloadFilters(FilterManager.java:59)
    at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1878)
    at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
    at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1508)
    at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:485)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:201)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:637)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:205)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:52)
    at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
    at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:31)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
    at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:170)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:124)
    at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:181)
    at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:97)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
    these are my runtime parameters
    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
    The files krb5.conf and krbLogin.conf exist and have full access.
    With the error above it seems that it is not able to pick up the configuration file. But just by changing JAVA_HOME to /usr/java/jdk1.6_022 it starts working.
    I have raised this concern with Oracle almost a month before, but still haven't got any reply from them.
    Please help.
    Thanks and Regards
    Anirudha Singh

    Hi Faisal,
    Thanks for your reply.
    Yes I have given the complete path too.
    This is the full command line of the WebLogic server. I had modified it to test if it is trying to pick it up from any default location.
    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
    The file is located in /etc folder and has 777 permissions.
    Thanks and Regards
    Anirudha Singh

  • Data connection error to analysis services via unattended account after configure kerberos

    Hi, I set up a connection to SSAS from Dashboard Designer using the Unattended Account, and everything was fine. Then I started to configure the connection with Kerberos using Per-user Identity authentication, and after long customization it started to work. But at the same time Unattended Account authentication stopped working.
    From dashboard designer I got error:
    PerformancePoint Services was unable to connect to "dbserver\instance". Verify that the server name is correct and that the Unattended Service Account has permission to connect to the server.
    Additional details have been logged for the administrator.
    And in SharePoint server in application log:
    The Unattended Service Account "dom\unaccount" does not have access to the following data source server.
    Data source location: http://testit/sites/adrian/Data Connections Library for PP/35_.000
    Data source name: New Data Source
    Server name: dbserver\instance
    Exception details:
    Microsoft.AnalysisServices.AdomdClient.AdomdConnectionException: Authentication failed. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect
       at Microsoft.AnalysisServices.AdomdClient.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean& handshakeComplete)
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Authenticate(ConnectionInfo connectionInfo, DateTime startTime)
       --- End of inner exception stack trace ---
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Authenticate(ConnectionInfo connectionInfo, DateTime startTime)
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.OpenTcpConnection(ConnectionInfo connectionInfo)
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Connect(ConnectionInfo connectionInfo, Boolean beginSession)
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.GetInstancePort(ConnectionInfo connectionInfo)
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.GetTcpClient(ConnectionInfo connectionInfo)
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.OpenTcpConnection(ConnectionInfo connectionInfo)
       at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Connect(ConnectionInfo connectionInfo, Boolean beginSession)
       at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.XmlaClientProvider.Connect(Boolean toIXMLA)
       at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.ConnectToXMLA(Boolean createSession, Boolean isHTTP)
       at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.Open()
       at Microsoft.PerformancePoint.Scorecards.DataSourceProviders.AdomdConnectionPool`1.<>c__DisplayClass4.<GetConnection>b__2()
       at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass5.<RunWithElevatedPrivileges>b__3()
       at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
       at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)
       at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)
       at Microsoft.PerformancePoint.Scorecards.DataSourceProviders.AdomdConnectionPool`1.GetConnection(String connectionString, ConnectionContext connectionCtx, String effectiveUserName, CultureInfo culture, NewConnectionHandler newConnectionHandler, TestConnectionHandler testConnectionHandler, String targetAppId)

    Hi Adrian,
    Sorry for the misunderstanding, and thanks for the additional information.
    From what I found, here are some tips for your situation:
    1. One of the great new features of PerformancePoint Services is that you can now select different authentication options for each data source you create, rather than having to decide on one authentication model for each web application.
    2. If SharePoint is configured in standalone mode, Per-user Identity authentication is only supported if the data source and the application server are located on the same machine. Kerberos constrained delegation is required to connect to a data source located on a separate machine from the application server in a farm deployment.
    3. Per-user Identity is only supported with Windows credentials; neither anonymous nor forms login is supported.
    For more information:
    http://blogs.msdn.com/b/performancepoint/archive/2010/05/06/data-source-authentication-in-performancepoint-services-for-sharepoint-2010.aspx
    http://blogs.technet.com/b/tothesharepoint/archive/2010/06/23/performancepoint-services-troubleshooting.aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

    I have two forests with a transitive one-way trust between them: PROD -> TEST (TEST trusts PROD). I had previously had Kerberos authentication working with WinRM from PROD to machines in TEST. I have verified the trust is healthy; I also verified users in TEST can use WinRM with Kerberos just fine. Users from PROD cannot connect via Kerberos to machines in TEST with WinRM.
    I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent Kerberos from working. I even tried disabling the firewall entirely on my TEST DCs, but that didn't gain me anything.
    I've enabled Kerberos logging but only see the expected errors, such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand; it should go to the TEST domain and find the SPN from there.
    I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
    PowerShell Error:
    Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken
    winrs Error:
    Winrs error:
    WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config.

    Hi Adam,
    I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
    WSMAN/<NetBIOS name>
    WSMAN/<FQDN>
    If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
    Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
    If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I just replied to your other WinRM post with steps for checking the latter, so I won't repeat myself here.
    If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication, which has to do with how the trust was defined. You can have a read of this to learn a bit more about selective trusts and whether or not it's affecting you.
    Cheers,
    Lain

  • A Kerberos Error Message was received: on logon session

    Hi, I am getting this error in Event Viewer on a client machine from where PowerShell scripts are collecting data from our SharePoint servers.
    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          9/16/2014 11:09:42 PM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      PortalHealthChe.XYZportal.com
    Description:
    A Kerberos Error Message was received:
     on logon session
     Client Time:
     Server Time: 20:9:42.0000 9/16/2014 Z
     Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error: 0xc0000035 KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: XYZPORTAL.COM
     Server Name: HTTP/XYZWFE01.XYZPORTAL.COM
     Target Name: HTTP/[email protected]
     Error Text:
     File: 9
     Line: f09
     Error Data is in record data.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="32768">3</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-16T20:09:42.000000000Z" />
        <EventRecordID>5466</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>PortalHealthChe.XYZportal.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="LogonSession">
        </Data>
        <Data Name="ClientTime">
        </Data>
        <Data Name="ServerTime">20:9:42.0000 9/16/2014 Z</Data>
        <Data Name="ErrorCode">0x7</Data>
        <Data Name="ErrorMessage"> KDC_ERR_S_PRINCIPAL_UNKNOWN</Data>
        <Data Name="ExtendedError">0xc0000035 KLIN(0)</Data>
        <Data Name="ClientRealm">
        </Data>
        <Data Name="ClientName">
        </Data>
        <Data Name="ServerRealm">XYZPORTAL.COM</Data>
        <Data Name="ServerName">HTTP/XYZWFE01.XYZPORTAL.COM</Data>
        <Data Name="TargetName">HTTP/[email protected]</Data>
        <Data Name="ErrorText">
        </Data>
        <Data Name="File">9</Data>
        <Data Name="Line">f09</Data>
        <Binary>3015A103020103A20E040C350000C00000000001000000</Binary>
      </EventData>
    </Event>
    adil
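    The useful part of that event is the Binary element at the bottom: it is the DER-encoded KERB-ERROR-DATA the KDC appended to its KRB-ERROR, and for Windows KDCs its data-value carries the NTSTATUS that the event text shows as the Extended Error. The decoder below is an added example (not code from the post or from Microsoft) that parses the blob as MS-KILE documents it (SEQUENCE of [1] data-type INTEGER and [2] data-value OCTET STRING; data-type 3 is KERB_ERR_TYPE_EXTENDED and its value is three little-endian 32-bit words: status, reserved, flags) and pairs the result with the event's Error Code. Run on the posted blob it yields 0xC0000035, STATUS_OBJECT_NAME_COLLISION, which together with KDC_ERR_S_PRINCIPAL_UNKNOWN is the KDC's way of saying the SPN HTTP/XYZWFE01.XYZPORTAL.COM is registered on more than one account. The KLIN(0) suffix in the event text is not decoded here, and the NTSTATUS and diagnosis tables cover only the codes that appear in this thread.

```python
"""Decode the Binary field of a Microsoft-Windows-Security-Kerberos Event ID 3.

Added example, not code from the post. Layout per MS-KILE: the blob is a DER
KERB-ERROR-DATA ::= SEQUENCE { [1] data-type INTEGER, [2] data-value OCTET STRING };
when data-type is 3 (KERB_ERR_TYPE_EXTENDED) the value is a KERB-EXT-ERROR of three
little-endian 32-bit fields: NTSTATUS status, reserved, flags.
"""
import struct

# Constructed sample: the <Binary> element from the event posted above.
SAMPLE_BINARY = "3015A103020103A20E040C350000C00000000001000000"

KERB_ERR_TYPE_EXTENDED = 3

# RFC 4120 error codes that appear in this thread.
KRB_ERROR_NAMES = {
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0D: "KDC_ERR_BADOPTION",
    0x34: "KRB_ERR_RESPONSE_TOO_BIG",
}

# NTSTATUS values the Windows KDC puts in the extended error.
NTSTATUS_NAMES = {
    0xC0000035: "STATUS_OBJECT_NAME_COLLISION",
    0xC00000BB: "STATUS_NOT_SUPPORTED",
    0xC0000272: "STATUS_NO_MATCH",
}

# (Kerberos error, NTSTATUS) pairs with a well-known meaning.
DIAGNOSES = {
    (0x07, 0xC0000035): "duplicate SPN: the requested name is registered on more than one "
                        "account, so the KDC has no single key to encrypt the ticket with",
    (0x0D, 0xC0000272): "delegation refused: the requested SPN is not in the middle tier's "
                        "allowed-to-delegate-to list (msDS-AllowedToDelegateTo)",
}


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_kerb_error_data(hex_blob):
    """Return the decoded KERB-ERROR-DATA as a dict."""
    raw = bytes.fromhex(hex_blob)
    tag, body, _ = _tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("KERB-ERROR-DATA must start with a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx_tag, wrapped, pos = _tlv(body, pos)   # [n] EXPLICIT context tag
        _, inner, _ = _tlv(wrapped, 0)            # the primitive inside it
        fields[ctx_tag & 0x1F] = inner
    data_type = int.from_bytes(fields[1], "big", signed=True)
    out = {"data_type": data_type}
    value = fields.get(2, b"")
    if data_type == KERB_ERR_TYPE_EXTENDED and len(value) == 12:
        status, reserved, flags = struct.unpack("<III", value)
        out.update(status=status, status_name=NTSTATUS_NAMES.get(status, "unknown"),
                   reserved=reserved, flags=flags)
    else:
        out["data_value"] = value
    return out


def diagnose(krb_error_code, hex_blob):
    """Combine the event's Error Code with the decoded NTSTATUS into a one-line reading."""
    ext = decode_kerb_error_data(hex_blob)
    name = KRB_ERROR_NAMES.get(krb_error_code, f"0x{krb_error_code:x}")
    status = ext.get("status")
    if status is None:
        return f"{name}: no extended error"
    hint = DIAGNOSES.get((krb_error_code, status), "no specific diagnosis")
    return f"{name} / {ext['status_name']} (0x{status:08x}): {hint}"


if __name__ == "__main__":
    print(decode_kerb_error_data(SAMPLE_BINARY))
    print(diagnose(0x7, SAMPLE_BINARY))
```

    Paste the Binary value of any Event ID 3 into decode_kerb_error_data and pass the Error Code to diagnose. A colliding SPN is confirmed with setspn -X, or setspn -Q HTTP/XYZWFE01.XYZPORTAL.COM to see which accounts hold that exact name; until one of them loses it, every client that requests the name gets this error.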

  • Kerberos error when using a DNS name that doesn't match the Active Directory domain name

    I am running into a weird issue with a new SQL Reporting Services server I built. I installed SQL Reporting 2014 on Windows Server 2012 R2 and configured Kerberos, but the site is extremely slow. After some reconfiguration and log captures I have determined the issue has to do with the Kerberos setup, but it is an exact replica of a Windows Server 2008 R2 server we currently have, and that one does not have these issues.
    The error I see while using Wireshark is KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH.
    When I drill down into the error I can see the Kerberos string is testprjmnmtreports14.company.com, which is the URL we are using to access the site. I made sure to add that name as an SPN for the service account that is running SQL Reporting Services, however I still receive the error.
    Then I tried configuring the site to run without a host header, so I accessed the site with the server name ECTSTSQLRS5 and the site works perfectly fine; no errors are reported either. So it seems I have isolated the issue down to Kerberos but I am not sure how to resolve it. Here is some more information about my environment:
    DNS/URL used: testprjmnmtreports14.company.com
    Server Name (FQDN): ECTSTSQLRS5.company.int
    AD Domain Name: company.int
    Server Version: Windows Server 2012 R2
    AD Functional Level: 2008 R2
    I also have the following SPNs set for my SQL service account:
    http/testprjmngmtreports14.company.com
    http/testprjmngmtreports14
    http/ECTSTSQLRS5.COMPANY.INT
    http/ECTSTSQLRS5
    As you can see I am trying to use a .com address but my AD domain is .int, which I think is the issue, but I do not have the same problem on my other server that is running Windows Server 2008 R2.
    Has anyone seen this issue before? What do I need to do to allow my new site on 2012 R2 to work with this DNS alias?
    Thanks,
    Brandon

    Hi
    Quote from there; Kerberos errors in network captures
    The most common scenario is a request for a delegated ticket (unconstrained or constrained delegation). You will typically see this on the middle-tier server trying to access a back-end server. There are several reasons for rejection:
    1. The service account is not trusted for delegation
    2. The service account is not trusted for delegation to the SPN requested
    3. The user’s account is marked as sensitive
    4. The request was for a constrained delegation ticket to itself (constrained delegation is designed to allow a middle tier service to request a ticket to a back end service on behalf of another user, not on behalf of itself).
    Regards, Philippe
    Don't forget to mark as answer or vote as helpful to help identify good information. ( linkedin endorsement never hurt too :o) )
    Answer an interesting question? Create a wiki article about it!

  • Processing data for a remote command failed with the following error message: Error occurred during the Kerberos reponse.

    Hi!
    We have 5 Exchange 2013 servers, and when I'm trying to run a script that includes the cmdlet Get-MessageTrackingLog with StartDate = the first of the month and EndDate = the end of the month, I get the following error message after a couple of hours. The script is run on the server SERVER01 and goes through the Message Tracking logs of all Exchange servers. I have tried the script on other servers and get the same result.
    Processing data for a remote command failed with the following error message: Error occurred during the Kerberos reponse.
    [Server=SERVER01, TimeStamp = 918/2014 19:32:34]
    For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OperationStopped: (server01.domain.com:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : JobFailure
        + PSComputerName        : server01.domain.com
    I have gone through “about_Remote_Troubleshooting Help topic”, but can’t find anything related to my issue. There is nothing in the Application or the Windows PowerShell log either.
    /Henrik

    Hi Henado 
    Check the time on your Exchange server(s) relative to the DCs and ensure they are in correct sync
    Use another account which is assigned the Organization Management permission, log on to the server, run the command in the shell and see the results.
    Run:
    Add-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.E2010
    Set-AdServerSettings -ViewEntireForest $True
    and then run the message tracking command and see the results.
    If none of the above helps, you may need to remove and re-install WinRM and see the results.
    Good Luck :)
    Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com

  • Error Event ID 11 The KDC encountered duplicate names while processing a Kerberos authentication request.

    I've been noticing The Error with event ID 11 popping up a lot on our domain controllers:
    The KDC encountered duplicate names while processing a Kerberos authentication request.
    When running setspn -X it says that it found 111 groups of duplicate SPNs. However, when going through the list, it references domain service accounts that are used to run our SQL Server services. We have about 50 remote locations and each of them has 3 machines participating in a SQL mirror (principal, mirror, witness), and they all run the SQL Server service under the same account (1 account per location).
    We haven't experienced any issues at all, but I was wondering if this could cause problems or if we are straying from best practice. Any advice is welcome. Thanks!

    I believe what you should do to follow best practice is to provide unique SPNs for each SQL server, which will also provide increased security, and to do that you must create an individual service account for each SQL server so it can associate that account with that server's SPN.
    Here's more on it to help guide you. Read Paul's comments, as well as other suggestions in the following thread:
    event ID 11 There are multiple accounts with name MSSQLSvc/xxxxxx
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df35316-23ba-48ba-aa3e-2249fcbfecbc/event-id-11-there-are-multiple-accounts-with-name-mssqlsvcxxxxxx?forum=winserverDS
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.
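    Three of the threads above come down to the same two questions about servicePrincipalName data: is the name the client will ask for registered at all (the SQL Reporting Services alias on .com versus the .int computer name, and the PerformancePoint "target principal name is incorrect" against dbserver\instance), and is any name registered on more than one account (the Event ID 11 / setspn -X report just discussed). The script below is an added example, not code from any of the posts or from setspn, that answers both offline over account/SPN lists shaped like what an LDAP query for servicePrincipalName returns. The corp.example hosts and svc_sql_* account names are constructed; the SPN-construction rules it encodes are that Windows HTTP clients request HTTP/<host as typed in the URL> for both http and https and omit the port by default, and that an Analysis Services named instance is reached through SQL Browser (MSOLAPDisco.3/<host>) and then the instance (MSOLAPSvc.3/<host>:<instance>). Run over the SSRS SPNs exactly as transcribed in that post, the coverage check reports that HTTP/testprjmnmtreports14.company.com is not among them (the registered names read "testprjmngmtreports14"); whether that difference is a typo in the post or in the directory is something only setspn -L on the service account can settle.

```python
"""SPN hygiene checks over directory data supplied inline.

Added example, not code from any of the posts: it runs offline over constructed
account/SPN lists shaped like the servicePrincipalName attribute an LDAP query returns.
"""
from collections import defaultdict
from urllib.parse import urlsplit


def normalize_spn(spn):
    """SPNs match case-insensitively, so compare a canonical lower-case form."""
    return spn.strip().lower()


def find_duplicate_spns(accounts):
    """accounts: {account name: [SPN, ...]}.

    Returns {normalized SPN: sorted account names} for every SPN registered on more
    than one account. That is the condition setspn -X reports and the KDC logs as
    Event ID 11: with two candidate accounts it has no single key to encrypt the
    service ticket with and answers KDC_ERR_S_PRINCIPAL_UNKNOWN. Several SPNs for
    different hosts on one account (one service account serving many servers) are
    not duplicates and are not flagged.
    """
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[normalize_spn(spn)].add(account)
    return {spn: sorted(acc) for spn, acc in sorted(owners.items()) if len(acc) > 1}


def expected_http_spns(url, cname_target=None):
    """SPNs a Windows HTTP client asks the KDC for when it opens url.

    The service class is HTTP for both http:// and https://, the host part is the
    name typed in the URL, and the port is omitted by default. A client that
    canonicalises a CNAME asks for the A-record target instead, so pass that as
    cname_target to have both names listed.
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    spns = [f"HTTP/{host}"]
    if cname_target:
        spns.append(f"HTTP/{cname_target}")
    return spns


def expected_ssas_spns(server_spec):
    """SPNs for an Analysis Services server string of the form host or host\\instance.

    A named instance is located through SQL Browser first (MSOLAPDisco.3/host), then
    the instance itself (MSOLAPSvc.3/host:instance); a default instance needs only
    MSOLAPSvc.3/host. Register them on the account the SSAS service runs as.
    """
    host, _, instance = server_spec.partition("\\")
    if instance:
        return [f"MSOLAPDisco.3/{host}", f"MSOLAPSvc.3/{host}:{instance}"]
    return [f"MSOLAPSvc.3/{host}"]


def missing_spns(expected, registered):
    """Expected SPNs not present (case-insensitively) in the registered list."""
    have = {normalize_spn(s) for s in registered}
    return [s for s in expected if normalize_spn(s) not in have]


# Constructed sample: two SQL service accounts that both carry sql01's SPN, plus the
# computer account's own HOST SPNs, which are fine.
SAMPLE_ACCOUNTS = {
    "svc_sql_site01": ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql02.corp.example:1433"],
    "svc_sql_site02": ["MSSQLSvc/SQL01.corp.example:1433", "MSSQLSvc/sql03.corp.example:1433"],
    "SQL01$": ["HOST/sql01.corp.example", "HOST/SQL01"],
}

# The HTTP SPNs exactly as listed in the SQL Reporting Services post above.
POSTED_SSRS_SPNS = [
    "http/testprjmngmtreports14.company.com",
    "http/testprjmngmtreports14",
    "http/ECTSTSQLRS5.COMPANY.INT",
    "http/ECTSTSQLRS5",
]

if __name__ == "__main__":
    for spn, acc in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"duplicate {spn} on {acc}")
    for url in ("http://testprjmnmtreports14.company.com/Reports",
                "http://ECTSTSQLRS5.company.int/Reports"):
        print(url, "missing:", missing_spns(expected_http_spns(url), POSTED_SSRS_SPNS))
    print("SSAS needs:", expected_ssas_spns("dbserver\\instance"))
```

    To run it against a real domain, fill the accounts dict from an LDAP search for (servicePrincipalName=*) returning sAMAccountName and servicePrincipalName, or from the output of setspn -L per account. Fixing a duplicate means removing the SPN from the account that does not actually run the service, not adding more; fixing a missing alias SPN means adding HTTP/<alias> to the one account that does.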

  • Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

    We use exchange 2010 SP2.
    We have 2 management stations, both w2k8 R2 SP1.
    I have one mangement station on which the emc and ems works ok.
    On the other management staiton (which is also in another ad site) the emc and ems don't work.
    I get the following error message : The attempt to connect to
    http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    I have checked the time on the management station and on the exchange server and this is ok.
    It is not a permissions issue because the user functions ok on the other management station.
    On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
    What am I doing wrong?
    Anyone any tips?
    Thanks,
    JB 

    This is what I get in the eventlog of the bad management station.
    Log Name:      MSExchange Management
    Source:        MSExchange CmdletLogs
    Date:          1/10/2012 11:39:27
    Event ID:      6
    Task Category: (1)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server.domain.com
    Description:
    The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    Get-ExchangeServer
    {Identity=Servername}
    Domain/ou/ou/ou/ou/username
    Exchange Management Console-Local
    3080
    22
    00:00:00.3593888
    View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
    Context
    the message resource is present but the message is not found in the string/message table
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchange CmdletLogs" />
        <EventID Qualifiers="49152">6</EventID>
        <Level>2</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
        <EventRecordID>11</EventRecordID>
        <Channel>MSExchange Management</Channel>
        <Computer>FQDN MGMT STATION</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Get-ExchangeServer</Data>
        <Data>{Identity=MGMT STATION}</Data>
        <Data>domain/ou/ou/ou/ou/username</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>Exchange Management Console-Local</Data>
        <Data>3080</Data>
        <Data>
        </Data>
        <Data>22</Data>
        <Data>00:00:00.3593888</Data>
        <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
        <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
        <Data>Context</Data>
        <Data>
        </Data>
      </EventData>
    </Event>

  • BO XI 3.0 Kerberos Authentication error

    I have installed BO XI 3.0 and everything works great, except I cannot log on with my AD account. I have followed all the steps in the Administrator Guide and I get an error when I run kinit.exe:
    Exception: krb_error 0 Cannot get kdc for realm NET.ADS.STATE.TN.US No error
    KrbException: Cannot get kdc for realm NET.ADS.STATE.TN.US
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:133)
    at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
    at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:300)
    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
    Do I need to open any specific ports? I have a side-by-side installation of BO XI R1 that authenticates using NTLM without a problem.
    My krb5.ini looks like this:
    [libdefaults]
    default_realm = NET.ADS.STATE.TN.US
    dns_lookup_kdc = true
    dns_lookup_realm = true
    [realms]
    DNS.COM = {default_domain = NET.ADS.STATE.TN.US kdc = AG0319008WD102.NET.ADS.STATE.TN.US}

    The error means it can't find the specified KDC (AG0319008WD102.NET.ADS.STATE.TN.US). Can you ping it? Is Kerberos running on port 88? Is it running a global catalog?
    Try this
    [libdefaults]
    default_realm = NET.ADS.STATE.TN.US
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1
    [realms]
    NET.ADS.STATE.TN.US = {
    kdc = AG0319008WD102.NET.ADS.STATE.TN.US
    default_domain = NET.ADS.STATE.TN.US
    }
    The forum is removing the brackets around libdefaults and realms; make sure they are still in your file.
    [libdefaults]
    default_realm = NET.ADS.STATE.TN.US
    dns_lookup_kdc = true
    dns_lookup_realm = true
    udp_preference_limit = 1
    [realms]
    NET.ADS.STATE.TN.US = {
    kdc = AG0319008WD102.NET.ADS.STATE.TN.US
    default_domain = NET.ADS.STATE.TN.US
    }
    Regards,
    Tim
    Edited by: Tim Ziemba on Aug 12, 2008 11:13 AM
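    The difference between the two configurations above is the realm stanza key: the posted file has [realms] keyed on DNS.COM while default_realm is NET.ADS.STATE.TN.US, so the Java Kerberos client finds no kdc entry for the realm it is logging on to and reports "Cannot get kdc for realm". The parser and validator below are an added example, not code from the post or from BusinessObjects, that reads the krb5.ini / krb5.conf syntax (including the brace-delimited realm blocks a forum can mangle) and reports the conditions that produce that error: no stanza for default_realm, a stanza without kdc, a realm not in upper case, or an unterminated block. The three sample files are constructed from the configurations in the post, re-wrapped one key per line. udp_preference_limit = 1 in the corrected file makes the client use TCP to port 88 first, which is what avoids KRB_ERR_RESPONSE_TOO_BIG when an Active Directory ticket with a large PAC does not fit a UDP datagram.

```python
"""Parse and sanity-check a krb5.ini / krb5.conf before running kinit.

Added example, not code from the post. Handles the MIT/Java syntax used here:
[section] headers, key = value lines, and key = { ... } sub-blocks for realms.
"""
import re

SECTION_RE = re.compile(r"\[(\S+)\]")


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}}; raises ValueError on bad nesting."""
    conf, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line}")
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                         # start of a realm block
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def check_realm_config(conf):
    """List the problems that make a client unable to locate a KDC for default_realm."""
    problems = []
    defaults = conf.get("libdefaults", {})
    realm = defaults.get("default_realm")
    if not realm:
        return ["libdefaults has no default_realm"]
    if realm != realm.upper():
        problems.append(f"realm {realm} is not upper-case; realm names are case-sensitive")
    realms = conf.get("realms", {})
    stanza = realms.get(realm)
    dns_on = defaults.get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1")
    if stanza is None:
        found = ", ".join(realms) or "none"
        msg = f"no [realms] stanza for default_realm {realm} (found: {found})"
        if dns_on:
            msg += "; KDC discovery then depends entirely on DNS SRV records because dns_lookup_kdc is on"
        else:
            msg += " and dns_lookup_kdc is off, so no KDC can be located at all"
        problems.append(msg)
    elif not isinstance(stanza, dict) or "kdc" not in stanza:
        problems.append(f"[realms] stanza {realm} has no kdc entry")
    return problems


def validate_text(text):
    """Parse and check in one step; syntax errors come back as a single 'syntax:' entry."""
    try:
        conf = parse_krb5_conf(text)
    except ValueError as err:
        return [f"syntax: {err}"]
    return check_realm_config(conf)


# Constructed from the configuration as posted, re-wrapped one key per line.
POSTED_KRB5_INI = """
[libdefaults]
default_realm = NET.ADS.STATE.TN.US
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
DNS.COM = {
default_domain = NET.ADS.STATE.TN.US
kdc = AG0319008WD102.NET.ADS.STATE.TN.US
}
"""

# The corrected configuration from the reply, with its closing brace.
FIXED_KRB5_INI = """
[libdefaults]
default_realm = NET.ADS.STATE.TN.US
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1
[realms]
NET.ADS.STATE.TN.US = {
kdc = AG0319008WD102.NET.ADS.STATE.TN.US
default_domain = NET.ADS.STATE.TN.US
}
"""

# The same file with the closing brace stripped, as a forum post can do to it.
UNTERMINATED_KRB5_INI = FIXED_KRB5_INI.rstrip().rstrip("}") + "\n"

if __name__ == "__main__":
    for label, text in (("posted", POSTED_KRB5_INI), ("fixed", FIXED_KRB5_INI),
                        ("unterminated", UNTERMINATED_KRB5_INI)):
        print(label, validate_text(text) or ["ok"])
```

    Point validate_text at the real file before running kinit; an empty list means the client at least knows which host to contact for the realm, after which a failure is a network or port 88 question rather than a configuration one.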

  • Error=49 from the LDAP server for GSSAPI Kerberos authentication

    I am trying to find a solution for an ldapsearch failure with GSSAPI Kerberos authentication. I am running Sun Directory Server 5.2 P4 on a Solaris 9 SPARC machine.
    Steps :
    bash-2.05# kinit tester1
    Password for [email protected]:
    bash-2.05#
    When I do ldapsearch , I am getting following logs on the server :
    tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
    [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
    I am using the default Identity Mapping and the ldif file looks like this:
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMatching-regexp: uid=(.*)
    dsSearchBaseDN: ou=people,dc=test1,dc=com
    dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
    modifyTimestamp: 20070221082740Z
    Following is the snoop for LDAP on the server :
    bash-2.05# !snoop
    snoop -v port 389 | grep LDAP
    Using device /dev/eri (promiscuous mode)
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP: *** NOT PRINTED - Too long value ***
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: 1
    LDAP: Invalid Credentials
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL(-1): generic failure:
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation [APPL 2: Unbind Request]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    Please help me on how to fix this issue.
    Thanks,
    Radhakrishnan

    I did reply on the other thread of yours...
    Ludovic
