GSSAPI SASL Kerberos authentication

I have Sun one Directory Server 5.2 P4 installed on Solars -Sparc system.
For GSSAPI SASL Kerberos authentication to work, do I need to install a third party GSSAPI plugin(like PADL's) or is it enough to use the GSSAPI plugin that comes with Sune One bundle ?
I got this doubt after going through the following link
http://lists.fini.net/pipermail/ldap-interop/2005-March/000342.html .. Please clarify

Hi Ludovic,
I have fixed the Kerberos issue..I am getting following messages from the access logs on the server while doing ldapsearch
tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
[20/Feb/2007:05:53:35 -0700] conn=21 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[20/Feb/2007:05:53:35 -0700] conn=21 op=1 msgId=2 - UNBIND
[20/Feb/2007:05:53:35 -0700] conn=21 op=1 msgId=-1 - closing - U1
[20/Feb/2007:05:53:36 -0700] conn=21 op=-1 msgId=-1 - closed.
[20/Feb/2007:05:56:18 -0700] conn=22 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
[20/Feb/2007:05:56:18 -0700] conn=22 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[20/Feb/2007:05:56:18 -0700] conn=22 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
from ethereal i am getting the following message
----- Lightweight Directory Access Protocol Header -----
LDAP: SASL(-13): authentication failur
LDAP: e: GSSAPI Error: Unspecified GSS
LDAP: failure. Minor code may provid
LDAP: e more information (No error)
My rootdse looks liks this for gssapi
dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
objectClass: dsIdentityMapping
objectClass: nsContainer
objectClass: dsPatternMatching
objectClass: top
cn: default
dsMatching-pattern: ${Principal}
dsSearchBaseDN: ou=people,dc=cisco,dc=com
creatorsName: cn=directory manager
createTimestamp: 20070220045812Z
dsMappedDN: uid=$1,ou=people,dc=test1,dc=com
dsMatching-regexp: (.*)@(.*)
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
t
modifyTimestamp: 20070220102553Z
Please help on this.
Thanks,
Radhakrishnan

Similar Messages

  • Error=49 from the LDAP server for GSSAPI Kerberos authentication

    I am trying to find solution for ldapsearch failure with GSSAPI Kerberos authentication . I am running Sun Directory Server 5.2 P4 on a Solaris-9 sparc machine..
    Steps :
    bash-2.05# kinit tester1
    Password for [email protected]:
    bash-2.05#
    When I do ldapsearch , I am getting following logs on the server :
    tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
    [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
    I am using default Identiy Mapping and the ldif file looks like this :
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMatching-regexp: uid=(.*)
    dsSearchBaseDN: ou=people,dc=test1,dc=com
    dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
    t
    modifyTimestamp: 20070221082740Z
    Following is the snoop for LDAP on the server :
    bash-2.05# !snoop
    snoop -v port 389 | grep LDAP
    Using device /dev/eri (promiscuous mode)
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP: *** NOT PRINTED - Too long value ***
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: 1
    LDAP: Invalid Credentials
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL(-1): generic failure:
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation [APPL 2: Unbind Request]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    Please help me on how to fix this issue.
    Thanks,
    Radhakrishnan

    I did reply on the other thread of yours...
    Ludovic

  • GSSAPI Kerberos authentication and WS-Security

    Hi,
    We have a requirement to perform Kerberos authentication to a web service.
    The client is to be written in C# using Microsoft's Web Services
    Enhancements (WSE 3.0). WSE (which uses SSPI) has support for
    Kerberos authentication. The application server does not support Kerberos.
    The intention is to use the Java GSSAPI on the web service side to process
    a limited part of the WS-Security header.
    I've successfully processed the <wsse:BinarySecurityToken> to performed
    the actual authentication, I'm now left with checking the signatures.
    The values of the <DigestValue> and <SignatureValue> appear to always be
    20 bytes long (when decoded from Base64) which suggests they're the
    output from SHA1.
    The outputs from GSSContext.getMIC and GSSContext.wrap always start
    with the ASN.1 value 0x60. The <SignatureValue> donen't, therefore
    attempting to use verifyMIC or unwrap fail with:
    "GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)"
    It appears that the digest algorithm is SHA1 and the signature algorithm is
    HMAC-SHA1. So the <DigestValue> is probably just the SHA1 of the
    Canonical XML of the SOAP:Body. The HMAC algorithm requires access to
    the Kerberos private session key, which doesn't appear to be made
    available through the GSSAPI interface, so implementing our own functions
    doesn't seem to be an option.
    I've included the portion of the SOAP header I'm looking at below, apologies
    if the format's messed up.
    So what I'm looking for is:
         1) A way of Canonicalising the SOAP:Body so I can feed it into SHA1           
              (java.security.MessageDigest).
         2) A way of getting at the Kerberos session key through the GSSAPI so I
              can produce the <SignatureValue> from the <DigestValue> for      
              verification (javax.crypto.Mac).
    Any ideas ?
    Cheers
    Phil
    <wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp-343caad4-454a-4dcd-b206-3e6bf4ad0116">
    <wsu:Created>2006-04-27T13:00:48Z</wsu:Created>
    <wsu:Expires>2006-04-27T13:05:48Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422">YIIB1AYJKoZIh<snip>==</wsse:BinarySecurityToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
    <Reference URI="#Id-73b189ca-2ddd-4fcb-a60e-025e71857802">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>BRyjTgrnalo2YXtWUi80pzgoVso=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>ddTO413OprTwFPWj3NDx94PidZc=</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422" ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </wsse:Security>

    Hi Osman,
    Hope this blog will answer your Query: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
    Documentation SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/69/a6fb3fea9df028e10000000a1550b0/content.htm
    Security settings for SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/56/992d4142badb2be10000000a1550b0/content.htm
    Regards
    Pothana

  • JNDI,AD,Kerberos Authentication, Windows

    Hi all,
    OS:
    Server: LDAP Server AD running on win2k server with KDC on the same machine
    Client: Sun's JNDI application on WinXP
    Senario:
    I managed to make the well-known tutorial example (list 1) work well on both jdk1.4.2_05 and jdk1.5.1_02. The main steps can be summarized as
    step 1: Kerberose authtication with lc.login() based on JAAS
    step 2: Assume the identity of the authenticated subject
    step 3: Run JNDI client application under this identity with Subject.doAS()
    Problem:
    It's very hard to force users to run their JNDI applications UNDER step 1 & 2. As you know, step 3 is run by a spawn child's thread and for this reason it's very hard to convince users including myself of doing SSO in this way. There should be a better way. Actually, KDC's realm is built in such a way that all applications and computers under the same realm should be SSO Kerberose aware -- that is -- once the intial authentication is done, the identity assuming should be valid for the entire login session (usually 8~10 hours).
    Solution:
    Step 0: Create client's user account 'testuser' on AD
    Step 1: Initially login using command kinit()
    C\: kinit test
    Password for testuser@REALM:mypassword
    New ticket is stored in cache file C:\Documents and Settings\abc\kerb5cc_abc
    Step 2: Run JNDI client application (list 2)
    Error:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at JndiClientAction.main(JndiClientAction.java:61)
    javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at JndiClientAction.main(JndiClientAction.java:61)
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:174)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         ... 13 more
    Caused by: GSSException: No valid credentials provided
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:69)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         ... 14 more
    SOS:
    Can anyone pin point what's going wrong?
    Thanks in advance
    Spencer
    ------------------- LIST 1 -------------------
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.util.Hashtable;
    * Demonstrates how to create an initial context to an LDAP server
    * using "GSSAPI" SASL authentication (Kerberos v5).
    * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
    * compliant implementation of J-GSS and a Kerberos v5 implementation.
    * Jaas.conf
    * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
    * 'qop' is a comma separated list of tokens, each of which is one of
    * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
    class KerberosExample {
    public static void main(String[] args) {
    java.util.Properties p = new java.util.Properties(System.getProperties());
    p.setProperty("java.security.krb5.realm", "MYCOMPANY.ORG");
    p.setProperty("java.security.krb5.kdc", "mydomaincontroller.mycompany.org");
    p.setProperty("java.security.auth.login.config", "C:\\WINNT\\jaas.conf");
    System.setProperties(p);
    // 1. Log in (to Kerberos)
    LoginContext lc = null;
    try {
    lc = new LoginContext(GssExample.class.getName(),
    new TextCallbackHandler());
    // Attempt authentication
    lc.login();
    } catch (LoginException le) {
    System.err.println("Authentication attempt failed" + le);
    System.exit(-1);
    // 2. Perform JNDI work as logged in subject
    Subject.doAs(lc.getSubject(), new LDAPAction(args));
    // 3. Perform LDAP Action
    * The application must supply a PrivilegedAction that is to be run
    * inside a Subject.doAs() or Subject.doAsPrivileged().
    class LDAPAction implements java.security.PrivilegedAction {
    private String[] args;
    private static String[] sAttrIDs;
    private static String sUserAccount = new String("testuser");
    public LDAPAction(String[] origArgs) {
    this.args = (String[])origArgs.clone();
    public Object run() {
    performLDAPOperation(args);
    return null;
    private static void performLDAPOperation(String[] args) {
    // Set up environment for creating initial context
    Hashtable env = new Hashtable(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY,
    "com.sun.jndi.ldap.LdapCtxFactory");
    // Must use fully qualified hostname
    env.put(Context.PROVIDER_URL, "ldap://mydomaincontroller.mycompany.org:389/DC=mycompany,DC=org");
    // Request the use of the "GSSAPI" SASL mechanism
    // Authenticate by using already established Kerberos credentials
    env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
    env.put("javax.security.sasl.server.authentication", "true");
    try {
    /* Create initial context */
    DirContext ctx = new InitialDirContext(env);
    /* Get the attributes requested */
    Attributes aAnswer =ctx.getAttributes( "CN="+ sUserAccount + ",OU=mydivision,OU=Departments");
    NamingEnumeration enumUserInfo = aAnswer.getAll();
    while(enumUserInfo.hasMoreElements()) {
    System.out.println(enumUserInfo.nextElement().toString());
    // Close the context when we're done
    ctx.close();
    } catch (NamingException e) {
    e.printStackTrace();
    ------------------- LIST 2 ------------------------------
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.Hashtable;
    class JNDIClientAction {
    private static String[] sAttrIDs;
    private static String sUserAccount = new String("testuser");
    public static void main(String[] args) {
    // Set up environment for creating initial context
    Hashtable env = new Hashtable(11);
    env.put(Context.INITIAL_CONTEXT_FACTORY,
    "com.sun.jndi.ldap.LdapCtxFactory");
    // Must use fully qualified hostname
    env.put(Context.PROVIDER_URL, "ldap://mydomaincontroller.mycompany.org:389/DC=mycompany,DC=org");
    // Request the use of the "GSSAPI" SASL mechanism
    // Authenticate by using already established Kerberos credentials
    env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
    try {
    /* Create initial context */
    DirContext ctx = new InitialDirContext(env);
    /* Get the attributes requested */
    Attributes aAnswer =ctx.getAttributes( "CN="+ sUserAccount + ",OU=mydivision,OU=Departments");
    NamingEnumeration enumUserInfo = aAnswer.getAll();
    while(enumUserInfo.hasMoreElements()) {
    System.out.println(enumUserInfo.nextElement().toString());
    // Close the context when we're done
    ctx.close();
    } catch (NamingException e) {
    e.printStackTrace();
    }

    Hi,
    these Notes will help you :
    Note 352295 - Microsoft Windows Single Sign-On options
    Note 595341 - Installation issues with Single Sign-On and SNC
    Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry
    http://help.sap.com/saphelp_nwes72/helpdata/en/44/0ea40dc6970d1ce10000000a114a6b/frameset.htm
    For Windows SAP Servers pls download the libs of note 352295.
    For Linux use the one on OS level  ( /usr/lib64/libgssapi_krb5.so )
    For Linux make sure that the krb5 rpm packages are installed
    krb5-32bit.......
    krb5-...............
    krb5-client.......
    I hope this helps
    greetings
    oliver

  • Kerberos Authentication: "Integrity check on decrypted field failed"

    Hi,
    I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
    Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
    The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
    Has anyone else had this error & what causes it?
    Many thanks in advance.
    Regards
    Jane
    Full error text:
    JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
    JGSS_DBG_CRED getCred: only one cred, returning it
    JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
    JGSS_DBG_CRED Krb5 name type = 0
    JGSS_DBG_CTX Creating context, cred usage = 2
    GSS Context created
    JGSS_DBG_UNMARSH Real token len 1641
    JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
    JGSS_DBG_UNMARSH inner token len 1630
    JGSS_DBG_PROV getFactory: index = 0 found factory
    JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
    JGSS_DBG_PROV 1.2.840.113554.1.2.2
    JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
    JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
    JGSS_DBG_CTX Default list of negotiable mechs:
    1.2.840.113554.1.2.2
    JGSS_DBG_CTX ticket enc type = des-cbc-md5
    com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
    at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
    at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
    at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
    at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:215)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    JGSS_DBG_CTX Error authenticating request. Reporting to client
    Major code = 11, Minor code = 31
    org.ietf.jgss.GSSException, major code: 11, minor code: 31
    major string: General failure, unspecified at GSSAPI level
    minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed

    Hi Désirée,
    Yes the service user has "Use DES encryption" set.
    In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
    Regards
    Jane

  • Kerberos Authentication Not Working on OS X 10.6

    Using FF version 20.0, on OS X 10.6.8, I can not get it to use Kerberos authentication to allow SSO to a SharePoint web site.
    On OS X 10.8, with the same configuration in the about:config, everything works fine - the user is not prompted for credentials.
    I have put the necessary entires in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, network.negotiate-auth.gsslib is set to true.
    When I have setup to log the errors from the authentication module, I find in the log file "Fail to load gssapi library".
    Interestingly on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
    Thanks for any help,
    Richard

    Found the solution:
    Was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
    We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
    Main problem was the kinit thing though.

  • Kerberos Authentication Failure for POP3 After Upgrading to 10.6.5

    So I just upgraded from 10.6.4 to 10.6.5 and now Kerberos authentication for POP3 from Mail fails. Kerberos authentication for SMTP outgoing mail is just fine, it's only POP3 incoming mail that fails to authenticate. POP3 Kerberos authentication still works fine for the same account from another machine running 10.5.8. The mailaccess.log file contains the following:
    Nov 23 15:36:59 server master[423]: about to exec /usr/bin/cyrus/bin/pop3d
    Nov 23 15:36:59 server pop3[423]: executed
    Nov 23 15:37:00 server pop3[423]: accepted connection
    Nov 23 15:37:00 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
    Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
    Nov 23 15:37:01 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
    Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
    Nov 23 15:37:04 server pop3[423]: badlogin: FQDN [192.168.0.4] GSSAPI
    Nov 23 15:37:04 server master[52]: process 423 exited, status 0
    The server is running Mac OS X Server 10.4.11 and cannot be upgraded any further than as it is ancient hardware.
    Any thoughts?
    Cheers,
    Derek

    Makes perfect sense to me that ending one session by logging out enables him to begin a new session by logging back in. I give the young man credit for figuring out how to get around this deficiency in Parental Controls, as, deep down, I'm sure you do, too.
    If you can't trust him to stick to his agreed upon half an hour a day, you can always (threaten to) lock him out of the computer for 23.5 hrs/day using the Bedtime settings. ; )

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
    1. Can Kerberos and NTLM authentication be configured together.
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
    3. Any other approach to make Portal Drive SSO work.
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
    second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest vesion.
    Hope this helps
    Marcel

  • BO XI Release 2 - NLTM versus Kerberos Authentication

    Hello,
    I have some problem with Authentication. At first time I set up only in CMS Kerberos Authentication, but now I would like to change it to NLTM, but if I clear the Use Kerberos authentication and I mark off Use NTLM authentication and I set up update, it doesn´t work.
    Authentication Options
    Use NTLM authentication 
    Use Kerberos authentication
             Cache security context (required for SSO to database) 
           Service principal name:  
    Thank you very much for your answer,
    unhappy:( Marika

    You can set up kerberos for both, it's required for java. .net will support both kerberos and NTLM although unless you are trying to delegate credentials all the way to your DB, then it usually isn't desired in .net because the configuration is far more complex
    You can simple look at your logon url to figure out if you are hitting IIS (urls end in aspx and no port #) or tomcat(urls end in .do and port 8080).
    Regards,
    Tim

  • Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

    I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
    Given below are the steps of installation and configuration.
    Installation till basic authentication:
    The installation has been done in a
    single server.
    Installed SQL Server 2012 (Developer version).
    Selected only the following features:
    Database Engine Services
    Analysis Services
    Reporting Services – SharePoint
    Reporting Services Add-in for SharePoint Products
    Management Tools – Basic
    - Management Tools - Complete
      2. Installed SQL Server 2012 SP1.
      3. Installed SQL Server 2012 SP2.
      4. Installed SharePoint Foundation 2013.
      5. Created web application (without Kerberos; we did not even create the SPNs).
          The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
    account.
      6. Created Site Collection.
      7. Verified that Reporting Services is not installed.
      8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
      9. Verified that Reporting Services is installed.
     10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
      11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
      12. Created a Site.
      13. Created a Data Connection library with “Report Data Source” content type.
      14. Created a Report Model library with “Report Builder Model” content type.
      15. Created a Report library with “Report Builder Report” content type.
      16. Uploaded an SMDL to the Report Model library.
      17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
      18. Able to create and save a report using Report Builder.
    Hence, basic authentication is working and SSRS is able to connect to Oracle database.
    Next we have to configure Kerberos settings between SharePoint and SQL Server.
    Implementation of Kerberos authentication
    In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
    and RSWindowsKerberos.
     2.  Set up the following SPNs.
                   a) SQL Server Database Engine service (sqlDbSrv2):
                    setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                    setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
                 In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
    b) Account: SharePoint Setup Admin account (spAdmin2)
         setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                    setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                    In the Delegation tab of the account, selected "Trust this user for delegation to any  service
    (Kerberos only)".
    c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                       setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                       setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                       In the Delegation tab of the account, selected "Trust this user for delegation to any service
    (Kerberos only)".
      3. Configure the Web Application to use “Negotiate (Kerberos)”.
      4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
         The Event Viewer logged the login process for the SharePoint Administration account as
    Negotiate and not Kerberos.
      5. Implemented Kerberos for Oracle database and client.
         Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
      6. Turn on Windows Firewall.
      7. While testing the site's data connection using Kerberos settings, got the error
    “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
          Note: The Data Connection for basic authentication still worked.
      8. Created a Claims to Windows Token Service account (spC2WTS2).
      9. Started the Claims to Windows Token Service.
     10. Registered the Claims to Windows Token Service account as a Managed Account.
     11. Changed the Claims To Windows Token Service to use the above managed account.
     12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
          Note: The Reporting Services service account is also a part of the WSS_WPG local group.
     13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
     14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
     15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
          When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
    added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
     16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
     17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
          Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
     18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
          For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
    any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
          Note: The Reporting Service account already had an HTTP SPN.
     19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
           For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
           The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
    authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
     20. Restarted the SharePoint server.
     21. Tested the data connection with the Kerberos settings again.
           Got the error
    “ORA-12638: Credential retrieval failed”.
    Can anyone tell me what is wrong with this setup?

    http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
    Problem4: ORA-12638: Credential retrieval failed
    Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
    Do check 
    http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

  • Updating hybrid configuration failed - Kerberos authentication: The network path was not found

    I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
    When I run the Manage Hybrid Configuration, I receive the following error:
    Updating hybrid configuration failed with error
    'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network
    path was not found.
    The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
    [1/5/2014 21:21:1] INFO:Opening runspace to
    http://[servername]/powershell?serializationLevel=Full
    [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
    [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
    error occured while using Kerberos authentication: The network path was not found. 
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
       at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
       at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
       at System.Management.Automation.Runspaces.RunspacePool.Open()
       at System.Management.Automation.RemoteRunspace.Open()
       at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
       at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
    I have sought help, posting on the forum at community.office365.com -
    http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
    Has anyone else come across this problem running the Hybrid Configuration Wizard?

    Hello Darrell,
    Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
    http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspxI would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything
    looks good.
    As the article states you can run the Exchange BPA and it will check if any of these exist as well.

  • WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

    I have two forests with a transitive on-way trust between them: PROD -> TEST (test trusts PROD). I had previously had kerberos authentication working with winrm from PROD to machines in TEST. I have verified the trust is healthy, I also verified users
    in TEST can use WINRM with kerberos just fine. Users from PROD cannot connect via kerberos to machines in TEST with winrm.
    I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent kerberos from happening. I even tried disabling the firewall entirely on my TEST dcs
    but that didn't gain me anything.
    I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
    I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
    PowerShell Error:
    Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken
    winrs Error:
    Winrs error:
    WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config.

    Hi Adam,
    I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
    WSMAN/<NetBIOS name>
    WSMAN/<FQDN>
    If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
    Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
    If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I
    just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
    If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of
    this to learn a bit more about selective trusts and whether or not it's affecting you.
    Cheers,
    Lain

  • The KDC encountered duplicate names while processing a Kerberos authentication request in a Domain controller server

    HI
    we have a sharepoint farm and in domain controller server, this error is in event viewer
    Log Name:      System
    Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
    Date:          9/15/2014 10:44:15 PM
    Event ID:      11
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      XXXAPP01.xxxportal.com
    Description:
    The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
    this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
        <EventID Qualifiers="49152">11</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
        <EventRecordID>131824</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>XXXAPP01.xxxportal.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
        <Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
        <Binary>
        </Binary>
      </EventData>
    </Event>
    adil

    Hi adil,
    Service principal names (SPNs) are stored as a property of the associated account object in Active Directory
    Domain Services (AD DS). I noticed that you have used setpn –X to identify the duplicate SPN. Please refer to following articles and check if help you to solve this issue.
    Event ID 11 — Service Principal
    Name Configuration
    Event ID 11 in the System log of domain controllers
    Please also refer to following article and check if can help you.
    The problem with duplicate SPNs
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft
    does not guarantee the accuracy of this information.
    If any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Kerberos Authentication on Windows 7

    I'm trying to authenticate using Kerberos Authentication. Let's say the server is oracle.mydomain.com, and the kdc is kdc.sub.mydomain.com. Now, I have one machine that is joined to the sub.mydomain.com domain, and another machine which is on a totally different domain thatdomain.com.
    Now, I use this as my krb5.ini file
    [libdefaults]
    default_realm = sub.mydomain.com
    dns_lookup_kdc = true
    dns_lookup_realm = true
    [realms]
    sub.mydomain.com = {
    default_domain = sub.mydomain.com
    kdc = kdc.sub.mydomain.com
    and on the machine that is joined to the sub domain, it connects. If I use the same file for the other machine, I get "Status : Failure - Test failed: Peek timed out". Now I tried kinit on that machine "kinit testacct" and it properly gives me "Enter password for [email protected]" to which I enter the password and it gives me "New ticket is stored in cache file C:\Users\testacct\krb5cc_testacct", so that seems to be working, I just don't know why the SQL developer doesn't. Any ideas? Does the machine have to be joined to the domain in order to work with kerberos? FYI I have tried and I can ping the servers and telnet to the oracle server port, so it doesn't seem like a network issue...?
    The machine that is connecting is on the same subnet and uses the same DNS servers, it is just joined to a different domain.
    Edited by: 850630 on Apr 14, 2011 5:38 AM
    Edited by: 850630 on Apr 14, 2011 5:39 AM

    Hi ElementZero,
    I would still try to get thick kerberos working with for example sqlplus before you try thin.
    To help rule out kerberos version incompatibilities and configuration issues.
    For your information: my oracle krb5.conf set in database advanced properties was:
    [libdefaults]
    default_realm = example.COM
    [realms]
    US.ORACLE.COM = {
    kdc = KERBEROS_SERVER.example.com
    default_domain = example.com
    admin_server = KERBEROS_SERVER.example.com
    [domain_realm]
    .us.oracle.com = EXAMPLE.COM
    us.oracle.com = EXAMPLE.COM
    .ie.oracle.com = EXAMPLE.COM
    ie.oracle.com = EXAMPLE.COM
    If you set the kerberos cache entry in database advanced preferences to an new file you will have
    to enter a new password in sqldeveloper.
    Turloch
    -SQLDeveloper Team

  • Issue in confuguration of Kerberos authentication

    Hi all
    We are trying to configure Kerberos authentication for single sign-on on a SAP WAS 6.40 Java System. We configured the Kerberos using SPNEGO wizard. After configuring when we tried to login to UME, but it prompted for Username and Password which confirms that single sign on is not working.
    In default trace file we got the following info
    i. Key for the principal [email protected] not available in default key     tab
    ii. [Krb5LoginModule] authentication failed
         Unable to obtain password from user
    iii. Login module com.sun.security.auth.module.Krb5LoginModule from authentication stack com.sun.security.jgss.accept does not authenticate the caller.
    iv. LOGIN.FAILED
        Unable to obtain password from user
    1. Why password cannot be obtained from user?
    2. Is there a default keytab other than the one created by the spnego wizard?
    3. If there is one, then can we add the key for [email protected]  in         that file and how?
    4. How can this be resolved?
    Regards
    Deepu

    Your log files are recording an authentication error, so that usually means your login information is incorrect, or just corrupted. Try reseting your Kerberos password, and if that doesn't work, double-check your Kerberos connectivity and configuration settings.

Maybe you are looking for

  • Problem with Adobe Reader (GUI)

    Hi, I´ve got a problem with my Adobe Reader (v. 11.0.10). Everytime when I open some document, I´m getting graphical problems: Menu is hidden When I move by mouse over the menu, it dissappears. And when I maximize the window.. Thanks for your help.

  • Drag and Drop Photos in Design View?

    Hey all, I feel like I'm going insane!  I've used Dreamweaver for probably a decade now and the latest CC won't allow me to drop pictures into design view?  I'm using MAC OSX Mavericks.  Has this been disabled somehow?

  • Oracle Reports complex query

    Hi Friends, I am a newbie on oracle reports. I am ask to revise/debug a complex report. This is the partial source of the Oracle Report Query: select  mta.transaction_date,         &P_acct_flex,              DECODE(mta.transaction_source_type_id,1,to

  • How  and where does SAP standard programs update the master tables...

    Hello there, How  and where does SAP standard programs update the master tables... to be precise.. if a (any) transaction occurs  the programs behind it holds the data in temporary structures. where and when does it get updated in the master table. c

  • How do I make thumbnail from .mp4 movie?

    I need to make a thumbnail .jpg file of a frame of an .mp4 video. I've downloaded a couple of freeware apps (ScreenGrabber and Cocothumbx) that promised to do this but neither would work. I'm running OS 10.6.1. The .mp4 is about 76MB. Any tips?