IMAP & GSSAPI & Kerberos

I am developing a simple mail client. I want that, when the client computer is joined to a domain like Active Directory, the user can connect to his IMAP account without using his password. I think it can be done using Kerberos tickets (is that true?) and the GSSAPI mechanism. As IMAP provider I am using JavaMail, and the mail server is Exchange 2007.
I have asked the JavaMail forum about that.
The answer is:
"Currently only the JavaMail IMAP protocol provider supports SASL. According to The Java SASL API Programming and Deployment Guide, GSSAPI is supported."
But I can't figure out how I can do it. At least, can you tell me whether I am on the wrong track or not? What do I have to do?
Thanks..

GSSAPI is a SASL mechanism, which means you can use the SASL API to perform GSS operations. See
http://java.sun.com/javase/6/docs/technotes/guides/security/sasl/sasl-refguide.html
So you can just try JavaMail to see if it works with Exchange2007.
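As an added example of what "try JavaMail with GSSAPI" looks like in code (this is not from the question, the reply, or the JavaMail project itself), the following opens an IMAP store with the SASL GSSAPI mechanism so the Kerberos TGT already in the ticket cache is used instead of a password. The host name and user are placeholders; the JAAS entry is the one the JDK's JGSS implementation looks up when `javax.security.auth.useSubjectCredsOnly` is `false`.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;
import javax.mail.Folder;
import javax.mail.Session;
import javax.mail.Store;

/**
 * Added example: IMAP login over SASL GSSAPI with JavaMail, reusing the TGT
 * that the domain logon (or kinit) already placed in the ticket cache.
 */
public class KerberosImapLogin {

    /** JAAS entry consulted by JGSS when useSubjectCredsOnly=false: take the TGT
     *  from the ticket cache and never prompt. "com.sun.security.jgss.krb5.initiate"
     *  is the JDK 6+ entry name; JDK 5 used "com.sun.security.jgss.initiate". */
    static final String JAAS_CONFIG =
        "com.sun.security.jgss.krb5.initiate {\n" +
        "  com.sun.security.auth.module.Krb5LoginModule required\n" +
        "    useTicketCache=true doNotPrompt=true;\n" +
        "};\n";

    /** Session configured for SASL GSSAPI on the imap protocol provider. */
    static Session gssapiSession(String host) {
        Properties props = new Properties();
        props.put("mail.store.protocol", "imap");
        props.put("mail.imap.host", host);
        props.put("mail.imap.starttls.enable", "true"); // GSSAPI authenticates; TLS protects the session
        props.put("mail.imap.sasl.enable", "true");      // switch on the SASL authentication path
        props.put("mail.imap.sasl.mechanisms", "GSSAPI"); // and restrict it to Kerberos
        return Session.getInstance(props);
    }

    public static void main(String[] args) throws Exception {
        String host = "mail.example.com"; // placeholder for the Exchange 2007 server
        String user = "alice";            // authorization id; the principal comes from the TGT

        // Write the JAAS entry to a temp file and point the JDK at it. In a deployed
        // client this is a real file passed with -Djava.security.auth.login.config=...
        Path conf = Files.createTempFile("jgss-login", ".conf");
        Files.write(conf, JAAS_CONFIG.getBytes("US-ASCII"));
        System.setProperty("java.security.auth.login.config", conf.toString());
        // Let JGSS obtain its own credentials through the JAAS entry above instead of
        // requiring the caller to run inside Subject.doAs() with a populated Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        Store store = gssapiSession(host).getStore();
        // The password is never sent with GSSAPI; an empty string is passed only
        // because JavaMail treats a null password as "not yet authenticated".
        store.connect(host, user, "");
        try {
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_ONLY);
            System.out.println("GSSAPI login ok, INBOX holds " + inbox.getMessageCount() + " messages");
            inbox.close(false);
        } finally {
            store.close();
        }
    }
}
```

Two checks worth running before blaming the server: `klist` must show a TGT for the realm, and on a domain-joined Windows machine the JDK can only read the logon session's cache if the `AllowTgtSessionKey` LSA registry value is set (the Krb5LoginModule documentation describes this); a cache created with the JDK's own `kinit` works without it. Setting `sun.security.krb5.debug=true` prints the ticket-cache lookup and the service ticket request for `imap/<host>`.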

Similar Messages

  • Error=49 from the LDAP server for GSSAPI Kerberos authentication

    I am trying to find a solution for an ldapsearch failure with GSSAPI Kerberos authentication. I am running Sun Directory Server 5.2 P4 on a Solaris-9 sparc machine.
    Steps :
    bash-2.05# kinit tester1
    Password for [email protected]:
    bash-2.05#
    When I do ldapsearch , I am getting following logs on the server :
    tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
    [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
    I am using the default Identity Mapping and the ldif file looks like this :
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMatching-regexp: uid=(.*)
    dsSearchBaseDN: ou=people,dc=test1,dc=com
    dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
    modifyTimestamp: 20070221082740Z
    Following is the snoop for LDAP on the server :
    bash-2.05# !snoop
    snoop -v port 389 | grep LDAP
    Using device /dev/eri (promiscuous mode)
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP: *** NOT PRINTED - Too long value ***
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: SASL Bind In Progress
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL Credentials [7]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 0: Bind Request]
    LDAP: [Version]
    LDAP: [Object Name]
    LDAP: uid=tester1,ou=people,dc=test1,d
    LDAP: c=com
    LDAP: Authentication: SASL *[3]
    LDAP: [OctetString]
    LDAP: GSSAPI
    LDAP: [OctetString]
    LDAP:
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation *[APPL 1: Bind Response]
    LDAP: [Result Code]
    LDAP: 1
    LDAP: Invalid Credentials
    LDAP: [Matched DN]
    LDAP: [Error Message]
    LDAP: SASL(-1): generic failure:
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- Lightweight Directory Access Protocol Header -----
    LDAP: *[LDAPMessage]
    LDAP: [Message ID]
    LDAP: Operation [APPL 2: Unbind Request]
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    TCP: Destination port = 389 (LDAP)
    LDAP: ----- LDAP: -----
    LDAP:
    LDAP: ""
    LDAP:
    Please help me on how to fix this issue.
    Thanks,
    Radhakrishnan

    I did reply on the other thread of yours...
    Ludovic
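The access log above has a pattern worth recognising on its own: the first two GSSAPI bind rounds are accepted with err=14 (SASL bind in progress), and only the third round is rejected with err=49, so the failure comes at the end of the token exchange rather than on the first token. The following is an added example (not from this thread or from Directory Server) that scans access-log lines and reports every connection whose SASL bind ended that way; the sample lines are a constructed subset of the log quoted above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: flag SASL binds in a Directory Server access log that fail after
 *  one or more err=14 continuations (the exchange ran, the final step was refused). */
public class SaslBindAuditor {
    static final Pattern BIND = Pattern.compile(
        "conn=(\\d+) op=\\d+ msgId=\\d+ - BIND dn=\"([^\"]*)\" method=sasl version=\\d+ mech=(\\S+)");
    static final Pattern RESULT = Pattern.compile(
        "conn=(\\d+) op=\\d+ msgId=\\d+ - RESULT err=(\\d+)");

    /** State of one connection's SASL exchange. */
    static final class Exchange {
        String dn;
        String mech;
        int continuations;
    }

    /** One finding per connection whose SASL bind ended with a non-zero result. */
    static List<String> audit(List<String> lines) {
        Map<String, Exchange> open = new HashMap<>();
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher b = BIND.matcher(line);
            if (b.find()) {
                Exchange ex = open.computeIfAbsent(b.group(1), k -> new Exchange());
                ex.dn = b.group(2);
                ex.mech = b.group(3);
                continue;
            }
            Matcher r = RESULT.matcher(line);
            if (!r.find()) continue;
            Exchange ex = open.get(r.group(1));
            if (ex == null) continue;            // RESULT of an op that was not a SASL bind
            int err = Integer.parseInt(r.group(2));
            if (err == 14) {                      // SASL bind in progress: another round follows
                ex.continuations++;
                continue;
            }
            if (err != 0) {
                findings.add(String.format("conn=%s mech=%s dn=%s failed err=%d after %d continuations",
                        r.group(1), ex.mech, ex.dn, err, ex.continuations));
            }
            open.remove(r.group(1));              // bind finished, successfully or not
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: the conn=32 exchange from the access log, trimmed.
        List<String> sample = Arrays.asList(
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16",
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn=\"uid=tester1,ou=people,dc=test1,dc=com\" method=sasl version=3 mech=GSSAPI",
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress",
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn=\"uid=tester1,ou=people,dc=test1,dc=com\" method=sasl version=3 mech=GSSAPI",
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress",
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn=\"uid=tester1,ou=people,dc=test1,dc=com\" method=sasl version=3 mech=GSSAPI",
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0",
            "[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND");
        for (String finding : audit(sample)) {
            System.out.println(finding);
        }
        // prints: conn=32 mech=GSSAPI dn=uid=tester1,ou=people,dc=test1,dc=com failed err=49 after 2 continuations
    }
}
```

A bind that fails on the very first round (err=49 with zero continuations) points at the client having no usable ticket at all, whereas the two-continuation pattern above means the server consumed the Kerberos tokens and refused only the last step; in the snoop the matching response carries "SASL(-1): generic failure", which is where the identity mapping and credential check happen.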

  • GSSAPI Kerberos

    I am looking at the sun documentation of using GSSAPI to authenticate users by going to a Kerberos server. It isn't clear how the directory knows where the Kerberos server is located.
    How does the directory know where Kerberos is located? Does it use the domain found in the identity mappings? I have two server in the same domain, one directory and one kerberos server. How do I point the directory to the kerberos server?
    Thanks

    If you haven't already, check out the LDAP in the Solaris Operating Environment - Deploying Secure Directory Services book. It details the steps needed for GSSAPI Kerberos support on pages 81 to 93.
    Briefly, you need DNS and NTP running for Kerberos.
    Then you set up the krb5.conf kdc.conf and kadm5.acl files for your Kerberos realm.
    Move kerberos_v5 to the first line of the /etc/gss/mech file.
    Use kadmin.local to create a new admin principal.
    Start the Kerberos daemons.
    Use kinit and klist to verify your principal is working.
    Now ldapsearch for supportedSASLMechanisms looking for GSSAPI and ldapsearch cn=SASL,cn=security,cn=config for the dsSaslPluginsEnable=GSSAPI.
    Edit the example identity-mapping.ldif found in your serverroot/slapdserver/ldif directory.
    Use ldapmodify to add the ident mapping ldif.
    Verify it works with an ldapsearch -o mech=GSSAPI; it should return the same output as a non-GSSAPI search.

  • Help with GSSAPI Kerberos in tomcat JNDIRealm

    Greetings,
    I could use some help with getting tomcat 5.5.12 to use Kerberos against Microsoft Active Directory.
    I have been using Ethereal to sniff the packets going back and forth from tomcat and I verified that with a normal server.xml entry (remove the authentication attribute keyword below), it uses 'simple' authentication (clear text passwords).
    My original server.xml works just fine but now I'm trying to take it to next level and I found documentation (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html)
    specifies that there are the following values:
    - EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external source (such as SSL/TLS or IPsec).
    - DIGEST-MD5 (RFC 2831) is for Digest Authentication.
    - GSSAPI (RFC 2222) is for Kerberos V5 authentication.
    I wish to use GSSAPI to talk with Active Directory so I setup my server.xml with the following :
    <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="4"
         authentication="GSSAPI"
         connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
         connectionPassword="myPassword"
         connectionURL="ldap://10.16.0.xx:389"
         alternateURL="ldap://10.16.0.xx:389"
         userBase="OU= myou,DC=company,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
    />
    And now I get a different type of error from Catalina.out:
    Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
            at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    .....
    At least the GSSAPI is being recognized! My next step was talking with IT; they suggested a c:\winnt\krb5.ini with the following contents:
    [libdefaults]
    default_realm = COMPANY.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    [realms]
    COMPANY.COM = {
    kdc = addy.mycompany.com:88
    admin_server = addy.mycompany.com:88
    kpasswd_server = addy.mycompany.com:464
    default_domain = COMPANY.COM
    }
    And that I then execute:
    $ kinit DKlotz
    Password for [email protected]: mypassword
    New ticket is stored in cache file C:\Documents and Settings\DKlotz\krb5cc_dklotz
    But as you can see from the previous tomcat error log, something is still missing. Do I need to move the cache file or run other commands so that the code within ldap.jar can use it?
    At this time tomcat never tries connecting to the LDAP server as it can't get out of the starting gate. I've got something wrong / missing from the Kerberos setup.
    Any help is greatly appreciated!!
    -Dennis Klotz

    Ok I've made progress, whether it is backwards or not, I don't know yet.
    I've added :
    -Djavax.security.auth.useSubjectCredsOnly=false
    To my Catalina options environment variable in Catalina.bat.
    Now I get the error:
    WARNING: Exception performing authentication
    java.lang.SecurityException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
         at java.lang.Class.newInstance0(Class.java:350)
         at java.lang.Class.newInstance(Class.java:303)
         at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
         at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
         at sun.security.jgss.LoginUtility.login(LoginUtility.java:72)
         at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Krb5Util.java:137)
         at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Krb5InitCredential.java:328)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:131)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1515)
         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:1601)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1004)
         at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
         at org.apache.catalina.core.StandardService.start(StandardService.java:450)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
    Caused by: java.io.IOException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206)
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:95)
         ... 56 more
    Am I moving in the right direction?
    -Dennis
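The two threads above end at the same point from opposite sides: the Directory Server answer finishes with "verify it with an ldapsearch -o mech=GSSAPI and compare it with a non-GSSAPI search", and the Tomcat trace stops at "Unable to locate a login configuration", which is what the JDK reports when `javax.security.auth.useSubjectCredsOnly=false` is set but no JAAS configuration provides the initiator entry. The following is an added example (not from either thread and not Tomcat or Directory Server code) that does that verification with plain JNDI: it reads `supportedSASLMechanisms` from the root DSE, then runs the same search over an anonymous bind and over a GSSAPI bind and compares the results. The URL, base DN and filter are placeholders; the JAAS file contents in the comment are an assumption about the deployment.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example. Start the JVM with
 *   -Djavax.security.auth.useSubjectCredsOnly=false
 *   -Djava.security.auth.login.config=jgss.conf
 * where jgss.conf contains the entry JGSS looks up for the initiating side
 * (JDK 6+ name; JDK 5 used com.sun.security.jgss.initiate):
 *   com.sun.security.jgss.krb5.initiate {
 *     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
 *   };
 * Without that file the JDK fails with "Unable to locate a login configuration";
 * without a TGT from kinit it fails with "Failed to find any Kerberos Ticket".
 */
public class GssapiLdapCheck {
    static final String FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    /** Open a context with the given JNDI authentication type ("none" or "GSSAPI"). */
    static DirContext open(String url, String authentication) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, FACTORY);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, authentication);
        return new InitialDirContext(env);
    }

    /** Step 1: does the root DSE advertise GSSAPI in supportedSASLMechanisms? */
    static boolean serverOffersGssapi(String url) throws NamingException {
        DirContext ctx = open(url, "none");
        try {
            Attribute mechs = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"})
                                 .get("supportedSASLMechanisms");
            return mechs != null && mechs.contains("GSSAPI");
        } finally {
            ctx.close();
        }
    }

    /** Step 2 helper: DNs matched by filter under base, sorted so two runs compare equal. */
    static List<String> searchDns(String url, String authentication, String base, String filter)
            throws NamingException {
        DirContext ctx = open(url, authentication);
        List<String> dns = new ArrayList<>();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // DNs only
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            while (results.hasMore()) {
                dns.add(results.next().getNameInNamespace());
            }
        } finally {
            ctx.close();
        }
        Collections.sort(dns);
        return dns;
    }

    public static void main(String[] args) throws NamingException {
        String url = "ldap://ds.example.com:389";     // placeholder
        String base = "ou=people,dc=example,dc=com";  // placeholder
        String filter = "(uid=tester1)";              // placeholder

        if (!serverOffersGssapi(url)) {
            System.out.println("GSSAPI is not offered: check dsSaslPluginsEnable under cn=SASL,cn=security,cn=config");
            return;
        }
        List<String> anonymous = searchDns(url, "none", base, filter);
        List<String> kerberos = searchDns(url, "GSSAPI", base, filter);
        System.out.println(anonymous.equals(kerberos)
                ? "GSSAPI bind works and the results match: " + kerberos
                : "results differ, anonymous=" + anonymous + " gssapi=" + kerberos);
    }
}
```

The same two system properties are what the Tomcat JNDIRealm needs in `CATALINA_OPTS`; the realm's `connectionName` and `connectionPassword` are not used by the GSSAPI exchange, which authenticates as whichever principal holds the TGT in the ticket cache, so the service account's ticket has to be obtained out of band (a keytab-based `Krb5LoginModule` entry with `useKeyTab=true` and `principal=...` is the usual way to keep a long-running server authenticated without a password on disk).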

  • GSSAPI Kerberos Authentication

    I have installed directory server 5.2 patch3 in x86 system. i cannot authenticate with kerberos principal. It gives me error as show below:
    ldapsearch -h ldap-server.ga.bcrlscsu.net -p 389 -o mech=GSSAPI -o authzid="user1" -b "" -s base "(objectclass=*)"
    ldap_sasl_interactive_bind_s: Invalid credentials
    ldap_sasl_interactive_bind_s: additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No error)
    Could anyone please help me out, here!

    There's a viable Directory Server discussion forum,
    over at the Java ES tab of the front page of this forum site.
    http://forum.java.sun.com/index.jspa?tab=es
    You might consider placing your question there
    so that those with DS skills would see it.

  • GSSAPI Kerberos authentication and WS-Security

    Hi,
    We have a requirement to perform Kerberos authentication to a web service.
    The client is to be written in C# using Microsoft's Web Services
    Enhancements (WSE 3.0). WSE (which uses SSPI) has support for
    Kerberos authentication. The application server does not support Kerberos.
    The intention is to use the Java GSSAPI on the web service side to process
    a limited part of the WS-Security header.
    I've successfully processed the <wsse:BinarySecurityToken> to perform
    the actual authentication; I'm now left with checking the signatures.
    The values of the <DigestValue> and <SignatureValue> appear to always be
    20 bytes long (when decoded from Base64) which suggests they're the
    output from SHA1.
    The outputs from GSSContext.getMIC and GSSContext.wrap always start
    with the ASN.1 value 0x60. The <SignatureValue> doesn't, therefore
    attempting to use verifyMIC or unwrap fail with:
    "GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)"
    It appears that the digest algorithm is SHA1 and the signature algorithm is
    HMAC-SHA1. So the <DigestValue> is probably just the SHA1 of the
    Canonical XML of the SOAP:Body. The HMAC algorithm requires access to
    the Kerberos private session key, which doesn't appear to be made
    available through the GSSAPI interface, so implementing our own functions
    doesn't seem to be an option.
    I've included the portion of the SOAP header I'm looking at below, apologies
    if the format's messed up.
    So what I'm looking for is:
         1) A way of Canonicalising the SOAP:Body so I can feed it into SHA1           
              (java.security.MessageDigest).
         2) A way of getting at the Kerberos session key through the GSSAPI so I
              can produce the <SignatureValue> from the <DigestValue> for      
              verification (javax.crypto.Mac).
    Any ideas ?
    Cheers
    Phil
    <wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp-343caad4-454a-4dcd-b206-3e6bf4ad0116">
    <wsu:Created>2006-04-27T13:00:48Z</wsu:Created>
    <wsu:Expires>2006-04-27T13:05:48Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422">YIIB1AYJKoZIh<snip>==</wsse:BinarySecurityToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
    <Reference URI="#Id-73b189ca-2ddd-4fcb-a60e-025e71857802">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>BRyjTgrnalo2YXtWUi80pzgoVso=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>ddTO413OprTwFPWj3NDx94PidZc=</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422" ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </wsse:Security>

    Hi Osman,
    Hope this blog will answer your Query: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
    Documentation SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/69/a6fb3fea9df028e10000000a1550b0/content.htm
    Security settings for SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/56/992d4142badb2be10000000a1550b0/content.htm
    Regards
    Pothana
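The header Phil quotes fully determines how the two values are computed: `<DigestValue>` is the SHA-1 of the exclusive-C14N form of the element carrying the referenced `wsu:Id`, and `<SignatureValue>` is HMAC-SHA1 over the exclusive-C14N form of `<SignedInfo>`, both 20 bytes, keyed with the Kerberos session key established by the AP-REQ. As an added example (not from Phil's post, the reply, or any project) the following signs and verifies such a Body with the JDK's own `javax.xml.crypto.dsig` API, which handles the canonicalisation that item 1 asks about, using a constructed 16-byte key in place of the session key. On JDK 7 and later the acceptor can obtain the real session key from the established context with `com.sun.security.jgss.ExtendedGSSContext.inquireSecContext(InquireType.KRB5_GET_SESSION_KEY)`, which returns a `java.security.Key`; that part cannot run offline and is left as a comment. The envelope, ids and key bytes are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Added example: WS-Security style HMAC-SHA1 signature over a SOAP Body, keyed with
 *  the Kerberos session key, produced and then verified with javax.xml.crypto.dsig. */
public class KerberosHmacSignature {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String BODY_ID = "Id-73b189ca-2ddd-4fcb-a60e-025e71857802"; // id from the quoted header

    // Constructed envelope: an empty Security header to hold the Signature, and a Body with the wsu:Id.
    static final String ENVELOPE =
        "<soap:Envelope xmlns:soap=\"" + SOAP + "\">"
        + "<soap:Header><wsse:Security xmlns:wsse=\"" + WSSE + "\" soap:mustUnderstand=\"1\"/></soap:Header>"
        + "<soap:Body xmlns:wsu=\"" + WSU + "\" wsu:Id=\"" + BODY_ID + "\"><ping>hello</ping></soap:Body>"
        + "</soap:Envelope>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // Register wsu:Id as an ID attribute so that Reference URI="#..." can be dereferenced.
        Element body = (Element) doc.getElementsByTagNameNS(SOAP, "Body").item(0);
        body.setIdAttributeNS(WSU, "Id", true);
        return doc;
    }

    /** Client side (what WSE does): exc-c14n transform, SHA-1 digest, HMAC-SHA1 signature. */
    static void sign(Document doc, Key sessionKey) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Transform excC14n = fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null);
        Reference ref = fac.newReference("#" + BODY_ID, fac.newDigestMethod(DigestMethod.SHA1, null),
                Collections.singletonList(excC14n), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.HMAC_SHA1, null),
                Collections.singletonList(ref));
        Element security = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0);
        DOMSignContext ctx = new DOMSignContext(sessionKey, security);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE); // SHA-1 is otherwise refused on recent JDKs
        fac.newXMLSignature(si, null).sign(ctx);
    }

    /** Server side: the key comes from the accepted GSS context, not from KeyInfo. */
    static boolean verify(Document doc, final Key sessionKey) throws Exception {
        // With a real context (JDK 7+):
        //   Key k = (Key) ((ExtendedGSSContext) gssContext).inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element sigEl = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        KeySelector bySession = new KeySelector() {
            public KeySelectorResult select(KeyInfo ki, Purpose p, AlgorithmMethod m, XMLCryptoContext c) {
                return new KeySelectorResult() { public Key getKey() { return sessionKey; } };
            }
        };
        DOMValidateContext vc = new DOMValidateContext(bySession, sigEl);
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.FALSE); // the token profile mandates HMAC-SHA1
        return fac.unmarshalXMLSignature(vc).validate(vc);                   // checks digest and signature value
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the session key; a real one is only 16 bytes for RC4/AES-128 anyway.
        Key sessionKey = new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "HmacSHA1");
        Document doc = parse(ENVELOPE);
        sign(doc, sessionKey);
        System.out.println("intact message verifies:   " + verify(doc, sessionKey)); // true
        doc.getElementsByTagName("ping").item(0).setTextContent("tampered");         // change the signed Body
        System.out.println("tampered message verifies: " + verify(doc, sessionKey)); // false
    }
}
```

Item 2 of the question is the part the API in 2006 could not answer: `getMIC`/`verifyMIC` apply the GSS token framing (the 0x60 byte Phil sees), which is why they reject a bare HMAC; only the raw session key lets the verifier recompute the XML-DSig value, and the `KeySelector` above is where that key is plugged in instead of being read from `<KeyInfo>`. Relaxing secure validation is needed solely because the Kerberos token profile fixes the algorithm at HMAC-SHA1; leave it enabled for any signature whose algorithm the peer can choose.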

  • Preauthentication failed with gssapi kerberos authentication

    Hello,
    I am trying to authenticate with kerberos, but I keep on running into the same problem.
    kinit and other kerberos utils work. But when I try to authenticate with my own java code I get a preauthentication error:
    ***Trace:
    [java] default etypes for default_tkt_enctypes: 16 1.
    [java] default etypes for default_tkt_enctypes: 16 1.
    [java] >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
    [java] >>> KrbAsReq calling createMessage
    [java] >>> KrbAsReq in createMessage
    [java] >>> KrbKdcReq send: kdc=tower.mivz.spugium.net UDP:88, timeout=30000, number ofretries =3, #bytes=230
    [java] >>> KDCCommunication: kdc=tower.mivz.spugium.net UDP:88, timeout=30000,Attempt =1, #bytes=230
    [java] >>> KrbKdcReq send: #bytes read=193
    [java] >>> KrbKdcReq send: #bytes read=193
    [java] >>> KDCRep: init() encoding tag is 126 req type is 11
    [java] >>>KRBError:
    [java] cTime is Sat Nov 20 02:23:05 CET 2004 1100913785000
    [java] sTime is Fri Nov 19 03:32:50 CET 2004 1100831570000
    [java] suSec is 750731
    [java] error code is 24
    [java] error Message is Pre-authentication information was invalid
    [java] crealm is MIVZ.SPUGIUM.NET
    [java] cname is root
    [java] realm is MIVZ.SPUGIUM.NET
    [java] sname is krbtgt/MIVZ.SPUGIUM.NET
    [java] etext is Preauthentication failed
    [java] Kerberos password for [email protected]: Unexpected Exception - unable to continue
    [java] javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - Preauthentication failed
    [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
    [java] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    [java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    [java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    [java] at java.lang.reflect.Method.invoke(Method.java:585)
    [java] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    [java] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    [java] at java.security.AccessController.doPrivileged(Native Method)
    [java] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    [java] at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    [java] at org.spugium.spine.plug.webadmin.Login.main(Login.java:166)
    [java] Caused by: KrbException: Pre-authentication information was invalid (24) - Preauthentication failed
    [java] at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
    [java] at sun.security.krb5.KrbAsReq.getReply(DashoA12275:345)
    [java] at sun.security.krb5.Credentials.acquireTGT(DashoA12275:370)
    [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
    [java] ... 12 more
    [java] Caused by: KrbException: Identifier doesn't match expected value (906)
    [java] at sun.security.krb5.internal.ah.a(DashoA12275:133)
    [java] at sun.security.krb5.internal.av.a(DashoA12275:58)
    [java] at sun.security.krb5.internal.av.<init>(DashoA12275:53)
    [java] at sun.security.krb5.KrbAsRep.<init>(DashoA12275:50)
    [java] ... 15 more
    [java] Java Result: 255
    ***krb5.conf
    [libdefaults]
    ticket_lifetime = 600
    default_realm = MIVZ.SPUGIUM.NET
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    [realms]
    MIVZ.SPUGIUM.NET = {
    kdc = tower.mivz.spugium.net:88
    admin_server = tower.mivz.spugium.net:749
    }
    [domain_realm]
    .mivz.spugium.net = MIVZ.SPUGIUM.NET
    mivz.spugium.net = MIVZ.SPUGIUM.NET
    ***csLogin.conf
    org.spugium.spine.plug.webadmin.Webadmin {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true principal="[email protected]";
    };
    ***System properties:
    System.setProperty("java.security.krb5.conf","/etc/krb5.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("javax.security.auth.useTicketCache", "true");
    System.setProperty("java.security.auth.login.config", "csLogin.conf");
    System.setProperty("sun.security.krb5.debug", "true");
    Could someone help me with a hint?
    Thank you,
    Harrie Hoogeveen

    Hi All,
    We are also facing the same issue, but in a different way.
    Our java application accepts the first 100 (around) krb auth requests and the rest of the requests are dropped; while dropping them it simply shows a message like pre-authentication failed.
    What I doubt is, do we have any constraint on the number of concurrent accesses in krb?
    I'm using tomcat and casified sakai with apache2

  • Mail and Kerberos problem

    Mail client: 10.7.4
    Mail server: 10.6.8
    Mail protocol: imap
    Authentication: Kerberos V5
    The problem: when I login on my client, a TGT is acquired normally, klist shows it, and if I launch Mail, mail get a imap service ticket and all works fine.
    When my TGT expires, I cannot get a new TGT other than with a kinit, which is unacceptable for my users. Before, with the Snow Leopard or Leopard mail client, if no TGT was present on the client, Mail popped up a specific Kerberos dialog box to ask for the password and then got a new TGT and imap service ticket. This is still the actual behavior with other services, AFP for example.
    I have tried to create a user Launch Agent which makes a kinit periodically, but when the Mac client comes out of a long sleep state, the TGT is expired and I have no way to launch my script at that moment.
    To reproduce the problem with no ticket at sequence start:
    foo-mac1:~ foo$ klist
    klist: krb5_cc_get_principal: No credentials cache file found
    foo-mac1:~ foo$ kinit  kinit [email protected]
    foo-mac1:~ foo$ klist
    Credentials cache: API:501:12
            Principal: [email protected]
      Issued           Expires          Principal
    Jul  5 10:41:50  Jul  5 20:41:50  krbtgt/[email protected]
    At this point, I launch Mail, a service ticket is created, my account is connected and working well.
    foo-mac1:~ foo$ klist
    Credentials cache: API:501:12
            Principal: [email protected]
      Issued           Expires          Principal
    Jul  5 10:41:50  Jul  5 20:41:50  krbtgt/[email protected]
    Jul  5 11:01:22  Jul  5 20:41:50  imap/[email protected]
    I quit mail and delete my TGT.
    foo-mac1:~ foo$ kdestroy
    foo-mac1:~ foo$ klist
    klist: krb5_cc_get_principal: No credentials cache file found
    If I launch Mail, my account cannot connect and it does not offer the password dialog as previous versions did, so I cannot re-create the TGT and imap service ticket other than with kinit.
    Moreover, Mail logs an entry:
    03/07/12 17:04:52,838 Mail: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found (negative cache))
    03/07/12 17:04:52,838 Mail: [<_LibSasl2SASLClient: 0x7f951dd4f080> mechanism: GSSAPI security layer: no] Failed to start the SASL connection
    SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found (negative cache))
    Do you have an idea to make Mail propose an user friendly dialog box when TGT expires or do you have an idea to launch a script when a Mac get out of sleep?

    No solution at this point. Now we are seeing the same problem trying to authenticate radius users. Extremely frustrating!
    /var/log/system.log:
    Sep 19 11:22:58 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
    Sep 19 11:22:58 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
    Sep 19 11:24:05 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
    Sep 19 11:24:05 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
    Sep 19 11:26:27 hostname /usr/sbin/PasswordService[54]: wrong-sized secret 32
    Sep 19 11:26:27 hostname /usr/sbin/PasswordService[54]: Unexpected State Reached in MS-CHAPv2 plugin
    /var/log/radius/radius.log:
    Fri Sep 19 14:21:56 2008 : Error: rlm_mschap: authentication failed -14090
    Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    Fri Sep 19 14:28:31 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    Fri Sep 19 14:28:48 2008 : Auth: rlm_opendirectory: Could not get the user's uuid.
    I'm wondering if it's trying to use the wrong auth mech at first. I see the user come in with a successful DIGEST-MD5 during the problem, then successful MS-CHAPv2 following the password reset. Resetting the user's password "fixes" the issue. Until it happens again at an unspecified time.

  • IMAP, push mail, and port 25

    I have a relatively simple question:
    some of my co-workers would like to know if it is possible to use their iPhone and Blackberry devices with our current mail system.
    We're running 10.4.7 on the Mail server (2x2.3Ghz G5 XServe, 4GB ram), running imap, non-kerberos authentication, and I have ssl for smtp and imap in use, but not required.
    Since it seems like the simplest solution to outside attacks, we just block all incoming SMTP traffic (port 25) on our Watchguard firewall appliance - also, all our incoming mail is filtered for spam and viruses by a filtering company.
    I'd love to know if there's a way I can still stay "secure" but let folks with smartphones in our organization use that functionality.
    Any ideas or questions? I can post config files and such if needed.

    The applicable server command for IMAP is IMAP IDLE. This simulates the "push" email that you are looking for.
    There is a plug-in for the iPhone (a search for IMAP IDLE iPhone turns up results).
    I don't know if BlackBerry supports IMAP IDLE.
    Does the iPhone support IMAP over SSL? If it does then you could implement a self-signed cert, and get the iPhone to access mail via IMAP with SSL. This site has some very good information on allowing SMTP and IMAP over SSL: http://cutedgesystems.com/software/PostfixEnabler/
    Regards.

  • Safari fails GSSAPI authentication when hostname is a CNAME (DNS alias)

    Hi,
    we heavily use Kerberos as the authentication mechanism for web sites. The Safari users among us discovered that they were unable to use GSSAPI (Kerberos) authentication for URLs that contain a CNAME instead of an A-record.
    Example:
    http://statusmeldungen.uni-paderborn.de contains the hostname statusmeldungen.uni-paderborn.de which is just a CNAME to haldus.uni-paderborn.de.
    So the browser must request the service ticket HTTP/haldus.uni-paderborn.de
    Firefox does this, but Safari tries to fetch HTTP/statusmeldungen.uni-paderborn.de which does not exist, so it fails.
    Is this a known bug? Is this going to be fixed some day?
    Thanks,
    Christopher
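    As an added example (not from Christopher's post and not code from either browser), the derivation the post describes, in Python: follow the CNAME to the canonical name before building the HTTP/ principal (the Firefox behaviour described above) versus using the hostname exactly as typed (the Safari behaviour). The in-memory DNS table, the set of registered principals and the ticket_obtainable helper are constructed for the example; the hostnames are the ones from the post.

```python
from urllib.parse import urlsplit

# Constructed stand-in for DNS (alias -> target). A real client gets this from
# a resolver; an in-memory table lets the example run offline.
CNAME_TABLE = {
    "statusmeldungen.uni-paderborn.de": "haldus.uni-paderborn.de",
}

# Constructed: principals the post says the KDC knows about (canonical name only).
REGISTERED = {"HTTP/haldus.uni-paderborn.de"}


def canonicalize_host(host, cname_table=CNAME_TABLE, max_hops=8):
    """Follow the CNAME chain from host to its canonical A-record name.

    Refuses to follow loops or unreasonably long chains, which is what a
    careful resolver must do with DNS data it does not control.
    """
    name = host.lower().rstrip(".")
    seen = {name}
    hops = 0
    while name in cname_table:
        name = cname_table[name].lower().rstrip(".")
        hops += 1
        if name in seen or hops > max_hops:
            raise ValueError(f"CNAME loop or chain too long starting at {host}")
        seen.add(name)
    return name


def http_spn(url, cname_table=CNAME_TABLE, canonicalize=True):
    """Derive the Kerberos service principal a browser asks the KDC for.

    canonicalize=True resolves the alias first and builds HTTP/<canonical host>;
    canonicalize=False uses the hostname from the URL as typed.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    target = canonicalize_host(host, cname_table) if canonicalize else host.lower()
    return f"HTTP/{target}"


def ticket_obtainable(spn, registered_spns):
    """True if some registered principal matches spn (host part case-insensitive)."""
    service, _, host = spn.partition("/")
    return any(
        s.partition("/")[0] == service and s.partition("/")[2].lower() == host.lower()
        for s in registered_spns
    )


if __name__ == "__main__":
    url = "http://statusmeldungen.uni-paderborn.de/"
    for mode in (True, False):
        spn = http_spn(url, canonicalize=mode)
        status = "ticket OK" if ticket_obtainable(spn, REGISTERED) else "KDC: no such principal"
        print(f"canonicalize={mode}: {spn} -> {status}")
```

Two caveats a practitioner would weigh. Resolving the alias means whoever answers the client's DNS query decides which principal the client asks for, so the "Firefox" behaviour is convenient but trusts unauthenticated DNS; MIT krb5's dns_canonicalize_hostname and rdns settings exist precisely so this can be switched off. The fix that works for both behaviours is on the server side: register the alias as an additional principal for the same service (an extra SPN on the account in Active Directory, an extra keytab entry on an MIT or Heimdal KDC), so that HTTP/statusmeldungen.uni-paderborn.de is also in REGISTERED and either derivation gets a ticket.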

    Hi,
    "domain.com and http://www.domain.com work as URLs, but http://domain.com does not"
    Are you saying http://www.domain.com works as an outward directed request but http://domain.com does not?
    I presume you have the domain name registrar pointing domain.com to your IP address So all traffic to domain.com comes to your server. If you want to direct some of that traffic away then you can send it via a subdomain such as www.domain.com.
    If you want to redirect domain.com as an http request then setup a web site on your server for domain.com and redirect to the www.domain.com url.
    HTH,
    Harry

  • Authentication types

    On our Email server, SSL is not yet used.
    I want to allow only Kerberos and CRAM-MD5 for SMTP and IMAP and Kerberos and APOP for POP. I want to disable Login, PLAIN and Clear authentication types. I noticed that these settings work in Apple's Mail client. But not in Outlook Express and MS-Outlook. How to configure these clients to check for Kerberos and CRAM-MD5 only ? Is it even possible ?

    EAP-Fast or LEAP are probably your best shot.
    Good Luck
    Scott

  • Help with mail and webmail

    Hello everyone,
    I will need your help on some things regarding mail and webmail.
    First of all I am not an expert on mac as it is the first time that I'm setting up a server so please be lenient with my mistakes.
    OK let's begin.
    I have a mac mini running 10.6.4 and I have setup 2 domains. www.domain1.com & www.domain2.com
    2 DNS zones.
    1st zone hostname: domain1.com
    Nameservers:
    zone: domain1.com Nameserver Hostname: server.domain1.com
    Mail exchanger: mail.domain1.com Priority: 10
    1 Machine: Machine Name: mail.
    IP Address: my external IP.
    2nd zone hostname: domain2.com
    Nameservers:
    zone: domain2.com Nameserver Hostname: server.domain2.com
    Mail exchanger: mail.domain2.com Priority: 10
    1 Machine: Machine Name: mail.
    IP Address: my external IP.
    Mail Service:
    Domain name: mail
    Host Name: server.domain1.com
    SMTP: ON
    Allow incoming: ON
    IMAP/POP: ON
    Security:
    SMTP IMAP/POP:
    Kerberos: ON
    CRAM-MD5: ON
    APOP: ON
    LOGIN: ON
    SSL: Don't use
    Hosting:
    Enable virtual hosting: ON
    domain1.com
    domain2.com
    I have created 4 users:
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    In Workgroup Manager I have also added a second short name for each user for overlapping; in the mail option the mail server for users in domain1 is the default, server.domain1.com, and for users in domain2 it is server.domain2.com.
    The problems are:
    1. When I send a mail from my users in Hotmail it returns back as: Undelivered Mail Returned to Sender.
    2. How can I configure these emails on PCs?
    3. I want to create web services for both my domains without users from domain1 being able to log in to domain2.
    When I tried to activate 2 separate web services for each domain, the user from domain1 had access to domain2.
    For example
    In https://www.domain1.com should only login users who belong to this domain (domain1).
    Thanks for your time!!

    To control access to your web pages use Server Admin, select the sites tab, and then select realms.
    Add a realm for each of your domains, and then exclude all users except the ones applicable to that domain.
    Have you enabled mail for the users in Open Directory? What does your smtp log say when you try to send email?

  • Remote Desktop Network Level Authentication

    Recently, I began getting failed connections from a Windows 7 Enterprise client to another Windows 7 Enterprise host where the host is requiring NLA. This has been a problem on and off for YEARS and I have found no link that can tell me to configure something
    that I haven't already configured. Neither system underwent any configuration changes that I know of, with the exception of Windows security updates/patches. In fact, some people in my company have the same issue while others do not. I can find no rhyme or
    reason to it. Here's where I'm at:
    "The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support."
    But I do. When I click the upper left-hand corner of my RDP client window and select "About", I see this:
    "Remote Desktop Connection
    Shell Version 6.1.7601
    Control Version 6.1.7601
    Network Level Authentication Supported.
    Remote Desktop Protocol 7.1 supported."
    And the above info is exactly what it says on the host.
    Here's the SecurityProvider registry settings on the client:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
    "SecurityProviders"="credssp.dll"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SaslProfiles]
    "GSSAPI"="Kerberos"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
    "EventLogging"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
    "Debuglevel"=dword:00000000
    "Negotiate"=dword:00000000
    "UTF8HTTP"=dword:00000001
    "UTF8SASL"=dword:00000001
    "DigestEncryptionAlgorithms"="3des,rc4"
    Every link I have looked at tells me to look at those things. Anyone got something new? :)
    Also, if someone knows how to log the RDP failures that would be cool too. Presently I have turned on Audit Other Security Events in GPO but it doesn't tell me if someone attempted to authenticate with a less than desirable security protocol.
    As a fix, for now, I have reduced the security requirements on the host to not require NLA. <-- This is the only consistent fix I have ever seen that works.
    By the way, just about every link I see also starts talking about setting up the RD Session Host service. I am not running Windows Server 2008. This is a Windows 7 to Windows 7 problem.

    Hi,
    On both Windows 7, Please go to System Properties,
    Remote tab and make sure that Allow connections only from computers running Remote Desktop with Network Level Authentication
    is unchecked.
    If problem persists, please check if there was any Windows updates need to install, if so, try to install updates for test.
    Roger Lu
    TechNet Community Support

  • Connecting to Audi A5 without the MMI system

    Is there a way of connecting my Nokia to an Audi A5 replicating the MMI system (i.e. using the phone controls on the car rather than the phone), as my new company car hasn't the built-in Audi option to allow this?
    The Audi website has it as follows:
    "- uses Bluetooth interface with no physical connection to your A5, including roof aerial for optimal reception. Please note that your mobile phone must have SIM-Access Profile facility. (Only in combination with Satellite Navigation system Plus)"
    But I would like to replicate this not using Audi... is this possible?

    Refer to the post titled JNDI, Active Directory and Authentication (Part 1) (Kerberos) at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
    If your JAAS Login Configuration includes the entry useTicketCache=true, then it will use your existing Kerberos ticket to provide a Single Sign On experience.
    On the other hand if this is a browser based application, you will want to investigate the use of either NTLM or GSSAPI (Kerberos) on the web server. There are also third party solutions from Quest & Centrify that simplify this task for Apache etc.

  • GSSAPI with IMAP on Exchange 2013 SP1

    We are setting up Exchange 2013 SP1 in our Exchange 2010 test environment to verify our upcoming migration. I have found out that for some reason I can't get the IMAP service in Exchange 2013 to work with Kerberos (GSSAPI) authentication with Thunderbird as a client. It does work fine in Exchange 2010 SP3 though.
    Exchange 2010 SP3 response in Thunderbird:
    * CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
    Exchange 2013 SP1 response in Thunderbird:
     * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+
    AUTH=GSSAPI is missing and therefore I can't blame Thunderbird for complaining about this. If I compare the output from Get-ImapSettings I can't find anything that would indicate why it shouldn't work. EnableGSSAPIAndNTLMAuth is $true on both servers and LoginType is SecureLogin.
    On http://technet.microsoft.com/en-us/library/jj619283(v=exchg.150).aspx I found out that NTLM is not supported on Exchange 2013 for POP3 and IMAP4, but Kerberos (GSSAPI) and Plain Text Authentication with SSL still are.
    Has anyone got IMAP to work with Kerberos authentication on Exchange 2013 SP1?

    Hello,
    According to your description, we are unable to see the AUTH=GSSAPI in Exchange 2013.
    My environment is Exchange 2013 CU1. I get the same result as yours. Looks like Exchange 2013 IMAP does not support GSSAPI as an authentication mechanism.
    Cara Chen
    TechNet Community Support
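    An added example in Python, not code from either thread: it parses the two CAPABILITY lines quoted in the Exchange post (copied from the post as sample input) and works out what a client can safely do with each server. The same parser answers the IMAP IDLE question from the push-mail thread earlier on this page, since IDLE is advertised in the same response. The tls_active flag, the preference order and the helper names are assumptions made for the example; the decision rules follow RFC 3501 (the LOGIN command is available unless LOGINDISABLED is advertised) and RFC 2177 (IDLE).

```python
# Sample input copied from the Exchange post above (the 2013 line has its
# original leading space); the TLS flag passed in below is a constructed input.
EXCHANGE_2010 = "* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+"
EXCHANGE_2013 = " * CAPABILITY IMAP4 IMAP4rev1 AUTH=PLAIN UIDPLUS CHILDREN IDLE NAMESPACE LITERAL+"

# Assumed preference: Kerberos first (no password leaves the client), then
# NTLM (challenge/response), then PLAIN, which is acceptable only under TLS.
AUTH_PREFERENCE = ("GSSAPI", "NTLM", "PLAIN")


def parse_capability(line):
    """Split an untagged CAPABILITY response into (capabilities, sasl_mechanisms)."""
    tokens = line.strip().split()
    if tokens and tokens[0] == "*":
        tokens = tokens[1:]
    if not tokens or tokens[0].upper() != "CAPABILITY":
        raise ValueError(f"not a CAPABILITY response: {line!r}")
    caps, mechs = set(), set()
    for tok in tokens[1:]:
        tok = tok.upper()  # capability names are case-insensitive
        if tok.startswith("AUTH="):
            mechs.add(tok[len("AUTH="):])
        else:
            caps.add(tok)
    return caps, mechs


def choose_auth(caps, mechs, tls_active):
    """Pick the strongest advertised mechanism the client is willing to use.

    Returns a SASL mechanism name, "LOGIN" for the plain IMAP LOGIN command
    (permitted by RFC 3501 unless LOGINDISABLED is advertised), or None when
    every remaining option would send a reusable password over a cleartext
    session.
    """
    for mech in AUTH_PREFERENCE:
        if mech not in mechs:
            continue
        if mech == "PLAIN" and not tls_active:
            continue
        return mech
    if "LOGINDISABLED" not in caps and tls_active:
        return "LOGIN"
    return None


def plan_session(capability_line, tls_active):
    """Summarise what a client can do with this server: auth choice and push support."""
    caps, mechs = parse_capability(capability_line)
    return {
        "auth": choose_auth(caps, mechs, tls_active),
        "idle": "IDLE" in caps,  # RFC 2177 IDLE, the push-style notification
        "starttls_offered": "STARTTLS" in caps,
    }


if __name__ == "__main__":
    for name, line in (("Exchange 2010 SP3", EXCHANGE_2010),
                       ("Exchange 2013 SP1", EXCHANGE_2013)):
        for tls in (False, True):
            print(f"{name:17} tls={tls!s:5} -> {plan_session(line, tls)}")
```

Run against the two lines from the post, the 2010 server yields GSSAPI regardless of TLS, while the 2013 server yields PLAIN only when the session is already encrypted and nothing at all on a cleartext session, which is the behaviour a client should have rather than quietly falling back to a password mechanism. tls_active is the caller's responsibility: it is true after a successful STARTTLS or on an implicit-TLS port such as 993, and the CAPABILITY line should be re-read after STARTTLS because servers commonly advertise different mechanisms before and after it.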
