JAAS, Kerberos v5 and credentials

Hi,
I've recently heard that you could use GSS-API to implement SSO for use in both Windows. I'd like my system to retrieve the Kerberos key from the local cache to use as credentials. I don't want the user to have to explicitly provide credentials as in the use of, i.e., TextCallbackHandler.
I read about some flag:
useSubjectCredsOnly
That should be set to false in order to make this work?
Well, I'm a newbie to this, so I'm wondering what the code instantiating the LoginContext should look like.
Here's the "usual" way:
LoginContext lc = new LoginContext("myModule", new TextCallbackHandler());
But what should it be when trying to implement SSO with Kerberos and not wanting the user to explicitly provide credentials?
Kind regards, Andreas

Thanks for your respons.
Yeah, I know that callback is never made when you define these options correctly. But then why would I have to specify a CallbackHandler except for when an authentication fails and I want a callback on failure?
Now I just set any CallbackHandler, doesn't matter which, because it isn't going to be used. But the code really looks crappy and hard to read at first glance if you specify something that's never going to be used.
Regards, Andreas
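One way to build the LoginContext for this case, as an added example (not code from the thread): the JAAS configuration is supplied programmatically so that useTicketCache=true and doNotPrompt=true are visible in the code, no CallbackHandler is passed at all, and the resulting Subject is used under Subject.doAs to build a GSS-API initiator context. The entry name KerberosSso and the service name host@server.example.com are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Silent Kerberos login from the local ticket cache, followed by a GSS-API
 * initiator context, with no CallbackHandler anywhere.
 * Added example; the entry name and the service principal are assumptions.
 */
public class TicketCacheSso {

    static final String ENTRY = "KerberosSso";               // assumed entry name
    static final String SERVICE = "host@server.example.com"; // assumed peer service

    /** Programmatic equivalent of a jaas.conf entry for Krb5LoginModule. */
    static final class SsoConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!ENTRY.equals(name)) {
                return null;
            }
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "true"); // read the TGT already in the cache
            options.put("doNotPrompt", "true");    // fail instead of asking the user
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, options)
            };
        }

        @Override
        public void refresh() {
            // nothing to reload: the options are fixed in code
        }
    }

    /** Logs in silently; throws LoginException when no usable TGT is cached. */
    static Subject loginFromTicketCache() throws LoginException {
        // null Subject (a fresh one is created), null CallbackHandler (never needed)
        LoginContext lc = new LoginContext(ENTRY, null, null, new SsoConfiguration());
        lc.login();
        return lc.getSubject();
    }

    /** Name of the Kerberos principal the cached TGT belongs to. */
    static String principalName(Subject subject) {
        Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class);
        return principals.isEmpty() ? null : principals.iterator().next().getName();
    }

    /** Builds the first AP-REQ token for SERVICE using the Subject's cached TGT. */
    static byte[] initialToken(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism OID
            GSSName peer = manager.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext context = manager.createContext(
                peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            byte[] token = context.initSecContext(new byte[0], 0, 0);
            // A real client sends this token to SERVICE and keeps exchanging
            // tokens until context.isEstablished() becomes true.
            return token;
        });
    }

    public static void main(String[] args) throws Exception {
        Subject subject = loginFromTicketCache();
        System.out.println("Logged in as " + principalName(subject));
        System.out.println("AP-REQ token bytes: " + initialToken(subject).length);
    }
}
```

Because the GSS call runs inside Subject.doAs, the default javax.security.auth.useSubjectCredsOnly=true is sufficient; setting it to false instead lets the GSS-API layer obtain the credentials itself through the com.sun.security.jgss.initiate entry, without any LoginContext in application code.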

Similar Messages

  • Kerberos/Keychain and PHD: Am I trying to do something silly?

    Howdy-
    I'm new to Mac OS server; and I've run into a slight issue - I've set up a Network Account with a roaming profile on OD, and that works fine - Kerberos/SSO all works, and the keychain shows my normal keychains.
    However, I'm forever transferring gigs of temporary data into and out of my user account - Which means that I'm constantly waiting for data to move onto and off of my server. I'm only on 100mbit lan, so this can take a while.
    So I thought if I switch my user to a Mobile account, I can work like a local user; and simply sync data at the beginning and end of session to keep my roaming profile up to date. This works beautifully albeit one caveat:
    Both kerberos/sso and my keychain don't work. So whenever I try to connect to a server, either for screen sharing or AFP, I get prompted for a username and password every time I connect.
    I've tried repairing the keychain; adding a new one, etc to no avail - So I'm wondering, am I being silly and I'm trying to do something which the system isn't designed to do?
    Many thanks for any advice!
    - Kogen

    You've not provided a lot of detail so I am going to suggest that you look at a common point of trouble. But before I do, I will ask, is your DNS working properly (forward and reverse resolution), and if so, when you open /System/Library/CoreServices/Kerberos, do you have a valid TGT after login (this is a Kerberos ticket granting ticket)?
    Ok, if the answers to those questions are yes and yes, then try this:
    1: On the server, open Terminal
    2: Type the following command:
    sudo serveradmin settings afp:kerberosPrincipal
    3: You should get a result that looks something like:
    afp:kerberosPrincipal = "afpserver/[email protected]"
    4: If you do not get this, then your AFP service is not configured to properly use Kerberos.
    5: Correct the value by using the serveradmin command line tool and determining your proper hostname (hostname) and realm name.
    Hope this helps. Oh, if the answer to either of the first two questions is no, then either fix DNS or resolve the issue of why you are not getting a TGT. Remember that time is critical. Your client and server must be within 5 minutes delta for basic authentication. Less than that for many services. Time and DNS is the mantra.

  • OD, Kerberos, SPNEGO and Single Sign-On

    I have been asked to identify ways to improve a company intranet; the entire network is Mac OS X for both clients and servers. The first thing I thought of was using Kerberos for Single Sign-on functionality. Is anyone familiar with any issues surrounding setting this up in an all OS X environment? The Intranet hosts a number of web applications that would need to be converted to use Kerberos authentication and I just wanted to know if anyone is aware of any issues with the Apache mod_spnego or Safari 2.x's support for SPNEGO that could make things difficult. Also, I'm coming up blank for all my searches for any implementation instructions that might be out there, so if anyone knows of any implementation descriptions that could be really helpful.
    Thanks,
    James

    Hi,
    the best thing would be the mapping, I thought it would work either the SSO was activated or not. I thought that once the system can't match the user with SSO it would try with the mapped user.
    The problem if I am not wrong is that the index_service user can't be created in R/3 side, the name is too long. I guess you'll have to find another workaround.
    Gregori Coll Ingles.

  • JAAS, Subject and credentials

    Hi,
    I have to write a security framework for my J2EE application and it has to be portable between appservers. I'm thinking about using JAAS and programmatic security.
    I've written a LoginModule that does user authentication and loads all user credentials. These credentials are app specific classes like WindowPermission.
    How can I have access to these credentials from a servlet/EJB? Is there a way to get the Subject and not just the Principal from a servlet/EJB?
    Thanks,
    Leonardo

    Hi,
    That's what I think too. I guess the only way to get the credentials is to use a weblogic specific class that allows you to login a user from a servlet/jsp.
    It does return the Subject instead of a principal, so you can get the credentials...
    Seems like we'd need to change the J2EE api to further integrate JAAS with it.
    Well... back to handling security on my own :\
    Regards,
    Leonardo Bueno
    "Utpal" <[email protected]> wrote:
    I think EJBContext.getCallerPrincipal() and
    HttpServletRequest.getRemoteUser() are the only method
    to get the principal. I don't think subject can be accessed in the
    EJB/Servlet using standard APIs.
    -utpal

  • JAAS Authorization and Credentials

    Hi,
    I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.
    My question is: What is the role of a Subject's "credentials" in the authorization scenario?
    From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
    A ProtectionDomain also has an array of Principals rather than credentials.
    I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an identity, it is a "credential"!
    Any tips gratefully received.

    "When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials."
    The Subject's public credentials are available via Subject.getPublicCredentials if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
    "A ProtectionDomain also has an array of Principals rather than credentials."
    Again it doesn't need them. Only the JAAS login module needs them.
    "I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials."
    You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
    So you write a JAAS LoginModule that inspects the credentials, Principal, name etc. and adds RolePrincipals to the subject according to what he is now allowed to do. Then your custom Policy just looks for the appropriate Principal in the Subject. If there, OK, if not, bang you're dead.
    From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to.
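The credentials-to-roles mapping described in this answer, as an added example (not code from the thread): a RolePrincipal, a LoginModule whose login() inspects the credential and whose commit() adds the roles to the Subject, and a Policy that matches on RolePrincipals only. The AppCredential class, the role names and the permission-to-role map are constructed for the example.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Credentials are inspected once, inside the LoginModule; from then on only
 * RolePrincipals travel with the Subject, and the Policy matches on those.
 * Added example: the credential class and the role names are constructed.
 */
public class RoleMappingLogin {

    /** Names a role the Subject may act as. The Policy compares by equals(). */
    public static final class RolePrincipal implements Principal {
        private final String role;
        public RolePrincipal(String role) { this.role = Objects.requireNonNull(role); }
        @Override public String getName() { return role; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && role.equals(((RolePrincipal) o).role);
        }
        @Override public int hashCode() { return role.hashCode(); }
    }

    /** Stand-in for an application-specific credential (constructed for this example). */
    public static final class AppCredential {
        final Set<String> grantedRoles;
        public AppCredential(String... roles) { grantedRoles = new HashSet<>(Arrays.asList(roles)); }
    }

    /**
     * LoginModule that expects an AppCredential among the Subject's private
     * credentials (placed there by an earlier module in the stack) and maps
     * it to RolePrincipals. The credential itself never reaches the Policy.
     */
    public static final class RoleMappingModule implements LoginModule {
        private Subject subject;
        private final Set<RolePrincipal> pending = new HashSet<>();
        private boolean succeeded;

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }

        /** Phase 1: look at the credential and decide which roles it maps to. */
        @Override public boolean login() throws LoginException {
            Set<AppCredential> creds = subject.getPrivateCredentials(AppCredential.class);
            if (creds.isEmpty()) {
                throw new LoginException("no application credential in Subject");
            }
            for (AppCredential c : creds) {
                for (String role : c.grantedRoles) {
                    pending.add(new RolePrincipal(role));
                }
            }
            succeeded = true;
            return true;
        }

        /** Phase 2: only now do the roles become visible to the Policy. */
        @Override public boolean commit() {
            if (!succeeded) {
                return false;
            }
            subject.getPrincipals().addAll(pending);
            return true;
        }

        @Override public boolean abort() { pending.clear(); succeeded = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeAll(pending); return true; }
    }

    /**
     * Policy that asks only "does this domain carry the role the permission needs?".
     * A production Policy would also delegate ordinary code-source permissions to
     * the Policy it replaced; that part is left out here.
     */
    public static final class RolePolicy extends Policy {
        private final Map<String, String> roleForPermission; // permission name -> role name
        public RolePolicy(Map<String, String> roleForPermission) { this.roleForPermission = roleForPermission; }

        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            String needed = roleForPermission.get(permission.getName());
            if (needed == null || domain.getPrincipals() == null) {
                return false; // unknown permission, or a domain with no Subject behind it
            }
            return Arrays.asList(domain.getPrincipals()).contains(new RolePrincipal(needed));
        }
    }
}
```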

  • Bug in JAAS Kerberos module on Windows XP?

    We have a large application with its own user management. A recent addition to this application is a single sign-on using the Microsoft Active Directory.
    Specifically we use the Sun provided Kerberos login provider for JAAS to retrieve the currently logged in user. This works perfectly on Windows 2000 Professional.
    On Windows XP however, the login provider does not return the currently logged in user. What am I missing?
    JAAS configuration file:
    PbsJaas {
        com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true dontPrompt=true;
    };
    Test program:
    package test;
    import java.io.*;
    import javax.security.auth.login.*;
    import javax.security.auth.*;
    import java.util.*;
    import java.security.*;

    /**
     * Testing Single Sign On with Microsoft Active Directory
     */
    public class SsoTest {
        private static String getAuthenticatedUser() {
            String ssoUser = null;
            try {
                File confFile = new File( "C:/test", "pbsjaas.conf" );
                System.setProperty("java.security.auth.login.config", confFile.getAbsolutePath());
                System.setProperty("java.security.krb5.realm", "MY.DOMAIN");
                System.setProperty("java.security.krb5.kdc", "DOMAINSERVER");
                LoginContext lc = new LoginContext( "PbsJaas" );
                lc.login();
                Subject s = lc.getSubject();
                // take the first principal found as the logged-in user
                for (Iterator iter = s.getPrincipals().iterator(); iter.hasNext(); ) {
                    Principal p = (Principal) iter.next();
                    ssoUser = p.getName();
                    break;
                }
            } catch (Exception ex) {
                System.out.println("exception during sso authentication - assuming not authenticated");
                ex.printStackTrace(System.out);
                ssoUser = null;
            }
            return ssoUser;
        }

        public static void main(String[] args) {
            try {
                String ssoUser = getAuthenticatedUser();
                System.out.println("user?: " + ssoUser);
            } catch (Exception ex) {
                ex.printStackTrace();
            }
            System.exit(0);
        }
    }
    The output on Windows XP is:
    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Principal is null
    null credentials from Ticket Cache
              [Krb5LoginModule] authentication failed
    No CallbackHandler available to garner authentication information from the user
    exception during sso authentication - assuming not authenticated
    javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:626)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:544)
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at pbs.test.SsoTest.getAuthenticatedUser(SsoTest.java:23)
         at pbs.test.SsoTest.main(SsoTest.java:50)
    user?: null
    Again, on Windows 2000 Professional everything works fine, and I get the currently logged in user.
    We are running Windows 2000 Server.
    Any help would be greatly appreciated.
    David Sykes

    Firstly there appears to be a bug in the Kerberos libraries where it does not look at the local cache on XP. Try with -Dos.name="Windows 2000". This should trick the java libraries into thinking it's on W2K and look at the LSA cache. There appears to be other issues here but still trying to investigate further.
    Secondly you haven't specified a CallBackHandler yet you have DoNotPrompt=false. Thus Kerberos will try to ask for the username and password (since it doesn't talk to LSA), yet none is defined in your call to LoginContext.

  • Kerberos SSO delegated credentials not persistent

    We have a Kerberos SSO enabled http listener application that uses bindows (ajax) that runs on IBM i5 (aka OS/400 and AS/400) that runs fine with IE. I have found info on configuring Firefox (windows) for SSO (see notes further down) so I am testing with our app.
    The initial connection authenticates just fine, but subsequent connections (according to our programmer reviewing our internal traces) are not sending a token with delegated credentials. So I guess the best way to describe this is lack of persistence within the session.
    There doesn't seem to be an official site documenting SSO config, but this is what I found by googling ...
    In url box type about:config, enter. A list of vars appears. Use filter to find network.*uris and set values to the domain name (ie mycorp.com). Additionally search for network.*-proxies and make sure values are set to "true". Additionally search for network.*sspi and make sure value is set to "true". To connect to site using SSO, specify the domain portion in the url (ie xxx.mycorp.com).
    I also found bugzilla 520668 that was about how ugly the process was and claiming sspi should be false, but that causes an authentication failure on the initial connection.
    Is there something I am doing wrong or missed in general set up and use ... or possibly some special token the application is supposed to pass back.

    Thank you for your assistance, Tim.  We have now resolved all remote access issues.  It turned out that we had four different remote access scenarios.  For future reference, here is what we found:
    1.  Users that remote via VPN couldn't log in:  Browser configuration issue - needed to add the domain to the Trusted Sites or Local Intranet (i.e. *.domain.com) because they weren't being authenticated when they turned on their personal machines that were off the network.
    2.  Users logging in to domain but not getting authenticated via SSO:  Browser configuration issue - one particular group was not set to use Windows Integrated Authentication in IE by default.
    3.  Users logging in to domain but not getting authentication via SSO:  Unknown browser configuration issue - although all browser settings seemed to be okay, one group had their browser settings reverted to default and everything started working.
    4.  Users logging into another domain first couldn't get logged into our BOE:  Trust issue - although a trust had been established between our two domains, lag time to actually get logged into the system was over 10 minutes.  We will be investigating Active Directory Federation Service as a way to create a "shortcut" between the two domains.  In the meantime we have deployed BOE enterprise accounts for those users.

  • AD Authentication and credentials encryption

    Hello,
    I need to authenticate to Active Directory using different credentials through the System.DirectoryServices.DirectoryEntry in a PowerShell script. Security is a huge deal in the environment I'm working in, and I have not been able to find a clear answer on this.
    As the DirectoryEntry.AuthenticationType documentation says, since .NET Framework 2.0, the default AuthenticationType is "Secure". Now, apparently using the Secure AuthenticationType in an AD context means the following: "Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client." What I need to make sure of is that the credentials are not passed in clear-text over the network. Is it sufficient to rely on the Secure authentication type or should I specify additional AuthenticationTypes, in which case what would be the most secure combination?
    Additionally to this, another security concern would be that the password would be stored in local memory until the next time the .NET garbage collection takes place, since there is no native method of disposing System.String. Can I use the System.GC.Collect method to remove the clear-text passwords from memory? I've read that this is not good practice as it can potentially cause performance issues, but looking at this from a security perspective, it may be worth looking into anyway if it can remove the string from memory.
    I am not sure if this is the right forum to ask these kind of questions, but figured it would be worth a shot.
    Thanks,
    Andreas

    It's better to never store the password as a string at all (never mind the fact that it's sitting in a plain text PowerShell script file.)  For example, using a character array allows you to zero out the memory whenever you like:
    # The characters of "SecretPassword", obtained with the command:
    # [int[]]"SecretPassword".ToCharArray() -join ', '
    $chars = [char[]](83, 101, 99, 114, 101, 116, 80, 97, 115, 115, 119, 111, 114, 100)
    $securePassword = New-Object securestring
    foreach ($char in $chars) {
        $securePassword.AppendChar($char)
    }
    $securePassword.MakeReadOnly()
    # Zero the plain-text characters now that they have been copied into the SecureString
    [Array]::Clear($chars, 0, $chars.Count)
    This is better than relying on the garbage collector for strings, which would simply make the string's memory available again (without zeroing it out), but it's still not perfect.  The CLR may have moved the character array around before it was zeroed, leaving older copies of it around.
    Best is to not hard-code the password at all, in any form.  Read it from secure storage somewhere directly into a SecureString (such as by using the ConvertTo-SecureString / ConvertFrom-SecureString cmdlets without the -AsPlainText switch; this encrypts the data using DPAPI by default.)

  • JAAS & Kerberos

    I have been using Sun's JAAS Authentication with Kerberos tutorial (../security/jgss/tutorials/AcnOnly.html), and I have a question. When I test it using my username & password, I get the message:
    Authentication failed:
    Pre-authentication information was invalid (24)
    My password is correct so to test it for the other possible reasons I used an administrative name and password and it worked. I next tried another user's name/password and this time received:
    Authentication failed:
    KDC has no support for encryption type (14)
    There is no IT person today to discuss this with so if anyone has any suggestions as to what the problem might be and how I can fix it I would appreciate it.
    Thanks
    Tom

    I've just tried the tutorial against 3 KDCs (w2k kdc, win2003 kdc and mit kdc) with jdk1.4.1_01, and with several accounts and it worked.
    For account with encryption other than DES it failed with 'Pre-authentication information was invalid (24)'...
    Sorry it did not help...

  • JAAS - Kerberos - windows 2000 domain - groups

    I need to find out if a user is in 2 different groups. If they are in group a, I display results a.m. If they are in group b, I display results b.n. If they are in a and b, then I display a.m union b.n. Any ideas?
    I am validating the user through kerberos already. Windows NT domain says they are valid if correct username/domain/password are entered. Now I need to find out if they are part of a group on a domain. Any ideas? Am I making sense? Mail me at perry2of5 at yahoo.com if you need clarification or have ideas and don't want to post here.
    I suspect i need to use the subject from the original login and ask for access to the group, but I don't know how to do this. Help!

    I've a very similar problem (maybe even simpler).
    My webapp (Struts) is running on a Tomcat and the user login has to be proven against a Win2000 active directory server. If login is successful I'll need the user's roles from the W2k ADS. That's it.
    What I know till now:
    - authentication uses Kerberos
    - communication with ADS uses LDAP
    Has anybody an easy solution (example)? I've already read all the JAAS stuff from Sun, but I'm still not sure how to implement it.
    Thx, Chrise

  • JAAS Kerberos Feature Request:-- Option: forwardable = true in configfile

    Hello,
    in order to request a forwardable ticket from the kdc (without using native cache) you have to provide the krb5.ini (or krb5.conf) file with proper krb connection infos (REALM, domain ...)
    AND
    forwardable = true
    It is not possible to configure com.sun.security.auth.module.Krb5LoginModule with this option.
    The following jaas.conf should work:
    KerberosClient {
       com.sun.security.auth.module.Krb5LoginModule required
       useTicketCache=false
       forwardable = true
    };
    thanks

    I have just been pulling my hair out with this same issue! I'm fairly new to Illustrator, so figured it was me just not knowing how to do something simple.
    Also I don't think the pen tool in Ideas is really a pen tool as we know it.

  • Kerberos, vnc, and ssh

    Hi, I was wondering if anyone had seen these problems trying to enable vnc and ssh support on a Mavericks server (latest OS and Server versions).
    In particular, I get errors when I attempt to use sso_util:
    sso_util configure -R MYSERVER.MYDOMAIN.COM -a diradmin ssh
    /Local/Default
    /LDAPv3/127.0.0.1
    Creating the service list
    Creating the service principals
    OSStatus CreateKerberosPrincipals(CFStringRef, CFStringRef, const char *, CFMutableDictionaryRef, Boolean): Error adding principal to keytab:  kadmin: ext vnc/[email protected]: Principal does not exist
    Creating the keytab file
    Configuring services
    WriteSetupFile: setup file path = /temp.NOKc/setup
    $ sso_util configure -r MYSERVER.MYDOMAIN.COM -a diradmin ssh
    Password:
    /Local/Default
    /LDAPv3/127.0.0.1
    Creating the service list
    Creating the service principals
    OSStatus CreateKerberosPrincipals(CFStringRef, CFStringRef, const char *, CFMutableDictionaryRef, Boolean): Error adding principal to keytab:  kadmin: ext host/[email protected]: Principal does not exist
    Creating the keytab file
    Configuring services
    WriteSetupFile: setup file path = /temp.KZUY/setup
    I get the same errors if I use "kadmin -l" and attempt to create the principals using "add -r host/myserver.mydomain.com" and "add -r vnc/myserver.mydomain.com".  The principals don't exist if I try to list them.
    Kerberos is working fine for some other services, like imap and smtp.  The principals exist.
    Does anyone know why I can't create these?  Thanks!

    Check your TCP segment size. To find out what it should be you can try the following.
    From a PC at site A, ping a PC at Site B. You need to set some ICMP switches though.
    C:\>ping 10.10.2.100 -f -l 1500
    The -f is set the Do Not Fragment flag, the -l is the send buffer size. Continue to do this each time decreasing the packet size until you have a successful ping. When you find that number, that is your maximum TCP segment size. You can then set that on the router. Any packet that is too big, the router will respond to the sending device saying it is too big, send a smaller size. It will do that until the packet is less than or equal to the number you set. In most routers the largest size you can set is 1460, so that might save you some time. To set it in the router, go to the tunnel interface and enter "ip tcp adjust-mss
    HTH and please rate.

  • JAAS, EJB, GlassFish2 and session key/id

    I use a standalone EJB client to connect to GlassFish 2. I use a custom login module on the Application server side and ProgrammaticLogin to enter login and password.
    I see that every call to any of my remote methods results in sending my login and password to the Application server (to my login module).
    I do not want it to send login/password every time but only the first time. I'd like to do something as it is done in an http session.
    I'd like to send login and password only once when I look up my remote interface or when I do an explicit login. Then if authentication succeeds I get something like a session key/id and use it for client identification.
    How can I implement it? How can I send the session key back to the client on successful login? Is it possible at all in the JAAS/EJB world?

    I think there's something wrong with your application. Have you checked google? There's plenty of threads about this same problem here already please refer to them. Please copy paste your whole stacktrace here, we experts can't help you otherwise.
    Best Regards, Angus

  • GSSAPI Kerberos authentication and WS-Security

    Hi,
    We have a requirement to perform Kerberos authentication to a web service. The client is to be written in C# using Microsoft's Web Services Enhancements (WSE 3.0). WSE (which uses SSPI) has support for Kerberos authentication. The application server does not support Kerberos. The intention is to use the Java GSSAPI on the web service side to process a limited part of the WS-Security header.
    I've successfully processed the <wsse:BinarySecurityToken> to perform the actual authentication; I'm now left with checking the signatures.
    The values of the <DigestValue> and <SignatureValue> appear to always be 20 bytes long (when decoded from Base64), which suggests they're the output from SHA1.
    The outputs from GSSContext.getMIC and GSSContext.wrap always start with the ASN.1 value 0x60. The <SignatureValue> doesn't, therefore attempting to use verifyMIC or unwrap fails with:
    "GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)"
    It appears that the digest algorithm is SHA1 and the signature algorithm is HMAC-SHA1. So the <DigestValue> is probably just the SHA1 of the Canonical XML of the SOAP:Body. The HMAC algorithm requires access to the Kerberos private session key, which doesn't appear to be made available through the GSSAPI interface, so implementing our own functions doesn't seem to be an option.
    I've included the portion of the SOAP header I'm looking at below, apologies if the format's messed up.
    So what I'm looking for is:
         1) A way of Canonicalising the SOAP:Body so I can feed it into SHA1 (java.security.MessageDigest).
         2) A way of getting at the Kerberos session key through the GSSAPI so I can produce the <SignatureValue> from the <DigestValue> for verification (javax.crypto.Mac).
    Any ideas ?
    Cheers
    Phil
    <wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp-343caad4-454a-4dcd-b206-3e6bf4ad0116">
    <wsu:Created>2006-04-27T13:00:48Z</wsu:Created>
    <wsu:Expires>2006-04-27T13:05:48Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422">YIIB1AYJKoZIh<snip>==</wsse:BinarySecurityToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
    <Reference URI="#Id-73b189ca-2ddd-4fcb-a60e-025e71857802">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>BRyjTgrnalo2YXtWUi80pzgoVso=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>ddTO413OprTwFPWj3NDx94PidZc=</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422" ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </wsse:Security>
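What the two checks from the header above look like in Java once a key is in hand, as an added example (not code from the thread): <DigestValue> is SHA-1 over the canonicalized Body, and, per XML Signature, <SignatureValue> is HMAC-SHA1 over the canonicalized <SignedInfo> element (which embeds the DigestValue) rather than over the DigestValue alone. The session key, the body and the SignedInfo template are constructed, and the inputs are assumed to already be in Exclusive C14N form; the key is exactly what the post says GSS-API does not hand out, so this shows the verification logic, not a way to obtain it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Recomputes DigestValue (SHA-1 of the canonical Body) and SignatureValue
 * (HMAC-SHA1 over the canonical SignedInfo, keyed with the Kerberos session
 * key) and compares them with the received values in constant time.
 * Added example; key, body and SignedInfo template are constructed.
 */
public class WsSecurityHmacCheck {

    /** Base64(SHA-1(canonical body bytes)): the <DigestValue>. */
    static String digestValue(byte[] canonicalBody) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        return Base64.getEncoder().encodeToString(sha1.digest(canonicalBody));
    }

    /** Base64(HMAC-SHA1(sessionKey, canonical SignedInfo bytes)): the <SignatureValue>. */
    static String signatureValue(byte[] sessionKey, byte[] canonicalSignedInfo) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(sessionKey, "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(canonicalSignedInfo));
    }

    /** Constant-time comparison so a mismatch does not leak where it occurred. */
    static boolean matches(String received, String recomputed) {
        return MessageDigest.isEqual(
            received.getBytes(StandardCharsets.UTF_8),
            recomputed.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Verifies a received (DigestValue, SignatureValue) pair. canonicalBody and
     * signedInfoTemplate are assumed to be in Exclusive XML Canonical form
     * already; c14n itself is not implemented here.
     */
    static boolean verify(byte[] sessionKey, byte[] canonicalBody,
                          String signedInfoTemplate, String receivedDigest,
                          String receivedSignature) throws Exception {
        String digest = digestValue(canonicalBody);
        if (!matches(receivedDigest, digest)) {
            return false; // the Body was altered after signing
        }
        // SignedInfo is signed with the DigestValue already inside it.
        byte[] signedInfo = signedInfoTemplate.replace("%DIGEST%", digest)
                                              .getBytes(StandardCharsets.UTF_8);
        return matches(receivedSignature, signatureValue(sessionKey, signedInfo));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a 16-byte stand-in for the session key and a tiny Body.
        byte[] sessionKey = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        byte[] body = "<soap:Body wsu:Id=\"Id-1\"><Ping/></soap:Body>"
                          .getBytes(StandardCharsets.UTF_8);
        String signedInfoTemplate =
            "<SignedInfo>...<DigestValue>%DIGEST%</DigestValue>...</SignedInfo>";

        // What the sender produces (here: ourselves, since we hold the key).
        String digest = digestValue(body);
        String signature = signatureValue(sessionKey,
            signedInfoTemplate.replace("%DIGEST%", digest).getBytes(StandardCharsets.UTF_8));

        System.out.println("valid: "
            + verify(sessionKey, body, signedInfoTemplate, digest, signature));
        byte[] tampered = "<soap:Body wsu:Id=\"Id-1\"><Pong/></soap:Body>"
                              .getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered body rejected: "
            + !verify(sessionKey, tampered, signedInfoTemplate, digest, signature));
    }
}
```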

    Hi Osman,
    Hope this blog will answer your Query: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
    Documentation SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/69/a6fb3fea9df028e10000000a1550b0/content.htm
    Security settings for SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/56/992d4142badb2be10000000a1550b0/content.htm
    Regards
    Pothana

  • Certs, kerberos tickets and binding

    Hello--
    I have server1 and server2 (2010 MacMinis w/ 10.9.1/3.0.2 and 10.9/3.0.1, respectively) providing services to a small group.  By doing a series of rebuilds and backtracks, I have a generally usable configuration as long as only single users use any given client.  Server1 provides DNS, DHCP, OD, contacts, calendars, and profile management.  Server2 provides secondary zone info, DHCP (a different segment of the network's addresses) and mail.  It used to provide an ODR but I destroyed that as part of the troubleshooting because it seemed to have issues synching.  Now server2 is bound to server1, but is not enrolled in Profile Manager.
    Most of my testing has been on a Mavericks client, enrolled with Profile Manager, but I've also logged in, albeit with issues, on a ML client. On the Mavericks client, when another network user logs into the system and then logs out, the client must be restarted to allow the next user to log in and access services properly.  If not restarted first, problems exist involving internet passwords and access to datastores for the services.  Restarting after each use is an annoying workaround that is not acceptable to me in the long term.  Additionally, Mail.app cannot be successfully configured to use Kerberos for authentication against the mail server even though Open Directory is set as the means for authentication on the server.
    I use a profile payload to configure OD which does not provide SSL for that connection.  As I've tried to stick with defaults to the maximum extent possible, I've not tweaked this.
    I have stuck with a self-signed locally generated cert for OD (because that is more default).  Starting up keychain access on the server generates a lot of secd SecErrorGetOSStatus unknown error domain: com.apple.security.sos.error blah blah blah entries.   All five of the APSP certs show, in red, "This certificate was signed by an unknown authority".  The other certs for the domain show green and can be traced back to the OD CA.
    When I first log in and use klist on the client, I usually only see a TGT even though home directories are provided over AFP.  Most often if I bring up Finder and view the files in the home directory, I will still only see the TGT when running klist.  Likewise when I start up Calendar.  However, firing up Contacts causes two additional tickets, one for host/server1.mydomain.com and one for HTTP/server1.mydomain.com.  Shouldn't the host ticket be generated when the user first connects?
    I also have a number of log entries of Server not found in database for the following:
         krbtgt/[email protected]
         imap/server2.mydomain.com@...
         host/maverickclient.mydomain.com@...
         krbtgt/LOCAL@...
         cifs/server1.local@...  (although these may have stopped when I shifted home directory sharing to be over AFP instead of the default SMB)
    What are these errors likely telling me?
    Thanks.
    Tim

    I've continued to work this issue as I have had time, but no real progress.  I downloaded a root CA cert from Apple that allowed the red error messages with the APSP certs to change to valid.  Have others seen this or should the root CA integration cert have installed as part of the server set up?
    I also renewed the push cert and then re-enrolled a client along with enrolling server2.  No changes.
    I then removed the profile payloads other than enrollment.  This triggered the client to remake the local copies of service data and wiped out the passwords stored in Safari.  Several core data I/O errors from the networked home directory when this occurred.
    It would be really great if someone had a better way to test kerberos and OD other than rebuilding.  Anyone?
    Thank you in advance.
    Tim
