JAAS - Kerberos - windows 2000 domain - groups

I need to find out if a user is in 2 different groups. If they are in group a, I display results a.m. If they are in group b, I display results b.n. If they are in a and b, then I display a.m union b.n. Any ideas?
I am validating the user through Kerberos already. The Windows NT domain says they are valid if the correct username/domain/password are entered. Now I need to find out if they are part of a group on a domain. Any ideas? Am I making sense? Mail me at perry2of5 at yahoo.com if you need clarification or have ideas and don't want to post here.
I suspect I need to use the subject from the original login and ask for access to the group, but I don't know how to do this. Help!

I have a very similar problem (maybe even simpler).
My webapp (Struts) is running on Tomcat and the user login has to be proven against a Win2000 Active Directory server. If login is successful I'll need the user's roles from the W2k ADS. That's it.
What I know till now:
- authentication uses Kerberos
- communication with ADS uses LDAP
Does anybody have an easy solution (example)? I've already read all the JAAS stuff from Sun, but I'm still not sure how to implement it.
Thx, Chrise
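Both messages above stop at the same point: Kerberos has established who the user is, and the application still has to decide which Active Directory groups that user belongs to and what to display. The example below is added here and is not code from either poster. It assumes the application has already fetched the user's object from the domain controller over LDAP and holds its memberOf attribute (stood in for here by a constructed javax.naming.directory.BasicAttributes, so the class runs without a domain controller), and that the two groups are identified by the hypothetical distinguished names GROUP_A_DN and GROUP_B_DN; the result labels a.m and b.n are the first poster's.

```java
import java.util.*;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;

/**
 * Decides which result sets to show a Kerberos-authenticated user from the
 * Active Directory groups listed in the user's memberOf attribute.
 * Added illustration: group DNs and sample data are constructed, not real.
 */
public class GroupDecision {

    // Hypothetical group DNs; a real deployment reads these from configuration.
    static final String GROUP_A_DN = "CN=Group A,OU=Groups,DC=example,DC=test";
    static final String GROUP_B_DN = "CN=Group B,OU=Groups,DC=example,DC=test";

    /** Collect every memberOf value, normalised so DN comparison is exact but case-insensitive. */
    static Set<String> groupsOf(Attributes userAttrs) throws NamingException {
        Set<String> groups = new HashSet<String>();
        Attribute memberOf = userAttrs.get("memberOf");
        if (memberOf == null) {
            return groups;              // no direct memberships beyond the primary group
        }
        NamingEnumeration<?> values = memberOf.getAll();
        while (values.hasMore()) {
            groups.add(normalise(values.next().toString()));
        }
        return groups;
    }

    /** AD DNs are case-insensitive, and whitespace after the separating commas is not significant. */
    static String normalise(String dn) {
        return dn.replaceAll(",\\s+", ",").toLowerCase(Locale.ROOT);
    }

    /** Map group membership to the result sets to display: a.m, b.n, or their union. */
    static SortedSet<String> resultsFor(Set<String> groups) {
        SortedSet<String> results = new TreeSet<String>();
        if (groups.contains(normalise(GROUP_A_DN))) {
            results.add("a.m");
        }
        if (groups.contains(normalise(GROUP_B_DN))) {
            results.add("b.n");
        }
        return results;                 // empty set: the user is in neither group
    }

    /** Constructed stand-in for the attributes a JNDI search of the user object would return. */
    static Attributes sampleUser(String... memberOfValues) {
        BasicAttributes attrs = new BasicAttributes(true); // ignoreCase, as LDAP attribute ids are
        attrs.put("sAMAccountName", "jdoe");
        if (memberOfValues.length > 0) {
            BasicAttribute memberOf = new BasicAttribute("memberOf");
            for (String dn : memberOfValues) {
                memberOf.add(dn);
            }
            attrs.put(memberOf);
        }
        return attrs;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample users: in both groups, in group A only, in no group.
        Attributes inBoth = sampleUser(GROUP_A_DN, "cn=group b, ou=groups, dc=example, dc=test");
        Attributes onlyA  = sampleUser(GROUP_A_DN, "CN=Unrelated,OU=Groups,DC=example,DC=test");
        Attributes none   = sampleUser();
        System.out.println("both   -> " + resultsFor(groupsOf(inBoth)));
        System.out.println("only A -> " + resultsFor(groupsOf(onlyA)));
        System.out.println("none   -> " + resultsFor(groupsOf(none)));
    }
}
```

Two caveats matter for an authorization decision. memberOf lists direct memberships only: the account's primary group (normally Domain Users) never appears in it, and groups nested inside Group A are not expanded, so a user who reaches Group A through a nested group gets no results here; for effective membership either walk the group tree or read the constructed tokenGroups attribute that AD computes. The comparison is on the whole normalised DN on purpose: matching on a substring of the CN would let a group such as "Group A Reviewers" pass as Group A.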

Similar Messages

  • ISE with pre-windows 2000 domain

    Hi
    I am experiencing a problem with AD authentication.
    I have joined the ISE appliance to the windows AD and I can browse the groups and attributes.
    But the problem I am experiencing is that the users log on to the domain using the pre-Windows 2000 domain name.
    FQDN format : ab.cdef.com       - ISE is joined to this
    pre-windows 2000 name : abcd  - Users log on with this
    So when the users authenticate I get the following error : 22056 Subject not found in the applicable identity store.
    Also tried to logon with [email protected] with no luck.
    Does someone have any suggestions?
    Thanks

    The 802.11 MAC layer is a bit longer than the Ethernet MAC layer. This sometimes causes problems with domain login because they are done using UDP by default. The frames are sometimes dropped. To test if this is your problem, I recommend changing the MTU on the 2000 server (DC) and the host to something less than the actual MTU on the interface (configure the DC and host at 1300, leaving the network at 1500).
    A Windows 2003 server has a default MTU of 13?? something to get around this problem. I usually tell my users to install the Cisco VPN client if they want to use the domain over wireless because the installation of this client lowers the MTU of every interface to 1300.
    Another path you can look into is forcing Kerberos to use TCP instead of UDP (look on MS TechNet for the method).

  • Problem Starting WLS 5.1 from windows 2000 program group

    Hi
    I couldn't start Weblogic server 5.1 from the Windows 2000 program
    group (Start > Programs > Weblogic 5.10 > Weblogic Server). I can start WLS
    without any problem from the console. I've checked every configuration and
    environment setting, and the problem still comes out. Whenever I start WLS from
    the program group, a window dialog with error messages comes out; here are
    the error messages:
    wlserver.exe - Application Error
    The instruction at "0x04d5d0d6" referenced memory at
    "0x00000000". The memory could not be "written".
    Click on OK to terminate the program
    Click on CANCEL to debug the program
    Any suggestions/solution will be appreciated .
    Thanks
    Chew Leong
    [email protected]

    look for weblogic.system.password property in your weblogic.properties
    file and see what's in there.
    Shailesh Mungikar wrote:
    I am trying to install WLS 5.1 SP12 on my Windows 2000 machine.
    I have WLS 6.1 already installed on my PC.
    When I try to install, at the very end when the
    "System" password required
    dialog pops up, I get another dialog box saying
    WLPASS~1.exe Application Error
    The exception Floating point division by zero (0xc000008e) occurred in
    the application at location 0x50147c14
    When I press OK, it kills the "System password" dialog.
    The installation seems to be complete.
    If I go ahead and try to start weblogic, I get Exception
    java.security.AccessControlException: access denied
    (java.lang.RuntimePermission createSecurityManager)
    Any solution/workaround?
    thanks,
    _shailesh

  • Adding mac in Windows 2000 domain

    Hello, I need to add a Mac OS 10.3.9 to a Windows 2000 domain,
    for sharing files and printers. Is it possible?
    Thanks, Diego

    Hi dbeihswingert, try these documents
    http://www.wazmac.com/wazza/networking/networkpages/basic_sharing/networkintegration.html
    especially
    Macs to a Win Domain (pdf - 250k)
    Configure OSX 10.3.3 so Macs can authenticate with Active Directory, and store their home folders on a Windows 2000/3 server.
    I have found this to be a good resource.
    Cheers.

  • Joining a Windows 2000 domain

    Can I join my Sun Solaris 8 server running Samba to a Windows 2000 domain so that all the users that log on or use shares will authenticate through the domain controllers with their Win accounts?
    I don't want to create 1500 Solaris accounts.

    There is a Sun product called Sun PC Net Link that could help you
    synchronize user accounts between the Windows env. and Solaris;
    you can map the accounts from one env. to the other.
    We have used this product for many years and have migrated from
    Windows NT to Windows 2000 Terminal Server without major
    problems, including user maps.
    Good luck ...
    [email protected]

  • Windows server domain group membership with functional level 2003 - windows API

    Hello,
    I am a programmer trying to get the members of a global domain group using Windows Server 2008 Enterprise Edition.
    In the past there wasn't a functional level 2003 on Windows Server, but when the 2003 functional level appeared, new features were added, like adding
    a global group as a member of another global group in the domain.
    In the past the API I wrote could get the members if the member was a user, but it can't get a member if it is a global group.
    I am using this API "NetGroupGetUsers" to get the members of a global domain group, and it gets the users but it doesn't get the
    members if they are global groups...
    I tried another API "NetLocalGroupGetMembers"; it gets a global group as a member but it works only if the owner group is a local group on the server
    or on another machine that is added to the server, but this API doesn't work if the owner group is a domain global group.
    My question is how to get the members of a global group including the members that are global groups too?
    Thanks,
    - Shomaf

    > I am using this API "NetGroupGetUsers" to get a members of a global
    This interface is based on Win 2000, and since Win 2000 did not support
    global group nesting, this interface does not, either...
    > domain group, and it gets the users but it doesn't get the
    > members if they were global groups...
    You should use
    http://msdn.microsoft.com/library/aa706032.aspx - and
    don't forget to track down the nestings :)
    Martin
    Ever read a
    GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Different Pre-Windows 2000 domain and FQDC.

    I have an SBS 2003 box that was originally migrated from SBS 2000. I just finished installing a new 2012 Standard server and installed the AD service on it, but when I try to promote it to DC, it won't do it until the functional level is raised to at least the 2003 level.
    My question is the following:
    When a user logs in, the user uses the pre-Windows 2000 login name.
    For example, DC11\user, but the FQDC is DC1.local. We have no DC11 existing.
    When a user tries to log in as DC1\user, they aren't able to log in. Even Administrator has to log in as DC11\administrator, not DC1\administrator.
    When I look at the user properties, the account login name user@dc1.local and the pre-Windows 2000 name DC11\user are listed.
    If I raise to the Windows 2003 functional level, will users be unable to log in? Or is there any other effect?
    Thanks

    DC11 is the NetBIOS name of your domain and it can be changed using the Active Directory Domain Rename tools -
    http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx - if you don't want to use DC11 in your environment. However, this could impact other applications like Exchange,
    as Exchange doesn't support domain rename.
    Another option for you would be to deploy a new forest or domain with the names that you desire and migrate stuff - users/workstations/servers/applications - and get rid of the old domain.
    UPNs ([email protected]) are easy to change but changing the NetBIOS name is a complex process and needs to be done with extreme care.
    - Sarvesh Goel - Enterprise Messaging Administrator

  • Windows 2000 user account migrate to new Windows 2012 R2 domain

    Hi all
    I have a customer using a Windows 2000 domain with many user accounts and a file share service.
    Now they want to use a new Windows 2012 domain without upgrading from the old 2000 domain due to some hidden problem.
    The customer requested to keep user name, password, and uid for existing file share access.
    May I know of any tools for migrating user accounts from a Windows 2000 domain to a Windows 2012 domain?
    thx
    Q K

    Hi,
    Can you please confirm your requirement, that is, you will be using a new Windows 2012 domain with only the user accounts from the Windows 2000 domain.
    If the above text matches your requirement, I would suggest the following steps:
    1. You can use CSVDE, a command line tool, to export the AD user information as a CSV file from the Windows 2000 domain:
    http://www.techrepublic.com/blog/data-center/simplify-admin-tasks-by-exporting-active-directory-data-with-csvde/
    2. Then you can import the CSV file with the required user attributes (domain details modified according to the target domain) into the Windows 2012 domain using PowerShell as
    shown in the link given below:
    http://blogs.technet.com/b/bettertogether/archive/2011/01/09/import-bulk-users-to-active-directory.aspx
    Regards,
    Gopi
    www.jijitechnologies.com

  • 10.4 and Windows 2003 Domain

    Hello,
    We're a 40% Mac environment where all the Macs are bound to our domain and users log in with Mobile accounts. When we first decided to do this, all the Macs played very nicely with our Windows 2000 domain.
    About three months ago, we upgraded our Windows 2000 domain to a Windows 2003 domain and began enforcing stronger password security. Now all of the Mobile accounts on all of our 10.4 machines refuse to let the users change their passwords. Doing so through the Log In window when a password expires does not work. Neither do the controls in System Preferences/Accounts. Neither do the controls in the Kerberos app. It sits and pinwheels for a few minutes, then returns an error about not being able to change the user's password to the password specified.
    I tried adding myself to a few of these computers as a Mobile user and then changing my password, but that didn't work either. So it isn't something held over in the user accounts from the old domain, and it isn't a permissions thing since I'm an administrator on the domain.
    I've dumped all the Directory Access preferences files. Doesn't help.
    Sometimes this behavior can be fixed by unbinding a machine from the domain, deleting the computer's account in Active Directory, then rebinding it to the domain. Lately, that fix has stopped working, and if I remove a machine from the domain, I cannot rebind it to the domain unless I do so using a different computer name - even though the computer account in Active Directory has been deleted.
    Mobile accounts on all of our 10.5 machines can change their passwords without a problem.
    I'm stumped. Anybody got any brilliant ideas? Information on Macs interacting with Windows domains is pretty scarce.

    Hi Scott, and a warm welcome to the forums!
    What Workgroup do you have set on the Mac in Directory Access Utility?
    See if these 2 links help also...
    http://www.macosxhints.com/article.php?story=20050302023720578
    http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x

  • OS authentication w/ 10.2 database and Windows 2000

    Not a new issue - but still not too easy for me...
    Got a Windows 2000 domain, a 10g enterprise database server on Windows 2003 as part of this domain and a client machine running a 10.2 client on Windows 2000 in the same domain.
    remote_os_authent is FALSE.
    OS_AUTH_PREFIX_DOMAIN is not set.
    On both sides sqlnet.ora contains the line SQLNET.AUTHENTICATION_SERVICES= (NTS)
    A database account exists as <domainname>\<username> with the create session privilege granted. <domainname> is the same as Windows' %USERDOMAIN%. <username> is the ID with which one logs into that domain on the client machine.
    But still "sqlplus /" raises exception 01017. Password-authenticated connects do work. What am I missing?
    Thanks a lot..

    Assuming it still doesn't work: sorry no, as I recall this info from a Metalink note, and the Metalink note worked for me. The only thing I can remember right now is one needs to enclose the Oracle account in double quotes, or it wouldn't work, due to the \. If that also doesn't help, I'm stuck.
    Sybrand Bakker
    Senior Oracle DBA

  • JAAS, JGSS Kerberos  and windows 2000 newbie question

    Hi
    I have set up a Kerberos server on Windows 2000; now I want to write code in Java to authenticate and authorize users using Kerberos. I know I have to use JAAS, JGSS.
    Is there a how-to document for setting up a client machine, like setting up the krb4.ini file and other security files so I can use Java to authorize and authenticate? I am using j2sdk1.4.2.
    I have the following code
    import org.ietf.jgss.*;

    public class TestGSS {
        public static void useGSS() throws GSSException {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
            // Identify who the client wishes to be
            GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
            // Identify the name of the server. This uses a Kerberos specific
            // name format.
            GSSName serverName = manager.createName("krbsvr400/[email protected]",
                                                    krb5PrincipalNameType);
            System.out.println("server name " + serverName.getStringNameType());
            // Acquire credentials for the user (this is the call that fails below
            // when no Kerberos ticket is available to the calling thread)
            GSSCredential userCreds = manager.createCredential(userName,
                                                               GSSCredential.DEFAULT_LIFETIME,
                                                               krb5Mechanism,
                                                               GSSCredential.INITIATE_ONLY);
            // Instantiate and initialize a security context that will be
            // established with the server
            GSSContext context = manager.createContext(serverName,
                                                       krb5Mechanism,
                                                       userCreds,
                                                       GSSContext.DEFAULT_LIFETIME);
        }

        public static void main(String[] args) throws GSSException {
            useGSS();
        }
    }
    and krb5.ini file looks like below
    [libdefaults]
    default_realm = GL1AMR.PFIZER1.TEST
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
    proxiable = true

    [realms]
    GL1AMR.PFIZER1.TEST = {
        kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
        admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
        default_domain = gl1amr.pfizer1.test
    }

    [domain_realm]
    .gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
    gl1amr.pfizer1.testm = GL1AMR.PFIZER1.TEST

    [login]
    krb4_convert = true
    krb4_get_tickets = true
    I get the following error
    SSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
         at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
    What am I missing?

    My Java file has the code as follows; when I run this code I am getting the following error
    Error
    D:\Ramesh_Dump\KerbersTools>java GSSAPI
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
         at GSSAPI.main(GSSAPI.java:34)
    Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
    JAVA CODE
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.*;
    import java.text.*;

    public class GSSAPI {
        /**
         * @param args
         */
        public static void main(String[] args) {
            Hashtable env = new Hashtable();
            String adminName = "[email protected]"; // "[email protected]";
            String adminPassword = "Password12";
            String ldapURL = "ldap://172.20.55.97:389/";
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // set the authentication mechanism: SASL GSSAPI takes its Kerberos
            // credentials from the Subject of the calling thread, not from
            // SECURITY_PRINCIPAL / SECURITY_CREDENTIALS
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            //env.put(Context.SECURITY_PRINCIPAL, adminName);
            //env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            //env.put("javax.security.sasl.server.authentication", "true");
            // connect to my domain controller
            env.put(Context.PROVIDER_URL, ldapURL);
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // let's get the domain lockout duration policy
                Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
                //System.out.println("test attr" + attrs.get(""));
                System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
                System.out.println("Duration: " + attrs.get("lockoutDuration").get());
                System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
                long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
                // Create the search controls
                SearchControls searchCtls = new SearchControls();
                // Specify the attributes to return
                String returnedAtts[] = {"sn", "givenName", "mail", "lockoutTime"};
                searchCtls.setReturningAttributes(returnedAtts);
                // Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Create the correct LDAP search filter
                // Win32 file time is based from 1/1/1601
                // Java date/time is based from 1/1/1970
                /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601, Calendar.JANUARY, 1);
                GregorianCalendar Today = new GregorianCalendar();
                long Win32Date = Win32Epoch.getTimeInMillis();
                long TodaysDate = Today.getTimeInMillis();
                long TimeSinceWin32Epoch = TodaysDate - Win32Date;
                long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
                System.out.println("Lockout (Long): " + lockoutDate);*/
                //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
                //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
                String searchFilter = "(objectclass=user)";
                // Specify the base for the search
                String searchBase = "dc=globalv,dc=com";
                // initialize counter to total the results
                int totalResults = 0;
                // Search for objects using the filter
                NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                // Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult) answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print out some of the attributes, catch the exception if the attributes have no values
                    attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                            System.out.println(" mail: " + attrs.get("mail").get());
                            System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                            //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                        } catch (NullPointerException e) {
                            System.err.println("Problem listing attributes: " + e);
                        }
                    }
                }
                //System.out.println("Total results: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem searching directory: " + e);
            }
        }
    }
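    The stack trace above ends in the same place as the earlier JGSS message: the SASL GSSAPI mechanism behind JNDI asks the Kerberos provider for credentials, finds no ticket belonging to the calling thread, and fails with "No valid credentials provided". The posted GSSAPI class never logs in; setting Context.SECURITY_AUTHENTICATION to GSSAPI only selects the mechanism and does not obtain a ticket. The example below is added here and is not the poster's code. It logs in through Krb5LoginModule first, runs the directory query inside Subject.doAs so the bind can use that ticket, and returns the user's memberOf values. The JAAS configuration is built in code rather than read from a file; the LDAP URL, base DN, account name and the application name KerberosLdapLookup are placeholders, and running it needs a reachable domain controller plus a valid krb5.ini/krb5.conf.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/**
 * Obtains Kerberos credentials through JAAS first, then runs the JNDI GSSAPI
 * bind inside Subject.doAs so the SASL layer can find a ticket.
 * Added illustration: host names, base DN and account name are placeholders.
 */
public class KerberosLdapLookup {

    /** Programmatic equivalent of a JAAS login configuration file entry. */
    static Configuration krb5Config() {
        final Map<String, String> options = new HashMap<String, String>();
        options.put("useTicketCache", "true"); // reuse the ticket from the OS logon or kinit
        options.put("doNotPrompt", "true");    // fail instead of asking for a password (exact option name)
        options.put("debug", "true");
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
                };
            }
            @Override
            public void refresh() { }
        };
    }

    /** Returns the memberOf values of the account, or null if the account is not found. */
    static List<String> lookupGroups(final String ldapUrl, final String baseDn,
                                     final String samAccountName) throws Exception {
        Configuration.setConfiguration(krb5Config());
        LoginContext lc = new LoginContext("KerberosLdapLookup");
        lc.login();                       // acquires the ticket; the posted code skips this step
        Subject subject = lc.getSubject();
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<List<String>>() {
                public List<String> run() throws Exception {
                    Hashtable<String, String> env = new Hashtable<String, String>();
                    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                    env.put(Context.PROVIDER_URL, ldapUrl);
                    env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                    env.put("javax.security.sasl.qop", "auth-conf"); // sign and seal the LDAP session
                    LdapContext ctx = new InitialLdapContext(env, null);
                    try {
                        SearchControls sc = new SearchControls();
                        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                        sc.setReturningAttributes(new String[] { "memberOf" });
                        // The account name goes in as a filter argument so JNDI escapes it,
                        // rather than being concatenated into the filter string.
                        NamingEnumeration<SearchResult> results = ctx.search(
                            baseDn, "(&(objectClass=user)(sAMAccountName={0}))",
                            new Object[] { samAccountName }, sc);
                        if (!results.hasMore()) {
                            return null;
                        }
                        Attribute memberOf = results.next().getAttributes().get("memberOf");
                        List<String> groups = new ArrayList<String>();
                        if (memberOf != null) {
                            NamingEnumeration<?> values = memberOf.getAll();
                            while (values.hasMore()) {
                                groups.add(values.next().toString());
                            }
                        }
                        return groups;
                    } finally {
                        ctx.close();
                    }
                }
            });
        } finally {
            lc.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; pass your own DC, base DN and account on the command line.
        String ldapUrl = args.length > 0 ? args[0] : "ldap://dc01.example.test:389/";
        String baseDn  = args.length > 1 ? args[1] : "DC=example,DC=test";
        String account = args.length > 2 ? args[2] : "jdoe";
        System.out.println(lookupGroups(ldapUrl, baseDn, account));
    }
}
```

    useTicketCache together with doNotPrompt makes the module reuse an existing ticket and fail fast instead of prompting; the option is spelled doNotPrompt, which is the spelling the debug line in the later SsoTest message reports. On Windows the module can only read the logon session's ticket when the OS is allowed to export the TGT session key (the AllowTgtSessionKey registry setting); without it useTicketCache finds nothing and the same "no valid credentials" failure appears.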

  • Bug in JAAS Kerberos module on Windows XP?

    We have a large application with its own user management. A recent addition to this application is a single sign-on using the Microsoft Active Directory.
    Specifically we use the Sun provided Kerberos login provider for JAAS to retrieve the currently logged in user. This works perfectly on Windows 2000 Professional.
    On Windows XP however, the login provider does not return the currently logged in user. What am I missing?
    JAAS configuration file:
    PbsJaas {
        com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true dontPrompt=true;
    };
    Test program:
    package test;

    import java.io.*;
    import javax.security.auth.login.*;
    import javax.security.auth.*;
    import java.util.*;
    import java.security.*;

    /**
     * Testing Single Sign On with Microsoft Active Directory
     */
    public class SsoTest {
        private static String getAuthenticatedUser() {
            String ssoUser = null;
            try {
                File confFile = new File("C:/test", "pbsjaas.conf");
                System.setProperty("java.security.auth.login.config", confFile.getAbsolutePath());
                System.setProperty("java.security.krb5.realm", "MY.DOMAIN");
                System.setProperty("java.security.krb5.kdc", "DOMAINSERVER");
                LoginContext lc = new LoginContext("PbsJaas");
                lc.login();
                Subject s = lc.getSubject();
                // take the first principal of the authenticated Subject as the user name
                for (Iterator iter = s.getPrincipals().iterator(); iter.hasNext(); ) {
                    Principal p = (Principal) iter.next();
                    ssoUser = p.getName();
                    break;
                }
            } catch (Exception ex) {
                System.out.println("exception during sso authentication - assuming not authenticated");
                ex.printStackTrace(System.out);
                ssoUser = null;
            }
            return ssoUser;
        }

        public static void main(String[] args) {
            try {
                String ssoUser = getAuthenticatedUser();
                System.out.println("user?: " + ssoUser);
            } catch (Exception ex) {
                ex.printStackTrace();
            }
            System.exit(0);
        }
    }
    The output on Windows XP is:
    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Principal is null
    null credentials from Ticket Cache
              [Krb5LoginModule] authentication failed
    No CallbackHandler available to garner authentication information from the user
    exception during sso authentication - assuming not authenticated
    javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:626)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:544)
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at pbs.test.SsoTest.getAuthenticatedUser(SsoTest.java:23)
         at pbs.test.SsoTest.main(SsoTest.java:50)
    user?: null
    Again, on Windows 2000 Professional everything works fine, and I get the currently logged in user.
    We are running Windows 2000 Server.
    Any help would be greatly appreciated.
    David Sykes

    Firstly there appears to be a bug in the Kerberos libraries where it does not look at the local cache on XP. Try with -Dos.name="Windows 2000". This should trick the java libraries into thinking it's on W2K and look at the LSA cache. There appears to be other issues here but still trying to investigate further.
    Secondly, you haven't specified a CallbackHandler, yet you have doNotPrompt=false. Thus Kerberos will try to ask for the username and password (since it doesn't talk to LSA), yet none is defined in your call to LoginContext.
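    Putting the reply's two points together, as an added example that is not David's code or the reply's own: the Krb5LoginModule options are supplied from code with doNotPrompt=true and useTicketCache=true, and the CallbackHandler handed to LoginContext rejects every callback, so the program fails closed instead of trying to prompt. The login entry name "SsoFromCache" and the class name are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Silent SSO from the OS ticket cache. Added example, not the poster's code:
 * the entry name "SsoFromCache" and this class name are assumptions.
 */
public class TicketCacheSso {

    /** JAAS configuration supplied in code, so no login.conf or -Djava.security.auth.login.config is needed. */
    static final class SsoConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "true"); // read the LSA (Windows) or krb5 ticket cache
            options.put("doNotPrompt", "true");    // no cached TGT -> LoginException, never a prompt
            options.put("useKeyTab", "false");
            options.put("debug", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                          LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    /** Refuses every callback: with doNotPrompt=true it should never be called, and if it is, fail closed. */
    static final class NoPromptHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            Callback first = callbacks.length > 0 ? callbacks[0] : null;
            throw new UnsupportedCallbackException(first, "interactive Kerberos login is not allowed here");
        }
    }

    /** Returns the Kerberos principal (user@REALM) found in the ticket cache, or null if there is none. */
    public static String getAuthenticatedUser() {
        try {
            LoginContext lc = new LoginContext("SsoFromCache", null, new NoPromptHandler(), new SsoConfiguration());
            lc.login();
            Subject subject = lc.getSubject();
            for (Principal p : subject.getPrincipals()) {
                return p.getName(); // first principal, as in the original SsoTest
            }
            return null;
        } catch (LoginException ex) {
            // e.g. "Unable to obtain Principal Name for authentication": treat as not logged in
            System.out.println("sso login failed - assuming not authenticated: " + ex.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("user?: " + getAuthenticatedUser());
    }
}
```

    Two Windows caveats apply on top of the -Dos.name workaround mentioned above: from Windows XP SP2 and Server 2003 onward the LSA only releases the TGT session key to applications if the AllowTgtSessionKey DWORD is set to 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, otherwise the module reports that it found no credentials in the cache; and whatever principal comes back is only the identity of the local logon session, so the group lookup asked about at the top of the thread still has to go to the directory over LDAP.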

  • Migrating Users and Groups from Windows 2000 server to Windows 2013 Standard.

    OK...let me see if I can get this question out the way I need to....
    I inherited a Windows 2000 Server that's on its last legs.  We have a new server, a Windows 2013 Standard machine that we just recently purchased.  I need to migrate the users and groups over to the new server, but there are two things that are
    making it difficult:
    - The 2000 machine is NOT a Domain Controller
    - The 2000 machine is NOT running Active Directory
    This is a file server that hangs onto another network of which I have no control.  It has its own IP address and there is NO WAY we can run Active Directory or make it a domain controller.
    I have close to 300 users, groups, and printers to bring over to the new server.  Rather than kill myself doing manual input, is there any other way to do this? 

    Hi,
    When you import the CSV file to the new server, you need to create a new user account and then import the CSV.
    http://blogs.technet.com/b/heyscriptingguy/archive/2014/10/01/use-powershell-to-create-local-users.aspx
    If you have any issue, i suggest you could ask in PowerShell forums:
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Import Windows 2000 Group Policies

    Hi!
    We currently have our group policies coming from a Windows 2000 server.
    We would like to change this so all group policies come from Zenworks.
    We are running Zfd 3.2. Has anyone done this before or have any ideas
    what the best way to do this would be?
    Thanks...

    Thanks Jared!
    Jared L Jennings wrote:
    > Kathy Morrison,
    >
    >
    >> We are running Zfd 3.2. Has anyone done this before or have any
    >>ideas what the best way to do this would be?
    >
    >
    > Unless I am forgetting something,
    >
    > You can in the ZEN GP import the policy from a domain, or copy the
    > Grouppolicies from the w2k server to your novell server and then setup
    > the ZEN policies.
    >
    > As long as you have the workstation manager installed, then your ZFD
    > policies should apply.
    >

  • Domain group validation hangs during ECC 6.0 install on windows server 2008

    Hello to the group.
    We are installing ECC 6.0 R3 on a windows server 2008 system (with SQL 2008) and the install is hanging in the user/group creation steps. Specifically, the install is able to create a group at the domain level but hangs when it tries to verify that group.
    What's funny is the system is able to create two local domain groups without any issues.
    Have any of you run into this same issue? We've tried updating sapinst and restarting the install process using a known good domain admin account (we are also creating a ticket to SAP support).
    Thanks for any help!
    J. Haynes

    > This is actually a Domain based install.
    ok
    > So far after 12 hours the install is still hung. So we are looking at both network and issues with the AD related DLLS.
    You can double-click on the orange icon (the sapinst backend process) next to the clock on the desktop and scroll down. There you may find a hint as to why it's taking so long.
    Maybe you have a wrong/missing DNS server entry so the server is unable to find the domain controller, or maybe the firewall is enabled and blocking asynchronous answers.
    Markus
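    One way to check the two suspects in Markus's reply from the SAP host itself, as an added example that is not from the thread: it asks DNS for the _ldap._tcp.dc._msdcs and _kerberos._tcp SRV records of the domain (the same lookups a domain-joined client makes to find a DC) and then opens a TCP connection with a timeout to each advertised DC port. No records means the DNS server entry is wrong or missing; records whose hosts do not answer point at the host firewall or the network path. It uses the JDK's built-in DNS JNDI provider; the domain name, the class name and the 3-second timeout are assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not from the thread): can this host locate a domain controller
 * via DNS, and can it reach the DC's LDAP and Kerberos ports? The domain name,
 * the class name and the timeout are assumptions.
 */
public class DcLocatorCheck {

    /** One SRV record as the DNS provider returns it: "priority weight port target". */
    static final class SrvRecord {
        final int priority, weight, port;
        final String target;

        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority; this.weight = weight; this.port = port; this.target = target;
        }

        static SrvRecord parse(String rdata) {
            String[] f = rdata.trim().split("\\s+");
            String host = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
            return new SrvRecord(Integer.parseInt(f[0]), Integer.parseInt(f[1]), Integer.parseInt(f[2]), host);
        }
    }

    /** SRV lookup through the JDK's DNS JNDI provider, using the resolvers configured on this machine. */
    static List<SrvRecord> lookupSrv(String name) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:");
        DirContext ctx = new InitialDirContext(env);
        List<SrvRecord> out = new ArrayList<>();
        try {
            Attributes attrs = ctx.getAttributes(name, new String[] {"SRV"});
            Attribute srv = attrs.get("SRV");
            if (srv != null) {
                NamingEnumeration<?> values = srv.getAll();
                while (values.hasMore()) {
                    out.add(SrvRecord.parse(values.next().toString()));
                }
            }
        } catch (NameNotFoundException e) {
            // no such record: leave the list empty and let the caller report it
        } finally {
            ctx.close();
        }
        // lowest priority first, then highest weight: the order a client should try them in
        out.sort(Comparator.comparingInt((SrvRecord r) -> r.priority).thenComparingInt(r -> -r.weight));
        return out;
    }

    /** Plain TCP connect with a timeout; a failure here with good DNS points at the firewall or routing. */
    static boolean canConnect(String host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        String domain = args.length > 0 ? args[0] : "example.com"; // assumed; pass the real AD DNS name
        String[] services = {"_ldap._tcp.dc._msdcs." + domain, "_kerberos._tcp." + domain};
        for (String svc : services) {
            List<SrvRecord> records = lookupSrv(svc);
            if (records.isEmpty()) {
                System.out.println("no SRV records for " + svc + " -> the DNS server entry is wrong or missing");
                continue;
            }
            for (SrvRecord r : records) {
                boolean ok = canConnect(r.target, r.port, 3000);
                System.out.printf("%s -> %s:%d %s%n", svc, r.target, r.port, ok ? "reachable" : "NOT reachable");
            }
        }
    }
}
```

    Run it on the SAP host with the domain's DNS name as the argument. If the _ldap._tcp.dc._msdcs lookup returns nothing, fix the DNS client settings before looking anywhere else; if it returns DCs that do not answer on 389 and 88, look at the host firewall (netsh advfirewall show allprofiles on Server 2008) and the network path between the two boxes.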
