JAAS - Kerberos - windows 2000 domain - groups
I need to find out if a user is in 2 different groups. If they are in group a, I display results a.m. If they are in group b, I display results b.n. If they are in a and b, then I display a.m union b.n. Any ideas?
I am validating the user through Kerberos already. The Windows NT domain says they are valid if the correct username/domain/password are entered. Now I need to find out if they are part of a group on a domain. Any ideas? Am I making sense? Mail me at perry2of5 at yahoo.com if you need clarification or have ideas and don't want to post here.
I suspect I need to use the subject from the original login and ask for access to the group, but I don't know how to do this. Help!
I've a very similar problem (maybe even simpler).
My webapp (Struts) is running on a Tomcat and the user login has to be proven against a Win2000 Active Directory server. If login is successful I'll need the user's roles from the W2k ADS. That's it.
What I know till now:
- authentication uses Kerberos
- communication with ADS uses LDAP
Has anybody an easy solution (example)? I've already read all the JAAS stuff from Sun, but I'm still not sure how to implement it.
Thx, Chrise
Similar Messages
-
ISE with per-windows 2000 domain
Hi
I am experiencing a problem with AD authentication.
I have joined the ISE appliance to the windows AD and I can browse the groups and attributes.
But the problem I am experiencing is that the users log on to the domain using the pre-Windows 2000 domain name.
FQDN format : ab.cdef.com - ISE is joined to this
pre-windows 2000 name : abcd - Users logon with this
So when the users authenticate I get the following error: 22056 Subject not found in the applicable identity store.
Also tried to logon with [email protected] with no luck.
Does someone have any suggestions?
Thanks
The 802.11 MAC layer is a bit longer than the Ethernet MAC layer. This sometimes causes problems with domain login because it is done using UDP by default. The frames are sometimes dropped. To test if this is your problem, I recommend changing the MTU on the 2000 server (DC) and the host to something lower than the actual MTU on the interface (configure the DC and host @1300, leaving the network @1500).
A Windows 2003 server has a default MTU of 13?? something to get around this problem. I usually tell my users to install the Cisco VPN client if they want to use the domain over wireless, because the installation of this client lowers the MTU of every interface to 1300.
Another path you can look into is forcing Kerberos to use TCP instead of UDP (look on MS TechNet for the method). -
Problem Starting WLS 5.1 from windows 2000 program group
Hi
I couldn't start WebLogic Server 5.1 from the Windows 2000 program group (Start > Programs > Weblogic 5.10 > Weblogic Server). I can start WLS without any problem from the console. I've checked every configuration and environment setting; the problem still comes out. Whenever I start WLS from the program group, a dialog with error messages comes up. Here are the error messages:
wlserver.exe - Application Error
The instruction at "0x04d5d0d6" referenced memory at
"0x00000000". The memory could not be "written".
Click on OK to terminate the program
Click on CANCEL to debug the program
Any suggestions/solution will be appreciated .
Thanks
Chew Leong
[email protected]
Look for the weblogic.system.password property in your weblogic.properties file and see what's in there.
Shailesh Mungikar wrote:
I am trying to install WLS 5.1 SP12 on my Windows 2000 machine.
I have WLS 6.1 already installed my PC.
When I try to install, at the very end when
"System" password required
dialog pops up, I get another dialog box saying
WLPASS~1.exe Application Error
The exception Floating point division by zero (0xc000008e) occurred in
the application at location 0x50147c14
When I press OK, it kills the "System password" dialog.
The installation seems to be complete.
If I go ahead and try to start weblogic, I get Exception
java.security.AccessControlException: access denied
(java.lang.RuntimePermission createSecurityManager)
Any solution/workaround?
thanks,
_shailesh -
Adding mac in Windows 2000 domain
Hello, I need to add a Mac OS 10.3.9 machine to a Windows 2000 domain, for sharing files and printers. Is it possible??
Thanks, Diego
Hi dbeihswingert, try these documents
http://www.wazmac.com/wazza/networking/networkpages/basic_sharing/networkintegration.html
especially
Macs to a Win Domain (pdf - 250k)
Configure OSX 10.3.3 so Macs can authenticate with Active Directory, and store their home folders on a Windows 2000/3 server.
I have found this to be a good resource.
Cheers. -
Can I join my Sun Solaris 8 server running Samba to a Windows 2000 domain so that all the users that log on or use shares will authenticate through the domain controllers with their Windows accounts?
I don't want to create 1500 Solaris accounts.
There is a Sun product called Sun PC NetLink that could help you synchronizing user accounts in the Windows environment and Solaris; you can map the accounts from one environment to the other.
We have used this product for many years and have migrated from Windows NT to Windows 2000 Terminal Server without major problems, including user maps.
Good luck ...
[email protected] -
Windows server domain group membership with functional level 2003 - windows API
Hello,
I am a programmer trying to get the members of a global domain group using Windows Server 2008 Enterprise Edition. In the past there wasn't a functional level 2003 on Windows Server, but when the 2003 functional level appeared, new features were added, like adding a global group as a member of another global group in the domain. In the past the API I wrote could get the members if the member was a user, but it can't get a member if it is a global group.
I am using the API "NetGroupGetUsers" to get the members of a global domain group, and it gets the users but it doesn't get the members if they are global groups...
I tried another API, "NetLocalGroupGetMembers"; it gets a global group as a member, but it works only if the owner group is a local group on the server or on another machine that is added to the server. This API doesn't work if the owner group is a domain global group.
My question is how to get the members of a global group including the members that are global groups too???
Thanks,
- Shomaf
> I am using this API "NetGroupGetUsers" to get a members of a global
This interface is based on Win 2000, and since Win 2000 did not support
global group nesting, this interface does not either...
> domain group, and it gets the users but it doesn't get the
> members if they were global groups...
You should use
http://msdn.microsoft.com/library/aa706032.aspx - and
don't forget to track down the nestings :)
Martin
Ever read a
GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
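An added example (my code, not from any of the posts above) that ties together Perry's and Chrise's question of checking a user's Active Directory groups after a Kerberos login and Martin's reminder to track down group nestings: it walks the member/memberOf relation transitively with a visited set so membership cycles terminate, escapes the DN before putting it into an LDAP filter, and applies the "group a, group b, or both" rule. All DNs and the search base are constructed placeholders, and the JNDI-backed lookup assumes an LdapContext already opened with GSSAPI as in the later posts.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
/**
 * Added example, not code from any post above: resolve a user's effective Active Directory
 * group membership (following nested groups), then pick the result sets to display.
 * All DNs and the search base are constructed placeholders.
 */
public class EffectiveGroups {
    /** "Which groups list this DN as a direct member?" - abstracted so the walk can run offline. */
    public interface Directory {
        Set<String> directGroupsOf(String dn) throws NamingException;
    }

    /**
     * Breadth-first walk from the user through nested groups. The visited set makes the walk
     * terminate even though AD allows membership cycles (A member of B, B member of A).
     * Caveat: AD does not expose the primary group (primaryGroupID, usually Domain Users)
     * through member/memberOf, so it must be added separately if it matters to you.
     */
    public static Set<String> effectiveGroups(Directory dir, String userDn) throws NamingException {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> queue = new ArrayDeque<>();
        queue.add(userDn);
        while (!queue.isEmpty()) {
            String dn = queue.poll();
            for (String group : dir.directGroupsOf(dn)) {
                if (seen.add(group)) {      // first sighting: expand this group's own memberships too
                    queue.add(group);
                }
            }
        }
        return seen;
    }

    /** RFC 4515 escaping for a value embedded in a filter, so a crafted name cannot change the query. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Directory backed by JNDI/LDAP: finds group objects whose 'member' attribute holds the DN.
     * ctx is assumed to have been opened with Context.SECURITY_AUTHENTICATION = "GSSAPI"
     * inside Subject.doAs() after a Krb5LoginModule login, so the Kerberos ticket authenticates it.
     */
    public static Directory ldapDirectory(final LdapContext ctx, final String searchBase) {
        return dn -> {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] {"distinguishedName"});
            String filter = "(&(objectClass=group)(member=" + escapeFilterValue(dn) + "))";
            Set<String> groups = new LinkedHashSet<>();
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, ctls);
            while (results.hasMore()) {
                // AD returns distinguishedName for every group object when it is requested
                groups.add((String) results.next().getAttributes().get("distinguishedName").get());
            }
            return groups;
        };
    }

    /** Perry's rule: group A -> results a.m, group B -> results b.n, both -> the union. */
    public static Set<String> resultSetsFor(Set<String> groups, String groupA, String groupB) {
        Set<String> show = new TreeSet<>();
        if (groups.contains(groupA)) show.add("a.m");
        if (groups.contains(groupB)) show.add("b.n");
        return show;
    }

    public static void main(String[] args) throws NamingException {
        final String base = "DC=example,DC=test";                 // constructed placeholder
        final String user = "CN=perry,OU=Users," + base;
        final String groupA = "CN=Group-A,OU=Groups," + base;
        final String groupB = "CN=Group-B,OU=Groups," + base;
        final String staff = "CN=Staff,OU=Groups," + base;
        // Constructed in-memory directory: perry is a direct member of Staff only; Staff is nested
        // in Group-B, and Group-B is deliberately made a member of Staff again to form a cycle.
        Map<String, Set<String>> memberOf = new HashMap<>();
        memberOf.put(user, Set.of(staff));
        memberOf.put(staff, Set.of(groupB));
        memberOf.put(groupB, Set.of(staff));
        Directory inMemory = dn -> memberOf.getOrDefault(dn, Set.of());
        Set<String> groups = effectiveGroups(inMemory, user);
        System.out.println("effective groups: " + groups);
        System.out.println("result sets to show: " + resultSetsFor(groups, groupA, groupB));
    }
}
```

Swap the in-memory Directory for ldapDirectory(ctx, base) to run the same walk against a real domain controller.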
Different Pre-Windows 2000 domain and FQDC.
I have an SBS 2003 box that was originally migrated from SBS 2000. I just finished installing a new 2012 Standard server and installed the AD service on it, but when I try to promote it to DC, it won't do it until the functional level is raised to at least 2003.
My question is following:
When a user logs in, the user uses the pre-Windows 2000 login name.
For example, DC11\user, but the FQDC is DC1.local. We have no DC11 existing.
When a user tries to log in as DC1\user, they are not able to log in. Even the Administrator has to log in as DC11\administrator, not DC1\administrator.
When I look at the user properties, the account login name user@dc1.local and the pre-Windows 2000 name DC11\user are listed.
If I raise to the Windows 2003 functional level, will users be unable to log in? Or any other effect?
Thanks
DC11 is the NetBIOS name of your domain and it can be changed using the Active Directory Domain rename tools -
http://technet.microsoft.com/en-us/windowsserver/bb405948.aspx - if you don't want to use DC11 in your environment. However, this could impact other applications like Exchange, as Exchange doesn't support domain rename.
Another option for you would be to deploy a new forest or domain with the names that you desire and migrate stuff - users/workstations/servers/applications - and get rid of the old domain.
UPNs ([email protected]) are easy to change, but changing the NetBIOS name is a complex process and needs to be done with extreme care.
- Sarvesh Goel - Enterprise Messaging Administrator -
Windows 2000 user account migrate to new Windows 2012 R2 domain
Hi all
I have a customer using a Windows 2000 domain with many user accounts and a file share service.
Now they want to use a new Windows 2012 domain without upgrading from the old 2000 domain due to some hidden problem.
The customer requested to keep user names, passwords and UIDs for existing file share access.
May I know of any tools to migrate user accounts from a Windows 2000 domain to a Windows 2012 domain?
thx
Q K
Hi,
Can you please confirm your requirement, that is, you will be using a new Windows 2012 domain with only the user accounts from the Windows 2000 domain.
If the above text matches your requirement, I would suggest the following steps:
1. You can use CSVDE, a command line tool, to export the AD user information as a CSV file from the Windows 2000 domain:
http://www.techrepublic.com/blog/data-center/simplify-admin-tasks-by-exporting-active-directory-data-with-csvde/
2. Then you can import the CSV file with the required user attributes (domain details modified according to the target domain) into the Windows 2012 domain using PowerShell, as shown in the link given below:
http://blogs.technet.com/b/bettertogether/archive/2011/01/09/import-bulk-users-to-active-directory.aspx
Regards,
Gopi
www.jijitechnologies.com -
10.4 and Windows 2003 Domain
Hello,
We're a 40% Mac environment where all the Macs are bound to our domain and users log in with Mobile accounts. When we first decided to do this, all the Macs played very nicely with our Windows 2000 domain.
About three months ago, we upgraded our Windows 2000 domain to a Windows 2003 domain and began enforcing stronger password security. Now all of the Mobile accounts on all of our 10.4 machines refuse to let the users change their passwords. Doing so through the Log In window when a password expires does not work. Neither do the controls in System Preferences/Accounts. Neither do the controls in the Kerberos app. It sits and pinwheels for a few minutes, then returns an error about not being able to change the user's password to the password specified.
I tried adding myself to a few of these computers as a Mobile user and then changing my password, but that didn't work either. So it isn't something held over in the user accounts from the old domain, and it isn't a permissions thing since I'm an administrator on the domain.
I've dumped all the Directory Access preferences files. Doesn't help.
Sometimes this behavior can be fixed by unbinding a machine from the domain, deleting the computer's account in Active Directory, then rebinding it to the domain. Lately, that fix has stopped working, and if I remove a machine from the domain, I cannot rebind it to the domain unless I do so using a different computer name - even though the computer account in Active Directory has been deleted.
Mobile accounts on all of our 10.5 machines can change their passwords without a problem.
I'm stumped. Anybody got any brilliant ideas? Information on Macs interacting with Windows domains is pretty scarce.
Hi Scott, and a warm welcome to the forums!
What Workgroup do you have set on the Mac in Directory Access Utility?
See if these 2 links help also...
http://www.macosxhints.com/article.php?story=20050302023720578
http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x -
OS authentication w/ 10.2 database and Windows 2000
Not a new issue - but still not too easy for me...
Got a Windows 2000 domain, a 10g enterprise database server on Windows 2003 as part of this domain and a client machine running a 10.2 client on Windows 2000 in the same domain.
remote_os_authent is FALSE.
OS_AUTH_PREFIX_DOMAIN is not set.
On both sides sqlnet.ora contains the line SQLNET.AUTHENTICATION_SERVICES= (NTS)
A database account exists as <domainname>\<username> with the create session privilege granted. <domainname> is the same as Windows' %USERDOMAIN%. <username> is the ID with which one logs into that domain on the client machine.
But still "sqlplus /" raises exception 01017. Password authenticated connects do work. What am I missing?
Thanks a lot..
Assuming it still doesn't work: sorry no, as I recall this info from a Metalink note, and the Metalink note worked for me. The only thing I can remember right now is one needs to enclose the Oracle account in double quotes, or it wouldn't work, due to the \. If that also doesn't help, I'm stuck.
Sybrand Bakker
Senior Oracle DBA -
JAAS, JGSS Kerberos and windows 2000 newbie question
Hi
I have set up a Kerberos server on Windows 2000; now I want to write code in Java to authenticate and authorize users using Kerberos. I know I have to use JAAS, JGSS.
Is there a how-to document to set up a client machine, like setting up the krb4.ini file and other security files, so I can use Java to authorize and authenticate? I am using j2sdk1.4.2.
I have the following code:
import org.ietf.jgss.*;

public class TestGSS {
    public static void useGSS() throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
        Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
        // Identify who the client wishes to be
        GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
        // Identify the name of the server. This uses a Kerberos specific
        // name format.
        GSSName serverName = manager.createName("krbsvr400/[email protected]",
                krb5PrincipalNameType);
        System.out.println("server name " + serverName.getStringNameType());
        // Acquire credentials for the user. This is the call that fails with
        // "Failed to find any Kerberos Ticket" when no TGT is available to the JVM.
        GSSCredential userCreds = manager.createCredential(userName,
                GSSCredential.DEFAULT_LIFETIME,
                krb5Mechanism,
                GSSCredential.INITIATE_ONLY);
        // Instantiate and initialize a security context that will be
        // established with the server
        GSSContext context = manager.createContext(serverName,
                krb5Mechanism,
                userCreds,
                GSSContext.DEFAULT_LIFETIME);
    }

    public static void main(String[] args) throws GSSException {
        useGSS();
    }
}
and krb5.ini file looks like below
[libdefaults]
default_realm = GL1AMR.PFIZER1.TEST
# des-cbc-crc is single DES, a weak and long-deprecated encryption type
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
forwardable = true
proxiable = true

[realms]
GL1AMR.PFIZER1.TEST = {
    kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
    admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
    default_domain = gl1amr.pfizer1.test
}

[domain_realm]
.gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST

[login]
krb4_convert = true
krb4_get_tickets = true
I get the following error:
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
What am I missing?
My JAVA FILE has the code as follows. When I run this code I am getting the following error:
Error
D:\Ramesh_Dump\KerbersTools>java GSSAPI
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
at GSSAPI.main(GSSAPI.java:34)
Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
JAVA CODE
import java.util.Hashtable;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import javax.naming.*;
import java.util.*;

public class GSSAPI {
    /**
     * @param args command-line arguments (unused)
     */
    public static void main(String[] args) {
        Hashtable<String, String> env = new Hashtable<String, String>();
        String ldapURL = "ldap://172.20.55.97:389/";
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // SASL GSSAPI (Kerberos): the identity comes from the caller's Kerberos ticket, so no
        // principal or password goes into the environment (the unused hard-coded simple-bind
        // credentials that were commented out in the original have been dropped)
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        //env.put("javax.security.sasl.server.authentication","true");
        //connect to my domain controller
        env.put(Context.PROVIDER_URL, ldapURL);
        try {
            //Create the initial directory context
            LdapContext ctx = new InitialLdapContext(env, null);
            //lets get the domain lockout duration policy
            Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
            System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
            System.out.println("Duration: " + attrs.get("lockoutDuration").get());
            System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
            long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
            //Create the search controls
            SearchControls searchCtls = new SearchControls();
            //Specify the attributes to return
            String returnedAtts[] = {"sn", "givenName", "mail", "lockoutTime"};
            searchCtls.setReturningAttributes(returnedAtts);
            //Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            //Create the correct LDAP search filter
            //Win32 file time is based from 1/1/1601
            //Java date/time is based from 1/1/1970
            /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
            GregorianCalendar Today = new GregorianCalendar();
            long Win32Date = Win32Epoch.getTimeInMillis();
            long TodaysDate = Today.getTimeInMillis();
            long TimeSinceWin32Epoch = TodaysDate - Win32Date;
            long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
            System.out.println("Lockout (Long): " + lockoutDate);*/
            //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
            //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
            String searchFilter = "(objectclass=user)";
            //Specify the Base for the search
            String searchBase = "dc=globalv,dc=com";
            //initialize counter to total the results
            int totalResults = 0;
            //Search for objects using the filter
            NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
            //Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = answer.next();
                totalResults++;
                System.out.println(">>>" + sr.getName());
                // Print out some of the attributes, catch the exception if the attributes have no values
                attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                        System.out.println(" mail: " + attrs.get("mail").get());
                        System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                        //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                    } catch (NullPointerException e) {
                        System.err.println("Problem listing attributes: " + e);
                    }
                }
            }
            // System.out.println("Total results: " + totalResults);
            ctx.close();
        } catch (NamingException e) {
            System.err.println("Problem searching directory: " + e);
        }
    }
}
-
Bug in JAAS Kerberos module on Windows XP?
We have a large application with its own user management. A recent addition to this application is a single sign-on using the Microsoft Active Directory.
Specifically we use the Sun provided Kerberos login provider for JAAS to retrieve the currently logged in user. This works perfectly on Windows 2000 Professional.
On Windows XP however, the login provider does not return the currently logged in user. What am I missing?
JAAS configuration file:
PbsJaas {
    // note: the Krb5LoginModule option is spelled doNotPrompt; this misspelling leaves it
    // at its default (false), which is what the debug output below reports
    com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true dontPrompt=true;
};
Test program:
package test;

import java.io.*;
import javax.security.auth.login.*;
import javax.security.auth.*;
import java.util.*;
import java.security.*;

/**
 * Testing Single Sign On with Microsoft Active Directory
 */
public class SsoTest {
    private static String getAuthenticatedUser() {
        String ssoUser = null;
        try {
            File confFile = new File("C:/test", "pbsjaas.conf");
            System.setProperty("java.security.auth.login.config", confFile.getAbsolutePath());
            System.setProperty("java.security.krb5.realm", "MY.DOMAIN");
            System.setProperty("java.security.krb5.kdc", "DOMAINSERVER");
            LoginContext lc = new LoginContext("PbsJaas");
            lc.login();
            Subject s = lc.getSubject();
            // take the first principal of the authenticated Subject as the logged-in user
            for (Iterator iter = s.getPrincipals().iterator(); iter.hasNext(); ) {
                Principal p = (Principal) iter.next();
                ssoUser = p.getName();
                break;
            }
        } catch (Exception ex) {
            System.out.println("exception during sso authentication - assuming not authenticated");
            ex.printStackTrace(System.out);
            ssoUser = null;
        }
        return ssoUser;
    }

    public static void main(String[] args) {
        try {
            String ssoUser = getAuthenticatedUser();
            System.out.println("user?: " + ssoUser);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        System.exit(0);
    }
}
The output on Windows XP is:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
No CallbackHandler available to garner authentication information from the user
exception during sso authentication - assuming not authenticated
javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:626)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:544)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at pbs.test.SsoTest.getAuthenticatedUser(SsoTest.java:23)
at pbs.test.SsoTest.main(SsoTest.java:50)
user?: null
Again, on Windows 2000 Professional everything works fine, and I get the currently logged in user.
We are running Windows 2000 Server.
Any help would be greatly appreciated.
David Sykes
Firstly, there appears to be a bug in the Kerberos libraries where it does not look at the local cache on XP. Try with -Dos.name="Windows 2000". This should trick the Java libraries into thinking it's on W2K and look at the LSA cache. There appear to be other issues here but I am still trying to investigate further.
Secondly, you haven't specified a CallBackHandler yet you have DoNotPrompt =false. Thus Kerberos will try to ask for the username and password (since it doesn't talk to LSA), yet none is defined in your call to LoginContext. -
Migrating Users and Groups from Windows 2000 server to Windows 2013 Standard.
OK...let me see if I can get this question out the way I need to....
I inherited a Windows 2000 Server that's on its last legs. We have a new server, a Windows 2013 Standard machine that we just recently purchased. I need to migrate the users and groups over to the new server, but there are two things that are making it difficult:
The 2000 machine is NOT a Domain Controller
The 2000 machine is NOT running Active Directory
This is a file server that hangs onto another network of which I have no control. It has its own IP address and there is NO WAY we can run Active Directory or make it a domain controller.
I have close to 300 users, groups, and printers to bring over to the new server. Rather than kill myself doing manual input, is there any other way to do this?
Hi,
When you import the CSV file to the new server, you need to create a new user account, then import the CSV.
http://blogs.technet.com/b/heyscriptingguy/archive/2014/10/01/use-powershell-to-create-local-users.aspx
If you have any issue, I suggest you ask in the PowerShell forums:
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserverpowershell
Regards.
-
Import Windows 2000 Group Policies
Hi!
We currently have our group policies coming from a Windows 2000 server.
We would like to change this so all group policies come from Zenworks.
We are running Zfd 3.2. Has anyone done this before or have any ideas
what the best way to do this would be?
Thanks...
Thanks Jared!
Jared L Jennings wrote:
> Kathy Morrison,
>
>
>> We are running Zfd 3.2. Has anyone done this before or have any
>>ideas what the best way to do this would be?
>
>
> Unless I am forgetting something,
>
> You can in the ZEN GP import the policy from a domain, or copy the
> Grouppolicies from the w2k server to your novell server and then setup
> the ZEN policies.
>
> As long as you have the workstation manager installed, then your ZFD
> policies should apply.
> -
Domain group validation hangs during ECC 6.0 install on windows server 2008
Hello to the group.
We are installing ECC 6.0 R3 on a windows server 2008 system (with SQL 2008) and the install is hanging in the user/group creation steps. Specifically, the install is able to create a group at the domain level but hangs when it tries to verify that group.
What's funny is the system is able to create two local domain groups without any issues.
Have any of you run into this same issue? We've tried updating sapinst and restarting the install process using a known good domain admin account (we are also creating a ticket to SAP support).
Thanks for any help!
J. Haynes
> This is actually a Domain based install.
ok
> So far after 12 hours the install is still hung. So we are looking at both network and issues with the AD related DLLS.
You can double-click on the orange icon (the sapinst backend process) next to the clock on the desktop and scroll down. There you may find a hint why it's taking so long.
Maybe you have a wrong/missing DNS server entry so the server is unable to find the domain controller, maybe the firewall is enabled and blocking asynchronous answers.
Markus