JAAS & Kerberos

I have been using Sun's JAAS Authentication with Kerberos tutorial (../security/jgss/tutorials/AcnOnly.html), and I have a question. When I test it using my username & password, I get the message:
Authentication failed:
Pre-authentication information was invalid (24)
My password is correct, so to test it for the other possible reasons I used an administrative name and password, and it worked. I next tried another user's name/password and this time received:
Authentication failed:
KDC has no support for encryption type (14)
There is no IT person today to discuss this with, so if anyone has any suggestions as to what the problem might be and how I can fix it, I would appreciate it.
Thanks
Tom

I've just tried the tutorial against 3 KDCs (W2K KDC, Win2003 KDC and MIT KDC) with jdk1.4.1_01 and with several accounts, and it worked.
For accounts with encryption other than DES it failed with 'Pre-authentication information was invalid (24)'...
Sorry it did not help...

Similar Messages

  • Bug in JAAS Kerberos module on Windows XP?

    We have a large application with its own user management. A recent addition to this application is a single sign-on using the Microsoft Active Directory.
    Specifically we use the Sun provided Kerberos login provider for JAAS to retrieve the currently logged in user. This works perfectly on Windows 2000 Professional.
    On Windows XP however, the login provider does not return the currently logged in user. What am I missing?
    JAAS configuration file:
    PbsJaas {
        com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true dontPrompt=true;
    };
    Test program:
    package test;

    import java.io.*;
    import javax.security.auth.login.*;
    import javax.security.auth.*;
    import java.util.*;
    import java.security.*;

    /**
     * Testing Single Sign On with Microsoft Active Directory
     */
    public class SsoTest {

        private static String getAuthenticatedUser() {
            String ssoUser = null;
            try {
                File confFile = new File("C:/test", "pbsjaas.conf");
                System.setProperty("java.security.auth.login.config", confFile.getAbsolutePath());
                System.setProperty("java.security.krb5.realm", "MY.DOMAIN");
                System.setProperty("java.security.krb5.kdc", "DOMAINSERVER");
                LoginContext lc = new LoginContext("PbsJaas");
                lc.login();
                Subject s = lc.getSubject();
                // Take the first principal in the Subject as the logged-in user
                for (Iterator iter = s.getPrincipals().iterator(); iter.hasNext(); ) {
                    Principal p = (Principal) iter.next();
                    ssoUser = p.getName();
                    break;
                }
            } catch (Exception ex) {
                System.out.println("exception during sso authentication - assuming not authenticated");
                ex.printStackTrace(System.out);
                ssoUser = null;
            }
            return ssoUser;
        }

        public static void main(String[] args) {
            try {
                String ssoUser = getAuthenticatedUser();
                System.out.println("user?: " + ssoUser);
            } catch (Exception ex) {
                ex.printStackTrace();
            }
            System.exit(0);
        }
    }
    The output on Windows XP is:
    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Principal is null
    null credentials from Ticket Cache
              [Krb5LoginModule] authentication failed
    No CallbackHandler available to garner authentication information from the user
    exception during sso authentication - assuming not authenticated
    javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:626)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:544)
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
         at pbs.test.SsoTest.getAuthenticatedUser(SsoTest.java:23)
         at pbs.test.SsoTest.main(SsoTest.java:50)
    user?: null
    Again, on Windows 2000 Professional everything works fine, and I get the currently logged in user.
    We are running Windows 2000 Server.
    Any help would be greatly appreciated.
    David Sykes

    Firstly, there appears to be a bug in the Kerberos libraries where it does not look at the local cache on XP. Try with -Dos.name="Windows 2000". This should trick the Java libraries into thinking it's on W2K and looking at the LSA cache. There appear to be other issues here, but I'm still trying to investigate further.
    Secondly, you haven't specified a CallbackHandler, yet you have doNotPrompt=false. Thus Kerberos will try to ask for the username and password (since it doesn't talk to LSA), yet none is defined in your call to LoginContext.

  • JAAS - Kerberos - windows 2000 domain - groups

    I need to find out if a user is in 2 different groups. If they are in group a, I display results a.m. If they are in group b, I display results b.n. If they are in a and b, then I display a.m union b.n. Any ideas?
    I am validating the user through Kerberos already. The Windows NT domain says they are valid if the correct username/domain/password are entered. Now I need to find out if they are part of a group on a domain. Any ideas? Am I making sense? Mail me at perry2of5 at yahoo.com if you need clarification or have ideas and don't want to post here.
    I suspect I need to use the Subject from the original login and ask for access to the group, but I don't know how to do this. Help!

    I've a very similar problem (maybe even simpler).
    My webapp (Struts) is running on Tomcat and the user login has to be proven against a Win2000 Active Directory server. If login is successful I'll need the user's roles from the W2k ADS. That's it.
    What I know till now:
    - authentication uses Kerberos
    - communication with ADS uses LDAP
    Does anybody have an easy solution (example)? I've already read all the JAAS stuff from Sun, but I'm still not sure how to implement it.
    Thx, Chrise

  • JAAS Kerberos Feature Request:-- Option: forwardable = true in configfile

    Hello,
    in order to request a forwardable ticket from the KDC (without using the native cache)
    you have to provide the krb5.ini (or krb5.conf) file
    with proper krb connection infos (REALM, domain ...)
    AND
    forwardable = true
    It is not possible to configure
    com.sun.security.auth.module.Krb5LoginModule with this option.
    The following jaas.conf should work:
    KerberosClient {
       com.sun.security.auth.module.Krb5LoginModule required
       useTicketCache=false
       forwardable=true;
    };
    thanks

    I have just been pulling my hair out with this same issue! I'm fairly new to Illustrator, so figured it was me just not knowing how to do something simple.
    Also I don't think the pen tool in Ideas is really a pen tool as we know it.

  • JAAS, Kerberos v5 and credentials

    Hi,
    I've recently heard that you could use GSS-API to implement SSO for use in Windows. I'd like my system to retrieve the Kerberos key from the local cache to use as credentials. I don't want the user to have to explicitly provide credentials as in the use of, e.g., TextCallbackHandler.
    I read about some flag:
    useSubjectCredsOnly
    That should be set to false in order to make this work?
    Well, I'm a newbie to this, so I'm wondering how the code instantiating the LoginContext should look?
    Here's the "usual" way:
    LoginContext lc = new LoginContext("myModule", new TextCallbackHandler());
    But what should it be when trying to implement SSO with Kerberos and not wanting the user to explicitly provide credentials?
    Kind regards, Andreas

    Thanks for your response.
    Yeah, I know that callback is never made when you define these options correctly. But then why would I have to specify a CallbackHandler except for when an authentication fails and I want a callback on failure?
    Now I just set any CallbackHandler, doesn't matter which 'cause it ain't going to be used. But the code really looks crappy and hard to read at first glance if you specify something that's never going to be used.
    Regards, Andreas
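Added example (not code from either poster): a LoginContext driven by an in-memory Configuration, covering both the missing-CallbackHandler problem in the Windows XP thread above and Andreas's question of what the LoginContext call looks like for SSO. The "sso" entry (useTicketCache=true, doNotPrompt=true) needs no CallbackHandler at all, because the module either finds a TGT in the ticket cache or fails, and only the password fallback gets a handler. The entry names, realm, KDC and user name are placeholders, and the XP LSA cache bug from the reply is not addressed here.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Two Krb5LoginModule entries built in code instead of a jaas.conf file:
 *   "sso"      - useTicketCache=true, doNotPrompt=true: reuse the TGT from the
 *                ticket cache and never call back to the user, so the
 *                LoginContext needs no CallbackHandler at all.
 *   "password" - the fallback; a CallbackHandler supplies name and password.
 * Realm and KDC are placeholder values set through system properties.
 */
public class Krb5LoginExample {

    /** In-memory replacement for the jaas.conf file. */
    static final class Krb5Config extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            if ("sso".equals(name)) {
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true");   // fail instead of prompting
                opts.put("renewTGT", "true");      // renew a renewable TGT if possible
            } else if ("password".equals(name)) {
                opts.put("useTicketCache", "false");
            } else {
                return null;                       // unknown entry name
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                                          LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Hands a name/password pair held in memory to the login module. */
    static final class FixedCredentialsHandler implements CallbackHandler {
        private final String name;
        private final char[] password;

        FixedCredentialsHandler(String name, char[] password) {
            this.name = name;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Silent SSO from the ticket cache first; a password login only if that fails. */
    static Subject login(CallbackHandler passwordHandler) throws LoginException {
        Configuration.setConfiguration(new Krb5Config());
        try {
            LoginContext sso = new LoginContext("sso");        // no handler: doNotPrompt
            sso.login();
            return sso.getSubject();
        } catch (LoginException noUsableTicket) {
            LoginContext pw = new LoginContext("password", passwordHandler);
            pw.login();
            return pw.getSubject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");     // placeholder
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");  // placeholder
        char[] pw = System.console() == null ? new char[0]
                                             : System.console().readPassword("Password: ");
        Subject s = login(new FixedCredentialsHandler("alice", pw));      // placeholder user
        System.out.println("Authenticated as " + s.getPrincipals(KerberosPrincipal.class));
        java.util.Arrays.fill(pw, '\0');                                  // scrub the password
    }
}
```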

  • Kerberos Authentication ignores expired credentials?

    JDK: J2SE 1.4.2
    OS: Win 2000
    I have an app that uses JAAS Kerberos for Authentication and it seems that the reference implementation from sun for Krb5LoginModule is not respecting when the credentials cache has expired.
    Without the useTicketCache="true" option in my login context config file, my app always pops up SWING dialogs to capture the user id and password to authenticate to the Kerberos KDC. This works fine. When using the "useTicketCache" option I can then use the kinit program to create the TGT cache which stores my credentials for future use. This works fine also. And when I run my app, the sun Kerberos reference implementation correctly finds the credentials cache and uses that and doesn't prompt me for a userid and password--single sign on heaven!
    However, once the credentials have expired, the sun ref impl is still allowing authentication to continue and my app to run when it SHOULD be telling me that my TGT has expired and I need to do another "kinit".
    Can anyone help me here? This issue defeats one of the key strengths of Kerberos--that of timed sessions. I'm hoping it is all just a configuration error on my part...
    Below are config file, credentials cache file name, krb5.ini, and a listing of principals from my Kerberos KDC:
    My config file looks like this:
    com.apisconsulting.ucped.UCPEDApplication {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache="true";
    };
    in my client code, I have a corresponding call like this:
    lc = new LoginContext("com.apisconsulting.ucped.UCPEDApplication", new DialogCallbackHandler());
    My credentials cache is stored in the default location in:
    ${user.home}/krb5cc_${user.name}
    which on my Win2k client is:
    C:\Documents and Settings\Administrator\krb5cc_Administrator
    and my krb5.ini file is also stored in the default location for windows (c:\winnt) and is the following:
    ------------------------ start of file krb5.ini ---------------
    [libdefaults]
    default_realm = NEUHAUS.WILTON-ASSOCIATES.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
    proxiable = true
    [realms]
    NEUHAUS.WILTON-ASSOCIATES.COM= {
        kdc = kerberos.wilton-associates.com:88
        admin_server = kerberos.wilton-associates.com
        default_domain = wilton-associates.com
    }
    [domain_realm]
    .wilton-associates.com = NEUHAUS.WILTON-ASSOCIATES.COM
    wilton-associates.com = NEUHAUS.WILTON-ASSOCIATES.COM
    [login]
    krb4_convert = true
    krb4_get_tickets = true
    ================== end of file krb5.ini =============================
    and when I do a "listprincs" on the Kerberos kdc, it lists the following test principals:
    kadmin.local: listprincs
    K/[email protected]
    admin/[email protected]
    [email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    krbtgt/[email protected]
    root/[email protected]
    and when I do "kinit" on my client it authenticates me as:
    [email protected]
    and when I do a "klist" I see something like the following:
    Credentials cache: C:\[snip]...\krb5cc_Administrator
    Default principal: [email protected], 1 entry found.
    [1] Service Principal: krbtgt/[email protected]
    Valid starting: Aug 27, 2003 16:19
    Expires: Aug 28, 2003 02:19
    But after the "Expires" date, the SUN ref impl still uses these stored credentials. Any ideas...?
    bauhaus9

    Not certain, but this could be an issue of renewable tickets. Windows 2000 issues a renewable krbtgt, so you may be getting updated tickets. Does this still happen if you leave it for at least a day (24 hours)?
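Added example, not the poster's code: after the cached-ticket login it pulls the KerberosTicket out of the Subject and refuses to continue unless the TGT is inside its validity window, which is the check the reference implementation is reported not to make in this thread; the renewTill it prints also shows whether the reply's renewable-ticket explanation applies. The jaas.conf entry name is a placeholder.

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Inspect the TGT that Krb5LoginModule placed in the Subject instead of trusting
 * that login() succeeded. A renewable TGT that the module renewed on the way in
 * (the reply's suspicion) shows up here as a fresh endTime and renewTill.
 */
public class TgtValidityCheck {

    /** Outcome of the check, with a human-readable reason for the log. */
    public static final class TgtStatus {
        public final boolean usable;
        public final String reason;

        TgtStatus(boolean usable, String reason) {
            this.usable = usable;
            this.reason = reason;
        }

        @Override
        public String toString() {
            return (usable ? "OK: " : "REJECT: ") + reason;
        }
    }

    /**
     * Accept the Subject only if it holds a TGT (server krbtgt/...) that is valid at
     * `now`. TGTs with less than `minRemainingMillis` of life left are rejected too,
     * so a session cannot be started seconds before the ticket lapses.
     */
    public static TgtStatus checkTgt(Subject subject, Date now, long minRemainingMillis) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        boolean sawServiceTicket = false;
        for (KerberosTicket t : tickets) {
            if (t.isDestroyed()) {
                continue;                       // logout() already wiped this one
            }
            if (!t.getServer().getName().startsWith("krbtgt/")) {
                sawServiceTicket = true;        // a service ticket, not the TGT
                continue;
            }
            Date start = t.getStartTime();      // may be null per the API
            Date end = t.getEndTime();
            if (start != null && now.before(start)) {
                return new TgtStatus(false, "TGT not valid before " + start);
            }
            if (end == null || !now.before(end)) {
                return new TgtStatus(false, "TGT expired at " + end + "; run kinit again");
            }
            long remaining = end.getTime() - now.getTime();
            if (remaining < minRemainingMillis) {
                return new TgtStatus(false, "TGT expires in " + (remaining / 1000) + "s, below policy");
            }
            String renew = t.isRenewable() ? ", renewable until " + t.getRenewTill() : ", not renewable";
            return new TgtStatus(true, "TGT for " + t.getClient().getName() + " valid until " + end + renew);
        }
        return new TgtStatus(false, sawServiceTicket
                ? "subject holds service tickets but no TGT"
                : "subject holds no Kerberos ticket");
    }

    public static void main(String[] args) throws LoginException {
        // Assumes a jaas.conf entry "UCPEDApplication" (placeholder name) using
        // Krb5LoginModule with useTicketCache="true", as in the post's configuration.
        LoginContext lc = new LoginContext("UCPEDApplication");
        lc.login();
        TgtStatus status = checkTgt(lc.getSubject(), new Date(), 5 * 60 * 1000L);
        System.out.println(status);
        if (!status.usable) {
            lc.logout();                        // drop the stale credentials
            System.exit(1);
        }
    }
}
```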

  • Kerberos authentication with Active Directory

    I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
    I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
    How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
    I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
    import java.io.*;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;

    public class krb5ADLogin1 {
        public static void main(String[] args) {
            LoginContext lc = null;
            try {
                // TextCallbackHandler prompts for name and password on the console
                lc = new LoginContext("krb5ADLogin1", new TextCallbackHandler());
                lc.login();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    Here is my config file:
    krb5ADLogin1 {
        com.sun.security.auth.module.Krb5LoginModule required;
    };
    The command I use to start the program is:
    java -Djava.security.krb5.realm=mydomain.com
    -Djava.security.krb5.kdc=DomainController.mydomain.com
    -Djava.security.auth.login.config=sample.conf krb5ADLogin1

    Hi there ... the Sun web site has the following snippet:
    http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
    + javax.security.auth.login.LoginException: KrbException::
    Pre-authentication information was invalid (24) - Preauthentication failed
    Cause 1: The password entered is incorrect.
    Solution 1: Verify the password.
    Cause 2: If you are using the keytab to get the key (e.g., by
    setting the useKeyTab option to true in the Krb5LoginModule entry
    in the JAAS login configuration file), then the key might have
    changed since you updated the keytab.
    Solution 2: Consult your Kerberos documentation to generate a new
    keytab and use that keytab.
    Cause 3: Clock skew - If the time on the KDC and on the client
    differ significantly (typically 5 minutes), this error can be
    returned.
    Solution 3: Synchronize the clocks (or have a system administrator
    do so).
    Good luck,
    -Derek

  • How do I login to a Windows computer that is NOT on a domain.

    I'm writing a server side web app and I want to validate the client's credentials against those of the Windows server that is not on the domain.
    If the server is on the domain, I can use Java JAAS + Kerberos stuff. However, if the server is not on any domain, and I want to try to validate a local Windows login, how do I do that? Can I use Kerberos or do I need to use something else?
    Thanks!

    NTLM?
    I know Java's HTTP supports NTLM, but possibly there is no general API like JGSS.

  • How to use GSS and JAAS with kerberos

    Hi,
    I am new to this subject. I have set up a Kerberos server on Win 2000 and registered my other servers to it; this setup works fine. Now what I have to do is the following:
    1. Display an HTML page where I will take the user id and password for domain 1
    2. Validate this user id and password using JAAS
    3. Create a connection object with domain 2 (which is AS400)
    So how do I set up my WebSphere to do so? Also, can anyone provide Java code to get GSS credentials and create a connection to any other server?
    Ashish

    Look for "Single Sign-on Using Kerberos in Java" in google or on Sun's web site. Maybe this paper will help you.
    Claude

  • Query on SSO using Kerberos and JAAS

    We have created a LAN of two computers one being an IIS server (windows 2000 Server) and the other the client (Windows 2000 PRO)
    When the server program and the applet is run on the server machine the authentication is done properly and the context is established.
    But now we want the other terminal to be the client.
    Now we have hosted the applet from the server and we are accessing the hosted page from the client terminal and now we get the following exception:
    javax.security.auth.login.LoginException: trainee.Trainee123.Local: trainee.Trainee123.Local
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:572)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
    at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at GSSClient.login(GSSClient.java:110)
    at GSSClientApplet.login(GSSClientApplet.java:127)
    at GSSClientApplet.access$000(GSSClientApplet.java:14)
    at GSSClientApplet$1.actionPerformed(GSSClientApplet.java:74)
    at java.awt.Button.processActionEvent(Button.java:381)
    at java.awt.Button.processEvent(Button.java:350)
    at java.awt.Component.dispatchEventImpl(Component.java:3639)
    at java.awt.Component.dispatchEvent(Component.java:3480)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:450)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:197)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:150)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:144)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:136)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:99)
    Caused by: java.net.UnknownHostException: trainee.Trainee123.Local: trainee.Trainee123.Local
    at java.net.InetAddress.getAllByName0(InetAddress.java:999)
    at java.net.InetAddress.getAllByName0(InetAddress.java:969)
    at java.net.InetAddress.getAllByName(InetAddress.java:963)
    at java.net.InetAddress.getByName(InetAddress.java:883)
    at sun.security.krb5.internal.bg.<init>(DashoA6275:51)
    at sun.security.krb5.KrbKdcReq$KdcCommunication.run(DashoA6275:185)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.krb5.KrbKdcReq.send(DashoA6275:148)
    at sun.security.krb5.KrbAsReq.send(DashoA6275:401)
    at sun.security.krb5.KrbAsReq.send(DashoA6275:293)
    at sun.security.krb5.Credentials.acquireTGT(DashoA6275:332)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
    ... 24 more
    --(the server address being trainee.Trainee123.Local.)
    We referred to the following site:
    http://www-128.ibm.com/developerworks/java/library/j-gss-sso/index.html
    Please suggest a solution to this problem.

    Hi there,
    I need to implement a J2EE Struts-based web application where the authentication should be against the user profiles in the Windows Active Directory Services using JAAS.
    I do not know how to start; is it possible for you to throw some light on this, like how Kerberos works with ADS and other things?
    Thanks,
    Diva

  • JAAS, JGSS Kerberos  and windows 2000 newbie question

    Hi
    I have set up a Kerberos server on Windows 2000. Now I want to write code in Java to authenticate and authorize users using Kerberos; I know I have to use JAAS and JGSS.
    Is there a how-to document to set up a client machine, like setting up the krb4.ini file and other security files, so I can use Java to authorize and authenticate? I am using j2sdk1.4.2.
    I have the following code:
    import org.ietf.jgss.*;

    public class TestGSS {
        void useGSS() throws GSSException {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
            // Identify who the client wishes to be
            GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
            // Identify the name of the server. This uses a Kerberos specific
            // name format.
            GSSName serverName = manager.createName("krbsvr400/[email protected]",
                                                    krb5PrincipalNameType);
            System.out.println("server name " + serverName.getStringNameType());
            // Acquire credentials for the user
            GSSCredential userCreds = manager.createCredential(userName,
                                                               GSSCredential.DEFAULT_LIFETIME,
                                                               krb5Mechanism,
                                                               GSSCredential.INITIATE_ONLY);
            // Instantiate and initialize a security context that will be
            // established with the server
            GSSContext context = manager.createContext(serverName,
                                                       krb5Mechanism,
                                                       userCreds,
                                                       GSSContext.DEFAULT_LIFETIME);
        }
    }
    and krb5.ini file looks like below
    [libdefaults]
    default_realm = GL1AMR.PFIZER1.TEST
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
    proxiable = true
    [realms]
    GL1AMR.PFIZER1.TEST= {
        kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
        admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
        default_domain = gl1amr.pfizer1.test
    }
    [domain_realm]
    .gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
    gl1amr.pfizer1.testm = GL1AMR.PFIZER1.TEST
    [login]
    krb4_convert = true
    krb4_get_tickets = true
    I get the following error:
    SSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
         at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
    What am I missing?

    My Java file has the following code; when I run it I am getting the following error:
    Error:
    D:\Ramesh_Dump\KerbersTools>java GSSAPI
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at GSSAPI.main(GSSAPI.java:34)
    Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
    Java code:
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.*;
    import java.text.*;

    public class GSSAPI {

         /**
          * @param args
          */
         public static void main(String[] args) {
              Hashtable env = new Hashtable();
              String adminName = "[email protected]";//"[email protected]";
              String adminPassword = "Password12";
              String ldapURL = "ldap://172.20.55.97:389/";
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              // set security credentials: with SASL GSSAPI the Kerberos ticket of the
              // calling Subject is used, so no principal/password goes into env
              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
              //env.put(Context.SECURITY_PRINCIPAL,adminName);
              //env.put(Context.SECURITY_CREDENTIALS,adminPassword);
              //env.put("javax.security.sasl.server.authentication","true");
              // connect to my domain controller
              env.put(Context.PROVIDER_URL, ldapURL);
              try {
                   // Create the initial directory context
                   LdapContext ctx = new InitialLdapContext(env, null);
                   // lets get the domain lockout duration policy
                   Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
                   //System.out.println("test arttr"+attrs.get(""));
                   System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
                   System.out.println("Duration: " + attrs.get("lockoutDuration").get());
                   System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
                   long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
                   // Create the search controls
                   SearchControls searchCtls = new SearchControls();
                   // Specify the attributes to return
                   String returnedAtts[] = {"sn", "givenName", "mail", "lockoutTime"};
                   searchCtls.setReturningAttributes(returnedAtts);
                   // Specify the search scope
                   searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                   // Create the correct LDAP search filter
                   // Win32 file time is based from 1/1/1601
                   // Java date/time is based from 1/1/1970
                   /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
                   GregorianCalendar Today = new GregorianCalendar();
                   long Win32Date = Win32Epoch.getTimeInMillis();
                   long TodaysDate = Today.getTimeInMillis();
                   long TimeSinceWin32Epoch = TodaysDate - Win32Date;
                   long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
                   System.out.println("Lockout (Long): " + lockoutDate);*/
                   //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
                   //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
                   String searchFilter = "(objectclass=user)";
                   // Specify the Base for the search
                   String searchBase = "dc=globalv,dc=com";
                   // initialize counter to total the results
                   int totalResults = 0;
                   // Search for objects using the filter
                   NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                   // Loop through the search results
                   while (answer.hasMoreElements()) {
                        SearchResult sr = (SearchResult) answer.next();
                        totalResults++;
                        System.out.println(">>>" + sr.getName());
                        // Print out some of the attributes, catch the exception if the attributes have no values
                        attrs = sr.getAttributes();
                        if (attrs != null) {
                             try {
                                  System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                                  System.out.println(" mail: " + attrs.get("mail").get());
                                  System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                                  //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                             } catch (NullPointerException e) {
                                  System.err.println("Problem listing attributes: " + e);
                             }
                        }
                   }
                   //System.out.println("Total results: " + totalResults);
                   ctx.close();
              } catch (NamingException e) {
                   System.err.println("Problem searching directory: " + e);
              }
         }
    }
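Added example, not code from any of the posts: the "Failed to find any Kerberos Ticket" failure above (and the same GSSException at createCredential in the newbie thread) comes from running the GSSAPI credential acquisition outside a Subject that holds a TGT, since the default useSubjectCredsOnly=true looks only in the current access-control context; this version does the JAAS login first and runs the JNDI work inside Subject.doAs, then reads memberOf, which answers the group-membership question in the "windows 2000 domain - groups" thread. The jaas.conf entry name, LDAP URL, search base, user and group DNs are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/**
 * JAAS Kerberos login first, then the JNDI/GSSAPI bind inside Subject.doAs so the
 * SASL layer finds the TGT in the current access-control context (the default
 * useSubjectCredsOnly=true looks nowhere else). The search then reads memberOf,
 * which lists the groups a user is a direct member of.
 * Placeholders: the jaas.conf entry name, the LDAP URL, the search base and "alice".
 */
public class KerberosLdapGroups {

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Open an LDAP connection authenticated with the calling Subject's Kerberos TGT. */
    static LdapContext connect(String ldapUrl) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");  // SASL, no password in env
        env.put("javax.security.sasl.qop", "auth-conf");      // sign and seal the session
        return new InitialLdapContext(env, null);
    }

    /** Return the group DNs in memberOf for the account with this sAMAccountName. */
    static List<String> groupsOf(LdapContext ctx, String base, String sam) throws Exception {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"});
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sam) + "))";
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
        while (results.hasMore()) {
            Attribute memberOf = results.next().getAttributes().get("memberOf");
            if (memberOf == null) {
                continue;   // memberOf omits the primary group and nested membership
            }
            for (int i = 0; i < memberOf.size(); i++) {
                groups.add(memberOf.get(i).toString());
            }
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        // Assumes a jaas.conf entry "KerberosClient" using Krb5LoginModule
        // (useTicketCache=true) and -Djava.security.auth.login.config=jaas.conf.
        LoginContext lc = new LoginContext("KerberosClient");
        lc.login();
        final String user = args.length > 0 ? args[0] : "alice";
        List<String> groups = Subject.doAs(lc.getSubject(),
                new PrivilegedExceptionAction<List<String>>() {
                    @Override
                    public List<String> run() throws Exception {
                        LdapContext ctx = connect("ldap://dc.example.com:389/");
                        try {
                            return groupsOf(ctx, "dc=example,dc=com", user);
                        } finally {
                            ctx.close();
                        }
                    }
                });
        // Authorisation decision as in the groups thread: a, b, or a union b
        boolean inA = groups.contains("CN=GroupA,OU=Groups,DC=example,DC=com");
        boolean inB = groups.contains("CN=GroupB,OU=Groups,DC=example,DC=com");
        System.out.println("groups=" + groups + " inA=" + inA + " inB=" + inB);
        lc.logout();
    }
}
```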
    import java.util.Calendar;
    import java.util.GregorianCalendar;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attribute;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public class GSSAPI {

        // First value of an attribute, or "(not set)" when the entry does not carry it.
        // Replaces the NullPointerException catch of the first version: attrs.get(name)
        // returns null for an absent attribute, so calling .get() on it blew up.
        private static String value(Attributes attrs, String name) throws NamingException {
            Attribute a = attrs.get(name);
            return (a == null) ? "(not set)" : String.valueOf(a.get());
        }

        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            //String adminName = "[email protected]";
            //String adminPassword = "Password12";
            String ldapURL = "ldap://172.20.55.97:389/";
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // SASL/GSSAPI bind: the Kerberos credentials come from the JAAS Subject
            // (or the ticket cache), not from SECURITY_PRINCIPAL/SECURITY_CREDENTIALS.
            // The commented-out lines are what a simple (cleartext) bind would set instead.
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            //env.put(Context.SECURITY_PRINCIPAL, adminName);
            //env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            //env.put("javax.security.sasl.server.authentication", "true");
            // connect to my domain controller
            env.put(Context.PROVIDER_URL, ldapURL);
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // Read the domain lockout policy
                Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
                System.out.println("Lockout policy for " + value(attrs, "distinguishedName"));
                System.out.println("Duration: " + value(attrs, "lockoutDuration"));
                System.out.println("Threshold: " + value(attrs, "lockoutThreshold"));
                // AD stores lockoutDuration as a NEGATIVE interval in 100 ns units
                long lockoutDuration = Long.parseLong(value(attrs, "lockoutDuration"));
                // Create the search controls
                SearchControls searchCtls = new SearchControls();
                // Specify the attributes to return
                String[] returnedAtts = {"sn", "givenName", "mail", "lockoutTime"};
                searchCtls.setReturningAttributes(returnedAtts);
                // Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                // Create the LDAP search filter.
                // Win32 file time counts 100 ns ticks from 1/1/1601;
                // Java date/time counts milliseconds from 1/1/1970.
                /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601, Calendar.JANUARY, 1);
                GregorianCalendar Today = new GregorianCalendar();
                long Win32Date = Win32Epoch.getTimeInMillis();
                long TodaysDate = Today.getTimeInMillis();
                long TimeSinceWin32Epoch = TodaysDate - Win32Date;
                // lockoutDuration is negative, so this is "now minus the lockout window"
                long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
                System.out.println("Lockout (Long): " + lockoutDate);*/
                //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
                //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
                String searchFilter = "(objectclass=user)";
                // Specify the base for the search
                String searchBase = "dc=globalv,dc=com";
                // Initialize counter to total the results
                int totalResults = 0;
                // Search for objects using the filter
                NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
                // Loop through the search results
                while (answer.hasMore()) {
                    SearchResult sr = answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print some of the attributes; a missing attribute prints "(not set)"
                    attrs = sr.getAttributes();
                    if (attrs != null) {
                        System.out.println(" name: " + value(attrs, "givenName") + " " + value(attrs, "sn"));
                        System.out.println(" mail: " + value(attrs, "mail"));
                        // lockoutTime is a Win32 file time; 0 means the account is not locked
                        System.out.println(" locked: " + value(attrs, "lockoutTime"));
                        //System.out.println(" locked: " + DisplayWin32Date(value(attrs, "lockoutTime")));
                    }
                }
                //System.out.println("Total results: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem searching directory: " + e);
            }
        }
    }
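    The FILETIME arithmetic that the program above leaves commented out is the part that usually goes wrong, so here is an added example (not from the original post, and not run against a directory) that carries it through offline: converting between Win32 file time and java.time, reading AD's negative lockoutDuration as a window, computing the cutoff that separates accounts still locked from accounts whose lockout has expired, and producing the search filter the post was aiming for. The class name AdLockoutMath, the 30 minute policy value, the timestamps and the sample accounts in main() are constructed for the demonstration.

```java
import java.time.Duration;
import java.time.Instant;

public class AdLockoutMath {

    // 100 ns ticks between the Win32 epoch (1601-01-01) and the Unix epoch (1970-01-01)
    static final long EPOCH_DIFF_TICKS = 116444736000000000L;
    static final long TICKS_PER_MILLI = 10_000L;
    // AD stores "locked until an administrator unlocks it" as the most negative 64-bit value
    static final long NEVER_UNLOCK = Long.MIN_VALUE;

    /** Win32 FILETIME (ticks since 1601) to Instant. */
    static Instant fileTimeToInstant(long fileTime) {
        return Instant.ofEpochMilli((fileTime - EPOCH_DIFF_TICKS) / TICKS_PER_MILLI);
    }

    /** Instant to Win32 FILETIME; millisecond precision is plenty for lockout policy. */
    static long instantToFileTime(Instant t) {
        return t.toEpochMilli() * TICKS_PER_MILLI + EPOCH_DIFF_TICKS;
    }

    /**
     * lockoutDuration comes back from AD as a NEGATIVE interval in 100 ns units
     * (-18000000000 is 30 minutes). Returns it as a positive Duration, or null
     * when locked accounts never unlock on their own.
     */
    static Duration lockoutWindow(long lockoutDurationAttr) {
        if (lockoutDurationAttr == NEVER_UNLOCK) return null;
        return Duration.ofMillis(-lockoutDurationAttr / TICKS_PER_MILLI);
    }

    /**
     * Earliest lockoutTime that is still in force at 'now'. This is the value the
     * original post computed: now as FILETIME plus the (negative) lockoutDuration,
     * i.e. now minus the lockout window.
     */
    static long stillLockedCutoff(Instant now, long lockoutDurationAttr) {
        if (lockoutDurationAttr == NEVER_UNLOCK) return 1L;   // any non-zero lockoutTime counts
        return instantToFileTime(now) + lockoutDurationAttr;
    }

    /** lockoutTime of 0 means never locked; otherwise compare against the cutoff. */
    static boolean isLocked(long lockoutTime, Instant now, long lockoutDurationAttr) {
        return lockoutTime != 0 && lockoutTime >= stillLockedCutoff(now, lockoutDurationAttr);
    }

    /** Filter that lets the domain controller do the comparison, for DirContext.search(). */
    static String lockedUsersFilter(Instant now, long lockoutDurationAttr) {
        return "(&(objectClass=user)(lockoutTime>=" + stillLockedCutoff(now, lockoutDurationAttr) + "))";
    }

    public static void main(String[] args) {
        // Constructed sample policy: a 30 minute lockout window, as AD returns it
        long lockoutDurationAttr = -18_000_000_000L;
        Instant now = Instant.parse("2008-08-19T15:07:00Z");

        // Constructed sample accounts: locked 10 minutes ago, locked 2 hours ago, never locked
        long lockedRecently = instantToFileTime(now.minus(Duration.ofMinutes(10)));
        long lockedLongAgo  = instantToFileTime(now.minus(Duration.ofHours(2)));

        System.out.println("lockout window: " + lockoutWindow(lockoutDurationAttr));
        System.out.println("filter: " + lockedUsersFilter(now, lockoutDurationAttr));
        System.out.println("locked 10 min ago -> still locked: " + isLocked(lockedRecently, now, lockoutDurationAttr));
        System.out.println("locked 2 h ago    -> still locked: " + isLocked(lockedLongAgo, now, lockoutDurationAttr));
        System.out.println("never locked      -> still locked: " + isLocked(0L, now, lockoutDurationAttr));
        System.out.println("lockoutTime " + lockedRecently + " is " + fileTimeToInstant(lockedRecently));
    }
}
```

    Two things to keep straight when wiring this into the JNDI program: the cutoff must be computed from the client's clock, so a skewed workstation clock will misclassify accounts near the boundary, and the lockoutTime attribute is not reset to 0 when the window expires, which is why the filter compares against a cutoff instead of testing for a non-zero value.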

  • JAAS write to Kerberos Cache...

    JAAS write to Kerberos Cache...
    I can get JAAS to read the Kerberos cache by setting useTicketCache in jaas.conf, but it does NOT write to the cache.
    I found that KerberosTicket.getEncoded() returns the ASN.1-encoded Kerberos ticket.
    I guess decoding that and writing it to /tmp/krbcc_0 might work, but how do I decode it?
    thanks

    kinit is only included on Windows because most other systems already have their own native version of kinit.
    Please use the software installer on your Linux system to install the Kerberos client package.
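    The question above (as opposed to the kinit reply) asks how to get the ticket JAAS obtained into a cache file. No decoding is needed: an MIT-format credential cache stores the DER Ticket from KerberosTicket.getEncoded() as an opaque blob, next to the session key, the times and the flags, which KerberosTicket also exposes through getters. The following is an added example, not code from the original thread: it lays out a format version 4 FILE cache (the version kinit writes) from a KerberosTicket. The class name CcacheWriter, the realm EXAMPLE.COM, the placeholder DER bytes and the all-zero session key are assumptions so that it runs without a KDC; a real program would take the tickets from subject.getPrivateCredentials(KerberosTicket.class) after a successful login.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

/** Writes KerberosTickets into an MIT FILE credential cache, format version 4 (big-endian). */
public class CcacheWriter {

    // KerberosTicket.getFlags() is indexed like the KerberosFlags bit string
    // (forwardable = 1, renewable = 8, initial = 9, ...); the ccache ticket_flags
    // field holds the same bits counted from the most significant bit.
    static int ticketFlags(boolean[] flags) {
        int out = 0;
        for (int i = 0; i < flags.length && i < 32; i++) {
            if (flags[i]) out |= 1 << (31 - i);
        }
        return out;
    }

    static void writeData(DataOutputStream out, byte[] data) throws IOException {
        out.writeInt(data.length);                     // 32-bit length prefix
        out.write(data);
    }

    /** v4 principal: name_type, component count, realm, then each component. */
    static void writePrincipal(DataOutputStream out, KerberosPrincipal p) throws IOException {
        String name = p.getName();                       // "name/instance@REALM"
        // Simplification: components split on '/', escaped slashes are not handled.
        String[] comps = name.substring(0, name.lastIndexOf('@')).split("/");
        out.writeInt(p.getNameType());
        out.writeInt(comps.length);
        writeData(out, p.getRealm().getBytes(StandardCharsets.UTF_8));
        for (String c : comps) writeData(out, c.getBytes(StandardCharsets.UTF_8));
    }

    static int seconds(Date d) {
        return d == null ? 0 : (int) (d.getTime() / 1000L);
    }

    /** One credential record in the order the FILE format expects. */
    static void writeCredential(DataOutputStream out, KerberosTicket t) throws IOException {
        writePrincipal(out, t.getClient());
        writePrincipal(out, t.getServer());
        out.writeShort(t.getSessionKeyType());         // keyblock: enctype (16 bits)
        writeData(out, t.getSessionKey().getEncoded());  // keyblock: key
        out.writeInt(seconds(t.getAuthTime()));
        out.writeInt(seconds(t.getStartTime()));
        out.writeInt(seconds(t.getEndTime()));
        out.writeInt(seconds(t.getRenewTill()));
        out.writeByte(0);                              // is_skey
        out.writeInt(ticketFlags(t.getFlags()));
        out.writeInt(0);                               // address count: none
        out.writeInt(0);                               // authdata count: none
        writeData(out, t.getEncoded());                // the DER Ticket, copied as-is
        writeData(out, new byte[0]);                   // second_ticket: empty
    }

    /** Whole cache: version, header (KDC time offset), default principal, credentials. */
    static byte[] build(KerberosPrincipal defaultPrincipal, KerberosTicket... tickets) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buf);
        out.writeShort(0x0504);                        // file format version 4
        out.writeShort(12);                            // header length
        out.writeShort(1);  out.writeShort(8);         // tag 1 (DeltaTime), 8 bytes
        out.writeInt(0);    out.writeInt(0);           // clock offset sec / usec
        writePrincipal(out, defaultPrincipal);
        for (KerberosTicket t : tickets) writeCredential(out, t);
        out.flush();
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed ticket: DER bytes and session key are placeholders, not from a KDC.
        KerberosPrincipal client = new KerberosPrincipal("tom@EXAMPLE.COM");
        KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM",
                KerberosPrincipal.KRB_NT_SRV_INST);
        byte[] placeholderDer = {0x61, 0x03, 0x30, 0x01, 0x00};
        byte[] placeholderKey = new byte[8];
        boolean[] flags = new boolean[32];
        flags[1] = true;                               // forwardable
        flags[9] = true;                               // initial
        Date now = new Date();
        KerberosTicket ticket = new KerberosTicket(placeholderDer, client, tgs, placeholderKey, 3,
                flags, now, now, new Date(now.getTime() + 8 * 3600_000L), null, null);

        // createTempFile gives owner-only permissions on POSIX, which a ccache needs
        Path cache = Files.createTempFile("krb5cc_", ".tmp");
        Files.write(cache, build(client, ticket));
        System.out.println("wrote " + Files.size(cache) + " bytes to " + cache);
    }
}
```

    To hand the file to other software, write it to the path named by KRB5CCNAME (or to the ticketCache option of Krb5LoginModule together with useTicketCache=true) and keep it mode 0600, since it holds the session key. The placeholder DER bytes above will of course not parse as a ticket; with a real ticket from the Subject the record is laid out the way kinit writes it.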

  • Authentication using AD and Kerberos with JAAS servers

    Hello,
    Please help me!
    I'm very unhappy because I can't set up the authentication.
    I set it up following the admin guide, but I can't set up the AD plug-in. It gives this error:
    Error updating Windows AD authentication properties: The Active Directory plugin failed to verify the provided SPN. Please ensure the SPN identifies a valid account.
    Error updating Windows AD authentication properties: The secWinAD security plugin is not available. Please contact your system administrator for details
    Thank you very much!
    Marika
    Edited by: Marika Visnova on Aug 19, 2008 3:07 PM

    Hello,
    I have BO Enterprise XI Release 2 on Windows 2003.
    I used this guide:
    http://help.sap.com/businessobject/product_guides/boexir2/en/xir2_bip_deploy_en.pdf
    and followed it up to page 297.
    I can't enter the AD Administration Name and Default AD Domain; it gives me back the error:
    Error updating Windows AD authentication properties: The Active Directory plugin failed to verify the provided SPN. Please ensure the SPN identifies a valid account.
    Error updating Windows AD authentication properties: The secWinAD security plugin is not available. Please contact your system administrator for details
    What I also can't do is step 6 of "Granting the service account rights" on page 296:
    6. Ensure that the Local Policy Setting check box is selected, and click OK.
    7. Repeat the above steps on each machine running a BusinessObjects Enterprise server.
    Note: It is important that the Effective Right ends up being checked after Act as part of the operating system is selected. Typically, you will need to restart the server for this to occur. If, after restarting the server, this option is still not on, your Local Policy settings are being overridden by your Domain Policy settings.
    I don't know how to set this up.
    Thank you very, very much for your answer,
    Marika

  • Configuring Windows XP to use IIS w/ Kerberos

    I need to build a Windows XP SSO solution using IIS 5.1 with Integrated Windows Authentication using the Kerberos protocol. IIS will then pass the request over to another application, which will need to use a Kerberos JAAS module to authenticate the respective users to the application.
    Does anyone have any instructions or tips on accomplishing this set of tasks? I have very limited experience with Kerberos. Any help would be much appreciated.
    Note: I've gotten this to work using NTLM, so I would like to know the level of difficulty in making the switch over to Kerberos.
    Thanks a lot in advance!
    Message was edited by: YvesG

    Because the SAP Help topics Single Sign-On with Microsoft Kerberos SSP (http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm) and Configuring the Application Server (http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm) tell you to copy the gsskrb5.dll file (see SAP Note 595341) to the following directory on the central instance: Drive:\%windir%\system32.
    This text makes me think that the central instance is installed on a Windows Server, but in the SAP Help docs I did not find the specific statement that the central instance must be installed on a Windows Server.

  • Plans to change JAAS/GSS for Windows XP SP2 and beyond

    Are there any plans to reimplement JAAS GSS on the windows platform to account for this issue:
    Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
    Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
    Thanks!
    -Bob

    This is an old thread, but one of my clients has run into the same problem. Hopefully someone is still monitoring....
    The answer is that the implementation should not be trying to do anything directly with keys. Delegation works just fine if it has been configured correctly in AD. Simply impersonate the context on the server side and then call the appropriate API to get a new service ticket and it will use the forwarded TGT. Credential delegation solved.
    MS was correct to "fix" the session key interface since it allowed user code to attain a "password equivalent". The JAAS implementation should be fixed to use the Windows authentication interfaces correctly.
    Thanks,
    Dave
    Feel free to contact me offline for more information or pointers at [email protected] (remove the no-spams).
