Java/Active Directory problem

Similar Messages

• SharePoint Foundation Active Directory Problem

  Hey,
  I have a problem with the Active Directory connection to SharePoint Foundation.
  My Situation looks like this:
  I'm working on a kind of project controlling plattform. Each of our customers has its own site. Also each customer has an account in our Active Directory. For the administrative part, we have a list which contains some infos of the customer, the url to its
  site and the contact person.
  I wrote an import-script which creates a site and a new item in the list. To put the contact person in the list-item, I use a code-snippet like this:
  try
  user = web.EnsureUser(loginName);
  catch (Exception ex)
  throw new Exception("LoginName " + loginName + " not found");
  Now the problem is, that the try/catch block fails too often which means: SharePoint doesn't know the loginNames of some of our customers.
  Why does SharePoint not know maybe 1/5 of all our customers? All of them have an account in our active directory, none of them ever logged in the SharePoint (at the time they even doesn't know, that they have a SharePoint site for this project).
  I searched the internet for the problem but all I found where questions related to the synchronization of ad-properties to SharePoint Foundation. But I don't want to sync the phone-number or something like that - I want SharePoint only to know all the loginNames
  of our customers, not only 1/5 of them.
  How do I achive this, what am I doing wrong?
  Thank you!

  web.EnsureUser has nothing to do with the UPS at all. This has nothing to do with synchronisation (it does have a role but it's a maintenance one and nothing to do with authentication.
  The simplest answer is that the login names are being entered wrongly. Having said that there are a few areas you can look at to try to identify the problem:
  Does it fail repeatedly for the same username? Can you add that user to the site manually using a people picker control and if so will the script work afterwards? Are there any trends in the user accounts that SharePoint cannot find?

• 10.4.6 and Active Directory Problem - Volume cannot be found??

  I have bound six 10.4.6 to active directory. All went sweet with no problems. I have "force local home folder" off in Directory Access for AD. I can login to the Mac no problem using any user account from AD. If I login with a user the first time all goes well. The desktop icons show and the home directory is that of the users network home folder and can browse it. All good until I log out and login again. I get the desktop icons but the users home directory give the error "The Volume for %username% Cannot be found" when trying to access. I can browse the network to the user home folder without having to authenticate. The server (2003) shows no login errors, all looks fine. I have upgraded one Mac to 10.4.7 but made no differnce.
  I have installed "services for Mac and Appletalk" on the server but from what I have been told this shouldn't need to be installed but I did as I was getting no where anyway.
  Any ideas?
  PowerPC   Mac OS X (10.4.6)  

  Hi Chris!
  Before I comment, I want to define a couple of things. A "Mac home folder" stores a user's files (Documents, Library, etc.). This home folder can be stored locally on the workstation or it can be stored on a server. A "Windows home folder" is defined in a user's Active Directory account and can be used as the Mac home folder or simply as a network user folder for storage.
  While the idea of a network-based Mac home folder is nice, it can be clunky simply because the entire user experience is dependent on network speed and/or good file synchronization between your server and workstation. As someone who works in a group supporting about 300 Macs, I suggest enabling local home folders and not using a network-based Mac home folder.
  Next, File Services for Macintosh (AFP protocol) built into Windows Server will not support network-based Mac home folders. This is a dead end. You can install a third party product from Group Logic called ExtremeZ-IP, which does support network-based home folders over AFP.
  Therefore, what's happening in your network is that the network-based Mac home folders are being mounted via the SMB protocol, which uses Windows style file sharing. SMB in Mac OS X is good for limited use but I wouldn't recommend it for extensive use, which would include network-based Mac home folders.
  Here's what I suggest for your AD settings: 1.) Enable local home folders. 2.) Connect via SMB. This will keep your users' Mac home folders local to the machine but if their Windows network home folder is properly defined in their AD account settings then these should automatically mount on the Desktop via SMB at login.
  If you can get your Windows home folders to mount automtically on the users' Desktops then you can experiment with synchronization. After logging in, each user can visit Apple menu --> System Preferences... --> Accounts and the synchronization options will be available. A user can synchronize all or part of his local Mac home folder to his mounted Windows home folder.
  Hope this helps! bill
  1 GHz Powerbook G4   Mac OS X (10.4.7)  

• 10.5.5 Active directory problem for mobile users

  I an running 10.5.5 on a MBP 2.4. The computer is attached to Active Directory for authentication. The accounted is setup as a mobile user with automatic home sync. Below is the problem I'm experiencing after 10.5.5.
  Upgrade worked fine, everything went through as expected. When I got home with computer, couldn't login. I did eventually get logged in, computer became extremely unresponsive at intermittent times.
  At work next day, everything worked fine.
  I believe this is a problem with 10.5.5 computers that are bound to AD, when AD is not available (but internet is.) Some type of weird priority locking or timeout setting? It seems to fail immediately if no network is available, but if the internet is available it is like it gets "hung" waiting for a response.
  Anybody else having similar problems?
  Below are the details on the specific tests that brought me to this conclusion.
  1) Boot with work network cable connected - Works fine
  2) Boot with work wifi network enabled - works fine
  3) Boot with public wifi network enabled and work cable - works fine.
  4) Boot with only public wifi - appears "frozen" (turned off after 5 minutes of trying to login)
  5) Boot without network or wifi - works fine using cached mobile account info
  6) Boot with network cable and public wifi, remove network cable after login- works fine for a period becomes periodically frozen. attempts to do anything become queued, when computer starts responding queue emptys out (can see menus / applications switch around to correspond with clicks.)
  7) Change account to Manual sync of mobile account, again boot with network cable and public wifi, remove network cable- no freezing responds normaly.
  All steps repeated after rebinding computer to AD - same results.

  First rule of installing an upgrade, run permissions repair both before & after. Did you do that?
  I'm using a Mac dual bound to AD & OD, works perfectly. I can't speak for the exact setup of your network but I personally would be suspicious of AD. I had a similar issue some time back where my processor would go crazy with the net directory authentication running like crazy. Turned out AD had somehow forgotten my computer. It only happened away from work where my Mac couldn't contact the AD server (not exactly sure why). I'd try the following.
  1. While at work create a local administrative account on your Mac (you should always have a backup account anyway).
  2. Login as local admin account.
  3. open Directory Utility from the Applications/Utilities folder & remove the AD server (you'll need an account that can bind machines to AD).
  4. re-add your Mac to AD.
  This may resolve your issue & shouldn't hurt anything in the least.

• Binding to Active Directory Problem. I am a Newb! probably something stupid

  Hey All,
  Trying to get my apple xsever to join our windows domain. I got it to bind and the user accounts show up on the machine but then it askes me to join it to the Active Directory Kerberos realm. I am confused.
  what i am trying to do is joint it to the windows domain for my admin account on the actual server and then set up local user accounts on the machine so when my mac users log in they authenticate using the local mac account and not the windows domain account. Does this make sense? From what i read macs authenticate using the local account before going to the windows account which is what i want. I am a total newb to this so forgive me for the stupid questions.
  cheers all,
  jess

  Hi
  set up the xserve as an Open directory Master
  will it place nice on the network
  with the rest of the windows servers that we have.
  There should be no problem in doing this. All you need to do is decide whether you want your Mac Server to run its own DNS Service or to use the existing DNS service being provided by the AD Server. Open Directory Master requires DNS Services running somewhere.
  i just want to have a mac studio of about 35 people be
  kind of an island within a sea of windows users. If
  there can be cross over there then fine.. but really
  i want the mac to work well with the apple server and
  if i can get the windows clients hooked up also then
  fine.
  There should be no problem with this.
  When you say studio do you mean a graphics design studio? Or are you talking about a video production studio? If the answer is yes to either one or both then perhaps a simple file server would do. An Open Directory Master is OK in this environment but your network needs to be up to job. Ideally gigabit ethernet certainly for video production and also if your studio are heavy photoshop users. You could get away with 100Base-T but with 35 heavy users editing files stored on the server as well as Home folders it may be a bit too much. If this is the situation in your studio you would be better placed working locally and saving the files back to the server at the end of the day. You would set up your users with names and passwords in the OD directory node. Your studio can use those account details to log on to the server to access share points but still work locally if they need to. If you start windows services on the mac server then there should be no reason for windows clients to access share points on the mac server as well. Be careful how you configure windows services as you already have existing PC servers on the network.
  As you have already stated your aim is to keep the macs completely separate from the PCs then consider connecting all your macs to a separate switch and have them running of a different IP address range and subnet mask. You could then use an intervening router to handle traffic between the two networks, this way you control cross platform access to shared resources. If you understand networks, routers etc then you should be able to accomplish this without too much trouble. Again searching the Server forums should give you plenty of ideas and advice on the best way to achieve what you want. As ever defining and deciding what you want you want the server to do is half the problem.

• LDAP Active Directory Problem

  Hi,
  i have a win 2003 server (german) and apex 3.x. I (hope i ) have read all postings to this topic. Read the Apex Book, tried the Oracle Examples but all examples i have found won´t work for me. After three hours i found one solution that works:
  (Domain: marco.de)
  create or replace FUNCTION check_ldap_user(
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
  ) RETURN boolean IS
  l_session DBMS_LDAP.session;
  l_ret binary_integer;
  BEGIN
  l_session := DBMS_LDAP.init (
  hostname => '192.168.178.100',
  portnum => '389');
  IF (DBMS_LDAP.simple_bind_s (
  ld => l_session,
  --dn => 'cn='||upper(p_username)||',cn=user,dc=marco,dc=de', /* <= This line does not work */
  dn => upper(p_username), /* <= This Version work */
  passwd => p_password)) = 0 AND p_password IS NOT NULL THEN
  l_ret:=DBMS_LDAP.UNBIND_S(ld=> l_session);
  RETURN True;
  ELSE
  RETURN False;
  END IF;
  EXCEPTION WHEN OTHERS THEN
  dbms_output.put_line(sqlerrm);
  RETURN FALSE;
  END;
  The Question is, if there any problems with a german Active Directory Server (Mayby the groups like "Domänen-Admins" are the problem)
  Thanks
  Marco

  Hi,
  Any help?

• Query Active Directory + Problem with thumbnailPhoto

  Hi<o:p></o:p>
  I have a problem and I don’t know if it is my SQL Query, so here goes
  <o:p></o:p>
  I have a view on my SQL server that Queries our Active Directory. I can see that there is data in the table.<o:p></o:p>
  But when I try to use the Image in some C# code I get an error on 60% of the images with the exception header missing or corrupted.
  My view is built with this Query:
  select
  * from
  openquery
  ADSI,'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName,  department, thumbnailPhoto
  FROM ''LDAP:[REMOVED]''
  WHERE objectCategory = ''Person''
  Do you have any idea where the problem is? The photos shows up fine in Outlook, SharePoint, lync etc. I’m pretty sure that the C# code works correctly. Hope you can help.
  Regards
  If only I had time to learn everything I wanted ...

  Hi Latheesh
  I've tried with this script:
  SELECT ISNULL(ROW_NUMBER() OVER ( ORDER BY department ), -999) 'id' ,
  CONVERT(NVARCHAR(25), givenName) AS Fornavn ,
  CONVERT (NVARCHAR(50), sn) AS Efternavn ,
  CONVERT(CHAR(5), UPPER(SUBSTRING(mail, CHARINDEX(mail, N'@'),
  CHARINDEX(N'@', mail)))) AS 'initialer' ,
  CONVERT(NVARCHAR(255), mail) AS Mail ,
  CONVERT(NVARCHAR(75), title) AS Stilling ,
  CONVERT(NVARCHAR(120), department) AS Afdeling ,
  CONVERT(NVARCHAR(13), telephoneNumber) AS Fastnet ,
  CONVERT(NVARCHAR(13), mobile) AS Mobil ,
  CASE WHEN userAccountControl = 2 THEN 'Account is Disabled'
  WHEN userAccountControl = 16 THEN 'Account Locked Out'
  WHEN userAccountControl = 17
  THEN CONVERT (VARCHAR(48), 'Entered Bad Password')
  WHEN userAccountControl = 32
  THEN CONVERT (VARCHAR(48), 'No Password is Required')
  WHEN userAccountControl = 64
  THEN CONVERT (VARCHAR(48), 'Password CANNOT Change')
  WHEN userAccountControl = 512 THEN 'Normal'
  WHEN userAccountControl = 514 THEN 'Disabled Account'
  WHEN userAccountControl = 544
  THEN 'Account Enabled - Require user to change password at first logon'
  WHEN userAccountControl = 8192
  THEN 'Server Trusted Account for Delegation'
  WHEN userAccountControl = 524288
  THEN 'Trusted Account for Delegation'
  WHEN userAccountControl = 590336
  THEN 'Enabled, User Cannot Change Password, Password Never Expires'
  WHEN userAccountControl = 65536
  THEN CONVERT (VARCHAR(48), 'Account will Never Expire')
  WHEN userAccountControl = 66048
  THEN 'Enabled and Does NOT expire Paswword'
  WHEN userAccountControl = 66050
  THEN 'Normal Account, Password will not expire and Currently Disabled'
  WHEN userAccountControl = 66064
  THEN 'Account Enabled, Password does not expire, currently Locked out'
  WHEN userAccountControl = 8388608
  THEN CONVERT (VARCHAR(48), 'Password has Expired')
  ELSE CONVERT (VARCHAR(248), userAccountControl)
  END AS 'Disabled' ,
  CONVERT(NVARCHAR(75), givenName + ' ' + sn) AS 'DisplayName' ,
  CONVERT (VARBINARY(MAX), thumbnailPhoto) AS 'Photo'
  INTO ##adTemptable
  FROM openquery
  ADSI,'SELECT sAMAccountName, mail, title, displayName, telephoneNumber, mobile, sn, givenName, department, thumbnailPhoto,userAccountControl
  FROM ''[REMOVED]''
  WHERE objectCategory = ''Person''
  WHERE department IS NOT NULL
  But i still gets the same error on MANY rows
  OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6846 and truncated data length is 4000.
  OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 7006 and truncated data length is 4000.
  OLE DB provider 'ADsDSOObject' for linked server 'ADSI' returned truncated data for column '[ADsDSOObject].thumbnailPhoto'. The actual data length is 6496 and truncated data length is 4000.
  If only I had time to learn everything I wanted ...

• Solaris 10 Active Directory problem

  I've been battling through the integration of Active Directory on our Solaris 10 systems, and have reached another brick wall. I am able to getent passwd <user> and kinit <user> without any problems, but any attempt to su or login via SSH shows the following:
  Apr 14 10:34:26 eddie su: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: New password cannot be zero length
  Using Samba version 3.0.23b, connecting to Windows Server 2003, with SP1. I've tried various fixes, tried installing and uninstalling other versions of ldap, pam, and krb5.
  If anyone could shed some light on this error, it would be much appreciated.
  Cheers,
  Dave

  have you checked this link?
  http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp?cid=e5595

• Yet another active directory problem

  Hi,
  I'm trying to bind a few Macs in my Windows 2003 Active Directory Domain, they're the first that comme with Lion 10.7.2 out of the box. I'va had my share of problems with AD binding of Macs, but I already have a lot of 10.6.8 Macs, and a few other that got upgraded from 10.6 to 10.7 without much problems and those work fine with my AD.
  That, of course, couldn't last and I now have a new problemes with my 10.7.2 Macs. The binding process in itself seems to work fine, I've got the green light in front of my AD domain and I can log with my AD accounts on my Macs. The problem start when I try to access the directory utility to change the default settings for "active directory" (any settings will do, create mobile acount for example) : this creates another AD binding in "network account server", I can still login with my ad accounts but none of the settings I set in the directory utility are effective.
  Both of those AD binding are shown with a green light, but the second one has a comment stating that it is not present in the auth scope rules. My AD DNS domain name is something like "domainname.com" (no .local), but the short netbios name is something like "dom" : the original AD binding on my 10.7.2 Macs is "dom", and the one created after I change some settings is "domainname". On my other Lion or SL Macs correctly joined to my domain, the domain only appears with the name "domainname" : it seems that for some reason Lion is now troubled by the fact that my netbios name is not the dns name minus the extension...
  If I unbind one of my correctly working upgraded 10.7.2 Macs, it exhibits the same issue when I try to rebind it.
  Does anyone else has a similar AD configuration, and does it work with 10.7.2 ? Does anyone has any idea of how to work around it ?
  Thanks

  Hi there,
  I have experienced the same problem with Macs in my Windows environment. I have found a work-around for it, but it is a little bit tedious. What I have found is that if you reinstall Lion (10.7 or 10.7.1) and bind it to the domain before patching to 10.7.2 it will bind correctly with only one entry in the network account server dialog. From there you can updagte to 10.7.2 and it will work correctly. There is a catch, though. If for any reason you need to unbind the machine from the domain, you will run into the same problem when you try to bind it again. I know it is not much of a fix, but it is what I have been doing to get around the problem. I hope this helps you out.
  Regards

• Active directory problem ?

  i have installed a brad new Xserver Intel Xenon dual core with 10.4.8, and i have manged to get the computer connected to our windows 2000 AD it´s on a windows 2003 server but the ad is in 2000 mode, and kerberized it, and the server is a domain member. I have populated the local group with AD users, and i have no problem to logon from our macs, but when i try the same account from one of the pc´s with XP sp2 they can´t logon, and i get the logfile like this. If i logon with a local server account from the pc there is no problem.
  NTSTATUS_WRONGPASSWORD
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  netbios connect: name1=FILSERVER name2=DAVIDXP
  netbios connect: local=filserver remote=davidxp, name type = 0
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  netbios connect: name1=FILSERVER name2=DAVIDXP
  netbios connect: local=filserver remote=davidxp, name type = 0
  User "davidedlund" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090)
  checkntlmpassword: Authentication for user [david.edlund] -> [david.edlund] FAILED with error NTSTATUS_WRONGPASSWORD
  Macbook Pro   Mac OS X (10.4.8)  
  Macbook Pro   Mac OS X (10.4.8)  

  If you completely remove it from your forest and partitions Yes that is possible. I have included some more links for you. 
  How to remove data in Active Directory after an unsuccessful domain
  controller demotion
  Active Directory – Remove a Domain Using NTDSUTIL
  Regards.
  Mahdi Tehrani   |  
    |  
  www.mahditehrani.ir
  Please click on Propose As Answer or to mark this post as
  and helpful for other people.
  This posting is provided AS-IS with no warranties, and confers no rights.
  How to query members of 'Local Administrators' group in all computers?

• Active Directory problems/client log in issues

  We have a Windows 2003 Active Directory Server running DNS, DHCP, and Active Directory.
  We have a xserve g5 file server that serves the files for our school.
  Our xserve will not join the kerberos domain on the 2003 Server. We have unbound, rebound, rebooted, repaired permisions, run the kron scrips, did a file system check, all that stuff. We have even done a check disk on the 2003 server. Any ideas as to what could be causing this?
  On top of that our Mac users are unable to log in using active directory. Our pc users are able to log in but there profile mount does not mount. We have no ideas left as to what do do. Please help

  Hi Leif
  I guess it would have been impossible to bind the
  server without having done that first?
  That is true, but I have had experience where the reverse pointer was not created due to a problem with DHCP reserved pools on the AD Server.
  Having said that, it seems the DNS reverse (PTR
  records) might not always be setup by AD setup
  wizards depending on what is chosen at setup time
  ("small" or "big" AD?).
  Exactly right. Forward lookup no problem, bound no problem, imported test users from AD user base, mcx etc, clients bind OK but can’t log in, tell-tale jiggle on the log in window everytime with the added ‘AFP or SMB is on another server etc’ message. Issuing host command reveals no reverse pointer for the ODM, you can never be too certain when it comes to DNS, its a good tip to test and test again and is saves a lot of problems later on.

• Active Directory Problems

  We have Windows Active Directory running here. I think I got the mac mini connected properly to active directory, I can login as AD users and that seems to work ok. My problem is the home folder. I need it to be set to a network location, not local. From everything I've found it appears to be setup correctly. I also set the home folder settings in AD, but it doesn't map a drive at all, let alone make it the home directory. Please help!

  Have you have specified in the AD accounts for your users the path to the home folder? Does this work correctly for you on a Windows machine? If so, then the setup is correct for the Mac as well.
  Also in the Active Directory plugin on the Mac have you adjusted your settings to connect to a network home folder via SMB?
  bill
  1 GHz Powerbook G4   Mac OS X (10.4.9)  

• Java activation framework problem

  Hi there,
  I'm almost running mad. Here's the story, I have implemented a Textviewer.class to test if i can write a bean to be used as a plugin.
  I want an application to be able to lookup the class using the mailcap Commandmap implementation. My TextViewer class implements the Commandobject interface, and when I lookup the CommandClass associated with the current Datahandler it shows:
  TextViewer
  my mailcap looks like this:
  text/plain;; x-java-view=TextViewer
  But when I want to instantiate the bean using:
  dh[index].getBean(ci);
  it doesnot instantiate the bean but it returns null.
  Am I leaving something out, should the bean be in a Jar file, in a Package? The bean is in the current package and in the current directory, and the directory is included in the CLASSPATH.
  If I try to retrieve the bean using the getCommandObject method in CommandInfo class like this:
  try {
  Object my_secbean = cmds[verb_choice.getSelectedIndex()].getCommandObject(dh[index],cmds[verb_choice.getSelectedIndex()].getClass().getClassLoader());
  } catch (IOException e) {             
  System.err.println("Message: " + e.getMessage());
  System.exit(-1);
  } catch (ClassNotFoundException e) {
  System.err.println("Class not found");
  System.err.println("Message: " + e.getMessage());
  System.exit(-1);
  it prints the following statement:
  Class not found
  Message: TextViewer
  So it seems the classloader is unable to find the class, the class resides in the directory where the application is started and the current directory "." is in the CLASSPATH variable.
  But where does the classloader look for the class?
  cheeerrrrs jan

  Hi there,
  I'm almost running mad. Here's the story, I have implemented a Textviewer.class to test if i can write a bean to be used as a plugin.
  I want an application to be able to lookup the class using the mailcap Commandmap implementation. My TextViewer class implements the Commandobject interface, and when I lookup the CommandClass associated with the current Datahandler it shows:
  TextViewer
  my mailcap looks like this:
  text/plain;; x-java-view=TextViewer
  But when I want to instantiate the bean using:
  dh[index].getBean(ci);
  it doesnot instantiate the bean but it returns null.
  Am I leaving something out, should the bean be in a Jar file, in a Package? The bean is in the current package and in the current directory, and the directory is included in the CLASSPATH.
  If I try to retrieve the bean using the getCommandObject method in CommandInfo class like this:
  try {
  Object my_secbean = cmds[verb_choice.getSelectedIndex()].getCommandObject(dh[index],cmds[verb_choice.getSelectedIndex()].getClass().getClassLoader());
  } catch (IOException e) {             
  System.err.println("Message: " + e.getMessage());
  System.exit(-1);
  } catch (ClassNotFoundException e) {
  System.err.println("Class not found");
  System.err.println("Message: " + e.getMessage());
  System.exit(-1);
  it prints the following statement:
  Class not found
  Message: TextViewer
  So it seems the classloader is unable to find the class, the class resides in the directory where the application is started and the current directory "." is in the CLASSPATH variable.
  But where does the classloader look for the class?
  cheeerrrrs jan

• JAAS and Active Directory Problem

  I am attempting to use the JAAS Tutorial code to authenticate against a Windows 2000 domain controller. The code as is works against a domain controller that I set up, but when I attempt to authenticate against a client's domain, I receive an exception:
  Authentication failed:
  Pre-authentication information was invalid (24)
  javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
  The troubleshooting documentation indicates that this could mean 3 things:
  1. the password is incorrect - since I am logging in with my account, I am certain the password is correct.
  2. you are using the keytab to obtain the key and the key may have changed since obtaining the keytab - I am not using the useKeyTab option in my configuration of the Krb5oginModule and the option defaults to false.
  3. clock skew. I am sure that there is no time difference between my computer and the server.
  That said, does anyone know of any other reason that authentication will fail?

  I am using....
  AppConfigurationEntry entry = new AppConfigurationEntry(
  "com.sun.security.auth.module.Krb5LoginModule",
  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
  options);
  and I get the same thing. Running Win2K Pro. Trying to use GSS-API to do Kerberos authentication.
  Jay

• Checking to see whether a user exists in a Windows Active Directory

  I have a little java applet that has to run through a large list of users, and for one of its tasks, it has to check to see whether that user exists. Mostly this is the same as running with local users, with the one exception that I can't just check to see if a home directory exists.
  Right now I am checking the return code from "net user <username>", but executing this program for every potential user is extremely slow.
  Are any java facilities to deal with users on the local system? If not, does anyone else have any suggestions?
  Also, a note for any responses- I'm using java to get around the lack of any easy way to set up a good scripting environment on Windows. I have a completed tool, and I don't want to rewrite it.

  <sarcasm>
  I seem to remember this service - what's it called? Ah, Google. Yes.
  </sarcasm>
  Try http://www.google.com/search?q=java+active+directory+query