Kerberos, Active Directory & WLS 10.3.5 on Solaris 10 (also UCM 11g)

The story so far:
I have a keytab from the kdc and have configured krb5.conf such that kinit and using the Kinit class from rt.jar (from the 1.5 OS JDK not the 1.6 used with WLS) are working.
An AD authentication provider in WLS is allowing logins to UCM using AD domain accounts, this is the top provider.
I've configured a negotiate identity assertion provider (default settings).
I've created a JAAS configuration file that includes debug=true.
I've set a bunch of start parameters for the UCM managed server which point to the JAAS config file, enable negotiation and set Kerberos debug on.
I've cleared the managed server and admin server caches umpteen times and performed umpteen + n restarts, but to no avail. Needless to say, it (i.e. Kerberos ticket negotiation resulting in not having to re-enter my network credentials, having already authenticated to the AD domain, to UCM) is not working.
But, curious oddity #1, I am getting no debug regarding krb5 in the managed server logs/out at all (the start-up parameters do register in the log!) even if I incorporate a deliberate error. Nothing, de nada, zilch.
Has anyone got WNA/Kerberos working with WLS 10.3.5 using java 1.6 on Solaris 10 64bit SPARC with or without UCM? Or any other platform/application? Is anyone able to cast any light on why there is no debug?

It could be related to the size of the kerberos ticket (not sure here, just a guess).
When a user belongs to many groups, it affects the size of the ticket, some tips are provided here: http://support.microsoft.com/kb/327825
(not related to JRockit, but to the MaxTokenSize in the Windows registry).
Could also run into trouble when using a front-end such as Apache HTTP Server (and WebCache)
- http://httpd.apache.org/docs/2.2/mod/core.html (set the LimitRequestFieldSize http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize appropriately)
- WebCache: WXE-11355 Single request header length exceeds configured maximum. A forbidden error response is returned to the client. Client IP: %s error
- Cause: One of the headers in the request exceeded the configured maximum.
- Action: Adjust the maximum individual header size limit in the Security page of OracleAS Web Cache Manager. If the problem persists, contact Oracle Support Services.
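Both limits this reply points at can be checked before a login fails, as an added example that is not part of the original thread: the group-count formula is the estimate given in the linked KB 327825, the 12000-byte MaxTokenSize default (Windows releases before Windows 8 / Server 2012) and the 8190-byte Apache LimitRequestFieldSize default are the documented defaults and are assumptions here rather than values from the page, and the HTTP request is a constructed sample with a filler token, not a captured one.

```python
import base64
import math

# Documented defaults for the two limits the thread points at (assumed values, not from the page).
MAX_TOKEN_SIZE_DEFAULT = 12000       # bytes; HKLM\...\Lsa\Kerberos\Parameters\MaxTokenSize, pre-Windows 8 / 2012
APACHE_FIELD_LIMIT_DEFAULT = 8190    # bytes; Apache httpd LimitRequestFieldSize default
NEGOTIATE_PREFIX = "Authorization: Negotiate "


def estimated_token_size(d: int, s: int) -> int:
    """KB 327825 estimate: 1200 bytes of fixed overhead, 40 bytes per domain-local group
    (and per universal group from outside the account's domain, d), 8 bytes per global
    group (and per universal group from inside the account's domain, s)."""
    return 1200 + 40 * d + 8 * s


def exceeds_max_token_size(d: int, s: int, max_token_size: int = MAX_TOKEN_SIZE_DEFAULT) -> bool:
    return estimated_token_size(d, s) > max_token_size


def negotiate_field_length(token_len: int) -> int:
    """Length of the whole 'Authorization: Negotiate <base64>' header field line for a
    SPNEGO token of token_len bytes: base64 turns every 3 input bytes into 4 characters."""
    return len(NEGOTIATE_PREFIX) + 4 * math.ceil(token_len / 3)


def oversized_header_fields(raw_request: str, limit: int = APACHE_FIELD_LIMIT_DEFAULT):
    """Return [(field_name, field_length)] for every header field line longer than limit.
    Apache applies LimitRequestFieldSize to the whole field line, name included."""
    oversized = []
    for line in raw_request.split("\r\n")[1:]:   # [0] is the request line
        if line == "":
            break                                 # blank line ends the header block
        if len(line) > limit:
            oversized.append((line.split(":", 1)[0], len(line)))
    return oversized


def build_sample_request(token: bytes) -> str:
    """Constructed sample request carrying a (fake) SPNEGO token in the Negotiate header."""
    return ("GET /cs/ HTTP/1.1\r\nHost: ucm.example.test\r\n"
            + NEGOTIATE_PREFIX + base64.b64encode(token).decode("ascii") + "\r\n\r\n")


if __name__ == "__main__":
    # A user in 300 domain-local and 200 global groups: estimate 14800 bytes, over the 12000 default.
    print("token estimate:", estimated_token_size(300, 200), "over limit:", exceeds_max_token_size(300, 200))
    # A 9000-byte token becomes a 12025-character header line, which Apache rejects at the 8190 default.
    big = build_sample_request(b"\x60" * 9000)
    print("oversized fields:", oversized_header_fields(big))
    print("fits after raising LimitRequestFieldSize to 16384:", oversized_header_fields(big, 16384) == [])
```

The two checks are deliberately separate: the group formula tells you whether the KDC-side token will fit MaxTokenSize, while the header check tells you whether the base64-encoded result will survive the front end, which is the part that fails silently with a 400 from Apache or the WXE-11355 message from Web Cache rather than with any Kerberos debug output.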

Similar Messages

  • WLS 7.0 Active Directory authenticator - problems starting managed server (Solaris 8)

    Has anyone managed to setup a WLS 7.0 Active Directory authenticator and booted
    a managed server using the node manager? I can boot the server without the AD
    authenticator and I can also boot the server using a script and successfully authenticate
    through AD. My AD control flag is set to OPTIONAL and I have also setup a default
    authenticator to boot weblogic - the control flag here is set to SUFFICIENT. This
    configuration works fine with weblogic running on W2K, but not on Solaris (it
    looks like the control flag is being ignored). Errors as follows
    ####<Oct 1, 2002 1:59:08 PM BST> <Info> <Logging> <mymachine> <server01> <main> <kernel identity> <> <000000> <FileLogger Opened at /opt/app/live/appserver/domains/test/NodeManager/server01/server01.log>
    ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000415> <System has file descriptor limits of - soft: 1,024, hard: 1,024>
    ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000416> <Using effective file descriptor limit of: 1,024 open sockets/files.>
    ####<Oct 1, 2002 1:59:09 PM BST> <Info> <socket> <mymachine> <server01> <main> <kernel identity> <> <000418> <Allocating: 3 POSIX reader threads>
    ####<Oct 1, 2002 1:59:19 PM BST> <Critical> <WebLogicServer> <mymachine> <server01> <main> <kernel identity> <> <000364> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential>
    weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
    at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
    at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
    at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
    at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
    at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
    at weblogic.Server.main(Server.java:31)
    ####<Oct 1, 2002 1:59:19 PM BST> <Emergency> <WebLogicServer> <mymachine> <server01> <main> <kernel identity> <> <000342> <Unable to initialize the server: Fatal initialization exception
    Throwable: weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
    weblogic.security.service.SecurityServiceRuntimeException: Problem instantiating Authentication Providerjavax.management.RuntimeOperationsException: RuntimeException thrown by the getAttribute method of the DynamicMBean for the attribute Credential
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:186)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:236)
    at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1506)
    at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1308)
    at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1247)
    at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1364)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1107)
    at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
    at weblogic.Server.main(Server.java:31)

    Solved the problem. The 'domain root' directory specified in the remote start configuration,
    must contain a copy of the file 'SerializedSystemIni.dat' that was created along
    with the domain, in order to boot when an AD authenticator is configured. If an
    AD authenticator is not configured, no file is required. This was not a platform
    specific issue; on Win2K I had configured the 'domain root' remote start parameter
    to point to an existing domain root and not a new directory.
    "Andrew Walker" <[email protected]> wrote:

  • SharePoint, Active Directory and GMail

    Dears,
    I have SharePoint 2013 connected to Active Directory with <MyDomain> as domain name. I also have a Gmail domain <MyDomain> (same name); we are creating users in our firm to have the same ID and email address on both domains.
    My questions are:
    1- How can I sync this process automatically?
    2- SharePoint is not sending email to users on Gmail, knowing that I used the following code to send email from my SharePoint server and it's working fine:
    using Microsoft.SharePoint;
    using Microsoft.SharePoint.Utilities;
    using (SPSite site = new SPSite("http://onlinesrv/"))
    using (SPWeb web = site.RootWeb)
    {
        bool sent = SPUtility.SendEmail(web, true, false, "user@<MyDomain>.com", "Test gmail", "From SharePoint Portal using gmail account as smtp");
        Console.WriteLine(sent.ToString());
    }
    Any help ??!

    Hi Omar,
    According to your description, my understanding is that you want to send email to users that have Gmail in AD.
    Have you installed SMTP? You need to install SMTP to use Gmail; for more information, please refer to the link:
    Configuring Outgoing email settings in SharePoint with Gmail SMTP
    Also, you need to create a User Profile Service Application, then start a full sync to sync the user profile.
    More information, please take a look at:
    http://maxteo.wordpress.com/2013/01/16/configure-sharepoint-2013-outgoing-email-using-gmail-smtp-and-resolving-user-profile-synchronization/
    I hope this helps.
    Thanks,
    Wendy
    Wendy Li
    TechNet Community Support

  • Query on DNS setup for Active Directory for a new data center

    I have third party DNS appliances providing DNS Service for Active Directory (Windows 2008 R2) and there are also secondary DNS servers, which are MS DNS server with a secondary zone configured, for redundancy. I have to setup a new data center
    and move servers/services to this data center. In this scenario, can I install a new Microsoft DNS server with a secondary zone and use this as the primary DNS Server for all the member servers at this new location ? I am aware that this new DNS server will
    not be able to make any updates to the secondary zone and for that purpose, is there anyway to redirect such requests to the DNS appliances in my current data center across the WAN ? I am trying to avoid purchasing a new DNS appliance for the new data center
    and want to know what are the alternatives I have.
     

    I'm not entirely sure of your setup, as normally you would use AD-integrated zones for DNS in an AD environment, although there are other options, as you have already set up.
    The fact that the zone is a secondary zone in DNS server terms doesn't mean you can't point your clients to it as their primary DNS server. They will quite happily resolve names using a secondary server.
    So as long as your DNS devices are correctly set up to support the additional secondary zone, I see no reason why you couldn't do this.
    Regards,
    Denis Cooper
    MCITP EA - MCT

  • AD Redesign / Restructure / Tools which further Improve / Enhance Active Directory's USABILITY-CONSUMERIZATION

    Hello,
    This study/discussion can be beneficial for all of us,
    as we will be able to find out what is best, from both the business and the technical aspects,
    in terms of:
    AD as a Service.
    AD as an Application.
    Checking the IPD for AD does provide details which for the most part are technical, which is right, as these details are more best practices irrespective of the nature or function of any company.
    Still there are many tools/utilities/apps/solutions which an organization with
    1. Over 60,000 users/machines
    2. Over 100 Trust Relationships
    3. Manufacturing sites/locations with equipment/machinery whose operations-functionality must not be disturbed ever...
    These are a few of the real and practical scenarios organizations have to manage, and with AD once deployed you have to restrict, or rather say live with it, as this Directory-Service solution is not as modular as some others are....
    This could be very exhaustive as it is purely an organization's decision.
    However, with the help of this forum I want to know which are the best known and recommended tools/apps/solutions regarding the following:
    1. User/Employee Type Differentiation- Attribute basis, Group-Membership basis more.. which are the known and recommended tools ?
             -  Tool 1
             -  Tool 2
             -  Tool 3
    2. Delegation Model -Delegation of Control/Management of AD objects (Dept./Role Specific) ?
             -  Tool 1
             -  Tool 2
             -  Tool 3
    3. Control Access Rights and Privileges so that a resource is only accessible by the respective dept. - Security Policies - User Rights, AppLocker/Software Restriction, NTFS permissions, Claims Token: which are the other known tools and which are the recommended ones..?
             -  Tool 1
             -  Tool 2
             -  Tool 3
    Thanks!
    BR,
    An Extremist

    Hi,
    With Active Directory installed, we have the tools below to manage AD:
    Active Directory Users and Computers
    Active Directory Domains and Trusts
    Active Directory Sites and Services
    In addition, we also have the command-line tools below:
    Dcdiag, repadmin, adsiedit, ntdsutil and so on
    Please also refer to the link below for Active Directory Management Support Tools
    http://technet.microsoft.com/en-us/library/cc738135(v=ws.10).aspx
    Regards,
    Yan Li

  • What is Azure? Can it replace an on premise Active Directory?

    As you might guess, I'm a complete newbie to Azure and have no knowledge of it at all.
    I have a project for which I need to find the most efficient and cost-effective solution. Rather than me ask questions, perhaps it's better I explain the project and hopefully someone will be able to tell me if Azure will provide a solution.
    I have an on premise SBS 2003 R2 server which I need to replace due to the end of life of Server 2003 R2. This server provides, AD, Exchange and File & Print services to around 40 users. I have been given the remit of 'spend as little as possible
    and use Cloud services as much as possible' to achieve the migration but I don't want it to be at the expense of productivity and end user harmony.
    I have started trialling Office 365, which will hopefully take care of the File and Exchange side of things. So far the users have found it a bit frustrating trying to navigate to files on SharePoint. They are unable to effectively map a drive or explore
    to SharePoint and they are frequently asked to enter their O365 password, on top of their local domain password. Although I've not tried Single Sign On, it sounds like this might resolve the issues we're having with O365.
    From what I've heard, I'd need an on premise AD server in order to implement Single Sign On, so this means buying a new on premise 2012 server to replace the 2003 SBS server. This obviously means expense. I'm wondering if there is an alternative solution
    that addresses the Single Sign On problem and gives me AD features, such as group policy, but without the necessity for an on premise server. Ideally it would also give me print server features too.
    Has anyone any idea if Azure can provide an effective solution to my project or have any other solutions. If not, I'll have to get the on premise server.

    Hi TIMTAM73,
    This is actually a great topic around the position of Azure for the Enterprise environment and how Azure AD might help.
    You've earlier mentioned that you're currently trialling O365, for which I truly congratulate you. In my opinion, that's by far the best SaaS product for organizations looking for a professional Exchange, SharePoint and CRM solution.
    Please let me also introduce a new term to the discussion, namely Azure Active Directory (AAD, for short). AAD is what the entire Office 365 users & groups repository is based on.
    In terms of Windows Server Active Directory, if you're looking to domain-join your organizational computers after you ditch your ancient-WS2003 server, please be advised that AAD won't help, because currently AAD is NOT an LDAP, meaning that it's only
    a little more than a user&groups repository and that's it. However, because you were advised to look more into cloud services, please note that there's always the option of deploying a VM with Windows Server 2012 R2 installed and install the role of Active
    Directory Domain Services on it. This also means that you get LDAP, but on a newer system.
    Afterwards, you'll have to worry how your organizational computers will join the domain you created "in the cloud". Here's where Azure Virtual Networks come in. Considering that you have a decent router, you have the option of creating a site-to-site
    VPN and thus connect your local LAN to a network of cloud services which will be hosted on the same IP classes where your computers are: voila, you get domain-joined computers on a cloud-hosted VM.
    Lastly, because Exchange might be too expensive to acquire and maintain, I suggest you look into Office 365. Here, you have the option of using the so-called AD Connect (or the generally available and tested DirSync option) which will synchronize your users
    and (optionally) password hashes. Additionally, there's also the option of Single Sign-On (SSO), which will save your users from having to regularly input their credentials.
    As for the File and Exchange things, you have a few options:
    Use OneDrive for Business and thus your users will get a OneDrive repo directly in File Explorer
    Deploy a VM on your cloud service which has the File and Document role installed, with the Work Folders feature, and afterwards configure Work Folders on your users' Windows 7/8 PCs
    ...or simply use an SMB share or FTP on that VM on Azure
    Please keep in mind that when it comes to document sharing, it would be best to add at least an additional data drive (with no write caching) and configure the shares on this/these drives. Never use the D:\ drive on the VM - that's a temporary storage solution
    designed for caching in IIS, for example - or C:\ - the OS disk has write caching applied and you'll eventually get into lots of trouble with your users for losing their data :).
    I hope this helps. I'll be happy to give you more insights and put you on the right track if you miss finding the right documentation.
    Alex

  • Best Way to Remove Server from Active Directory

    I was wondering the best practice to remove a server from AD according to Microsoft.  
    Option 1 :
    Login to server and take it off the domain and put it into a workgroup
    Then login to AD and make sure it is removed
    Confirm removal from DNS
    Option 2 :
    Login to Domain Server and manually remove
    Confirm removal from DNS
    Thanks
    Also the servers are running Windows 2008 R2

    So if its just a file server, I would just go with option 1 to ensure the cleanest removal from Active Directory?
    What would happen if I just removed it from Active Directory after powering it down?  Still a clean result?  Or is it considered best practice to take the server off the domain from the server then power it down and then remove from Active Directory?
     Please let me know and also if you want me to clarify.
    I am not sure if I understood you correctly but if you just right click the computer object in Active Directory and delete it you have to manually delete the DNS records as well or wait for scavenging period to delete the outdated DNS records.
    Mahdi Tehrani

  • Help with Active Directory Integration and kerberos

    Hello,
    I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
    Our domain name is CORP.DOMAIN.COM.
    When we request the GC in this domain:
    bash-3.00# nslookup -query=any gc.tcp.corp.domain.com
    Server: 1.2.1.6
    Address: 1.2.1.6#53
    ** server can't find gc.tcp.corp.domain.com: NXDOMAIN
    there is no answer.
    But when we request without corp, we find the servers:
    bash-3.00# nslookup -query=any gc.tcp.domain.com | grep sis
    gc.tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
    gc.tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
    bash-3.00#
    Is it possible to add the possibility to enter the domain name where the gc.tcp records reside?
    Thank you.
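The lookup this post describes, written out as an added example (not code from the thread): start at the host's own domain and walk up through the parent domains until a global catalog SRV record answers, which is why the records only appear at domain.com here. The standard record name is _gc._tcp.<forest root> with the leading underscores (the nslookup output above shows them stripped). The zone data below is constructed from the host names in the post and stands in for DNS; the resolver is a callback so the same walk can be pointed at a real resolver library. The forest_root bound is an assumption added here so that the walk never continues into a parent domain the organisation does not own.

```python
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]   # (priority, weight, port, target)

# Constructed stand-in for DNS. It mirrors what the post observed: the global catalog records
# exist only under the forest root (domain.com), while the child domain (corp.domain.com)
# answers for its own KDC records. Targets are the host names from the post.
SAMPLE_ZONES: Dict[str, List[SrvRecord]] = {
    "_gc._tcp.domain.com": [
        (0, 100, 3268, "serveur02.corp.domain.com."),
        (0, 100, 3268, "serveur01.corp.domain.com."),
    ],
    "_kerberos._tcp.corp.domain.com": [
        (0, 100, 88, "dc01.corp.domain.com."),
        (0, 100, 88, "dc02.corp.domain.com."),
    ],
}


def sample_resolver(name: str) -> List[SrvRecord]:
    """Resolver callback over the sample data; an empty list plays the role of NXDOMAIN."""
    return SAMPLE_ZONES.get(name.lower().rstrip("."), [])


def candidate_names(service: str, domain: str, forest_root: Optional[str] = None) -> List[str]:
    """SRV names to try, from the given domain up through its parents. The walk stops at
    forest_root when one is given, so a lookup never wanders into a foreign parent zone;
    without one it stops before the top-level label."""
    labels = domain.strip(".").lower().split(".")
    names = []
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        names.append(f"{service}._tcp.{parent}")
        if forest_root is not None and parent == forest_root.strip(".").lower():
            break
    return names


def find_srv(service: str, domain: str,
             resolve: Callable[[str], List[SrvRecord]] = sample_resolver,
             forest_root: Optional[str] = None) -> Tuple[Optional[str], List[SrvRecord]]:
    """First name in the walk that has SRV records, with the records ordered as a client
    would use them: lowest priority first, higher weight first within a priority."""
    for name in candidate_names(service, domain, forest_root):
        records = resolve(name)
        if records:
            return name, sorted(records, key=lambda r: (r[0], -r[1], r[3]))
    return None, []


def global_catalog_hosts(domain: str, resolve=sample_resolver, forest_root=None) -> List[str]:
    """'host:port' list for the global catalog, or [] when no _gc._tcp record is reachable."""
    _, records = find_srv("_gc", domain, resolve, forest_root)
    return [f"{target.rstrip('.')}:{port}" for _, _, port, target in records]


if __name__ == "__main__":
    print("tried:", candidate_names("_gc", "corp.domain.com"))
    print("GC found at:", find_srv("_gc", "corp.domain.com")[0])
    print("GC hosts:", global_catalog_hosts("corp.domain.com"))
    print("bounded to the child domain only:", global_catalog_hosts("corp.domain.com", forest_root="corp.domain.com"))
```

To run it against real DNS, pass a resolve callback that wraps a resolver library (for dnspython, one that calls dns.resolver.resolve(name, "SRV"), maps each answer's priority, weight, port and target into the tuple shape above, and returns [] on NXDOMAIN). Whatever the resolver returns, the DNS answer only tells the client where to connect; it is the Kerberos exchange with the service that authenticates the host, so an unexpected parent-zone answer should be treated as a configuration fault, not trusted.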

    Hello
    The domain.com domain exists, but it's not our domain.
    So when I put domain.com, it searches with no result (nothing happens).
    Our kdc.conf:
    [kdcdefaults]
    kdc_ports = 88,750
    [realms]
    CORP.DOMAIN.COM = {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    admin_keytab = /etc/krb5/kadm5.keytab
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    default_principal_flags = +preauth
    }
    krb5.conf:
    [libdefaults]
    default_realm = CORP.DOMAIN.COM
    default_checksum = rsa-md5
    [realms]
    CORP.DOMAIN.COM = {
    kdc = dc01.corp.domain.com
    kdc = dc02.corp.domain.com
    }
    [domain_realm]
    .corp.domain.com = CORP.DOMAIN.COM
    corp.domain.com = CORP.DOMAIN.COM
    In every domain, I think the GCs are in corp.domain.com, but in my company they're in domain.com...
    Thank you,

  • Unable to add Active Directory: Kerberos Client trace scenario configuration

    Hi,
    While trying to add the Active Directory: Kerberos Client trace scenario configuration, I am getting this error message in the log (see below).
    What am I missing?
    Thanks
    Alex.
    6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on supplemental OPN: done
    6/24/2014 10:09:18 AM Warning Cannot create ETW manifest loader for Active Directory: Kerberos Client: The system cannot find the file specified. Please check that the manifest is properly installed
    6/24/2014 10:09:18 AM Information running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: completed successfully
    6/24/2014 10:09:18 AM Error running ETW Manifest Import Adapter on Active_Directory__Kerberos_Client: Unexpected exception happened: The given key was not present in the dictionary. stacktrace:    at Microsoft.Opn.Runtime.Messaging.Etw.GeneratedOpnCacheManager.ImportEtwProviderMetadata(Guid
    providerId, EtwManifestResolver manifestResolver, Boolean reportConflicts)
    Product Technical Specialist in Identity Management, Microsoft Canada. http://blogs.msdn.com/alextch

    Active Directory: Kerberos Client is a MOF-based ETW provider.
    It looks like the PEF/Message Analyzer version you're using doesn't parse events from MOF-based providers.
    We added support for MOF-based ETW providers in PEF/MA v1.0.2. What PEF/MA version are you using?
    Alternatively, you can use the LinkLayer/Firewall trace scenarios to get the Kerberos network traffic, or other Kerberos manifest-based ETW providers, for example the "Microsoft-Windows-Security-Kerberos" ETW provider, if these providers produce any ETW events.

  • Authentication on Active Directory under Kerberos v5

    Hi!!
    I'm trying to authenticate a user in Active Directory (with Kerberos v5) and I get this error message:
    C:\j2sdk1.4>java -Djava.security.auth.login.config=gsseg_jaas.conf -Djava.security.krb5.conf=krb5.conf -Dsun.security.krb5.debug=true GssExample
    Parametros introducidos ...
    Nombre de usuario de Kerberos [AAL]: Administrador
    Contraseña de Kerberos de Administrador: swtest03
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbAsReq etypes are: 3 1
    KrbKdcReq send: kdc=192.168.80.109, port=88, timeout=30000, number of retries =3, #bytes=239
    KrbKdcReq send: #bytes read=125
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:sTime is Tue Mar 25 18:52:52 CET 2003 1048614772000
    suSec is 447772
    error code is 14
    realm is BRUJULATEST.LOCAL
    sname is krbtgt/BRUJULATEST.LOCAL
    eData provided.
    Authentication attempt failedjavax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:568)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at GssExample.main(GssExample.java:74)
    Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
    at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
    at sun.security.krb5.Credentials.acquireTGT(DashoA6275:333)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
    ... 12 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.af.a(DashoA6275:129)
    at sun.security.krb5.internal.au.a(DashoA6275:58)
    at sun.security.krb5.internal.au.<init>(DashoA6275:53)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
    ... 15 more
    Is there anyone who can help me???
    Thanks to everybody!!

    I've got it!!!
    I can authenticate any user less than Administrator.
    But I can do it with a user, that I created, with administrator permissions.

  • Active Directory multi forest Kerberos authentication Tomcat

    Sorry. It is wrong forum. I forwarded my question to Business Objects forum.
    Hi,
    I have Business Objects Enterprise XI R2 with Tomcat installed on Windows 2003. My BO server and users are placed in different Active Directory forests (BO domain x forest A, users domain y forest B). I would like to authenticate users from domain y in my BO using Kerberos.
    There is a trust between those domains. I also set the SPN and configured the "Windows AD" tab in the Central Management Console.
    I can add an AD group from domain y and list users from that domain in the Central Management Console. But when a user from domain y tries to log on to BO he gets the error java.lang.NullPointerException. Due to this error, he is unable to connect.
    There is also an error logged in Tomcat stdout.log file:
    70051106 [http-8080-Processor22] ERROR com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction  - LoginContext failed. No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
    If anyone has come across this situation, please share the solution.
    Thanks & Regards,
    Piotr
    Edited by: Piotr Heise on Mar 27, 2009 2:08 PM

    Hi
    Is your enterprise configured to a Java Active Directory?
    Then there can be multiple causes:
    - The Java and the Central Management Server (CMS) are using encryption types that do not match.
    - The Service Principal Name in the CMC is incorrect
    Then to resolve this perform the following steps:
    - In the Central Configuration Manager, double-click the CMS, and note the service account used.
    - In Windows Domain users and computers, go to account properties for the CMS service account.
    - Select Use DES encryption types for this account. In large AD deployments this change can take time to propagate.
    - Login to the CMC and verify (Authentication -> Active Directory -> Service Principal Name) is in the format BOBJCentralMS/HOSTNAME.DOMAIN.COM
    - Restart the CMS server and log on.
    In a clustered CMS environment ensure that all CMS's are running under the same domain account.
    Hope this helps!!!
    Regards
    Sourashree
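    The two encryption-type symptoms in these threads (the "KDC has no support for encryption type (14)" KrbException quoted earlier, and the DES-versus-non-DES mismatch between the service account and the Java side in the answer above) both come down to the keys sitting in the keytab not matching what the KDC or the account will actually use. The quickest way to see what a keytab really contains is to read it. The following is an added Python example, not code from any poster or product in this thread: it parses the MIT keytab layout (version 0x0502), lists each principal's kvno and encryption type, and flags any key whose enctype is outside an allowed set. The principal name, the keytab bytes and the zero-filled key material are constructed for the demonstration; to inspect a real file, pass the result of `open(path, "rb").read()` to `parse_keytab`.

```python
"""Read an MIT-format Kerberos keytab (version 0x0502), report each key's
principal, kvno and encryption type, and flag enctypes a KDC or service
account will not accept. Added example; the keytab contents are constructed."""
import struct
from typing import Iterable, List, NamedTuple, Set, Tuple

# Kerberos 5 encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


class KeytabEntry(NamedTuple):
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # 32-bit name type, 32-bit timestamp, 8-bit kvno
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:               # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key))
    return entries


def build_keytab(keys: Iterable[Tuple[str, int, int, bytes]]) -> bytes:
    """Write the same layout; used here only to construct the sample file."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, ts 0
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def unsupported_enctypes(entries: List[KeytabEntry],
                         allowed: Set[int]) -> List[Tuple[str, str]]:
    """Keys whose enctype the KDC or account would reject: (principal, name)."""
    return [(e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in entries if e.enctype not in allowed]


# Constructed sample: one service principal with an AES-256 key and a legacy
# des-cbc-md5 key. Key bytes are zero-filled placeholders, not real keys.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/ucm.example.com@EXAMPLE.COM", 3, 18, bytes(32)),
    ("HTTP/ucm.example.com@EXAMPLE.COM", 3, 3, bytes(8)),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    # An account with DES disabled only gets AES/RC4 keys, so the DES key is flagged:
    print("rejected:", unsupported_enctypes(entries, {17, 18, 23}))
```

    The check to run against a real keytab is the last one: compare the enctypes present with what the KDC and the service account allow (for an AD account that means the "Use DES encryption types" flag and, on newer domains, the AES settings), and also compare the kvno with the account's current value, since a stale kvno after a password or ktpass run fails in a similar way.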

  • How to configure Active Directory LADP with WLS 8.1

    Hi
    somebody help me configure LDAP Active Directory with BEA WebLogic 8.1
    I can't understand what i should do.
    ThanX

    WLS 8.1 sp1 has a couple of issues with Active Directory. You need to get fixes from
    BEA. sp2 is supposed to have these fixes included.
    Anant
    "Neil" <Neil-reply-in-newsgroup> wrote:
    This seems strange. I would make sure your installation is correct
    (particularly the lib/mbeantypes directory). If that is correct, I would
    test it with a new domain created with the domain configuration wizard to
    rule out any strange configuration possibilities. If both of those fail, I'd
    file a support case.
    - Neil
    "Max" <[email protected]> wrote in message
    news:[email protected]...
    Jay Zimmett <[email protected]> wrote:
    Read this:
    http://edocs.bea.com/wls/docs81/secmanage/providers.html#1172008
    Max KUlinich wrote:
    Hi
    somebody help me configure LDAP Active Directory with BEA WebLogic8.1
    I can't understand what i should do.
    ThanX
    I try to do this but with no good results. I get this exception:
    java.lang.reflect.InvocationTargetException
    at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:3129)
    at weblogic.security.utils.Pool.getInstance(Pool.java:57)
    at weblogic.security.providers.authentication.LDAPAtnDelegate.getConnection(LDAPAtnDelegate.java:2646)
    at weblogic.security.providers.authentication.LDAPAtnDelegate.listUsers(LDAPAtnDelegate.java:1814)
    at weblogic.security.providers.authentication.LDAPAuthenticatorImpl.listUsers(LDAPAuthenticatorImpl.java:167)
    at sun.reflect.GeneratedMethodAccessor184.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.management.modelmbean.RequiredModelMBean.invoke(RequiredModelMBean.java:1304)
    at weblogic.management.commo.CommoModelMBean.invoke(CommoModelMBean.java:464)
    at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1557)
    at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1525)
    at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:765)
    at weblogic.management.console.utils.Security.getUserList(Security.java:1436)
    at weblogic.management.console.actions.security.ListUsersAction.updateContents(ListUsersAction.java:56)
    at weblogic.management.console.actions.security.ListLWSecurityAction.getContents(ListLWSecurityAction.java:85)
    at weblogic.management.console.tags.security.LWTableTag.getRowData(LWTableTag.java:462)
    at weblogic.management.console.tags.security.LWTableTag.printTable(LWTableTag.java:141)
    at weblogic.management.console.tags.security.LWTableTag.doEndTag(LWTableTag.java:133)
    at weblogic.management.console.webapp._security.__usertable._jspService(__usertable.java:327)
    at weblogic.servlet.jsp.JspBase.service(JspBase.java:33)
    at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1053)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:387)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
    at weblogic.servlet.internal.RequestDispatcherImpl$ForwardAction.run(RequestDispatcherImpl.java:382)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
    at weblogic.servlet.internal.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:286)
    at weblogic.servlet.jsp.PageContextImpl.forward(PageContextImpl.java:151)
    at weblogic.management.console.actions.ForwardAction.perform(ForwardAction.java:35)
    at weblogic.management.console.actions.internal.ActionServlet.doAction(ActionServlet.java:173)
    at weblogic.management.console.actions.internal.ActionServlet.doGet(ActionServlet.java:91)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1053)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:387)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:305)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6310)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3622)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2569)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
    Caused by: netscape.ldap.LDAPException: error result (49); 80090308:LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece;Invalid credentials
    at netscape.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4852)
    at netscape.ldap.LDAPConnection.internalBind(LDAPConnection.java:1757)
    at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1294)
    at netscape.ldap.LDAPConnection.authenticate(LDAPConnection.java:1303)
    at netscape.ldap.LDAPConnection.bind(LDAPConnection.java:1613)
    at weblogic.security.providers.authentication.LDAPAtnDelegate$LDAPFactory.newInstance(LDAPAtnDelegate.java:3108)
    ... 43 more
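    The "Caused by" at the bottom of that trace is the part worth reading: LDAP result 49 only says the simple bind failed, while the Active Directory diagnostic text after it ("data 525") says why, and 525 is AD's "user not found" sub-status. That points at the bind identity (the Principal/Credential configured in the WebLogic Active Directory authenticator) not existing in that directory, not at a wrong password and not at the users being listed. The following is an added Python example, not code from the thread or from WebLogic: it parses that diagnostic string and maps the AD sub-status to a reason. The first message is the one quoted above joined onto one line; the "data 52e" variant is constructed for contrast.

```python
"""Classify an Active Directory simple-bind failure from the LDAP result code
and the AD diagnostic message ('... comment: AcceptSecurityContext error,
data NNN, ...'). Added example, not WebLogic code."""
import re
from typing import NamedTuple, Optional

# AD sub-status codes carried in the diagnostic text of LDAP result 49
# (invalidCredentials). AD prints them in hex without a 0x prefix.
AD_BIND_DATA = {
    0x525: "user not found",
    0x52E: "invalid credentials (bad password)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_RESULT = re.compile(r"error result \((?P<code>\d+)\);\s*(?P<diag>.*)")
_DIAG = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


class BindFailure(NamedTuple):
    result_code: int
    hresult: str
    data: Optional[int]
    reason: str


def classify_bind_error(message: str) -> BindFailure:
    """message: the LDAPException text, e.g. 'error result (49); 80090308:LdapErr: ...'."""
    m = _RESULT.search(message)
    if not m:
        raise ValueError("not an LDAP 'error result' message")
    code = int(m.group("code"))
    d = _DIAG.search(m.group("diag"))
    if code != 49:
        return BindFailure(code, d.group("hresult") if d else "", None,
                           "LDAP result %d (not a credentials failure)" % code)
    if not d:
        return BindFailure(49, "", None, "invalid credentials (no AD diagnostic data)")
    data = int(d.group("data"), 16)
    return BindFailure(49, d.group("hresult"), data,
                       AD_BIND_DATA.get(data, "unknown AD sub-status 0x%x" % data))


# The message from the trace above, joined onto one line.
PAGE_MESSAGE = ("error result (49); 80090308:LdapErr: DSID-0C09030F, comment: "
                "AcceptSecurityContext error, data 525, vece;Invalid credentials")
# Constructed variant: same DSID, but the sub-status for a wrong password.
CONSTRUCTED_52E = ("error result (49); 80090308: LdapErr: DSID-0C09030F, comment: "
                   "AcceptSecurityContext error, data 52e, vece;Invalid credentials")

if __name__ == "__main__":
    for msg in (PAGE_MESSAGE, CONSTRUCTED_52E):
        r = classify_bind_error(msg)
        print("result %d data %s: %s" % (r.result_code, hex(r.data) if r.data else "-", r.reason))
```

    Keep this level of detail in server-side logs only. The sub-status distinguishes an unknown account from a wrong password, which is exactly what an authentication front end should not reveal, so whatever a web application or login page returns to the caller for a failed bind stays a generic failure while the parsed reason goes to the audit log.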

  • Kerberos authentication with Active Directory

    I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
    I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
    How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
    I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
    import java.io.*;
    import javax.security.auth.callback.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    public class krb5ADLogin1 {
        public static void main(String[] args) {
            LoginContext lc = null;
            try {
                // the entry name must match the block name in the JAAS config file
                lc = new LoginContext("krb5ADLogin1", new TextCallbackHandler());
                lc.login();   // prompts for user name and password on the console
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    Here is my config file:
    krb5ADLogin1 {
        com.sun.security.auth.module.Krb5LoginModule required;
    };
    The command I use to start the program is:
    java -Djava.security.krb5.realm=mydomain.com
    -Djava.security.krb5.kdc=DomainController.mydomain.com
    -Djava.security.auth.login.config=sample.conf krb5ADLogin1

    Hi there ... the Sun web site has the following snippet:
    http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
    + javax.security.auth.login.LoginException: KrbException::
    Pre-authentication information was invalid (24) - Preauthentication failed
    Cause 1: The password entered is incorrect.
    Solution 1: Verify the password.
    Cause 2: If you are using the keytab to get the key (e.g., by
    setting the useKeyTab option to true in the Krb5LoginModule entry
    in the JAAS login configuration file), then the key might have
    changed since you updated the keytab.
    Solution 2: Consult your Kerberos documentation to generate a new
    keytab and use that keytab.
    Cause 3: Clock skew - If the time on the KDC and on the client
    differ significantly (typically 5 minutes), this error can be
    returned.
    Solution 3: Synchronize the clocks (or have a system administrator
    do so).
    Good luck,
    -Derek

  • Authentication with Active Directory Group in WLS 10.0

    Hi,
    By using the Active Directory authenticator in WLS 10.0, I managed to get connected to the AD and can see the groups and users in the administration console.
    But, I am having troubles setting up the security role(s) in my web app. I can't figure out how to configure it so that I can actually sign in to my web app using an AD group.
    Here are the web.xml & weblogic.xml files:
    web.xml
    <web-app>
    <welcome-file-list>
    <welcome-file>/SecuredPage.jsp</welcome-file>
    </welcome-file-list>
    <security-constraint>
    <display-name/>
    <web-resource-collection>
    </web-resource-collection>
    <auth-constraint>
    <description>Constraint for aduser</description>
    <role-name>aduser</role-name>
    </auth-constraint>
    </security-constraint>
    <!-- Login Config -->
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
    </login-config>
    <!-- Security Roles -->
    <security-role>
    <description>Users of myADgroup</description>
    <role-name>aduser</role-name>
    </security-role>
    </web-app>
    weblogic.xml
    <weblogic-web-app>
    <security-role-assignment>
    <role-name>aduser</role-name>
    <principal-name>ADUserGroup</principal-name>
    </security-role-assignment>
    </weblogic-web-app>
    For the above config, my intention is to give access only to the members of ADUserGroup to my webapp. This group is listed in myrealm at WLS as well as members of this group (ADUserGroup). But while trying to login as any members of this group, got 403 error!
    Any suggestion!!
    Thanx in advance!
    Any help would be appreciated!

    Okay, guys, now it seems working as I changed group type from distribution to security in Active Directory.
    Edited by ronobi at 02/18/2008 6:27 AM

  • Using Active Directory to control WLS administration console access

    Hello,
    We have bound our WLS 12c instance to our Active Directory service for authentication, and this appears to be working. Next I would like to create an AD group - let's call it "WebLogic-Admin" - whose members (in AD) will have access to the WLS admin console just as if they were a member of the local Administrators group. When I load my WebLogic-Admin group and click on the Membership tab, I have no option to add it to any Parent Groups.
    So how can I use my AD group to delegate administrator privilege?
    Thanks,
    Bill

    cd ('/SecurityConfiguration/' + domain_name + '/Realms/myrealm/RoleMappers/XACMLRoleMapper')
    cmo.setRoleExpression(None,"Admin","{Grp(Administrators)|Grp(WebLogic-Admin)}")
    or
    Home >Summary of Security Realms >myrealm >Realm Roles >Edit Global Role >Realm Roles >Edit Global Role and add your AD group to admin global role.
    Edited by: 923288 on 5.10.2012 16:53
