Kerberos & AFP fails to login via kerberos
Hi,
I am unable to log in via AFP using Kerberos. When I used the kadmin.local -q listprincs command to list the principals, the afpserver is listed. When I change the authorization to Kerberos, I receive: "Connection Failed! The User Authentication Method required by this server can't be found." It was working under 10.4.3; is there any change since?
PowerMac G5 DP 2.0 Mac OS X (10.4.4)
You get this message:
<blockquote>The server has rejected your login. Please verify that your user name and password are correct. Error Code: 800cccd1 </blockquote>
And Thunderbird can successfully receive/send on the test account but not on your own account, with the same server/port/SSL settings?
Other than the possibility that your password is incorrect...
Does your server require or have you tried entering your login username in this format:
domain\username
I don't know whether the following is relevant to your mailbox (server-side issue): [http://support.microsoft.com/kb/949926 Error when you use an IMAP4 client or a POP3 client to log on to a delegate mailbox of Exchange Server 2007: "800cccd1"].
Similar Messages
-
AFP login via Kerberos from 10.5 clients to 10.4 server broken
I don't know if this is connected to the problem laid out by William W. Higgins in [Open Directory or LDAP Problem with 10.5 Client and 10.4 Server|http://discussions.apple.com/thread.jspa?threadID=2163645&tstart=0]. The symptoms are... somewhat different, so I'll start a new thread.
We've got a small office with a bunch of 10.5.8 clients, a couple of 10.6 clients, one lone Windows 2000 client, and a number of remote users. I've had my OS X Server 10.4.11 machine (a PowerMac G5 single 1.8GHz, fwiw) working happily as an OD Master for the past few weeks. It's mostly a file server and a back DNS server for our public web site—we have web service turned on, but it's mostly to allow remote users to download files (or upload via WebDAV). The server has a secondary NIC that's hooked up to the cable modem in the DMZ. Everything else is behind the modem's NAT.
We've had some things show up on the logs that are making us want to tighten security, both in the LAN and over the internet. We've gone to HTTPS for the web server and are using TLS/SSL for the PureFTPd server. We closed the SMB ports on the external firewall—something we should have done years ago, probably.
I wanted to switch the AFP service over to Kerberos authentication only. However, when I make that change in Admin Server>AFP>Settings>Access, none of the clients can log on; they get an error reading:
+*Connection Failed*+
+There was an error connecting to the server. Check the server name or IP address and try again.+
+If you are unable to resolve the problem, contact your network administrator.+
Then, after you click on OK, you get the following:
+Sorry, the operation could not be completed because an unknown error occurred.+
+(Error code -5002)+
That code seems to indicate a Kerberos problem.
And when I try to log on as a network user from one of the clients, I get this message:
*+You are unable to log in to the user account "user" at this time+*
+Logging in failed because an error occurred.+
Gee, that's helpful!
Server Admin shows OD and Kerberos as up and running. The Password Service log has the following entry:
+Jan 21 2010 09:18:21 AUTH2: {0x4b4df87638fa1ec80000003400000034, bound-client-machine$} CRAM-MD5 authentication succeeded.+
So the log-on didn't go through Kerberos, for some reason, though it's been working fine that way for weeks.
I tried using +sso_util configure -r KERBEROS.REALM -a diradmin afp+ to make sure that single sign-on was running for AFP. No change.
I can use +dscl -u username -p localhost read /LDAPv3/Users/username+ and read the information on the user's home directory.
I can use /System/Library/CoreServices/Kerberos (or Ticket Agent) to request and receive a ticket. (Side note: does Kerberos really not allow login by secondary short names??? That's a pain! If I add principals for the secondary short names, will it authenticate correctly to the proper account???)
FTP is working. Web authentication is working. If I turn Kerberos authentication off for AFP, everything else seems to return to normal... but then the passwords are passed as cleartext, which isn't acceptable.
So... Is this a bug? Is this a conflict with PureFTPd? Am I doing something wrong?
Message was edited by: David Kudler
Post-reboot:
Well, the good news is that the kdc now shows up in the kadmin log as starting up:
Jan 26 11:43:02 localhost kadmind[98](info): Seeding random number generator
Jan 26 11:43:03 localhost kadmind[98](info): No dictionary file specified, continuing without one.
Jan 26 11:43:04 localhost kadmind[98](info): starting
The lack of dictionary file I believe is a minor error, right?
The bad news is that a) clients are no longer able to receive tickets (+*Kerberos Error* Configuration does not specify default realm+) and b) clients can't log on at all—not even via the Finder>Go>Connect to Server... command. Not even when you use the static IP address of the server rather than the DNS name.
DNS still seems to be working. I can get reverse lookup:
*cerberus:~ root#* dig -x 10.1.10.2
; <<>> DiG 9.3.6-APPLE-P2 <<>> -x 10.1.10.2
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
;; QUESTION SECTION:
;2.10.1.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
2.10.1.10.in-addr.arpa. 3600 IN PTR cerberus.limbo.jcf.org.
;; AUTHORITY SECTION:
10.1.10.in-addr.arpa. 3600 IN NS ns1.jcf.org.
10.1.10.in-addr.arpa. 3600 IN NS cerberus.limbo.jcf.org.
10.1.10.in-addr.arpa. 3600 IN NS 10.1.10.1.
;; ADDITIONAL SECTION:
ns1.jcf.org. 86400 IN A 207.58.140.213
cerberus.limbo.jcf.org. 3600 IN A 10.1.10.2
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 26 11:50:51 2010
;; MSG SIZE rcvd: 163
*cerberus:~ root#* dig cerberus.hades.jcf.org
; <<>> DiG 9.3.6-APPLE-P2 <<>> cerberus.hades.jcf.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36453
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;cerberus.hades.jcf.org. IN A
;; ANSWER SECTION:
cerberus.hades.jcf.org. 86400 IN A 10.0.1.2
;; AUTHORITY SECTION:
hades.jcf.org. 86400 IN NS cerberus.hades.jcf.org.
hades.jcf.org. 86400 IN NS 10.1.10.1.
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 26 11:51:46 2010
;; MSG SIZE rcvd: 93
*cerberus:~ root#* changeip -checkhostname
Primary address = 10.1.10.2
Current HostName = cerberus.limbo.jcf.org
DNS HostName = cerberus.limbo.jcf.org
The names match. There is nothing to change.
(The DNS also checks out from the clients.)
But.... fubar.
When I run +kadmin.local listprincs+, it lists all of the users and computers I've added—plus a couple that I don't recognize but that seem to be the products of bound computers (the names are along these lines, rather than the actual computer names for the clients: +LKDC:SHA1.59B886209B027XXXXXXXXXXXXXXXXXXXXXXXXXXX$@CERBERUS.LIMBO.JCF.ORG+). But when I run +kadmin.local list_policies *+, it just pops down to the next prompt. There don't seem to be any policies defined. That can't be right, can it????
Further weirdness: I tried rebinding the client that I'm working from (an iMac running 10.6.2), also using the IP address. It goes through the binding process, but no dice—when I try to run System/Library/CoreServices/Kerberos.app, I still can't get a ticket. And the weird bit is, there doesn't seem to be a /Library/Preferences/edu.mit.Kerberos plist file on the client. Well, no wonder the client's Kerberos app can't authenticate the realm—there's no local file in which the data is stored!
I should note that when I rebooted this morning, I first booted to the backup drive and ran Disk Utility; I repaired permissions—more than once—and repaired the disk directory as well. Perhaps I have confused the **** out of it. Though how the permissions got fouled in the first place is beyond me.
I have other things to do (as it says in my profile, I'm the local IT guy by default)—though everyone where I work needs this problem solved.
At this point my options seem to be:
1.) Back up, demote, promote and reload the OD server.
2) Reinstall from scratch.
If anyone has any suggestions in the next hour or so, I'd love to hear them!
Message was edited by: David Kudler -
Failed to login via Internet Explorer 8 in Oracle Secure Backup
I cannot log in via Internet Explorer 8. When I enter admin as the user name and my password, it returns to the same page (the login page).
When you go to the login page or log out it removes (or attempts to) any previous cookies and recreates new cookies. I have been having a problem with Internet Explorer 8 where it seems to be returning something to my site that ColdFusion can't handle. I get java.lang.NullPointerException. The error messages say the error occurs either at line -1, with no idea what tag is involved, or line 6, which is in the middle of my cfapplication tag. The diagnostics line is always null other than the line number. From that, though, the error seems to occur before my cfapplication tag even runs.
That suggests to me that the previous cookie is removed, but no new cookie is being created. The null would therefore refer to the non-existent cookie object. One way out might be to create new cookies without attempting to remove previous ones. -
Checksum failed while authenticating via Kerberos
Hi All,
I am having a problem getting authentication using Kerberos to work; I get the message "checksum failed". The environment is Windows 2008 Server as DC and IE 8 as client, and the application is running inside JBoss (in this case I am using the negotiation-toolkit); the following trace is in the server.log. Can someone point me in the right direction for solving this problem? I've configured two local environments using W2K3 and W2K8 which are both working just fine, but in the customer's network it fails with the following trace:
2011-03-30 11:33:21,845 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:{}
2011-03-30 11:33:21,846 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8888-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2011-03-30 11:33:21,846 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Authenticating user
2011-03-30 11:33:21,846 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Header - Negotiate
2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (http-0.0.0.0-8888-1)
2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-0.0.0.0-8888-1)
2011-03-30 11:33:21,848 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) associate 176127440
2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Begin isValid, principal:FFE8282EB0A470619839BBD7EDF16A5E, cache info: null
2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) defaultLogin, principal=FFE8282EB0A470619839BBD7EDF16A5E
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(SPNEGO), size=13
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
ControlFlag: LoginModuleControlFlag: requisite
Options:
name=serverSecurityDomain, value=host
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=usersProperties, value=props/spnego-users.properties
name=rolesProperties, value=props/spnego-roles.properties
name=password-stacking, value=useFirstPass
2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) initialize
2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
2011-03-30 11:33:21,850 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) serverSecurityDomain=host
2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) login
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(host), size=13
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: com.sun.security.auth.module.Krb5LoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=principal, value=host/[email protected]
name=useKeyTab, value=true
name=storeKey, value=true
name=keyTab, value=/DATA/jbossserver.host.keytab
name=debug, value=true
name=doNotPrompt, value=true
2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /DATA/jbossserver.host.keytab refreshKrb5Config is false principal is host/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) KeyTab instance already exists
2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Added key: 23version: 4
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Ordering keys wrt default_tkt_enctypes list
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) principal's key obtained from the keytab
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Acquire TGT using AS Exchange
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq calling createMessage
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq in createMessage
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000, number of retries =3, #bytes=158
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KDCCommunication: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000,Attempt =1, #bytes=158
2011-03-30 11:33:21,853 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsRep cons in KrbAsReq.getReply host/jbossserver
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) principal is host/[email protected]
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Added server's keyKerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) [Krb5LoginModule] added Krb5Principal host/[email protected] to Subject
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Commit Succeeded
2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Subject = Subject:
Principal: host/[email protected]
Private Credential: Ticket (hex) =
0000: 61 82 01 1F 30 82 01 1B A0 03 02 01 05 A1 13 1B a...0...........
0120: 9E 96 D4 ...
Client Principal = host/[email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 81 5B 77 9E C3 74 46 AC 87 26 B0 00 5C B6 56 6E .[w..tF..&..\.Vn
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Wed Mar 30 11:33:17 CEST 2011
Start Time = Wed Mar 30 11:33:17 CEST 2011
End Time = Wed Mar 30 21:33:17 CEST 2011
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Logged in 'host' LoginContext
2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Creating new GSSContext.
2011-03-30 11:33:21,866 INFO [STDOUT] (http-0.0.0.0-8888-1) Found key for host/[email protected](23)
2011-03-30 11:33:21,867 INFO [STDOUT] (http-0.0.0.0-8888-1) Entered Krb5Context.acceptSecContext with state=STATE_NEW
2011-03-30 11:33:21,868 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
2011-03-30 11:33:21,869 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum failed !
2011-03-30 11:33:21,870 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
2011-03-30 11:33:21,870 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 35 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 41 more
2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1) [Krb5LoginModule]: Entering logout
2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1) [Krb5LoginModule]: logged out Subject
2011-03-30 11:33:21,872 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) abort
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) initialize
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-users.properties, defaults=null
2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[]
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-roles.properties, defaults=null
2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[[email protected], [email protected]]
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) abort
2011-03-30 11:33:21,872 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Login failure
javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
2011-03-30 11:33:21,873 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) End isValid, false
2011-03-30 11:33:21,873 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) clear 176127440
2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null
2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null -
Thanks! That did the trick.
For those who aren't sure what we're talking about, here are the details. In the inspector tab of the user's record in Workgroup Manager, there's an item called AuthenticationAuthority. For servers that use Kerberos, it should have at least two attributes, one for ApplePasswordServer and one for Kerberos.
The Kerberos entry should look something like this:
;Kerberosv5;0x4de7dafb19f92bf00000008b0000207c;[email protected];
MYSERVER.MYDOMAIN.COM;1024 35 1501888096699469040706569854027123220425732604738787130135110270232071940183724 3
78199029604219894640418726569868666187867257570714183982184166144733112632082318
21356466533532379022305132046121848691642928615842396713606475071069113591094835
025483043226511805720826544139932983788313141311383927555379596135211 [email protected]:123.45.67.89
When you copy the attribute from a working user, there are two items that need to be changed (assuming you have only one kerberos realm). The first item is the long string of letters and numbers after ;Kerberosv5; in the first line. That's the user's UUID. The second is the user's short name ("fred" in the example above). The easiest way to make the changes is to paste the attribute into a text editor (TextEdit, or TextWrangler if you have it). Copy the user's UUID from the problematic account, and paste it over the one in the text you previously copied and pasted. Then change the short name to match the problematic user. Then copy the entire block from your text editor, select AuthenticationAuthority and click the New Value button. Click in the Text: field and paste. The Hex field will take care of itself. Click OK, then Save your changes.
Of course before you start making changes like this to your directory, make sure you have a good back up to revert back to in case something gets messed up. -
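A small helper for the copy-and-edit step described in the reply above, added here as an example; it is not part of the original post and not an Apple tool. It parses a ;Kerberosv5; AuthenticationAuthority value, checks that the realm in the principal and the separate realm field agree, and writes out the value for another user with only the hex ID (the field the post calls the user's UUID) and the short name changed, leaving the KDC key block and the admin contact exactly as copied. The sample value is constructed in the shape the post shows: MYSERVER.MYDOMAIN.COM, "fred" and the IP come from the post, "wilma" and the new hex ID are made up, and the key number is shortened (a real value carries the full "1024 35 <modulus>" string).

```python
import re

# Constructed sample in the shape the post shows: hex ID, principal, realm repeated,
# then the KDC key block and the admin contact. The key number is shortened here.
WORKING_VALUE = (
    ";Kerberosv5;0x4de7dafb19f92bf00000008b0000207c;fred@MYSERVER.MYDOMAIN.COM;"
    "MYSERVER.MYDOMAIN.COM;1024 35 150188809669946904070656985402712322042573260473878713013511 "
    "root@MYSERVER.MYDOMAIN.COM:123.45.67.89"
)

_AUTHORITY_RE = re.compile(
    r"^;Kerberosv5;(?P<hex_id>0x[0-9a-fA-F]{32});(?P<short_name>[^;@]+)@(?P<realm>[^;]+);"
    r"(?P<realm_again>[^;]+);(?P<kdc_block>.+)$"
)


def parse_kerberos_authority(value: str) -> dict:
    """Split a ;Kerberosv5; AuthenticationAuthority value into its fields.

    Line breaks inside the key number (as when the value has been pasted through a
    text editor) are removed first. Raises ValueError for anything of the wrong shape.
    """
    m = _AUTHORITY_RE.match(value.replace("\r", "").replace("\n", ""))
    if m is None:
        raise ValueError("not a ;Kerberosv5; AuthenticationAuthority value")
    fields = m.groupdict()
    if fields["realm"] != fields["realm_again"]:
        raise ValueError("principal realm %r does not match realm field %r"
                         % (fields["realm"], fields["realm_again"]))
    return fields


def rewrite_for_user(template_value: str, new_hex_id: str, new_short_name: str) -> str:
    """Build the value for another user in the same realm.

    Only the hex ID and the short name change; the realm, the KDC key block and the
    admin contact are carried over verbatim from the working user's value.
    """
    fields = parse_kerberos_authority(template_value)
    if not re.fullmatch(r"0x[0-9a-fA-F]{32}", new_hex_id):
        raise ValueError("hex ID must be 0x followed by 32 hex digits")
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", new_short_name):
        raise ValueError("short name contains characters that do not belong in a principal")
    return ";Kerberosv5;%s;%s@%s;%s;%s" % (
        new_hex_id, new_short_name, fields["realm"], fields["realm"], fields["kdc_block"])


if __name__ == "__main__":
    # "wilma" and the new hex ID are constructed for the demonstration.
    print(rewrite_for_user(WORKING_VALUE, "0x4de7dafb19f92bf00000008b00002100", "wilma"))
```

The output is what goes into the Text: field of the new AuthenticationAuthority value in Workgroup Manager. The realm check matters because a value that passes the regex but names a different realm in the two fields will save without complaint and simply never authenticate.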
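On the "Checksum failed" raised in ArcFourHmacEType.decrypt in the JBoss trace further up the page: RFC 4757 (RC4-HMAC, etype 23) prepends an HMAC-MD5 over the plaintext to the RC4 ciphertext, and the acceptor verifies that MAC after decrypting the service ticket with the key from its keytab. The MAC can only match if the keytab holds the same key the KDC used, so a keytab that is out of date with respect to the account (password reset, kvno bumped, or the SPN bound to a different account than the keytab was made for) fails at exactly this point. The Python below is an added example, not code from the thread, from JBoss or from the JDK; it implements the RFC 4757 encrypt and decrypt steps and shows one ticket blob decrypting under the KDC's key and failing the checksum under a stale keytab key. Both keys, the ticket text and the principal name in it are constructed.

```python
import hashlib
import hmac
import os
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def _usage_salt(usage: int) -> bytes:
    # RFC 4757 section 3: the RFC 3961 key-usage number as 4 bytes little-endian,
    # with usages 3 and 9 mapped to 8 and usage 23 mapped to 13.
    return struct.pack("<I", {3: 8, 9: 8, 23: 13}.get(usage, usage))


class ChecksumFailed(Exception):
    """The HMAC-MD5 over the decrypted data did not match the transmitted checksum."""


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = None) -> bytes:
    """RFC 4757 encrypt: HMAC-MD5(K1, confounder||plaintext) || RC4(K3, confounder||plaintext)."""
    if confounder is None:
        confounder = os.urandom(8)
    k1 = _hmac_md5(key, _usage_salt(usage))
    cksum = _hmac_md5(k1, confounder + plaintext)
    k3 = _hmac_md5(k1, cksum)
    return cksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """RFC 4757 decrypt; the integrity check here is what the JDK reports as 'Checksum failed'."""
    if len(ciphertext) < 24:
        raise ValueError("ciphertext too short for checksum + confounder")
    cksum, body = ciphertext[:16], ciphertext[16:]
    k1 = _hmac_md5(key, _usage_salt(usage))
    k3 = _hmac_md5(k1, cksum)
    plain = rc4(k3, body)
    if not hmac.compare_digest(_hmac_md5(k1, plain), cksum):
        raise ChecksumFailed("Checksum failed")
    return plain[8:]  # drop the 8-byte confounder


# RFC 4120 key usage 2: the ticket enc-part, encrypted under the service's long-term key.
KEY_USAGE_TICKET = 2

# Constructed keys. An RC4-HMAC key is the 16-byte NT hash of the account password; these
# arbitrary bytes stand in for "what the KDC holds" and "what an out-of-date keytab holds".
KEY_AT_KDC = bytes.fromhex("1a7c3e5b9d0f2468ace1357b9d2f4e60")
KEY_IN_STALE_KEYTAB = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> tuple:
    """Encrypt a constructed ticket part under the KDC's key, then try both keytab keys."""
    ticket_part = b"constructed EncTicketPart for alice@EXAMPLE.TEST"
    blob = rc4_hmac_encrypt(KEY_AT_KDC, KEY_USAGE_TICKET, ticket_part)
    current_ok = rc4_hmac_decrypt(KEY_AT_KDC, KEY_USAGE_TICKET, blob) == ticket_part
    try:
        rc4_hmac_decrypt(KEY_IN_STALE_KEYTAB, KEY_USAGE_TICKET, blob)
        stale_fails = False
    except ChecksumFailed:
        stale_fails = True
    return current_ok, stale_fails


if __name__ == "__main__":
    print("current keytab key decrypts: %s, stale keytab key raises Checksum failed: %s" % demo())
```

Two things worth taking from this when reading a trace like the one above. First, because RC4 is a stream cipher, a wrong key does not produce a decryption error by itself; the only thing that catches it is the MAC, which is why the symptom is "Checksum failed" rather than a parse error. Second, the Krb5LoginModule debug output on this page prints the service key in clear (the keyBytes hex dumps); a server.log written with debug=true contains a credential and the host account's password should be changed once debugging is finished.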
Problem getting an LDAPContext after authenticating via Kerberos
Hi,
I am trying to create a Java program that can query an Active Directory server using the currently logged-in Windows user's credentials to authenticate via LDAP.
I am getting the following error in my output when trying to create the LdapContext object.
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
The full output is as follows
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_Administrator
Acquire default native Credentials
Obtained TGT from LSA: Credentials:
[email protected]
server=krbtgt/[email protected]
authTime=20090618162927Z
startTime=20090618162927Z
endTime=20090619022927Z
renewTill=20090625162927Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Principal is [email protected]
Commit Succeeded
Subject:
Principal: [email protected]
Private Credential: Ticket (hex) =
0000: 61 82 03 BC 30 82 03 B8 A0 03 02 01 05 A1 0A 1B a...0...........
<REMOVED>4 8A 8C BE 6B FD 65 5D 2F .R..t#@d...k.e]/
Client Principal = [email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: C0 62 F6 3F 5C 29 F4 7B C1 FC AB A0 77 D1 E7 E0 .b.?\)......w...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Thu Jun 18 17:29:27 BST 2009
Start Time = Thu Jun 18 17:29:27 BST 2009
End Time = Fri Jun 19 03:29:27 BST 2009
Renew Till = Thu Jun 25 17:29:27 BST 2009
Client Addresses Null
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_Administrator
Acquire default native Credentials
Obtained TGT from LSA: Credentials:
[email protected]
server=krbtgt/[email protected]
authTime=20090618162927Z
startTime=20090618162927Z
endTime=20090619022927Z
renewTill=20090625162927Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.thalesgroup.planit.ldap.LDAPAction.performLDAPOperation(Main.java:87)
at com.thalesgroup.planit.ldap.LDAPAction.run(Main.java:66)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.thalesgroup.planit.ldap.Main.main(Main.java:46)
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate
I am running this using the following VM arguments
-Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true
Finally my jaas config file is as follows
fsta {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true client=false useTicketCache=true;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
I am running this locally on the AD server (running Windows Server 2003).
Does anybody know how I can get rid of the exception and create an authenticated LdapContext?
Any suggestions would be greatly appreciated.
Thanks
Graeme
My java source is as follows (it's a modified example I found online)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class Main {
    public static void main(String[] args) {
        java.util.Properties p = new java.util.Properties(System.getProperties());
        // Kerberos realm names are case-sensitive: this value must match the
        // realm in the TGT exactly (AD realms are normally upper case)
        p.setProperty("java.security.krb5.realm", "fsta.com");
        p.setProperty("java.security.krb5.kdc", "192.168.1.10");
        p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        System.setProperties(p);

        // 1. Log in (to Kerberos) through the "fsta" entry of jaas.conf
        LoginContext lc = null;
        try {
            lc = new LoginContext("fsta", new TextCallbackHandler());
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed: " + le);
            System.exit(-1);
        }
        Subject subject = lc.getSubject();
        System.out.println(subject.toString());

        // 2. Perform JNDI work as logged in subject
        Subject.doAs(subject, new LDAPAction(args));
    }
}

/*
 * 3. Perform LDAP Action
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class LDAPAction implements java.security.PrivilegedAction<Object> {
    private String[] args;
    private static String[] sAttrIDs;
    private static String sUserAccount = "Administrator";

    public LDAPAction(String[] origArgs) {
        this.args = origArgs.clone();
    }

    public Object run() {
        performLDAPOperation(args);
        return null;
    }

    private static void performLDAPOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable<String, String> env = new Hashtable<String, String>(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname: with GSSAPI the LDAP service principal
        // (ldap/<host>) is derived from this URL, so an IP address will not match
        // the SPN registered for the server
        env.put(Context.PROVIDER_URL, "ldap://192.168.1.10:389");
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // env.put("javax.security.sasl.server.authentication", "true");
        try {
            /* Create initial context */
            DirContext ctx = new InitialDirContext(env);

            /* Get the attributes requested */
            // Create the search controls
            SearchControls searchCtls = new SearchControls();
            // Specify the attributes to return
            String returnedAtts[] = {"sn", "givenName", "mail"};
            searchCtls.setReturningAttributes(returnedAtts);
            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Specify the LDAP search filter
            String searchFilter = "(&(objectClass=user)(mail=*))";
            // Specify the base for the search
            String searchBase = "DC=fsta,DC=com";
            // Initialize counter to total the results
            int totalResults = 0;

            // Search for objects using the filter
            NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
            // Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult) answer.next();
                totalResults++;
                System.out.println(">>>" + sr.getName());
                // Print out some of the attributes, catch the exception if the attributes have no values
                Attributes attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        System.out.println(" surname: " + attrs.get("sn").get());
                        System.out.println(" firstname: " + attrs.get("givenName").get());
                        System.out.println(" mail: " + attrs.get("mail").get());
                    } catch (NullPointerException e) {
                        System.err.println("Error listing attributes: " + e);
                    }
                }
                System.out.println("RABOTIII");
            }
            System.out.println("Total results: " + totalResults);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
Edited by: GraemeK on Jun 18, 2009 11:56 AM -
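A pre-flight check on the JAAS Subject before it is handed to Subject.doAs(), written for this thread as an added example; it is not part of the original post, of the JDK, or of any library. It builds a dummy TGT in-process with the public KerberosTicket constructor, so it runs without a KDC; the realm FSTA.COM, the principal name, the ticket bytes and the session key are all constructed placeholders (the real realm is scrubbed in the post above). The checks encode the three things that most often lie behind "Failed to find any Kerberos Ticket" when the Subject visibly holds a ticket: the realm configured in java.security.krb5.realm not matching the ticket's realm byte for byte (realm names are case-sensitive), a ticket that is expired or is not a krbtgt/ ticket, and javax.security.auth.useSubjectCredsOnly=false, which lets JGSS bypass the Subject and log in again on its own through the com.sun.security.jgss.initiate entry.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

/**
 * Pre-flight checks on a JAAS Subject that is about to act as a GSSAPI
 * initiator (for example an LDAP SASL bind inside Subject.doAs()).
 * Added example for this thread; not code from the original post.
 */
public class SubjectTgtCheck {

    /** Returns human-readable findings; an empty list means nothing obvious is wrong. */
    public static List<String> check(Subject subject, String configuredRealm) {
        List<String> findings = new ArrayList<String>();

        // With useSubjectCredsOnly=false JGSS may ignore the Subject entirely and
        // acquire credentials itself via the com.sun.security.jgss.initiate entry,
        // so whatever this Subject holds no longer decides the outcome.
        if ("false".equalsIgnoreCase(System.getProperty("javax.security.auth.useSubjectCredsOnly"))) {
            findings.add("javax.security.auth.useSubjectCredsOnly=false: JGSS may bypass this Subject");
        }

        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            findings.add("Subject holds no KerberosTicket: the JAAS login produced no TGT");
            return findings;
        }
        boolean haveTgt = false;
        for (KerberosTicket t : tickets) {
            KerberosPrincipal client = t.getClient();
            String server = t.getServer().getName();
            if (server.startsWith("krbtgt/")) {
                haveTgt = true;
            }
            // Realm names are case-sensitive: "fsta.com" and "FSTA.COM" are different realms
            if (!client.getRealm().equals(configuredRealm)) {
                findings.add("ticket for " + client.getName() + " is in realm " + client.getRealm()
                        + " but java.security.krb5.realm is " + configuredRealm);
            }
            if (!t.isCurrent()) {
                findings.add("ticket for " + client.getName() + " to " + server + " is not currently valid");
            }
            // A TGT read from a cache without its session key cannot be used by an initiator
            if (t.getSessionKey().getEncoded().length == 0) {
                findings.add("ticket for " + client.getName() + " carries an empty session key");
            }
        }
        if (!haveTgt) {
            findings.add("Subject holds service tickets only, no krbtgt/ ticket");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed dummy TGT: realm, principal, ticket bytes and key are placeholders
        KerberosPrincipal client = new KerberosPrincipal("Administrator@FSTA.COM");
        KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/FSTA.COM@FSTA.COM");
        Date now = new Date();
        Date end = new Date(now.getTime() + 10L * 3600 * 1000);   // ten-hour lifetime
        KerberosTicket tgt = new KerberosTicket(
                new byte[] {0x61, 0x00},          // placeholder ASN.1 encoding
                client, tgs,
                new byte[16], 23,                 // placeholder 16-byte session key, etype 23 (rc4-hmac)
                null,                             // flags (none set)
                now, now, end,                    // authTime, startTime, endTime
                null, null);                      // renewTill, client addresses

        Subject subject = new Subject();
        subject.getPrincipals().add(client);
        subject.getPrivateCredentials().add(tgt);

        // Mirror the situation in the post: the VM flag is set and the realm is
        // configured in lower case while the ticket was issued in upper case
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        for (String finding : check(subject, "fsta.com")) {
            System.out.println("WARN: " + finding);
        }
    }
}
```

Run it once against the real Subject returned by lc.getSubject() and the realm you set in the properties; it prints a finding per mismatch. If the -Djavax.security.auth.useSubjectCredsOnly=false flag is present, the explicit "fsta" login and Subject.doAs are largely redundant: either drop the flag so the GSSAPI bind uses the Subject's TGT, or drop the explicit login and rely on the com.sun.security.jgss.initiate entry alone.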
How can I set up ssh via kerberos on MacOS 10.5 (Leopard)?
I am the de facto mac sysadmin for a few mac labs on a campus that is primarily Windows-using, and we have the Macs configured to do single sign-on via Kerberos and get their directory info via LDAP and home directories via NFS. This works fine for someone physically sitting at the machine, but I am running into a brick wall when it comes to sshing into these machines. ssh itself definitely works: I can ssh into the machine with a local user and password. And as I said, the kerberized login works fine from console. It's just getting the two to talk to each other.... Furthermore, there is a Linux box that we can successfully log into via kerberos/sso, so it's unlikely to be anything on the client side.
Things I've tried:
* Editing /etc/authorization and changing "authinternal" under system.login.tty to "builtin:krb5authnoverify,privileged" (I think this used to work; the same change to system.login.console is definitely what makes the console logins work)
* Editing /etc/sshd_config and setting "GSSAPIAuthentication yes" (this makes it match the sshd_config on the linux box we can log in to)
* In the same file, turning on "KerberosAuthentication" and friends (just because it looked promising)
Any ideas?
It's not completely obvious. What you have to do in Spaces is to position your cursor at the upper right of the screen, after which a faint + (plus) sign appears in that area. Click that, upon which another Desktop will appear.
The + may be difficult or impossible to see with some desktop backgrounds (black, for instance): -
Failed to find any Kerberos Key
Hi All,
I've all ready done all the steps in note 994791 (SPNego Wizard) for SSO configuration between Portal and ADS. After finishing the configuration I checked the login and still appears the authentification login page. I have checked Defaultrace log and it shows the following:
Cannot initializa login module [EXCEPTION]
com.sap.security.core.server.jaas.SPNgoLoginModule#java.lang.RuntimeException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
......... etc.
I have no clue what may go wrong and what I can check for fixing this issue. I did some notes like: Note 1130190 - SPNego fails with "Failed to find any Kerberos Key" and the configuration looks OK. What Could I do or check for this problem??? any help will be rewarded.
Thanks in advance.
Hi,
can you please have a look at the blogs
Configuring and troubleshooting SPNego -- Part 3
Configuring and troubleshooting SPNego -- Part 2
Configuring and troubleshooting SPNego -- Part 1
Maybe the troubleshooting section in the Part 3 can be of help.
Regards,
Holger. -
No valid credentials provided: Failed to find any Kerberos Ticket
I'm running a java routine on a Windows 2000 workstation and trying to use JAAS to authenticate against a RedHat based kerberos server. When I do a login I get the following debug information:
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: drrobison/admin
principal is drrobison/[email protected]
Added server's keyKerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 76 9B 32 9D 02 AB 23 4C
[Krb5LoginModule] added Krb5Principal drrobison/[email protected] to Subject
Commit Succeeded
When I print out the returned subject I get
Subject:
Principal: drrobison/[email protected]
Private Credential: Ticket (hex) =
Client Principal = drrobison/[email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 4F A7 BA 6D B0 E5 E5 6D
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket true
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Mon Nov 25 17:16:35 EST 2002
Start Time = Mon Nov 25 17:16:35 EST 2002
End Time = Tue Nov 26 03:16:35 EST 2002
Renew Till = Null
Client Addresses Null
Private Credential: Kerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 76 9B 32 9D 02 AB 23 4C
Then when I try to use the GSSManager.createCredential I get the following error:
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:142)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
GSSException No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket): No valid credentials provided: Failed to find any Kerberos Ticket
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.<init>(SimpleNTSCApp.java:115)
at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.main(SimpleNTSCApp.java:227)
Any ideas what the problem might be?
Many thanks in advance...
Hi,
I hope first that you solved your problem.
In fact I'm using Tomcat on Windows 2000 and I try to get tickets for a Kerberos V installation on a Linux box, using a Krb5LoginModule.
To do so, I would like to know how you tell your Windows box where to find the destination realm (in your case OPENROADSCONSULTING.COM).
If it is in the jaas.config file, could you send yours to me please?
Thanx by advance
Yann -
Windows 8 - user login and Kerberos Realm problems.
Hi,
Just installed Windows 8 Enterprise x64 from our MDT into our production environment for some final testing. I have done this with both Consumer and the Release Preview just to make sure our infrastructure can support users that want to run Windows 8 (Win 7 Enterprise will still be the default OS for our client desktops).
The problem I reported here with the Consumer Preview http://social.technet.microsoft.com/Forums/en-US/W8ITProPreRel/thread/069f59be-b89c-4005-8cd2-ff5fd756825a is still alive and kicking.
Logon after fresh reboot. (Windows 8)
Username: XWYZ
Password: *********
Sign in to: "OURKERBEROSREALM.SE"
We authenticate all our users with our Kerberos Realm and in our AD's all user passwords are random dummy placeholders, and are linked to the Kerberos realm.
When a user lock their computer, or put it in sleep mode, they should see this at their login.
XWYZ (their full name)
"OURKERBEROSREALM.SE\XWYZ(their username)
Locked
Password: ********
But it does not show this… it shows:
XWYZ (their full name)
WINDOWS DOMAIN NAME\XWYZ(their username)
Locked
Password: ********
This means that when they want to unlock their desktop, or login after sleep, it will try and authenticate their login on the domain AD and not the Kerberos realm. However if you choose to go back and select "other user" it defaults back to using "OURKERBEROSREALM.se" as "Sign in to:" domain.
This worked flawlessly in XP, Vista and Windows 7, but not in Windows 8. Not having our Kerberos realm as default login in every scenario is kind of a bummer.
I had some brief time looking into this, and my awesome workbuddy found that you can poke about the keys found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1
With the LastLoggedOnSAMUser and LastLoggedOnUser values I changed from "domain"\username to "kerberosrealm"\user, and when locking my computer or restarting, I now have no need to choose "other user" every time I want to login again.
At least somewhere to start. -
Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed
We use exchange 2010 SP2.
We have 2 management stations, both w2k8 R2 SP1.
I have one management station on which the emc and ems work ok.
On the other management station (which is also in another AD site) the emc and ems don't work.
I get the following error message : The attempt to connect to
http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I have checked the time on the management station and on the exchange server and this is ok.
It is not a permissions issue because the user functions ok on the other management station.
On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
What am I doing wrong?
Anyone any tips?
Thanks,
JB
This is what I get in the eventlog of the bad management station.
Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: 1/10/2012 11:39:27
Event ID: 6
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: Server.domain.com
Description:
The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Get-ExchangeServer
{Identity=Servername}
Domain/ou/ou/ou/ou/username
Exchange Management Console-Local
3080
22
00:00:00.3593888
View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
Context
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange CmdletLogs" />
<EventID Qualifiers="49152">6</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
<EventRecordID>11</EventRecordID>
<Channel>MSExchange Management</Channel>
<Computer>FQDN MGMT STATION</Computer>
<Security />
</System>
<EventData>
<Data>Get-ExchangeServer</Data>
<Data>{Identity=MGMT STATION}</Data>
<Data>domain/ou/ou/ou/ou/username</Data>
<Data>
</Data>
<Data>
</Data>
<Data>Exchange Management Console-Local</Data>
<Data>3080</Data>
<Data>
</Data>
<Data>22</Data>
<Data>00:00:00.3593888</Data>
<Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
<Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
<Data>Context</Data>
<Data>
</Data>
</EventData>
</Event> -
Kerberos authentication fail on ASA 5505 -Decrypt integrity-
Hi,
I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
ASA-Oslo# kerberos mkreq: 0x176
kip_lookup_by_sessID: kip with id 374 not found
alloc_kip 0xd9b9bdf0
new request 0x176 --> 11 (0xd9b9bdf0)
add_req 0xd9b9bdf0 session 0x176 id 11
In kerberos_build_request
In kerberos_open_connection
In kerberos_send_request
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REQ
Kerberos: Option forwardable
Kerberos: Option renewable
Kerberos: Option renewable accepted
Kerberos: Client Name antonio.torres
Kerberos: Client Realm IBISTIC.LOCAL
Kerberos: Server Name krbtgt
Kerberos: Start time 0
Kerberos: End time -643858960
Kerberos: Renew until time -653409600
Kerberos: Nonce 0x5242a360
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des-cbc-md5
Kerberos: Encryption type des-cbc-crc
Kerberos: Encryption type des-cbc-md4
Kerberos: Encryption type des3-cbc-sha1
Kerberos: Address 10.40.49.1
********** END: KERBEROS PACKET DECODE ************
In kerberos_recv_msg
In kerberos_process_response
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REP
Kerberos: Client Name antonio.torres
Kerberos: Client Realm IBISTIC.LOCAL
********** END: KERBEROS PACKET DECODE ************
Kerberos library reports: "Decrypt integrity check failed"
In kerberos_close_connection
remove_req 0xd9b9bdf0 session 0x176 id 11
free_kip 0xd9b9bdf0
kerberos: work queue empty
I've been looking for documentation about this error but I was not able to figure out what's wrong. I've already also turned off 'Do not require pre-authentication' on account option.
Some one get also this error?
Any help will be more than welcome,
Thanks in advance,
Antonio -
Why Oracle Access Manger only works via Kerberos in IE/Mozilla?
Hi,
OAM is working only on Chrome/Safari, Why it is not working with IE/Mozilla. Why it is working only via Kerberos? Please help us in understanding this as we are very new to OAM.
Thanks,
Durga
Hi Durga,
could you be more specific? Please provide the version number of OAM and the platform.
I run OAM 10.1.4.3 and OAM 11.1.1.3 on Red Hat Linux 5. 64-bit with Firefox 3.x and IE 7 as front ends without any issues.
--olaf -
Remote PowerShell Connection to Lync Server With Kerberos authentication Fails
Hi everyone ,
Remote PowerShell to Lync Server With Kerberos authentication Fails .. Is there any reason for not being able to connect when authentication specified as Kerberos . But exactly same code works when Authentication is specified as "Negotiate"
E.g :
Error -
$session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
[serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server. To use Kerberos, specify the computer name as the remote destination. Also verify that the client computer and the destination computer are joined to a domain. To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by server: Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
Works -
$session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate
Hi,
Please double check if Windows Update is the latest version, if not, please update and then test again.
Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
Best Regards,
Eason Huang
Eason Huang
TechNet Community Support -
Exchange Management Console couldn't start with Kerberos authentication failed
When I was making changes to Client Access\owa settings, changing from Basic authentication to Form authentication (upn name) then changed to Basic again. It was ok after changing to Form authentication but moments after changing back to Basic, I could no longer access owa (blank page with one vertical line) and in Exchange Management Console, I got "Initialization failed" - The following error occurred while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
I tried the troubleshooting tool from Exchange team blog:
http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It gives 3 possible causes for this error: 1. WSMan module entry is missing from global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. Kerbauth module shows up as Managed module or has been loaded in the Default Web Site Level; 3. The Path of the Powershell virtual directory has been modified.
I checked carefully, all the 3 causes do not apply to my situation as WSman entry is in order, the Kerbauth is native and local and the path of Powershell virtual directory is correct.
I find that in Application log, there are Event 2297 and 2307 dumped at the time of failure:
The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpubl\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config', line number '2'. The data field contains the error code.
Help is very much appreciated.
Valuable skills are not learned, learned skills aren't valuable.
Unfortunately, all the links you provided didn't help.
The first link contains 3 methods:1 Removing WinRM feature and reinstalling. 2 Rename the web.config file in location C:\inetpub\wwwroot 3 Have you installed Microsoft Dynamics CRM 4. I?
As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config however is found many times in .netframework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when I open Exchange Management Shell, I get this error: [sgp.ex1.mydomain.com] connecting to remote server failed with the following error message: The WinRM client cannot process the request, it cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
I do not think the user is not remote powershell enabled because the problem happened suddenly, while I was making changes to Authentication settings of OWA(default) in Client Access in Exchange Management Console. If the user account is not remote powershell enabled, then I couldn't even connect to EMC in the first place.
The last link didn't help because I could open up modules under PowerShell virtual directory in IIS.
I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config not well-formed XML, that might be a clue.
In the event id 2307 this is the message:
The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'. The data field contains the error code.
Valuable skills are not learned, learned skills aren't valuable. -
"Kerberos" authentication failed while trying to access EMC or EMS
Salam,
I have successfully installed Exchange 2010 SP1 on a transitional environment, the installation went smoothly without any problem and I've done most of the transitioning configuration from Exchange Server 2003 to Exchange Server 2010.
Currently we're in the process of moving the mailboxes, but I've come across a problem recently which stopped all my work and I can no longer commence with this transition unless its solved.
Sometimes when I try to access EMC or EMS I get the hereunder error:
The following error occurred while attempting to connect to the specified Exchange server 'afhmail.arabfinancehouse.com.lb':
The attempt to connect to http://afhmail.arabfinancehouse.com.lb/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed
with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I've read most of the articles found on the internet including
http://msexchangeteam.com/archive/2010/02/04/453946.aspx to try to troubleshoot this problem but nothing has worked so far. I tried removing WinRM IIS extensions as well, then adding them again with a restart, and nothing. I tried the Kerbauth dll removal also, nothing, and the problem keeps occurring and the situation is not stable.
Also I read in a KB article somewhere that if we have multiple domain controllers a single domain controller should be assigned on the Exchange Server (Organization Configuration, Server Configuration, Recipient Configuration), so I assigned the PDC to be selected by those configurations at startup, yet I am still facing the same problem.
Again I emphasise that the problem comes and goes; at one time I can access EMS and at another it just gives me the Kerberos error.
Thank you very much in advance,
Kindest Regards.
Abdullah Abdullah
Hi Abdullah,
Can you open the EMS?
If yes, please run the WinRM QC and post the results here.
If possible, please use another admin's account to log on to Exchange to try to open EMC.
Frank Wang
TechNet Subscriber Support