Kerberos & AFP fails to login via kerberos

Similar Messages

• AFP login via Kerberos from 10.5 clients to 10.4 server broken

  I don't know if this is connected to the problem laid out by William W. Higgins in [Open Directory or LDAP Problem with 10.5 Client and 10.4 Server|http://discussions.apple.com/thread.jspa?threadID=2163645&tstart=0]. The symptoms are... somewhat different, so I'll start a new thread.
  We've got a small office with a bunch of 10.5.8 clients, a couple of 10.6 clients, one lone Windows 2000 client, and a number of remote users. I've had my OS X Server 10.4.11 machine (a PowerMac G5 single 1.8GHz, fwiw) working happily as an OD Master for the past few weeks. It's mostly a file server and a back DNS server for our public web site—we have web service turned on, but it's mostly to allow remote users to download files (or upload via WebDAV). The server has a secondary NIC that's hooked up to the cable modem in the DMZ. Everything else is behind the modem's NAT.
  We've had some things show up on the logs that are making us want to tighten security, both in the LAN and over the internet. We've gone to HTTPS for the web server and are using TLS/SSL for the PureFTPd server. We closed the SMB ports on the external firewall—something we should have done years ago, probably.
  I wanted to switch the AFP service over to Kerberos authentication only. However, when I make that change in Admin Server>AFP>Settings>Access, none of the clients can log on; they get an error reading:
  +*Connection Failed*+
  +There was an error connecting to the server. Check the server name or IP address and try again.+
  +If you are unable to resolve the problem, contact your network administrator.+
  Then, after you click on OK, you get the following:
  +Sorry, the operation could not be completed because an unknown error occurred.+
  +(Error code -5002)+
  That code seems to indicate a Kerberos problem.
  And when I try to log on as a network user from one of the clients, I get this message:
  *+You are unable to log in to the user account "user" at this time+*
  +Logging in failed because an error occurred.+
  Gee, that's helpful!
  Server Admin shows OD and Kerberos as up and running. The Password Service log has the following entry:
  +Jan 21 2010 09:18:21 AUTH2: {0x4b4df87638fa1ec80000003400000034, bound-client-machine$} CRAM-MD5 authentication succeeded.+
  So the log-on didn't go through Kerberos, for some reason, though it's been working fine that way for weeks.
  I tried using +sso_util configure -r KERBEROS.REALM -a diradmin afp+ to make sure that single sign-on was running for AFP. No change.
  I can use +dscl -u username -p localhost read /LDAPv3/Users/username+ and read the information on the user's home directory.
  I can use /System/Library/CoreServices/Kerberos (or Ticket Agent) to request and receive a ticket. (Side note: does Kerberos really not allow login by secondary short names??? That's a pain! If I add principals for the secondary short names, will it authenticate correctly to the proper account???)
  FTP is working. Web authentication is working. If I turn Kerberos authentication off for AFP, everything else seems to return to normal... but then the passwords are passed as cleartext, which isn't acceptable.
  So... Is this a bug? Is this a conflict with PureFTPd? Am I doing something wrong?
  Message was edited by: David Kudler

  Post-reboot:
  Well, the good news is that the kdc now shows up in the kadmin log as starting up:
  Jan 26 11:43:02 localhost kadmind[98](info): Seeding random number generator
  Jan 26 11:43:03 localhost kadmind[98](info): No dictionary file specified, continuing without one.
  Jan 26 11:43:04 localhost kadmind[98](info): starting
  The lack of dictionary file I believe is a minor error, right?
  The bad news is that a) clients are no longer able to receive tickets (+*Kerberos Error* Configuration does not specify default realm+) and b) clients can't log on at all—not even via the Finder>Go>Connect to Server... command. Not even when you use the static IP address of the server rather than the DNS name.
  DNS still seems to be working. I can get reverse lookup:
  *cerberus:~ root#* dig -x 10.1.10.2
  ; << DiG 9.3.6-APPLE-P2 << -x 10.1.10.2
  ;; global options: printcmd
  ;; Got answer:
  ;; -HEADER<<- opcode: QUERY, status: NOERROR, id: 45389
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
  ;; QUESTION SECTION:
  ;2.10.1.10.in-addr.arpa. IN PTR
  ;; ANSWER SECTION:
  2.10.1.10.in-addr.arpa. 3600 IN PTR cerberus.limbo.jcf.org.
  ;; AUTHORITY SECTION:
  10.1.10.in-addr.arpa. 3600 IN NS ns1.jcf.org.
  10.1.10.in-addr.arpa. 3600 IN NS cerberus.limbo.jcf.org.
  10.1.10.in-addr.arpa. 3600 IN NS 10.1.10.1.
  ;; ADDITIONAL SECTION:
  ns1.jcf.org. 86400 IN A 207.58.140.213
  cerberus.limbo.jcf.org. 3600 IN A 10.1.10.2
  ;; Query time: 2 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Tue Jan 26 11:50:51 2010
  ;; MSG SIZE rcvd: 163</div>
  *cerberus:~ root#* dig cerberus.hades.jcf.org
  ; <<>> DiG 9.3.6-APPLE-P2 <<>> cerberus.hades.jcf.org
  ;; global options: printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36453
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;cerberus.hades.jcf.org. IN A
  ;; ANSWER SECTION:
  cerberus.hades.jcf.org. 86400 IN A 10.0.1.2
  ;; AUTHORITY SECTION:
  hades.jcf.org. 86400 IN NS cerberus.hades.jcf.org.
  hades.jcf.org. 86400 IN NS 10.1.10.1.
  ;; Query time: 4 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)
  ;; WHEN: Tue Jan 26 11:51:46 2010
  ;; MSG SIZE rcvd: 93
  </div>
  *cerberus:~ root#* changeip -checkhostname
  Primary address = 10.1.10.2
  Current HostName = cerberus.limbo.jcf.org
  DNS HostName = cerberus.limbo.jcf.org
  The names match. There is nothing to change.
  (The DNS also checks out from the clients.)
  But.... fubar.
  When I run +kadmin.local listprincs+, it lists all of the users and computers I've added—plus a couple that I don't recognize but that seem to be the products of bound computers (the names are along these lines, rather than the actual computer names for the clients: +LKDC:SHA1.59B886209B027XXXXXXXXXXXXXXXXXXXXXXXXXXX$@CERBERUS.LIMBO.JCF.ORG+). But when I run +kadmin.local list_policies *+, it just pops down to the next prompt. There don't seem to be any policies defined. That can't be right, can it????
  Further weirdness: I tried rebinding the client that I'm working from (an iMac running 10.6.2), also using the IP address. It goes through the binding process, but no dice—when I try to run System/Library/CoreServices/Kerberos.app, I still can't get a ticket. And the weird bit is, there doesn't seem to be a /Library/Preferences/edu.mit.Kerberos plist file on the client. Well, no wonder the client's Kerberos app can't authenticate the realm—there's no local file in which the data is stored!
  I should note that when I rebooted this morning, I first booted to the backup drive and ran Disk Utility; I repaired permissions—more than once—and repaired the disk directory as well. Perhaps I have confused the **** out of it. Though how the permissions got fouled in the first place is beyond me.
  I have other things to do (as it says in my profile, I'm the local IT guy by default)—though everyone where I work needs this problem solved.
  At this point my options seem to be:
  1.) Back up, demote, promote and reload the OD server.
  2) Reinstall from scratch.
  If anyone has any suggestions in the next hour or so, I'd love to hear them!
  Message was edited by: David Kudler

• Failed to login via Internet Explorer 8 in Oracle Secure Backup

  I cannot login via explorer 8. when i enter admin as user name and my password. It returns to the same page (LOGIN Page).

  When you go to the login page or log out it removes (or attempts to)
  any previous cookies and recreates new cookies.  I have been having a
  problem with Internet Explorer 8 where it seems to be returning
  something to my site that Coldfusion can't handle.  I get
  java.lang.nullPointerException.  The error messages say the error
  occurs either at line -1, with no idea what tag is involved, or line 6,
  which is in the middle of my cfapplication tag.  The diagnostics line
  is always null other than the line number.  From that, though, the
  error seems to occur before my cfapplication tag even runs.
  That suggests to me that the previous cookie is removed, but no new cookie is being created. The null would therefore refer to the non-existent cookie object. One way out might be to create new cookies without attempting to remove previous ones.

• Checksum failed while authenticating via Kerberos

  Hi All,
  I having a problem getting authentication using kerberos to work, I get the message checksum failed. The environment is Windows 2008 Server as DC and IE 8 as client and the application is running inside JBoss (in this case I am using the negotiation-toolkit) and the following trace is in the server.log. Can someone point me in the right direction for solving this problem, i've configured two local environments using w2k3 and w2k8 which are both working just fine but in the customers network it fails with the following trace:
  l
  2011-03-30 11:33:21,845 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:{}
  2011-03-30 11:33:21,846 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8888-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
  2011-03-30 11:33:21,846 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Authenticating user
  2011-03-30 11:33:21,846 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Header - Negotiate 2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (http-0.0.0.0-8888-1) 2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-0.0.0.0-8888-1)2011-03-30 11:33:21,848 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) associate 176127440
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Begin isValid, principal:FFE8282EB0A470619839BBD7EDF16A5E, cache info: null
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) defaultLogin, principal=FFE8282EB0A470619839BBD7EDF16A5E
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(SPNEGO), size=13
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
  ControlFlag: LoginModuleControlFlag: requisite
  Options:
  name=serverSecurityDomain, value=host
  name=password-stacking, value=useFirstPass
  [1]
  LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
  ControlFlag: LoginModuleControlFlag: required
  Options:
  name=usersProperties, value=props/spnego-users.properties
  name=rolesProperties, value=props/spnego-roles.properties
  name=password-stacking, value=useFirstPass
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) initialize
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
  2011-03-30 11:33:21,850 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) serverSecurityDomain=host
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) login
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(host), size=13
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: com.sun.security.auth.module.Krb5LoginModule
  ControlFlag: LoginModuleControlFlag: required
  Options:
  name=principal, value=host/[email protected]
  name=useKeyTab, value=true
  name=storeKey, value=true
  name=keyTab, value=/DATA/jbossserver.host.keytab
  name=debug, value=true
  name=doNotPrompt, value=true
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /DATA/jbossserver.host.keytab refreshKrb5Config is false principal is host/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) KeyTab instance already exists
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Added key: 23version: 4
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Ordering keys wrt default_tkt_enctypes list
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) principal's key obtained from the keytab
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Acquire TGT using AS Exchange
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq calling createMessage
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq in createMessage
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000, number of retries =3, #bytes=158
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KDCCommunication: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000,Attempt =1, #bytes=158
  2011-03-30 11:33:21,853 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsRep cons in KrbAsReq.getReply host/jbossserver
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) principal is host/[email protected]
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Added server's keyKerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule] added Krb5Principal host/[email protected] to Subject
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Commit Succeeded
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Subject = Subject:
       Principal: host/[email protected]
       Private Credential: Ticket (hex) =
  0000: 61 82 01 1F 30 82 01 1B A0 03 02 01 05 A1 13 1B a...0...........
  0120: 9E 96 D4 ...
  Client Principal = host/[email protected]
  Server Principal = krbtgt/[email protected]
  Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 81 5B 77 9E C3 74 46 AC 87 26 B0 00 5C B6 56 6E .[w..tF..&..\.Vn
  Forwardable Ticket false
  Forwarded Ticket false
  Proxiable Ticket false
  Proxy Ticket false
  Postdated Ticket false
  Renewable Ticket false
  Initial Ticket false
  Auth Time = Wed Mar 30 11:33:17 CEST 2011
  Start Time = Wed Mar 30 11:33:17 CEST 2011
  End Time = Wed Mar 30 21:33:17 CEST 2011
  Renew Till = null
  Client Addresses Null
       Private Credential: Kerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Logged in 'host' LoginContext
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Creating new GSSContext.
  2011-03-30 11:33:21,866 INFO [STDOUT] (http-0.0.0.0-8888-1) Found key for host/[email protected](23)
  2011-03-30 11:33:21,867 INFO [STDOUT] (http-0.0.0.0-8888-1) Entered Krb5Context.acceptSecContext with state=STATE_NEW
  2011-03-30 11:33:21,868 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  2011-03-30 11:33:21,869 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum failed !
  2011-03-30 11:33:21,870 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
  2011-03-30 11:33:21,870 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Unable to authenticate
  GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:337)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
  Caused by: KrbException: Checksum failed
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
       at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
       at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
       at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
       at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
       ... 35 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
       at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
       at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
       ... 41 more
  2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule]: Entering logout
  2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule]: logged out Subject
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) abort
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) initialize
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-users.properties, defaults=null
  2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[]
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-roles.properties, defaults=null
  2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[[email protected], [email protected]]
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) abort
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Login failure
  javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) End isValid, false
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) clear 176127440
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null

  Thanks! That did the trick.
  For those who aren't sure what we're talking about, here are the details. In the inspector tab of the user's record in Workgroup Manager, there's an item called AuthenticationAuthority. For servers that use Kerberos, it should have at least two attributes, one for ApplePasswordServer and one for Kerberos.
  The Kerberos entry should look something like this:
  ;Kerberosv5;0x4de7dafb19f92bf00000008b0000207c;[email protected];
  MYSERVER.MYDOMAIN.COM;1024 35 1501888096699469040706569854027123220425732604738787130135110270232071940183724 3
  78199029604219894640418726569868666187867257570714183982184166144733112632082318
  21356466533532379022305132046121848691642928615842396713606475071069113591094835
  025483043226511805720826544139932983788313141311383927555379596135211 [email protected]:123.45.67.89
  When you copy the attribute from a working user, there are two items that need to be changed (assuming you have only one kerberos realm). The first item is the long string of letters and numbers after ;Kerberosv5; in the first line. That's the user's UUID. The second is the user's short name ("fred" in the example above). The easiest way to make the changes is to paste the attribute into a text editor (TextEdit, or TextWrangler if you have it). Copy the user's UUID from the problematic account, and paste it over the one in the text you previously copied and pasted. Then change the short name to match the problematic user. Then copy the entire block from your text editor, select AuthenticationAuthority and click the New Value button. Click in the Text: field and paste. The Hex field will take care of itself. Click OK, then Save your changes.
  Of course before you start making changes like this to your directory, make sure you have a good back up to revert back to in case something gets messed up.

• Problem getting an LDAPContext after authenticating via Kerberos

  Hi,
  I am trying to create a Java program that can query an Active Directory server using the currenlty logged in Windows user's credentials to authenticate via LDAP.
  I am getting the following error in my output when trying to create the LdapContext object.
  GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
  The full output is as follows
  Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20090618162927Z
  startTime=20090618162927Z
  endTime=20090619022927Z
  renewTill=20090625162927Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 23
  Principal is [email protected]
  Commit Succeeded
  Subject:
       Principal: [email protected]
       Private Credential: Ticket (hex) =
  0000: 61 82 03 BC 30 82 03 B8   A0 03 02 01 05 A1 0A 1B  a...0...........
  <REMOVED>4   8A 8C BE 6B FD 65 5D 2F  .R..t#@d...k.e]/
  Client Principal = [email protected]
  Server Principal = krbtgt/[email protected]
  Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: C0 62 F6 3F 5C 29 F4 7B   C1 FC AB A0 77 D1 E7 E0  .b.?\)......w...
  Forwardable Ticket true
  Forwarded Ticket false
  Proxiable Ticket false
  Proxy Ticket false
  Postdated Ticket false
  Renewable Ticket true
  Initial Ticket true
  Auth Time = Thu Jun 18 17:29:27 BST 2009
  Start Time = Thu Jun 18 17:29:27 BST 2009
  End Time = Fri Jun 19 03:29:27 BST 2009
  Renew Till = Thu Jun 25 17:29:27 BST 2009
  Client Addresses  Null
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
  KinitOptions cache name is C:\Documents and Settings\Administrator.THALES-3D8PWWDM\krb5cc_AdministratorAcquire default native Credentials
  Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20090618162927Z
  startTime=20090618162927Z
  endTime=20090619022927Z
  renewTill=20090625162927Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 23
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Jun 19 03:29:27 BST 2009
  GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
       at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
       at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
       at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
       at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
       at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
       at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
       at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
       at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
       at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
       at javax.naming.InitialContext.init(Unknown Source)
       at javax.naming.InitialContext.<init>(Unknown Source)
       at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
       at com.thalesgroup.planit.ldap.LDAPAction.performLDAPOperation(Main.java:87)
       at com.thalesgroup.planit.ldap.LDAPAction.run(Main.java:66)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Unknown Source)
       at com.thalesgroup.planit.ldap.Main.main(Main.java:46)
  javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate I am running this using the following VM arguments
  -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true
  Finally my jaas config file is as follows
  fsta {
       com.sun.security.auth.module.Krb5LoginModule required
  debug=true client=false useTicketCache=true;
  com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
  };I am running this locally on the AD server (running Windows Server 2003).
  Does anybody know how I can get rid of the exception and create an authenticated LdapContext?
  Any suggestions would be greatly appreciated.
  Thanks
  Graeme

  My java source is as follows (its a modified example I found online)
  import java.util.Hashtable;
  import javax.naming.Context;
  import javax.naming.NamingEnumeration;
  import javax.naming.NamingException;
  import javax.naming.directory.Attributes;
  import javax.naming.directory.DirContext;
  import javax.naming.directory.InitialDirContext;
  import javax.naming.directory.SearchControls;
  import javax.naming.directory.SearchResult;
  import javax.security.auth.Subject;
  import javax.security.auth.login.LoginContext;
  import javax.security.auth.login.LoginException;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class Main {
      public static void main(String[] args) {
      java.util.Properties p = new java.util.Properties(System.getProperties());
      p.setProperty("java.security.krb5.realm", "fsta.com");
      p.setProperty("java.security.krb5.kdc", "192.168.1.10");
      p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
      System.setProperties(p);
      // 1. Log in (to Kerberos)
      LoginContext lc = null;
      try {
              lc = new LoginContext("fsta", new TextCallbackHandler());
      // Attempt authentication
      lc.login();
      } catch (LoginException le) {
      System.err.println("Authentication attempt failed" + le);
      System.exit(-1);
      Subject subject = lc.getSubject();
      System.out.println(subject.toString());
      // 2. Perform JNDI work as logged in subject
      Subject.doAs(subject, new LDAPAction(args));
      // 3. Perform LDAP Action
      * The application must supply a PrivilegedAction that is to be run
      * inside a Subject.doAs() or Subject.doAsPrivileged().
      class LDAPAction implements java.security.PrivilegedAction {
      private String[] args;
      private static String[] sAttrIDs;
      private static String sUserAccount = new String("Administrator");
      public LDAPAction(String[] origArgs) {
      this.args = origArgs.clone();
      public Object run() {
      performLDAPOperation(args);
      return null;
      private static void performLDAPOperation(String[] args) {
      // Set up environment for creating initial context
      Hashtable env = new Hashtable(11);
      env.put(Context.INITIAL_CONTEXT_FACTORY,
      "com.sun.jndi.ldap.LdapCtxFactory");
      // Must use fully qualified hostname
      env.put(Context.PROVIDER_URL, "ldap://192.168.1.10:389");
      // Request the use of the "GSSAPI" SASL mechanism
      // Authenticate by using already established Kerberos credentials
      env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
  //    env.put("javax.security.sasl.server.authentication", "true");
      try {
      /* Create initial context */
      DirContext ctx = new InitialDirContext(env);
      /* Get the attributes requested */
      //Create the search controls        
      SearchControls searchCtls = new SearchControls();
      //Specify the attributes to return
      String returnedAtts[]={"sn","givenName","mail"};
      searchCtls.setReturningAttributes(returnedAtts);
      //Specify the search scope
      searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      //specify the LDAP search filter
      String searchFilter = "(&(objectClass=user)(mail=*))";
      //Specify the Base for the search
      String searchBase = "DC=fsta,DC=com";
      //initialize counter to total the results
      int totalResults = 0;
      // Search for objects using the filter
      NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
      //Loop through the search results
      while (answer.hasMoreElements()) {
              SearchResult sr = (SearchResult)answer.next();
          totalResults++;
          System.out.println(">>>" + sr.getName());
          // Print out some of the attributes, catch the exception if the attributes have no values
          Attributes attrs = sr.getAttributes();
          if (attrs != null) {
              try {
              System.out.println("   surname: " + attrs.get("sn").get());
              System.out.println("   firstname: " + attrs.get("givenName").get());
              System.out.println("   mail: " + attrs.get("mail").get());
              catch (NullPointerException e)    {
              System.err.println("Error listing attributes: " + e);
      System.out.println("RABOTIII");
          System.out.println("Total results: " + totalResults);
      ctx.close();
      } catch (NamingException e) {
      e.printStackTrace();
  }Edited by: GraemeK on Jun 18, 2009 11:56 AM

• How can I set up ssh via kerberos on MacOS 10.5 (Leopard)?

  I am the de facto mac sysadmin for a few mac labs on a campus that is primarily Windows-using, and we have the Macs configured to do single sign-on via Kerberos and get their directory info via LDAP and home directories via NFS. This works fine for someone physically sitting at the machine, but I am running into a brick wall when it comes to sshing into these machines. ssh itself definitely works: I can ssh into the machine with a local user and password. And as I said, the kerberized login works fine from console. It's just getting the two to talk to each other.... Furthermore, there is a Linux box that we can successfully log into via kerberos/sso, so it's unlikely to be anything on the client side.
  Things I've tried:
  * Editing /etc/authorization and changing "authinternal" under system.login.tty to "builtin:krb5authnoverify,privileged" (I think this used to work; the same change to system.login.console is definitely what makes the console logins work)
  * Editing /etc/sshd_config and setting "GSSAPIAuthentication yes" (this makes it match the sshd_config on the linux box we can log in to)
  * In the same file, turning on "KerberosAuthentication" and friends (just because it looked promising)
  Any ideas?

  It's not completely obvious. What you have to do in Spaces is to position your cursor to the upper right of the screen, after which faint + (plus) sign appears in that area. Click that, upon which another Desktop will appear.
  The + may be difficult or impossible to see with some desktop backgrounds (black, for instance):

• Failed to find any Kerberos Key

  Hi All,
  I've all ready done all the steps in note 994791 (SPNego Wizard) for SSO configuration between Portal and ADS. After finishing the configuration I checked the login and still appears the  authentification login page. I have checked Defaultrace log and it shows the following:
  Cannot initializa login module [EXCEPTION]
  com.sap.security.core.server.jaas.SPNgoLoginModule#java.lang.RuntimeException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
  ......... etc.
  I have no clue what may go wrong and what I can check for fixing this issue. I did some notes like:  Note 1130190 - SPNego fails with "Failed to find any Kerberos Key"  and the configuration looks OK. What Could I do or check for this problem???  any help will be rewarded.
  Thanks in advanced.

  Hi,
  can you please have a look at the blogs
  Configuring and troubleshooting SPNego -- Part 3
  Configuring and troubleshooting SPNego -- Part 2
  Configuring and troubleshooting SPNego -- Part 1
  Maybe the troubleshooting section in the Part 3 can be of help.
  Regards,
  Holger.

• No valid credentials provided: Failed to find any Kerberos Ticket

  I'm running a java routine on a Windows 2000 workstation and trying to use JAAS to authenticate against a RedHat based kerberos server. When I do a login I get the following debug information:
  Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
            [Krb5LoginModule] user entered username: drrobison/admin
  principal is drrobison/[email protected]
  Added server's keyKerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
  0000: 76 9B 32 9D 02 AB 23 4C
            [Krb5LoginModule] added Krb5Principal drrobison/[email protected] to Subject
  Commit Succeeded
  When I print out the returned subject I get
  Subject:
       Principal: drrobison/[email protected]
       Private Credential: Ticket (hex) =
  Client Principal = drrobison/[email protected]
  Server Principal = krbtgt/[email protected]
  Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
  0000: 4F A7 BA 6D B0 E5 E5 6D
  Forwardable Ticket true
  Forwarded Ticket false
  Proxiable Ticket true
  Proxy Ticket false
  Postdated Ticket false
  Renewable Ticket false
  Initial Ticket false
  Auth Time = Mon Nov 25 17:16:35 EST 2002
  Start Time = Mon Nov 25 17:16:35 EST 2002
  End Time = Tue Nov 26 03:16:35 EST 2002
  Renew Till = Null
  Client Addresses Null
       Private Credential: Kerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
  0000: 76 9B 32 9D 02 AB 23 4C
  THen when I try to use the GSSManager.createCredential I get the following error:
  GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:142)
       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
       at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  GSSException No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket): No valid credentials provided: Failed to find any Kerberos Ticket
       at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
       at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
       at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
       at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.<init>(SimpleNTSCApp.java:115)
       at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.main(SimpleNTSCApp.java:227)
  Any ideas what the problem might be?
  Many thanks in advance...

  Hi ,
  I hope first that you solved your problem.
  In fact I'm using Tomcat on Windows 2000 and I try to get tickets for a Kerberos V installation on a Linux Box, using a Krb5LoginModule.
  To do so , I would like to know how do you tell your windows box where to find the destination realm (in your case OPENROADSCONSULTING.COM) .
  If it is in the jaas.config file , could you send yours to me please
  Thanx by advance
  Yann

• Windows 8 - user login and Kerberos Realm problems.

  Hi,
  Just installed Windows 8 Enterprise x64 from our MDT into our production enviroment for some final testing. I have done this with both Consumer and the Release Preview just to make sure our infrastructure can support user that want to run Windows 8 (Win
  7 Enterprise will still be the default OS for our client desktops).
  The problem I reported here with the Consumer Preview
  http://social.technet.microsoft.com/Forums/en-US/W8ITProPreRel/thread/069f59be-b89c-4005-8cd2-ff5fd756825a is still alive and kicking.
  Logon after fresh reboot. (Windows 8)
  Username: XWYZ
  Password: *********
  Sign in to: "OURKERBEROSREALM.SE"
  We authenticate all our users with our Kerberos Realm and in our AD's all user passwords are random dummy placeholders, and are linked to the Kerberos realm.
  When a user lock their computer, or put it in sleep mode, they should see this at their login.
  XWYZ (their full name)
  "OURKERBEROSREALM.SE\XWYZ(their username)
  Locked
  Password: ********
  But it does not show this… it shows:
  XWYZ (their full name)
  WINDOWS DOMAIN NAME\XWYZ(their username)
  Locked
  Password: ********
  This meens that when they want to unlock their desktop, or login after sleep, it will try and authenticate their login on the domain AD and not the Kerberos realm. Howver if you choose to go back and select "other user" it defaults back to using "OURKERBEROSREALM.se"
  as "Sign in to:" domain.
  This worked flawlessly in XP, Vista and Windows 7, but not in Windows 8. Not having our Kerberos realm as default login in every scenario is kind of a bummer.

  I had some brief time looking into this, and my awesome workbuddy found that you can poke about the keys found in
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1
  With the LastLoggedONSAMUser and LastLoggedOnUser values I changed from from "domain"\username to "kerberosrealm"\user, and when locking my computer or restating, I now have no need to choose "other user" every time I want to login again.
  Atleast somewhere to start.

• Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

  We use exchange 2010 SP2.
  We have 2 management stations, both w2k8 R2 SP1.
  I have one mangement station on which the emc and ems works ok.
  On the other management staiton (which is also in another ad site) the emc and ems don't work.
  I get the following error message : The attempt to connect to
  http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
  I have checked the time on the management station and on the exchange server and this is ok.
  It is not a permissions issue because the user functions ok on the other management station.
  On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
  What am I doing wrong?
  Anyone any tips?
  Thanks,
  JB 

  This is what I get in the eventlog of the bad management station.
  Log Name:      MSExchange Management
  Source:        MSExchange CmdletLogs
  Date:          1/10/2012 11:39:27
  Event ID:      6
  Task Category: (1)
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      Server.domain.com
  Description:
  The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
  If the event originated on another computer, the display information had to be saved with the event.
  The following information was included with the event:
  Get-ExchangeServer
  {Identity=Servername}
  Domain/ou/ou/ou/ou/username
  Exchange Management Console-Local
  3080
  22
  00:00:00.3593888
  View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
  Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
  Context
  the message resource is present but the message is not found in the string/message table
  Event Xml:
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="MSExchange CmdletLogs" />
      <EventID Qualifiers="49152">6</EventID>
      <Level>2</Level>
      <Task>1</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
      <EventRecordID>11</EventRecordID>
      <Channel>MSExchange Management</Channel>
      <Computer>FQDN MGMT STATION</Computer>
      <Security />
    </System>
    <EventData>
      <Data>Get-ExchangeServer</Data>
      <Data>{Identity=MGMT STATION}</Data>
      <Data>domain/ou/ou/ou/ou/username</Data>
      <Data>
      </Data>
      <Data>
      </Data>
      <Data>Exchange Management Console-Local</Data>
      <Data>3080</Data>
      <Data>
      </Data>
      <Data>22</Data>
      <Data>00:00:00.3593888</Data>
      <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
      <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
      <Data>Context</Data>
      <Data>
      </Data>
    </EventData>
  </Event>

• Kerberos authentication fail on ASA 5505 -Decrypt integrity-

  Hi,
  I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
  ASA-Oslo# kerberos mkreq: 0x176
  kip_lookup_by_sessID: kip with id 374 not found
  alloc_kip 0xd9b9bdf0
      new request 0x176 --> 11 (0xd9b9bdf0)
  add_req 0xd9b9bdf0 session 0x176 id 11
  In kerberos_build_request
  In kerberos_open_connection
  In kerberos_send_request
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REQ
  Kerberos: Option forwardable
  Kerberos: Option renewable
  Kerberos: Option renewable accepted
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  Kerberos: Server Name krbtgt
  Kerberos: Start time 0
  Kerberos: End time -643858960
  Kerberos: Renew until time -653409600
  Kerberos: Nonce 0x5242a360
  Kerberos: Encryption type rc4-hmac-md5
  Kerberos: Encryption type des-cbc-md5
  Kerberos: Encryption type des-cbc-crc
  Kerberos: Encryption type des-cbc-md4
  Kerberos: Encryption type des3-cbc-sha1
  Kerberos: Address 10.40.49.1
  ********** END: KERBEROS PACKET DECODE ************
  In kerberos_recv_msg
  In kerberos_process_response
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REP
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  ********** END: KERBEROS PACKET DECODE ************
  Kerberos library reports: "Decrypt integrity check failed"
  In kerberos_close_connection
  remove_req 0xd9b9bdf0 session 0x176 id 11
  free_kip 0xd9b9bdf0
  kerberos: work queue empty
  I've been looking for documentation about this error but I was not able to figure out what's wrong. I've already also turned off 'Do not require pre-authentication' on account option.
  Some one get also this error?
  Any help will be more than welcome,
  Thanks in advance,
  Antonio

  Hi,
  I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
  ASA-Oslo# kerberos mkreq: 0x176
  kip_lookup_by_sessID: kip with id 374 not found
  alloc_kip 0xd9b9bdf0
      new request 0x176 --> 11 (0xd9b9bdf0)
  add_req 0xd9b9bdf0 session 0x176 id 11
  In kerberos_build_request
  In kerberos_open_connection
  In kerberos_send_request
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REQ
  Kerberos: Option forwardable
  Kerberos: Option renewable
  Kerberos: Option renewable accepted
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  Kerberos: Server Name krbtgt
  Kerberos: Start time 0
  Kerberos: End time -643858960
  Kerberos: Renew until time -653409600
  Kerberos: Nonce 0x5242a360
  Kerberos: Encryption type rc4-hmac-md5
  Kerberos: Encryption type des-cbc-md5
  Kerberos: Encryption type des-cbc-crc
  Kerberos: Encryption type des-cbc-md4
  Kerberos: Encryption type des3-cbc-sha1
  Kerberos: Address 10.40.49.1
  ********** END: KERBEROS PACKET DECODE ************
  In kerberos_recv_msg
  In kerberos_process_response
  ********** START: KERBEROS PACKET DECODE ************
  Kerberos: Message type KRB_AS_REP
  Kerberos: Client Name antonio.torres
  Kerberos: Client Realm IBISTIC.LOCAL
  ********** END: KERBEROS PACKET DECODE ************
  Kerberos library reports: "Decrypt integrity check failed"
  In kerberos_close_connection
  remove_req 0xd9b9bdf0 session 0x176 id 11
  free_kip 0xd9b9bdf0
  kerberos: work queue empty
  I've been looking for documentation about this error but I was not able to figure out what's wrong. I've already also turned off 'Do not require pre-authentication' on account option.
  Some one get also this error?
  Any help will be more than welcome,
  Thanks in advance,
  Antonio

• Why Oracle Access Manger only works via Kerberos in IE/Mozilla?

  Hi,
  OAM is working only on Chrome/Safari, Why it is not working with IE/Mozilla. Why it is working only via Kerberos? Please help us in understanding this as we are very new to OAM.
  Thanks,
  Durga

  Hi Durga,
  could you be more specific? Please provide the version number of OAM and the platform.
  I run OAM 10.1.4.3 and OAM 11.1.1.3 on Red Hat Linux 5. 64-bit with Firefox 3.x and IE 7 as front ends without any issues.
  --olaf                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

• Remote PowerShell Connection to Lync Server With Kerberos authentication Fails

  Hi everyone ,
  Remote PowerShell to Lync Server With Kerberos authentication Fails .. Is there any reason for not being able to connect when authentication specified as Kerberos . But exactly same code works when Authentication is specified as "Negotiate"
  E.g :
  Error -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
  [serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in
  the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify
  that the client computer and the destination computer are joined to a domain.To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by
  server:   Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
     eption
      + FullyQualifiedErrorId : PSSessionOpenFailed
  Works  -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate

  Hi,
  Please double check if Windows Update is the latest version, if not, please update and then test again.
  Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Exchange Management Console couldn't start with Kerberos authentication failed

  When I was making changes to Client Access\owa settings, chaning from Basic authentication to Form authentication (upn name) then changed to Basic again. It was ok after changing to Form authentication but moment after changing back to Basic, I couldn't
  no longer access owa (blank page when one vertical line) and in Exchange Management Console, I got "Initialization failed" - The following error occured while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
  The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannto process
  the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
  I tried the troubleshooting tool from Exchange team blog:
  http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It give 3 possible causes for this error: 1. WSMan module entry is missing from global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. Kerbauth module shows
  up as Managed module or has been loaded in the Default Web Site Level; 3. The Path of the Powershell virtual directory has been modified.
  I checked carefully, all the 3 causes do not apply to my situation as WSman entry is in order, the Kerbauth is native and local and the path of Powershell virtual directory is correct.
  I find that in Application log, there are Event 2297 and 2307 dumped at the time of failure:
  The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Confiugration file in not well-formed XML' trying to read configuration data from file '\\?\C:\inetpubl\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config',
  line number '2'. The data field contains the error code.
  Help is very much appreciated.
  Valuable skills are not learned, learned skills aren't valuable.

  Unfortunately, all the links you provided didn't help.
  The first link contains 3 methods:1 Removing WinRM feature and reinstalling. 2 Rename the web.config file in location C:\inetpub\wwwroot 3 Have you installed Microsoft Dynamics CRM 4. I?
  As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config however is found in many times in .netframework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
  The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when open Exchange Management Shell, I got this error: [sgp.ex1.mydomain.com] connecting to remote server
  failed with the following server failed with the following error message: The WinRM client cannot process the request, it cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalide. For more
  information, see the about_Remote_Troubleshooting Help topic.
  I do not think the user is not remote powershell enabled because the problem happened suddenly, while I was making changes to Authentication settings of OWA(default) in Client Access in Exchange Management Console. If the user account is not remote powershell
  enabled, then I couldn't event connect to EMC in the first place.
  The last link didn't help because I could open up modules under PowerShell virtual directory in IIS.
  I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config not well-formed XML, that might be a clue.
  In the event id 2307 this is the message:
  The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML
  ' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'.  The data field contains the error code.
  Valuable skills are not learned, learned skills aren't valuable.

• "Kerberos" authentication failed while trying to access EMC or EMS

  Salam,
  I have successfully installed Exchange 2010 SP1 on a transitional environment, the installation went smooth without any problem and I've done most of the trasitioning configuration from Exchange Server 2003 to Exchange Server 2010.
  Currently we're in the process of moving the mailboxes, but I've come across a problem recently which stopped all my work and I can no longer commence with this transition unless its solved.
  Sometimes when I try to access EMC or EMS I get the hereunder error:
  The following error occurred while attempting to connect to the specified Exchange server 'afhmail.arabfinancehouse.com.lb':
  The attempt to connect to http://afhmail.arabfinancehouse.com.lb/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed
  with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
  I've read most of the articles found on the internet including
  http://msexchangeteam.com/archive/2010/02/04/453946.aspx to try to troubleshoot this problem but nothing has worked so far, I tried removing Win RM IIS extensions as well then adding them again with a restart and nothing. I tried the Kerbauth dll removal
  also nothing and the problem keeps to occur and the situation is not stable.
  Also I read in a KB article somewhere that if we have multiple domain controllers a single domain controller should be assigned on the Exchange Server (Organization Configuration, Server Configuration, Recipient Configuration) so I assigned the PDC to be selected
  by those configurations at startup, yet I am still facing the same problem.
  Again I emphasis that the problem comes and goes, at a time I can access EMS and at another is just gives me the Kerberos error.
  Thank you very much in advance,
  Kindest Regards.
  Abdullah Abdullah

  Hi Abdullah,
  Can you open the EMS?
  If yes, please run the WinRM QC and post the results here.
  If possible, please use another admin's account to log on to Exchange to try to open EMC.
  Frank Wang
  TechNet Subscriber Support
  in forum
  If you have any feedback on our support, please contact
  [email protected]
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.