Kerberos and SPNEGO

I was trying to do SSO for Oracle UCM 11g, which uses WebLogic 10.3.4, using Kerberos and SPNEGO as stated in the Oracle documentation.
I followed all the steps in the following links:
http://download.oracle.com/docs/cd/E17904_01/web.1111/e13707/sso.htm#i1102021
and
http://download.oracle.com/docs/cd/E17904_01/doc.1111/e10792/c03_security.htm#CDDDIHBA
My issue is strange: there are no errors, no exceptions, and SSO is not working even if I add wrong info to krb5.conf or krb5login.conf. I have created a JAAS configuration file, and I have specified the krb5login.conf file location as a startup option in WebLogic, where I have added the following to startWeblogic.sh:
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"
What do you think I am facing here?

Hi,
Apply SAP Note 1045019 (Example 3) and provide the errors (in red) from the collected traces for analysis.
Regards,
Dimitar

Similar Messages

  • Single sign-on using Kerberos and Ldap

    I am currently setting up single sign-on using Kerberos for authentication and LDAP for authorization and information store.
    The setup includes several Solaris 8 & 9 workstations, a couple of SGIs, as well as an M$ terminal server farm, several WinXP desktops and their associated Active Directory.
    I am required to authenticate etc. against the AD (which has M$ SFU 3.5 installed).
    I have the Kerberos authentication and part of the LDAP service working via pam & nss.
    i.e. I can log on to the Solaris workstations using the AD username and password, and mount the home directory from an M$ NFS server.
    BUT...
    id gives: userID, groupID (primary group only)
    groups gives: primary group only (no secondary groups are listed)
    Question: what additional configuration information do I need in the pam, nss and/or ldap config files, so that I can list the secondary groups?
    Thanks in advance for any help.

    After evaluating (giving up on, and finally throwing out) the Sun Directory Server, it looks like we are going to end up with a similar solution.
    Sadly enough, the MS AD seems much more stable and easier to handle than Sun's DS, Kerberos and associated services.
    Anyway, currently we are evaluating a product called Vintela ( www.vintela.com ), and it seems very promising; it's easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you can easily retrieve data like hosts/groups from your AD.
    //M.

  • Kerberos and 10.5.8

    Hello all,
    I'm in the process of binding the Macintoshes to the AD environment and I'm running into a bit of an anomaly. I have the process scripted and I'm using local MCX settings with a LaunchD that determines the user's OU at login and then runs the appropriate script, depending upon their department, that will mount the network drive. This works fine, except for a couple of 10.5.8 Snow laptops.
    The login and mount script work fine from my machine (10.6.6) but not the users' (10.5.8), and not all 10.5.8 machines are having this issue.
    The command I'm running is this:
    cifs://dns.name.of.server/volume/dept/data
    On 10.6, it simply passes the Kerberos ticket and mounts the network mount. On 10.5.8, I enter the password and it says the password is incorrect.
    I've deleted the keychain, the preferences and have destroyed the current Kerberos ticket and got a new one. I've repaired permissions and I've repaired the keychain.
    Can anyone help me out here?
    Thank you in advance.

    Try the OS X Server forums. There should be one dealing with directory services, etc. Alternatively, search these forums for Kerberos and SSHD

  • How to create constrained or unconstrained Kerberos and know whether the back end is constrained or unconstrained Kerberos?

    Hello Community
    I am considering Kerberos Authentication but there seem to be 2 kinds of Kerberos: constrained and unconstrained.
    Since when creating Kerberos you are only offered things like "Negotiate\Kerberos" or "Negotiate" or "Setspn", the question is how do you create a constrained or unconstrained Kerberos, and since the back end has to match, how do you know whether the back end uses constrained or unconstrained Kerberos?
    Thank you
    Shabeaut

    Kerb is used for one of several scenarios:
    - connecting SP to SQL databases, which provides assurances around the connection between the SP service accounts and the SQL service accounts
    - connecting SP to external systems (such as SQL databases, which may be used by BCS, Excel, PerformancePoint, PowerPivot, etc.)
    Constrained Delegation is not necessary for SP to use Kerb when connecting to SQL. It IS necessary for SP to talk to external systems (Constrained Delegation is also known as "Kerberos with protocol transition", since it's transitioning a claims-based auth token to a Kerberos-based auth token).
    The difference is a setting in AD's Delegation tab, for the service account that will be collecting the users' login (presumably the webapp), and for the service account that will be performing the double-hop (presumably the service apps)... in addition to the Kerb setting, you also need to specify EXACTLY which endpoints can be reached using the Kerb + CD... unconstrained delegation (the default) allows the Kerb token to be passed anywhere... constrained delegation only allows the Kerb token to be used by the places you specify (in the Delegation tab)... such as the SQL server that the PerformancePoint scorecards will be querying.
    Links:
    - Microsoft's Kerberos guide : http://www.microsoft.com/en-us/download/details.aspx?id=23176
    - more links : http://www.sbrickey.com/Tech/Blog/Post/SharePoint_Troubleshooting_Kerberos_and_External_Data_from_Excel_Services
    - some health analyzers to find problems and recommend solutions : http://sdssharepointlibrary.codeplex.com/releases/view/92022
    Scott Brickey
    MCTS, MCPD, MCITP
    www.sbrickey.com
    Strategic Data Systems - for all your SharePoint needs
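    As an added example (not code from this thread), the Python below maps the Delegation tab choices Scott describes to the AD attributes they set (userAccountControl bits and msDS-AllowedToDelegateTo) and audits a front-end/back-end hop the way Shabeaut's "does the back end match?" question needs; the accounts and SPNs are constructed dictionaries, not records read from a real directory.

```python
"""Audit Kerberos delegation settings from the attributes the AD Delegation tab writes.
Added example; the sample accounts below are constructed, not read from a directory."""

# userAccountControl bits set by the Delegation tab (Microsoft-defined values)
TRUSTED_FOR_DELEGATION = 0x00080000          # "Trust this ... for delegation to any service (Kerberos only)"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol" (protocol transition)
NORMAL_ACCOUNT = 0x00000200
DONT_EXPIRE_PASSWD = 0x00010000


def delegation_mode(account):
    """Classify one account: unconstrained, constrained (with/without protocol transition) or none."""
    uac = int(account.get("userAccountControl", 0))
    targets = account.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"                      # ticket can be forwarded to any service
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained+protocol-transition"    # claims/forms logon -> Kerberos to listed SPNs
    if targets:
        return "constrained-kerberos-only"          # only a real Kerberos logon can be delegated
    return "none"


def check_hop(front, backend, backend_spn):
    """Verify that `front` (e.g. the web app pool account) may delegate to backend_spn,
    and that `backend` actually owns that SPN.  Returns findings; empty means OK."""
    findings = []
    name = front["sAMAccountName"]
    mode = delegation_mode(front)
    if mode == "none":
        findings.append(f"{name}: no delegation configured, double hop will fail")
    elif mode == "unconstrained":
        findings.append(f"{name}: unconstrained delegation; replace with a constrained "
                        f"list naming only the back-end SPNs (e.g. {backend_spn})")
    elif backend_spn.lower() not in map(str.lower, front.get("msDS-AllowedToDelegateTo", [])):
        findings.append(f"{name}: {backend_spn} is not in msDS-AllowedToDelegateTo")
    # The back end needs no delegation setting itself; what must match is the SPN.
    if backend_spn.lower() not in map(str.lower, backend.get("servicePrincipalName", [])):
        findings.append(f"{backend['sAMAccountName']}: SPN {backend_spn} not registered (setspn)")
    return findings


# Constructed sample accounts for a SharePoint web app -> SQL Server hop
BACKEND_SPN = "MSSQLSvc/sql01.corp.example:1433"
SVC_WEB = {
    "sAMAccountName": "svc_spweb",
    "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": [BACKEND_SPN],
}
SVC_SQL = {
    "sAMAccountName": "svc_sql",
    "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,
    "servicePrincipalName": [BACKEND_SPN, "MSSQLSvc/sql01.corp.example"],
}
SVC_LEGACY = {
    "sAMAccountName": "svc_legacy",
    "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION,
}

if __name__ == "__main__":
    for acct in (SVC_WEB, SVC_SQL, SVC_LEGACY):
        print(acct["sAMAccountName"], delegation_mode(acct))
    print(check_hop(SVC_WEB, SVC_SQL, BACKEND_SPN) or "hop OK")
    print(check_hop(SVC_LEGACY, SVC_SQL, BACKEND_SPN))
```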

  • IChat 4, Kerberos and login issue

    When using Kerberos I can get a ticket for the connection, but after the ticket exchange I get prompted for another authentication request with ID and password.
    In the iChat server log I get the entry:
    Apr 14 16:47:59 <servername> jabberd/c2s[76194]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request)
    Anybody have an idea?

    Yes, it is. FQN.
    I think part of the issue is that we use DNS service entries.
    The machine has "server<xyz>" as DNS name. The chat server uses the DNS service entry "chat<xyz>" with its own IP. "chat<xyz>" is set in Server Admin.app; I added an xmpp/chat<xyz> principal to Kerberos and the ticket is issued when I try to connect with iChat.
    Usernames used are <username>@chat<xyz>. These usernames work when Kerberos is turned off (normal connection to 5223/SSL).
    Now, if I turn Kerberos on, leave the iChat server setting in the iChat client at chat<xyz> but switch the usernames to <username>@server<xyz>, I can log in via Kerberos (in the case that I add chat<xyz> and server<xyz> to the iChat server Host Domains in Server Admin.app).
    Bit confusing.

  • Sap webdispatcher and spnego

    What needs to be done for the SAP Web Dispatcher to work with SPNEGO? We've done setspn for the Web Dispatcher host, but it prompted us to log in to the Web Dispatcher server. Do we need to change any configuration in UME or the J2EE engine?
    Thanks
    Jane

    Hi
    For using SPNEGO through a SAP Web Dispatcher you only need to create an SPN for the Web Dispatcher host like "setspn -A http/<webdisp-host> <j2ee-user>".
    The <webdisp-host> must be FQDN like "host.domain.com" and the <j2ee-user> should be the J2EE service user created when configuring SPNEGO/kerberos for J2EE.
    BR
    Tom Bo

  • UI5 and SPNEGO authentication

    Hi,
    We already use the NetWeaver Gateway to provide some OData services.
    These services are consumed by some 3rd-party software components.
    To authenticate the user at the Gateway, these applications are using the SPNEGO authentication mechanism.
    Now I wanted to start developing my first UI5 app. Of course I'd like to consume the OData services from our existing Gateway installation.
    The main problem that I'm currently facing is that I don't know how to use Single Sign-On (based on Kerberos tickets) to consume the Gateway services from a UI5 app. I would like to use SPNEGO, but I didn't find any information on how to implement SPNEGO in a UI5 app.
    Can you please provide me some information (or even some code snippets) on how to use SPNEGO authentication from a UI5 app?
    Thanks in advance
    Holger

    Hi Michael,
    Thanks for that. My opinion of secondary authentication is the same, but hey ho. The client insists. I think the main iView is the payslip iView, so it is on the same server as the portal.
    My thinking was that as form based logon uses com.sap.portal.runtime.logon.certlogon and basic authentication uses com.sap.portal.runtime.logon.basicauthentication they could have different priorities set in authschemes.xml and consequently it asks for secondary authentication.  However, I see your point that they are both in the ticket logon stack.
    Paul

  • Error while integrating with Kerberos and AD

    Hi,
    Implementing Kerberos as the Desktop Single Signon Solution
    Environment : Peoplesoft
    OS : Redhat Linux
    webserver: Weblogic 10.3.4
    appserver : tuxedo 10gr3
    While doing this implementation I was able to complete it successfully with the JDK Linux provides (1.6.0_22). However, WebLogic comes preconfigured with the JRockit JDK version 1.6.0_24-R28.1.3-4.0.1. When I start WebLogic with the JRockit JDK as JAVA_HOME I am getting the following error:
    <Error> <HTTP> <BEA-101165> <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:334)
    at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
    at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:332)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.FilterManager.loadFilter(FilterManager.java:98)
    at weblogic.servlet.internal.FilterManager.preloadFilters(FilterManager.java:59)
    at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1878)
    at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
    at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1508)
    at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:485)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:201)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:637)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:205)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:58)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:52)
    at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
    at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:31)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
    at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:170)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:124)
    at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:181)
    at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:97)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
    These are my runtime parameters:
    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
    The files krb5.conf and krbLogin.conf exist and have full access.
    From the error above it seems that it is not able to pick up the configuration file. But just by changing JAVA_HOME to /usr/java/jdk1.6_022 it starts working.
    I raised this concern with Oracle almost a month ago, but still haven't got any reply from them.
    Please help.
    Thanks and Regards
    Anirudha Singh

    Hi Faisal,
    Thanks for your reply.
    Yes I have given the complete path too.
    This is the full command line of the WebLogic server. I had modified it to test if it is trying to pick it up from any default location.
    java -jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/etc/krbLogin.conf -Dsun.security.krb5.debug=true -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dweblogic.Chunksize=65536 -Djava.util.logging.config.file=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/logging.properties -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Jdk14Logger -Dweblogic.Name=PIA -Dps_vault=/u01/app/psoft89/webserv/PREFRESH/piaconfig/properties/psvault -Djavax.net.ssl.trustStore=/u01/app/psoft89/webserv/PREFRESH/piaconfig/keystore/pskey -Dweblogic.ProductionModeEnabled=true -Djava.security.policy=/u01/app/psoft89/weblogic/wlserver_10.3/server/lib/weblogic.policy -Dssl.debug=false -Dps_home=/u01/app/psoft89 weblogic.Server
    The file is located in /etc folder and has 777 permissions.
    Thanks and Regards
    Anirudha Singh

  • Profile Manager, Push, Kerberos and other oddities

    Hey all,
    First time setting up a Mac Server on our network, thought we'd give Lion a try since we're seeing more and more Macs make their way into our ranks. I'm having issues with the following areas, hopefully someone could shed some light.
    Push
    I can't for the life of me get push to work behind our Firewall. I opened up TCP Port 5223 as outlined in the Apple Docs but that doesn't get me anywhere. Do I need to NAT that port to the lion server? I thought that push sent notifications down to individual machines and then they went and grabbed the new config from the server? How does a firewall with NAT know what machine to send the notification to? Any help would be appreciated.
    Also, what are you supposed to manage users with, the Work Group Manager or the Profile Manager. It seems like apple is moving away from the WGM style of management, although you can't do everything in PM, like setting up home folders etc. Very confusing to a novice.
    Email Addresses in Profile Manager configurations and Webmail.
    I might be missing something really simple here, but no matter what I do the Profile Manager spits out a default payload for email with our FQDN as the email address for the user ([email protected]). I have set the local alias and checked the checkbox to allow our example.com domain to work. Manually setting the email address to [email protected] works just fine. I'm a bit bothered that every time I push a configuration out to a device I'll have to go back in and manually change the email address. Has anyone figured out how to change that?
    In webmail it always lists the email address as [email protected] instead of [email protected]. You can go in and edit the identity and all is right with the world, but that's sort of a pain? Seems like common sense that you could set that as the default.
    Kerberos
    I was excited to get a Single Sign-On solution going for our users since it would come in handy; however, straight out of the box it just doesn't work. I'm also not sure what to look for in the logs to make sure that things are working smoothly. I'm joining the client machines to the server by going into Users and clicking Join, selecting the server from the drop-down and hitting Submit. Do I have to set up a search order and all that jazz, or is that set up automatically then? I can see that I'm getting tickets with the Ticket Viewer, but I'm still getting prompted for passwords in Mail, iChat, AFP etc. Close to giving up on that front.
    Any help or general words of encouragement appreciated.

    Push
    You've opened the secure iChat port to have push notifications working? Take a look here for the right ports:
    http://help.apple.com/advancedserveradmin/mac/10.7/#apdCA9A73CE-5F0C-4BDC-93E8-2952C362FA3E
    On that page are all port numbers you need to forward to your server.
    Email
    The addresses being displayed as [email protected] is a bug in Lion Server in my opinion, you can file a bug report at apple.com/feedback.
    Kerberos
    Is as poorly documented as invisible in OS X Lion Server. Single Sign-On is a great tool for making services more user-friendly, it should be top of mind at Apple. You can file an enhancement request at apple.com/feedback.
    Regards,
    Mark

  • Query on SSO using Kerberos and JAAS

    We have created a LAN of two computers one being an IIS server (windows 2000 Server) and the other the client (Windows 2000 PRO)
    When the server program and the applet is run on the server machine the authentication is done properly and the context is established.
    But now we want the other terminal to be the client.
    Now we have hosted the applet from the server and we are accessing the hosted page from the client terminal and now we get the following exception:
    javax.security.auth.login.LoginException: trainee.Trainee123.Local: trainee.Trainee123.Local
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:572)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
    at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at GSSClient.login(GSSClient.java:110)
    at GSSClientApplet.login(GSSClientApplet.java:127)
    at GSSClientApplet.access$000(GSSClientApplet.java:14)
    at GSSClientApplet$1.actionPerformed(GSSClientApplet.java:74)
    at java.awt.Button.processActionEvent(Button.java:381)
    at java.awt.Button.processEvent(Button.java:350)
    at java.awt.Component.dispatchEventImpl(Component.java:3639)
    at java.awt.Component.dispatchEvent(Component.java:3480)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:450)
    at java.awt.EventDispatchThread.pumpOneEventForHierarchy(EventDispatchThread.java:197)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:150)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:144)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:136)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:99)
    Caused by: java.net.UnknownHostException: trainee.Trainee123.Local: trainee.Trainee123.Local
    at java.net.InetAddress.getAllByName0(InetAddress.java:999)
    at java.net.InetAddress.getAllByName0(InetAddress.java:969)
    at java.net.InetAddress.getAllByName(InetAddress.java:963)
    at java.net.InetAddress.getByName(InetAddress.java:883)
    at sun.security.krb5.internal.bg.<init>(DashoA6275:51)
    at sun.security.krb5.KrbKdcReq$KdcCommunication.run(DashoA6275:185)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.krb5.KrbKdcReq.send(DashoA6275:148)
    at sun.security.krb5.KrbAsReq.send(DashoA6275:401)
    at sun.security.krb5.KrbAsReq.send(DashoA6275:293)
    at sun.security.krb5.Credentials.acquireTGT(DashoA6275:332)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
    ... 24 more
    --(the server address being trainee.Trainee123.Local.)
    We referred to the following site:
    http://www-128.ibm.com/developerworks/java/library/j-gss-sso/index.html
    Suggest some solution to this problem.

    Hi there,
    I need to implement a J2ee struts based web application where the authentication should be against the user profiles in the Windows Active Directory Services using JAAS.
    I do not know how to start and is it possible for you to throw some light on this. Like how kerberos works with ADS and others.
    Thanks,
    Diva

  • Trouble with Kerberos and SSH

    I'm working in a test environment to configure Solaris 10 hosts to authenticate against an Active Directory environment using LDAP and Kerberos. I have all of the hard parts done - I can login locally, ssh, telnet, ftp, etc to the Solaris 10 device using a username/password within the Active Directory.
    I am having trouble, however, getting SSH to forward Kerberos tickets for passwordless authentication. I can log in locally to a Solaris box, run klist to verify that I have a Kerberos ticket, and then ssh to another Solaris 10/Kerberos box, but I am still prompted for my password. Below is a snippet of SSH debug traffic:
    debug1: GSS-API error while calling GSS_Init_sec_context(): An invalid name was supplied
    service not available
    debug1: Skipping GSS-API mechanism kerberos_v5 (An invalid name was supplied
    service not available
    No amount of googling has been able to help me thus far. Perhaps you can.

    Apparently my initial problem was related to hostname resolution; I initially was accessing everything by IP address because it was easier than setting up a DNS server in my testing environment. I have resolved those issues within my testing environment, but I still can't seem to get SSH to pass the Kerberos ticket along, or maybe SSHD isn't accepting it. This is what I see now, after getting a Kerberos ticket with kinit and attempting to ssh to another host:
    debug1: Next authentication method: gssapi-with-mic
    debug1: ssh_gssapi_init_ctx(<xxxxxxxxxxxxxxxxxxxx>)
    debug3: ssh_gssapi_import_name: snprintf() returned 41, expected 42
    debug2: we sent a gssapi-with-mic packet, wait for reply
    But it moves on to the next method, never receiving a reply. What's up?

  • Anonymous and SPNego issue

    Hi ,
    We are using an EP 7.0 EHP 1 portal for a couple of purposes:
    1) Anonymous Web Page Composer site for intranet information portal purposes
    2) SPNego SSO configured portal for ESS/MSS access.
    Now the problem is that when the users access the anonymous portal URL (http://hostname:port/irj/portal/anonymous), it actually does SPNego for the user and they get logged on to the portal and see the ESS/MSS roles.
    I am not sure why launching the anonymous URL does SPNego SSO. Any clue on this?
    Thanks,
    Siva

    Hi Simon,
    Yes we have the default anonymous portal url as http://<portal_hostname>/irj/portal/anonymous.
    The KDC is configured to issue a token for <portal_hostname>. So you mean to say that because of this, the user gets the token when they log on to the network, and even if they access the anonymous URL, they would be logged on to the portal automatically?
    Should I change the hostname for the anonymous URL, like http://anonymous_hostname/irj/portal/anonymous? Would it solve the problem?
    Thanks,
    Siva

  • Authen and Auth via kerberos and ldap (hosted on linux)

    Hello. I am trying to set up authentication via ldap and kerberos. I have usernames stored in a UNIX-style ldap server and kerberos running on the same machine. I am now trying to get the login window to use the ldap server for getting username/password and then to authenticate and get a ticket from kerberos. I have kerberos working (I can use kinit on the mac to get a ticket); if I have a ticket, I can use ldapsearch to get a dump of the ldap directory on the server. However, at the login window, there is no existing kerberos ticket for checking the ldap server, so it cannot be used and falls back to local login. How can I get a ticket or something that will function as such to kerberos so that login window can use the ldap server? Or, how can I get the login window to use the ldap server?
    Any links or other ideas would be appreciated.
    Thanks,
    Sean

    The user can be set in ST01 as the portal user for trace

  • SSPIs and SPNEGO

    Robert,
    In a previous post you said,
    "I've said this elsewhere on this forum, but in case you missed it, in certain
    cases you might be forced to implement a servlet filter rather than use the SSPIs.
    My case was using identity assertion with SPNEGO where you need to send back a
    response to the browser which in turn sends back a token to the server."
    Could you please explain how do we do SSPI for SPNEGO? I have a requirement where
    we need to pass the credentials from WL portal to IIS server to access content
    on IIS. Right now, as a temporary solution, we are doing https://uid:[email protected]
    I am new to security and JAAS. If you could please give me pointers to accomplish
    this in a cleaner way, I would really appreciate it.
    Thanks,
    Adam

    Robert,
    That's really awesome. Can we get this discussion offline from here? Could you
    please e-mail me at [email protected]?
    Thanks,
    Adam
    Robert Greig <[email protected]> wrote:
    Adam Gilchrist wrote:
    Robert,
    In a previous post you said,
    "I've said this elsewhere on this forum, but in case you missed it,in certain
    cases you might be forced to implement a servlet filter rather thanuse the SSPIs.
    My case was using identity assertion with SPNEGO where you need tosend back a
    response to the browser which in turn sends back a token to the server."
    Could you please explain how do we do SSPI for SPNEGO? I have a requirementwhere
    we need to pass the credentials from WL portal to IIS server to accesscontent
    on IIS. Right now, as a temporary solution, we are doing https://uid:[email protected]@mydomain.com.
    First, here's how to do it in the "standard" web browser case (IE client
    talking to WLS).
    1) Don't use the WLS SSPIs. You don't have access to the http response
    therefore it is not easy (perhaps not possible although maybe there are
    evil hacks that I haven't come up with!).
    2) Download the SPNEGO RFC. You'll need an ASN parser (unless you want
    to do the encoding manually - I don't recommend that unless you're familiar with ASN). Create an SPNEGO grammar your parser can understand and generate java code from the grammar. I used the cryptix parser (open source) but note that it had some bugs I had to fix first.
    3) Write a servlet filter. It should send back 403 responses in order to get the base 64 encoded SPNEGO token (see the RFC for details). When you have a token, get the GSS initial context token from it and use the GSSAPI to validate it. Then send back the appropriate response, having put the appropriate details into the session so you don't have to perform this for every request!
    Second - I plan on open sourcing what I have done and writing an article on it. Maybe I'm just sad and lonely but I certainly found it interesting to do (having never done anything in this area before) and I found that it was not an area that is either mature or well documented. This might be of some use to you. I am currently trying to get permission from my employer to do this (I work for an investment bank hence this is not entirely straightforward but I do now have agreement in principle).
    Third - to cover your case. You need to create an SPNEGO initial context token (see the spec for details). This should be quite easy once you have the ASN parser (just use the GSSAPI to get the underlying context token). You will have to implement SPNEGO from a client-side perspective however that should be easy (expect a 403 response from the server, then put in the base 64 encoded SPNEGO token into a particular request header).
    I am new to security and JAAS. If you could please give me pointers to accomplish this in a cleaner way, I would really appreciate it.
    Do you need to use SPNEGO here? If you can write an ASP page to service all requests then so long as you are happy using HTTPS you could put the username into a POST parameter. Or must you directly access the content without going through an intermediary page? If direct username isn't possible then you could even just ignore SPNEGO and put in the base 64 initial context token (which you can process using the Windows SSPI APIs).
    I hope this is of some use to you.
    Robert
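    The servlet filter of step 3 above, as an added example that is not Robert's code nor part of the original thread. It uses the SPNEGO mechanism (OID 1.3.6.1.5.5.2) that the JDK's own JGSS has supported since Java 6, so no hand-written ASN.1 parser is needed, and it follows RFC 4559, where the server challenges with a 401 response carrying `WWW-Authenticate: Negotiate`. Assumptions: Java 8 or later, the Servlet API on the classpath, and a JAAS entry named `SpnegoAcceptor` (an assumed name) in the file given by `-Djava.security.auth.login.config`, using `Krb5LoginModule` with `useKeyTab=true`, `storeKey=true` and `isInitiator=false` for the service's `HTTP/<host>` principal. Only the single-leg Kerberos case is handled; negotiation state is not kept across requests.

```java
// Added example (not from the original thread): SPNEGO/Negotiate servlet filter via JGSS.
// Assumes a JAAS entry "SpnegoAcceptor" (assumed name) backed by a keytab for HTTP/<host>.
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.*;

public class SpnegoFilter implements Filter {
    private static final String SESSION_KEY = "spnego.principal";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    private Subject serviceSubject;

    /** Outcome of one acceptSecContext call, passed out of the privileged block. */
    private static final class Step {
        final boolean established; final String principal; final byte[] token;
        Step(boolean e, String p, byte[] t) { established = e; principal = p; token = t; }
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        try {
            // Log the service in once; the Subject then carries the acceptor's keytab key.
            LoginContext lc = new LoginContext("SpnegoAcceptor");   // assumed JAAS entry name
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Authenticated earlier in this session: skip the handshake for this request.
        if (request.getSession(true).getAttribute(SESSION_KEY) != null) {
            chain.doFilter(req, res);
            return;
        }
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.startsWith("Negotiate ")) {
            challenge(response, null);   // RFC 4559: 401 + WWW-Authenticate: Negotiate
            return;
        }
        final byte[] inToken = Base64.getDecoder().decode(auth.substring("Negotiate ".length()));
        Step step;
        try {
            // Run the acceptor with the service credential so JGSS can find the keytab key.
            step = Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Step>() {
                public Step run() throws GSSException {
                    GSSManager manager = GSSManager.getInstance();
                    GSSCredential serverCred = manager.createCredential(null,
                            GSSCredential.DEFAULT_LIFETIME, new Oid(SPNEGO_OID),
                            GSSCredential.ACCEPT_ONLY);
                    GSSContext ctx = manager.createContext(serverCred);
                    byte[] out = ctx.acceptSecContext(inToken, 0, inToken.length);
                    boolean done = ctx.isEstablished();
                    Step s = new Step(done, done ? ctx.getSrcName().toString() : null, out);
                    ctx.dispose();
                    return s;
                }
            });
        } catch (PrivilegedActionException e) {
            // Malformed, expired or replayed token: refuse without echoing mechanism details.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (!step.established) {
            challenge(response, step.token);   // continuation token for a multi-leg client
            return;
        }
        if (step.token != null) {              // mutual-authentication reply for the client
            response.setHeader("WWW-Authenticate",
                    "Negotiate " + Base64.getEncoder().encodeToString(step.token));
        }
        // Cache the verified principal so later requests in the session skip the handshake.
        request.getSession().setAttribute(SESSION_KEY, step.principal);
        chain.doFilter(req, res);
    }

    private static void challenge(HttpServletResponse response, byte[] token) throws IOException {
        String value = token == null ? "Negotiate"
                : "Negotiate " + Base64.getEncoder().encodeToString(token);
        response.setHeader("WWW-Authenticate", value);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    public void destroy() {}
}
```

    Keeping the principal in the session, as Robert suggests, avoids re-running the Kerberos validation on every request; anything downstream should read the identity from that session attribute rather than from the `Authorization` header.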

  • JAAS, JGSS Kerberos  and windows 2000 newbie question

    Hi
    I have set up a Kerberos server on Windows 2000; now I want to write code in Java to authenticate and authorize a user using Kerberos. I know I have to use JAAS and JGSS.
    Is there a how-to document to set up a client machine, like setting up the krb4.ini file and other security files, so I can use Java to authorize and authenticate? I am using j2sdk1.4.2.
    I have the following code
    import org.ietf.jgss.*;

    public class TestGSS {
        static void useGSS() throws GSSException {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
            // Identify who the client wishes to be
            GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
            // Identify the name of the server. This uses a Kerberos specific
            // name format.
            GSSName serverName = manager.createName("krbsvr400/[email protected]",
                    krb5PrincipalNameType);
            System.out.println("server name " + serverName.getStringNameType());
            // Acquire credentials for the user
            GSSCredential userCreds = manager.createCredential(userName,
                    GSSCredential.DEFAULT_LIFETIME,
                    krb5Mechanism,
                    GSSCredential.INITIATE_ONLY);
            // Instantiate and initialize a security context that will be
            // established with the server
            GSSContext context = manager.createContext(serverName,
                    krb5Mechanism,
                    userCreds,
                    GSSContext.DEFAULT_LIFETIME);
        }

        public static void main(String[] args) throws GSSException {
            useGSS();
        }
    }
    and the krb5.ini file looks like below
    [libdefaults]
    default_realm = GL1AMR.PFIZER1.TEST
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
    proxiable = true
    [realms]
    GL1AMR.PFIZER1.TEST = {
    kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
    admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
    default_domain = gl1amr.pfizer1.test
    }
    [domain_realm]
    .gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
    gl1amr.pfizer1.testm = GL1AMR.PFIZER1.TEST
    [login]
    krb4_convert = true
    krb4_get_tickets = true
    I get the following error
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
         at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
    What am I missing?

    My Java file has the code as follows; when I run this code I am getting the following error
    Error
    D:\Ramesh_Dump\KerbersTools>java GSSAPI
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
    at GSSAPI.main(GSSAPI.java:34)
    Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
    JAVA CODE
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.*;
    import java.text.*;

    public class GSSAPI {
        /**
         * @param args
         */
        public static void main(String[] args) {
            Hashtable env = new Hashtable();
            String adminName = "[email protected]";//"[email protected]";
            String adminPassword = "Password12";
            String ldapURL = "ldap://172.20.55.97:389/";
            env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
            //set security credentials: SASL GSSAPI (Kerberos) bind; the simple-bind
            //principal/password settings below are left commented out
            env.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
            //env.put(Context.SECURITY_PRINCIPAL,adminName);
            //env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //env.put("javax.security.sasl.server.authentication","true");
            //connect to my domain controller
            env.put(Context.PROVIDER_URL,ldapURL);
            try {
                //Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env,null);
                //lets get the domain lockout duration policy
                Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
                //System.out.println("test arttr"+attrs.get(""));
                System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
                System.out.println("Duration: " + attrs.get("lockoutDuration").get());
                System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
                long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
                //Create the search controls
                SearchControls searchCtls = new SearchControls();
                //Specify the attributes to return
                String returnedAtts[]={"sn","givenName","mail","lockoutTime"};
                searchCtls.setReturningAttributes(returnedAtts);
                //Specify the search scope
                searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                //Create the correct LDAP search filter
                //Win32 file time is based from 1/1/1601
                //Java date/time is based from 1/1/1970
                /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
                GregorianCalendar Today = new GregorianCalendar();
                long Win32Date = Win32Epoch.getTimeInMillis();
                long TodaysDate = Today.getTimeInMillis();
                long TimeSinceWin32Epoch = TodaysDate - Win32Date;
                long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
                System.out.println("Lockout (Long): " + lockoutDate);*/
                //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
                //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
                String searchFilter = "(objectclass=user)";
                //Specify the Base for the search
                String searchBase = "dc=globalv,dc=com";
                //initialize counter to total the results
                int totalResults = 0;
                //Search for objects using the filter
                NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
                //Loop through the search results
                while (answer.hasMoreElements()) {
                    SearchResult sr = (SearchResult)answer.next();
                    totalResults++;
                    System.out.println(">>>" + sr.getName());
                    // Print out some of the attributes, catch the exception if the attributes have no values
                    attrs = sr.getAttributes();
                    if (attrs != null) {
                        try {
                            System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                            System.out.println(" mail: " + attrs.get("mail").get());
                            System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                            //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                        } catch (NullPointerException e) {
                            System.err.println("Problem listing attributes: " + e);
                        }
                    }
                }
                //System.out.println("Total results: " + totalResults);
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem searching directory: " + e);
            }
        }
    }
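    For both of the posts above (the JGSS `createCredential` call and the JNDI SASL GSSAPI bind), the message "No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)" is what JGSS raises when the calling thread's `Subject` holds no Kerberos ticket: with the default `javax.security.auth.useSubjectCredsOnly=true`, JGSS only looks in the Subject, so the code must run after a JAAS login with `Krb5LoginModule`. The following is an added example, not code from either post: it builds the JAAS configuration in code (equivalent to a `krb5login.conf` entry), logs in, and then runs both the GSS context initiation and the LDAP GSSAPI search inside `Subject.doAs`. Assumptions: Java 8, a krb5 configuration reachable through `-Djava.security.krb5.conf`, an existing ticket cache from `kinit` (so no password is handled by the program), and the `example.test` host, base DN and service principal values, which are placeholders.

```java
// Added example (not from the original posts): JAAS login first, then JGSS and JNDI/GSSAPI
// under Subject.doAs. Host, base DN and SPN below are placeholders, not real values.
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class KerberosClient {
    static final String LDAP_URL = "ldap://dc.example.test:389/";       // placeholder
    static final String SEARCH_BASE = "dc=example,dc=test";             // placeholder
    static final String SERVICE = "ldap/dc.example.test@EXAMPLE.TEST";  // placeholder SPN

    /** JAAS configuration built in code; the same as a krb5login.conf entry for Krb5LoginModule. */
    static Configuration krb5Config() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("useTicketCache", "true");   // reuse the TGT obtained with kinit
                opts.put("doNotPrompt", "true");      // fail instead of prompting for a password
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    /** Logs in; the resulting Subject carries the Kerberos TGT that JGSS will look for. */
    static Subject login() throws Exception {
        LoginContext lc = new LoginContext("KerberosClient", null, null, krb5Config());
        lc.login();
        return lc.getSubject();
    }

    /** JGSS: produce the first context token (AP-REQ) for SERVICE, as the first post tried to. */
    static byte[] initialToken() throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
        Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
        GSSName server = manager.createName(SERVICE, krb5PrincipalNameType);
        // Passing null as the credential makes JGSS take the initiator credential from the Subject.
        GSSContext ctx = manager.createContext(server, krb5Mechanism, null,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // also verify the server, not just prove the client
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        ctx.dispose();
        return token;
    }

    /** JNDI: the SASL GSSAPI bind uses the same Subject credential; no password in env. */
    static int countUsers() throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");   // integrity + confidentiality on the wire
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sAMAccountName"});
            NamingEnumeration<SearchResult> answer =
                    ctx.search(SEARCH_BASE, "(objectClass=user)", sc);
            int n = 0;
            while (answer.hasMore()) { answer.next(); n++; }
            return n;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        Subject subject = login();
        // Everything that needs the ticket runs inside doAs, so JGSS finds it in the Subject.
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                System.out.println("initial token bytes: " + initialToken().length);
                System.out.println("user objects: " + countUsers());
                return null;
            }
        });
    }
}
```

    Setting `-Djavax.security.auth.useSubjectCredsOnly=false` together with a `com.sun.security.jgss.initiate` JAAS entry is the alternative the original WebLogic question relies on; the `Subject.doAs` form above keeps the credential lookup explicit and avoids a silent password prompt when no ticket cache exists.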
