Kerberos authentication fail on ASA 5505 -Decrypt integrity-

Hi,
I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
ASA-Oslo# kerberos mkreq: 0x176
kip_lookup_by_sessID: kip with id 374 not found
alloc_kip 0xd9b9bdf0
    new request 0x176 --> 11 (0xd9b9bdf0)
add_req 0xd9b9bdf0 session 0x176 id 11
In kerberos_build_request
In kerberos_open_connection
In kerberos_send_request
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REQ
Kerberos: Option forwardable
Kerberos: Option renewable
Kerberos: Option renewable accepted
Kerberos: Client Name antonio.torres
Kerberos: Client Realm IBISTIC.LOCAL
Kerberos: Server Name krbtgt
Kerberos: Start time 0
Kerberos: End time -643858960
Kerberos: Renew until time -653409600
Kerberos: Nonce 0x5242a360
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des-cbc-md5
Kerberos: Encryption type des-cbc-crc
Kerberos: Encryption type des-cbc-md4
Kerberos: Encryption type des3-cbc-sha1
Kerberos: Address 10.40.49.1
********** END: KERBEROS PACKET DECODE ************
In kerberos_recv_msg
In kerberos_process_response
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REP
Kerberos: Client Name antonio.torres
Kerberos: Client Realm IBISTIC.LOCAL
********** END: KERBEROS PACKET DECODE ************
Kerberos library reports: "Decrypt integrity check failed"
In kerberos_close_connection
remove_req 0xd9b9bdf0 session 0x176 id 11
free_kip 0xd9b9bdf0
kerberos: work queue empty
I've been looking for documentation about this error but I was not able to figure out what's wrong. I've also already turned off the 'Do not require pre-authentication' account option.
Does someone else also get this error?
Any help will be more than welcome,
Thanks in advance,
Antonio
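The check the ASA is reporting on, as an added example that is not code from the original post, from Cisco, or from the Kerberos library running on the ASA. The decode above shows the client offering rc4-hmac-md5 first; the AS-REP decode does not show which enctype the KDC chose, so rc4-hmac is assumed here. Under RFC 4757 the client derives the account's long-term key from the password it holds (MD4 of the UTF-16LE password, with no salt), RC4-decrypts the AS-REP enc-part, and recomputes an HMAC-MD5 checksum over the recovered plaintext; "Decrypt integrity check failed" is the verdict when that checksum does not match, which means the key the ASA derived is not the key the KDC used (a different password, or a different string-to-key rule for the enctype the KDC actually picked). The same verification is behind the "Integrity check on decrypted field failed" message in the NetWeaver post further down this page. Two caveats a practitioner would want: the trace shows the first AS-REQ being answered directly with an AS-REP rather than a pre-authentication-required error, which is what happens when an account does not require pre-authentication, and in that state anyone can obtain the enc-part and run the identical verdict loop offline against password guesses (`guess_as_rep_password` below does exactly that); and the AS-REQ also advertises the single-DES enctypes, which current KDCs disable by default. Passwords and the enc-part body are constructed; MD4 is written out because OpenSSL 3 only ships it as a legacy algorithm.

```python
# Added example (not from the original post, Cisco, or the ASA's Kerberos library):
# RFC 4757 rc4-hmac, as applied to an AS-REP enc-part, in pure Python.
# No network, no real KDC; passwords and the enc-part body are constructed.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_AS_REP_ENC_PART = 3   # RFC 4120 key usage number for the AS-REP enc-part


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320); written out because OpenSSL 3 ships it only as a legacy algorithm."""
    F = lambda x, y, z: ((x & y) | (~x & z)) & MASK
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 of the UTF-16LE password (the NT hash); no salt, no iterations."""
    return md4(password.encode("utf-16le"))


def _usage_bytes(usage: int) -> bytes:
    # RFC 4757 substitutes 8 for usage 3 and 13 for usage 23 before deriving K1.
    return struct.pack("<I", {3: 8, 23: 13}.get(usage, usage))


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    k1 = hmac.new(key, _usage_bytes(usage), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Decrypt, then verify the checksum over the recovered plaintext;
    the mismatch is what a client reports as an integrity check failure."""
    checksum, body = ciphertext[:16], ciphertext[16:]
    k1 = hmac.new(key, _usage_bytes(usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, body)
    if not hmac.compare_digest(checksum, hmac.new(k1, plain, hashlib.md5).digest()):
        raise ValueError("Decrypt integrity check failed")
    return plain[8:]   # drop the 8-byte confounder


def seal_as_rep(account_password: str) -> bytes:
    """KDC side: seal the enc-part under the account's long-term key.
    The body is a constructed stand-in, not DER-encoded EncASRepPart."""
    enc_part = b"EncASRepPart{session-key,nonce,endtime}"
    key = rc4_hmac_string_to_key(account_password)
    return rc4_hmac_encrypt(key, KEY_USAGE_AS_REP_ENC_PART, enc_part, os.urandom(8))


def client_verdict(sealed: bytes, client_password: str) -> str:
    """Client side (what the ASA does after kerberos_process_response): derive the key
    from the password it was given and try to open the enc-part."""
    try:
        rc4_hmac_decrypt(rc4_hmac_string_to_key(client_password), KEY_USAGE_AS_REP_ENC_PART, sealed)
        return "ok"
    except ValueError as err:
        return str(err)


def guess_as_rep_password(sealed: bytes, candidates):
    """The same verdict loop run offline over guesses; this is why an AS-REP that a
    KDC hands out without pre-authentication is a credential-cracking target."""
    for pw in candidates:
        if client_verdict(sealed, pw) == "ok":
            return pw
    return None
```

`client_verdict(seal_as_rep("Winter2013!"), "winter2013!")` returns the string the ASA logged, and the same call with the matching password returns "ok"; the confounder is random on each seal, so the ciphertext differs every run while the verdict does not. If the KDC picked an AES enctype instead, the string-to-key would be PBKDF2 with a salt derived from the realm and principal, so a wrong salt fails this check exactly as a wrong password does.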


Similar Messages

  • Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

    We use exchange 2010 SP2.
    We have 2 management stations, both w2k8 R2 SP1.
    I have one management station on which the emc and ems work ok.
    On the other management station (which is also in another ad site) the emc and ems don't work.
    I get the following error message : The attempt to connect to
    http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    I have checked the time on the management station and on the exchange server and this is ok.
    It is not a permissions issue because the user functions ok on the other management station.
    On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
    What am I doing wrong?
    Anyone any tips?
    Thanks,
    JB 

    This is what I get in the eventlog of the bad management station.
    Log Name:      MSExchange Management
    Source:        MSExchange CmdletLogs
    Date:          1/10/2012 11:39:27
    Event ID:      6
    Task Category: (1)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server.domain.com
    Description:
    The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    Get-ExchangeServer
    {Identity=Servername}
    Domain/ou/ou/ou/ou/username
    Exchange Management Console-Local
    3080
    22
    00:00:00.3593888
    View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
    Context
    the message resource is present but the message is not found in the string/message table
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchange CmdletLogs" />
        <EventID Qualifiers="49152">6</EventID>
        <Level>2</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
        <EventRecordID>11</EventRecordID>
        <Channel>MSExchange Management</Channel>
        <Computer>FQDN MGMT STATION</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Get-ExchangeServer</Data>
        <Data>{Identity=MGMT STATION}</Data>
        <Data>domain/ou/ou/ou/ou/username</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>Exchange Management Console-Local</Data>
        <Data>3080</Data>
        <Data>
        </Data>
        <Data>22</Data>
        <Data>00:00:00.3593888</Data>
        <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
        <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
        <Data>Context</Data>
        <Data>
        </Data>
      </EventData>
    </Event>

  • Remote PowerShell Connection to Lync Server With Kerberos authentication Fails

    Hi everyone ,
    Remote PowerShell to Lync Server With Kerberos authentication Fails .. Is there any reason for not being able to connect when authentication specified as Kerberos . But exactly same code works when Authentication is specified as "Negotiate"
    E.g :
    Error -
    $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
    [serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in
    the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify
    that the client computer and the destination computer are joined to a domain.To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by
    server:   Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionOpenFailed
    Works  -
    $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate

    Hi,
    Please double check if Windows Update is the latest version, if not, please update and then test again.
    Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Exchange Management Console couldn't start with Kerberos authentication failed

    When I was making changes to Client Access\owa settings, changing from Basic authentication to Form authentication (upn name) then changed to Basic again. It was ok after changing to Form authentication but moments after changing back to Basic, I could
    no longer access owa (blank page with one vertical line) and in Exchange Management Console, I got "Initialization failed" - The following error occurred while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
    The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannot process
    the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
    I tried the troubleshooting tool from Exchange team blog:
    http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It give 3 possible causes for this error: 1. WSMan module entry is missing from global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. Kerbauth module shows
    up as Managed module or has been loaded in the Default Web Site Level; 3. The Path of the Powershell virtual directory has been modified.
    I checked carefully, all the 3 causes do not apply to my situation as WSman entry is in order, the Kerbauth is native and local and the path of Powershell virtual directory is correct.
    I find that in Application log, there are Event 2297 and 2307 dumped at the time of failure:
    The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config',
    line number '2'. The data field contains the error code.
    Help is very much appreciated.
    Valuable skills are not learned, learned skills aren't valuable.

    Unfortunately, all the links you provided didn't help.
    The first link contains 3 methods:1 Removing WinRM feature and reinstalling. 2 Rename the web.config file in location C:\inetpub\wwwroot 3 Have you installed Microsoft Dynamics CRM 4. I?
    As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config however is found many times in .netframework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
    The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when I open Exchange Management Shell, I get this error: [sgp.ex1.mydomain.com] connecting to remote server
    failed with the following error message: The WinRM client cannot process the request, it cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more
    information, see the about_Remote_Troubleshooting Help topic.
    I do not think the user is not remote powershell enabled because the problem happened suddenly, while I was making changes to Authentication settings of OWA(default) in Client Access in Exchange Management Console. If the user account is not remote powershell
    enabled, then I couldn't even connect to EMC in the first place.
    The last link didn't help because I could open up modules under PowerShell virtual directory in IIS.
    I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config not well-formed XML, that might be a clue.
    In the event id 2307 this is the message:
    The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML
    ' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'.  The data field contains the error code.
    Valuable skills are not learned, learned skills aren't valuable.

  • "Kerberos" authentication failed while trying to access EMC or EMS

    Salam,
    I have successfully installed Exchange 2010 SP1 in a transitional environment, the installation went smoothly without any problem and I've done most of the transitioning configuration from Exchange Server 2003 to Exchange Server 2010.
    Currently we're in the process of moving the mailboxes, but I've come across a problem recently which stopped all my work and I can no longer commence with this transition unless its solved.
    Sometimes when I try to access EMC or EMS I get the hereunder error:
    The following error occurred while attempting to connect to the specified Exchange server 'afhmail.arabfinancehouse.com.lb':
    The attempt to connect to http://afhmail.arabfinancehouse.com.lb/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed
    with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
    I've read most of the articles found on the internet including
    http://msexchangeteam.com/archive/2010/02/04/453946.aspx to try to troubleshoot this problem but nothing has worked so far, I tried removing Win RM IIS extensions as well then adding them again with a restart and nothing. I tried the Kerbauth dll removal
    also, nothing, and the problem keeps occurring and the situation is not stable.
    Also I read in a KB article somewhere that if we have multiple domain controllers a single domain controller should be assigned on the Exchange Server (Organization Configuration, Server Configuration, Recipient Configuration) so I assigned the PDC to be selected
    by those configurations at startup, yet I am still facing the same problem.
    Again I emphasise that the problem comes and goes, at one time I can access EMS and at another it just gives me the Kerberos error.
    Thank you very much in advance,
    Kindest Regards.
    Abdullah Abdullah

    Hi Abdullah,
    Can you open the EMS?
    If yes, please run the WinRM QC and post the results here.
    If possible, please use another admin's account to log on to Exchange to try to open EMC.
    Frank Wang
    TechNet Subscriber Support
    in forum
    If you have any feedback on our support, please contact
    [email protected]
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Kerberos Authentication fails two hours before TGT expires

    Hi,
    We have implemented a Single Sign On solution based on Kerberos and the Java GSS-API. The implementation pretty much follows the
    examples given in the JAAS Tutorials. It is now running
    in my company and it works fine except until there are less than two hours until your TGT expires. Then an exception is thrown
    in the call to InitSecContext with the error "No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE
    credentials failed! (null))". Here is a transcript of the debug output:
    Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    KinitOptions cache name is C:\Documents and Settings\PWL\krb5cc_pwl
    Acquire default native Credentials
    Obtained TGT from LSA: Credentials:
    [email protected]
    server=krbtgt/[email protected]
    authTime=20061024024852Z
    startTime=20061024024852Z
    endTime=20061024124852Z
    renewTill=20061031024852Z
    flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
    EType (int): 23
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 3 1 23 16 17.
    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    KrbKdcReq send: kdc=dc2 UDP:88, timeout=30000, number of retries =3, #bytes=1307
    KDCCommunication: kdc=dc2 UDP:88, timeout=30000,Attempt =1, #bytes=1307
    KrbKdcReq send: #bytes read=1292
    KrbKdcReq send: #bytes read=1292
    EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    Ticket could not be renewed : Message stream modified (41)
    Principal is null
    null credentials from Ticket Cache
              [Krb5LoginModule] authentication failed
    Unable to obtain Princpal Name for authentication
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
         at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Unknown Source)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
         at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
         at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
         at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
         at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
         at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
         at com.maconomy.gss.MKerberosSingleLoginCredentials.getTicket(MKerberosSingleLoginCredentials.java:102)
         at com.maconomy.gss.MKerberosSingleLoginCredentials.getTicket(MKerberosSingleLoginCredentials.java:30)
         at com.maconomy.client.portal.SingleLoginApplet$SingleLoginThread.run(SingleLoginApplet.java:97)
    Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
         at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
         at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at javax.security.auth.login.LoginContext.invoke(Unknown Source)
         at javax.security.auth.login.LoginContext.access$000(Unknown Source)
         at javax.security.auth.login.LoginContext$4.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
         at javax.security.auth.login.LoginContext.login(Unknown Source)
         at sun.security.jgss.LoginUtility.login(Unknown Source)
         at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Unknown Source)
         at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
          ... 13 more
    I've also used the Klist (Microsoft) tool to get information about the tickets and the information about the TGT looks like this:
    Cached TGT:
    ServiceName: krbtgt
    TargetName: krbtgt
    FullServiceName: pwl
    DomainName: MACONOMY.COM
    TargetDomainName: MACONOMY.COM
    AltTargetDomainName: MACONOMY.COM
    TicketFlags: 0x40e00000
    KeyExpirationTime: 1/1/1601 2:00:00
    StartTime: 10/24/2006 5:48:52
    EndTime: 10/24/2006 15:48:52
    RenewUntil: 10/31/2006 5:48:52
    TimeSkew: 1/1/1601 2:00:00
    Now we also have a C implementation we use for our native Windows client, which uses the Microsoft version of GSS (SSPI),
    and it works fine, so the problem must be connected to the Java implementation. I've used Ethereal to find out what happens
    when login fails and I can see that two requests are sent to the KDC and that the last one is a request for the renewal of the TGT.
    The replies from the KDC look fine and don't contain any error messages.
    If anyone has an idea as to what is causing this problem I would be very grateful. I should mention that the KDC is Active Directory
    running on a Windows 2003 server, and that we use JRE version 1.5_08. We haven't changed the default parameters in AD, so the default life time for a TGT is 10 hours.
    Message was edited by:
    peter_waern
    Message was edited by:
    peter_waern stack traces updated
    peter_waern

    Hi again,
    In connection with changing from daylight saving time I found out some more about this problem.
    It seems like the Java interpretation of the TGT expiration time is dependent on the time zone of the client computer.
    I set up my Active Directory to have a service ticket lifetime of 4 hours and then tried to change the
    time zone on my client computer with the following results:
    GMT+01:00
    TGT information from klist.exe:
    ServiceName: krbtgt
    TargetName: krbtgt
    FullServiceName: pwaern
    DomainName: EXAMPLE.MAC
    TargetDomainName: EXAMPLE.MAC
    AltTargetDomainName: EXAMPLE.MAC
    TicketFlags: 0xe00000
    KeyExpirationTime: 1/1/1601 1:00:00
    StartTime: 11/1/2006 10:20:22
    EndTime: 11/1/2006 14:20:22
    RenewUntil: 11/8/2006 10:20:22
    TimeSkew: 1/1/1601 1:00:00
    Java debug output:
    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    KinitOptions cache name is C:\Documents and Settings\pwaern\krb5cc_pwaern
    Acquire default native Credentials
    Obtained TGT from LSA: Credentials:
    [email protected]
    server=krbtgt/[email protected]
    authTime=20061101082022Z
    startTime=20061101082022Z
    endTime=20061101122022Z
    renewTill=20061108082022Z
    flags: RENEWABLE;INITIAL;PRE-AUTHENT
    EType (int): 3
    Principal is [email protected]
    Commit Succeeded
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Wed Nov 01 13:20:22 CET 2006
    GMT+03:30
    TGT information from klist.exe:
    ServiceName: krbtgt
    TargetName: krbtgt
    FullServiceName: pwaern
    DomainName: EXAMPLE.MAC
    TargetDomainName: EXAMPLE.MAC
    AltTargetDomainName: EXAMPLE.MAC
    TicketFlags: 0xe00000
    KeyExpirationTime: 1/1/1601 3:30:00
    StartTime: 11/1/2006 12:41:02
    EndTime: 11/1/2006 16:41:02
    RenewUntil: 11/8/2006 12:41:02
    TimeSkew: 1/1/1601 3:30:00
    Java debug output:
    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    KinitOptions cache name is C:\Documents and Settings\pwaern\krb5cc_pwaern
    Acquire default native Credentials
    Obtained TGT from LSA: Credentials:
    [email protected]
    server=krbtgt/[email protected]
    authTime=20061101054102Z
    startTime=20061101054102Z
    endTime=20061101094102Z
    renewTill=20061108054102Z
    flags: RENEWABLE;INITIAL;PRE-AUTHENT
    EType (int): 3
    Principal is [email protected]
    Commit Succeeded
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Wed Nov 01 13:11:02 IRST 2006
    GMT-08:00
    TGT information from klist.exe:
    ServiceName: krbtgt
    TargetName: krbtgt
    FullServiceName: pwaern
    DomainName: EXAMPLE.MAC
    TargetDomainName: EXAMPLE.MAC
    AltTargetDomainName: EXAMPLE.MAC
    TicketFlags: 0xe00000
    KeyExpirationTime: 0/41/4 0:00:10776
    StartTime: 11/1/2006 1:16:56
    EndTime: 11/1/2006 5:16:56
    RenewUntil: 11/8/2006 1:16:56
    TimeSkew: 11/8/2006 1:16:56
    Java debug output:
    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    KinitOptions cache name is C:\Documents and Settings\pwaern\krb5cc_pwaernAcquire default native Credentials
    Obtained TGT from LSA: Credentials:
    [email protected]
    server=krbtgt/[email protected]
    authTime=20061101171759Z
    startTime=20061101171759Z
    endTime=20061101181759Z
    renewTill=20061108171656Z
    flags: RENEWABLE;PRE-AUTHENT
    EType (int): 3
    Principal is [email protected]
    Commit Succeeded
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Wed Nov 01 10:17:59 PST 2006
    As you can see the expiration time found by the Java application is highly dependent on the time zone.
    I should add that if you are at GMT the Java expiration time matches the one from klist.exe.
    So clearly there is a problem somewhere.
    The question is whether it is something in my setup or it is a bug in either Active Directory or Java. Can anyone help?
    Thanks,
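The discrepancy in the three captures above, reworked as an added example that is not code from the original post or from the JDK. A KerberosTime is an ASN.1 GeneralizedTime that RFC 4120 requires to be in UTC with a trailing `Z`, so it must be parsed as an aware UTC value and never as the machine's local time; klist.exe prints the same instants in the local zone. Comparing the klist EndTime (converted properly) with the endTime the Java side printed gives a difference of exactly one zone offset in each capture: 1 h, 3 h 30 min and -8 h. That is the signature of a time that is already UTC being treated as local and "converted to UTC" a second time, which `double_converted` reproduces from the posted numbers. A client that does this believes its TGT expires one zone offset earlier than it really does and starts trying to renew while the KDC still considers the ticket valid. For the GMT-08:00 capture the RenewUntil/renewTill pair is used, because that capture's authTime is a minute later than klist's StartTime, so it is a different ticket and its end times are not comparable.

```python
# Added example (not from the original post or the JDK): KerberosTime handling,
# and a reproduction of the klist-versus-Java discrepancy from the values quoted
# above by applying the zone offset to a time that is already UTC.
from datetime import datetime, timedelta, timezone


def kerberos_time(gt: str) -> datetime:
    """Parse a KerberosTime (RFC 4120 5.2.3: GeneralizedTime 'YYYYMMDDhhmmssZ') as aware UTC."""
    if len(gt) != 15 or not gt.endswith("Z"):
        raise ValueError("KerberosTime must be 14 digits followed by 'Z'")
    return datetime.strptime(gt, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def klist_local_time(text: str, utc_offset: timedelta) -> datetime:
    """Parse a klist.exe timestamp ('M/D/YYYY H:MM:SS', shown in the machine's local zone) to UTC."""
    local = datetime.strptime(text, "%m/%d/%Y %H:%M:%S")
    return local.replace(tzinfo=timezone(utc_offset)).astimezone(timezone.utc)


def double_converted(already_utc: datetime, utc_offset: timedelta) -> datetime:
    """The error pattern: treat a time that is already UTC as local and 'convert' it again."""
    return already_utc - utc_offset


def expiry_skew(klist_text: str, java_time: str, utc_offset: timedelta) -> timedelta:
    """Real expiry (from klist, converted properly) minus the expiry the Java side printed."""
    return klist_local_time(klist_text, utc_offset) - kerberos_time(java_time)


# (zone offset, klist value, Java value) as quoted in the post. For GMT-08:00 the
# RenewUntil/renewTill pair is used: that capture is a different ticket (its authTime
# is a minute later than klist's StartTime), so its end times are not comparable.
POSTED_CASES = [
    (timedelta(hours=1), "11/1/2006 14:20:22", "20061101122022Z"),
    (timedelta(hours=3, minutes=30), "11/1/2006 16:41:02", "20061101094102Z"),
    (timedelta(hours=-8), "11/8/2006 1:16:56", "20061108171656Z"),
]


def posted_skews_seconds():
    """The three discrepancies in seconds: 3600, 12600 and -28800, one zone offset each."""
    return [expiry_skew(k, j, off).total_seconds() for off, k, j in POSTED_CASES]


def skew_is_the_zone_offset() -> bool:
    """True when every discrepancy equals the local offset, i.e. the UTC time was converted twice."""
    return all(expiry_skew(k, j, off) == off for off, k, j in POSTED_CASES)


def double_conversion_reproduces_java() -> bool:
    """Applying the error pattern to the correctly converted klist value yields Java's value."""
    return all(double_converted(klist_local_time(k, off), off) == kerberos_time(j)
               for off, k, j in POSTED_CASES)


def seconds_until_expiry(now_utc: datetime, end_time: str) -> float:
    """Correct lifetime check: aware UTC on both sides, independent of the machine's zone."""
    return (kerberos_time(end_time) - now_utc).total_seconds()
```

`seconds_until_expiry` is the shape a lifetime check should take: both operands carry `tzinfo`, so the result is the same whatever zone the workstation is set to, and a naive `datetime` (which Python would refuse to subtract from an aware one) cannot slip in.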

  • Server log having multiple Kerberos Authentication failed events

    In my Windows server log I can see so many Kerberos Authentication failure Events, Could you please explain why this is happening and how to resolve this?

    Hello Friend,
    here is the log
    Time of Day     Name                                                          Source Country   Destination IP   Destination Country   Destination Port   Event Count
    2014-12-10 09   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       2
    2014-12-10 08   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       6
    2014-12-10 08   4768: A Kerberos Authentication Ticket (tgt) Was Requested    N/A              Not Reported     N/A                   Not Reported       2
    2014-12-10 08   4771: Kerberos Pre-authentication Failed                      N/A              Not Reported     N/A                   Not Reported       2
    2014-12-10 07   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       14
    2014-12-10 07   4768: A Kerberos Authentication Ticket (tgt) Was Requested    N/A              Not Reported     N/A                   Not Reported       1
    2014-12-10 06   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       12
    2014-12-10 06   4768: A Kerberos Authentication Ticket (tgt) Was Requested    N/A              Not Reported     N/A                   Not Reported       2
    2014-12-10 05   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       16
    2014-12-10 05   4768: A Kerberos Authentication Ticket (tgt) Was Requested    N/A              Not Reported     N/A                   Not Reported       1
    2014-12-10 04   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       22
    2014-12-10 03   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       8
    2014-12-10 03   4768: A Kerberos Authentication Ticket (tgt) Was Requested    N/A              Not Reported     N/A                   Not Reported       1
    2014-12-10 02   4624: An Account Was Successfully Logged On                   N/A              0.0.0.0          N/A                   Not Reported       11
    2014-12-10 02   4768: A Kerberos Authentication Ticket (tgt) Was Requested    N/A              Not Reported     N/A                   Not Reported       4
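A triage pass over the summary above, as an added example that is not part of the original thread. In that summary 4768 is a TGT request (the AS exchange succeeding on the KDC), 4771 is the KDC rejecting the AS-REQ's pre-authentication, and 4624 is a successful logon; the only actual failures listed are two 4771 events in the 08:00 hour. The summary has stripped the fields that make a 4771 actionable, which live in the full event: Account Name, Client Address and Failure Code (an RFC 4120 error number: 0x18 is a wrong password, 0x12 a disabled, expired or locked-out account, 0x25 clock skew). The code parses the flattened dump, finds the hours with pre-authentication failures, and then, over constructed full 4771 records (sample data, not from the poster's server), groups wrong-password failures by client address, which is the split a practitioner wants: one host touching several accounts is the password-spraying pattern, while repeated failures on one account from one host is usually a mistyped or stale saved credential.

```python
# Added example (not part of the original thread): triage of the hourly summary
# pasted above and of the fields a full 4771 event carries that the summary drops.
# The 4771 records at the bottom are constructed sample data.
from collections import Counter, defaultdict

SUMMARY_FIELDS = ("time", "name", "src_country", "dst_ip", "dst_country", "dst_port", "count")

# The first four rows of the poster's summary, one field per line exactly as pasted.
POSTED_SUMMARY = """\
2014-12-10 09
4624: An Account Was Successfully Logged On
N/A
0.0.0.0
N/A
Not Reported
2
2014-12-10 08
4624: An Account Was Successfully Logged On
N/A
0.0.0.0
N/A
Not Reported
6
2014-12-10 08
4768: A Kerberos Authentication Ticket (tgt) Was Requested
N/A
Not Reported
N/A
Not Reported
2
2014-12-10 08
4771: Kerberos Pre-authentication Failed
N/A
Not Reported
N/A
Not Reported
2
"""

# RFC 4120 error codes as they appear in the Failure Code field of event 4771.
PREAUTH_FAILURE_CODES = {
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}


def parse_summary(text: str):
    """Rebuild the 7-column rows from the one-field-per-line dump."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % len(SUMMARY_FIELDS):
        raise ValueError("summary is not a whole number of rows")
    rows = []
    for i in range(0, len(lines), len(SUMMARY_FIELDS)):
        row = dict(zip(SUMMARY_FIELDS, lines[i:i + len(SUMMARY_FIELDS)]))
        row["event_id"] = int(row["name"].split(":", 1)[0])   # "4771: ..." -> 4771
        row["count"] = int(row["count"])
        rows.append(row)
    return rows


def counts_by_hour(rows):
    """{hour: Counter({event_id: total})}, so each hour's 4768/4771 mix is visible at a glance."""
    out = defaultdict(Counter)
    for r in rows:
        out[r["time"]][r["event_id"]] += r["count"]
    return dict(out)


def hours_with_preauth_failures(rows):
    return sorted(h for h, c in counts_by_hour(rows).items() if c[4771] > 0)


def describe_failure(code: int) -> str:
    return PREAUTH_FAILURE_CODES.get(code, f"unknown failure code 0x{code:x}")


# Constructed full 4771 records with the fields the summary dropped.
SAMPLE_4771 = [
    {"account": "jsmith",  "client_address": "10.1.2.30", "failure_code": 0x18},
    {"account": "jsmith",  "client_address": "10.1.2.30", "failure_code": 0x18},
    {"account": "mjones",  "client_address": "10.1.2.30", "failure_code": 0x18},
    {"account": "svc_bak", "client_address": "10.1.9.7",  "failure_code": 0x25},
    {"account": "old_usr", "client_address": "10.1.2.30", "failure_code": 0x12},
]


def password_guess_sources(events, threshold: int = 3):
    """Client addresses with at least `threshold` wrong-password (0x18) failures, with the
    distinct accounts tried. Several accounts from one host is the spraying pattern;
    one account repeatedly is a brute force or a stale saved credential."""
    per_host = defaultdict(set)
    fails = Counter()
    for e in events:
        if e["failure_code"] == 0x18:
            fails[e["client_address"]] += 1
            per_host[e["client_address"]].add(e["account"])
    return {h: sorted(per_host[h]) for h, n in fails.items() if n >= threshold}
```

On the poster's data `hours_with_preauth_failures` returns only `["2014-12-10 08"]`, which is two failures against a background of dozens of successful logons and TGT requests; without the Account Name, Client Address and Failure Code from the full events there is nothing further to conclude from the summary alone.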

  • EMC won't open. kerberos authentication failed. After SP3 update

    Sorry for the long story but please read and help me out.
    I have just upgraded Exchange 2010 from SP1 to SP3.  I have two Exchange servers both running Windows Server 2008 R2 and both are VMs on VMWare ESXi 5, one has the CAS role and the other has the Hub and Mailbox Role.  Had problems during the upgrade
    process.  I upgraded the schema and the CAS server first and they were fine.  The Hub/Mailbox server had a problem stopping Exchange services and i had to remove VMWare Tools and reboot the server, this then broke the MBR and i had to restore the
    server from a backup i took before the start of the upgrade process.  After the restore of the Hub/Mailbox server Exchange came back up fine with the CAS on SP3 and Hub/Mailbox on SP1.  So i started the upgrade process again on the Hub/Mailbox server
    and it gave errors about Powershell on the Hub Transport upgrade task.  I followed these guides to fix the problem and enabled me to install SP3 on the server:
    Click    Click
    Also followed another guide that i can't find the link to telling me to remove the PowerShell and PowerShell-Proxy from IIS on the CAS server.  This enabled the install of SP3 on the Hub/Mailbox server and Exchange has come up and is working fine.
    However when i try and open the EMC or EMS on the CAS server i receive the following error:
    I assume it's to do with the missing PowerShell and PowerShell-Proxy from IIS on the CAS server.  I have tried recreating the PowerShell and Powershell-Proxy on the CAS server in IIS using the same settings as on the Hub/Mailbox server, but that hasn't
    worked as i guess the registry and AD objects are now missing too.  I really need to get this working as a third party Email archive system uses the CAS server to change Exchange settings and that isn't working now.
    Thanks

    Please check this.
    http://technet.microsoft.com/en-in/library/dd351136%28en-us%29.aspx
    Make sure all the prerequisites are installed as per :
    http://technet.microsoft.com/hi-in/library/bb691354(en-us).aspx
    1. Make sure IIS WinRM extension is installed
    2. open powershell and run command : WinRM Quickconfig
    3. Open IIS go to Powershell virtual directory and check that SSL is disabled and authentication is set only to Anonymous
    4. Open Windows powershell modules
    5. run Remove-PowershellVirtualDirectory command
    6. run New-PowerShellVirtualDirectory command
    7. IISreset
    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • Question about Java GSS-Kerberos authentication

    Hi,
    I am new to GSS API. I have a client requirement to use Java GSS Kerberos Authentication instead of using IIS for Integrated Windows Authentication. In IWA, the IE browser automatically picks up the logged-in windows user credentials and passes it to IIS, which authenticates you against Active Directory and returns SUCCESS.
    We are planning to write a Servlet/JSP code on Apache Tomcat on Solaris 10, which uses Java GSS API to do Kerberos Authentication and return SUCCESS to the user. When I look at the examples:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html#RunAc
    it says:
    "You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message: Authentication succeeded!"
    Does this mean that in Kerberos Authentication using Java GSS API, the user will have to enter his windows credentials for authentication? Is there a way for the credentials to be passed from Windows automatically to the API, without user intervention?
    Any links detailing the procedure would be of great help.
    Thanks,
    shetty2k

    We are having a similar requirement on our end. To make the situation worse I do not even have an idea about an approach.
    What are the ways that we can use Windows credentials to authenticate against IIS with Tomcat?
    any help is greatly appreciated.
    R.
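Both posts above ask the same thing: how the browser's Windows logon reaches a GSS-API service without a prompt. The answer is that the browser sends it as a SPNEGO token in an "Authorization: Negotiate <base64>" header (after the server answers 401 with "WWW-Authenticate: Negotiate"), and the server side of the Java GSS API (acceptSecContext, with a JAAS Krb5LoginModule configured with useKeyTab, storeKey and isInitiator=false) unwraps it from a keytab; the password prompt in the Sun tutorial only appears because that sample logs the initiator in interactively instead of using a ticket cache or keytab. Before wiring the Java side up it helps to see what the browser actually sent, because a client that could not get a ticket for the HTTP/<host> SPN silently falls back to NTLM inside the same header. The Python below is an added example, not code from either post or from the Java GSS API; it decodes the RFC 2743 framing and the SPNEGO mechanism list from sample headers that the block builds itself (the inner payloads are dummy bytes, not real tickets).

```python
import base64

# Mechanism OIDs in dotted form; the IBM JGSS log elsewhere on this page reports the Krb5 one
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _read_len(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def _encode_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = bytearray([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def _spnego_mech_types(inner):
    """Walk NegTokenInit ([0] SEQUENCE { [0] SEQUENCE OF OID ... }) and list the OIDs."""
    pos = 0
    for expected in (0xA0, 0x30, 0xA0):
        if inner[pos] != expected:
            return []
        _, pos = _read_len(inner, pos + 1)
    if inner[pos] != 0x30:
        return []
    n, pos = _read_len(inner, pos + 1)
    end, oids = pos + n, []
    while pos < end and inner[pos] == 0x06:
        n, pos = _read_len(inner, pos + 1)
        oids.append(_decode_oid(inner[pos:pos + n]))
        pos += n
    return oids


def describe_negotiate_token(header_value):
    """Classify the token carried in 'Authorization: Negotiate <base64>'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):          # raw NTLM sent under the Negotiate scheme
        return {"mech": "ntlm-raw", "mech_types": []}
    if tok[0] != 0x60:                           # RFC 2743 InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    _, pos = _read_len(tok, 1)
    if tok[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    n, pos = _read_len(tok, pos + 1)
    mech, inner = _decode_oid(tok[pos:pos + n]), tok[pos + n:]
    types = _spnego_mech_types(inner) if mech == SPNEGO_OID else []
    return {"mech": mech, "mech_types": types}


def negotiated_family(info):
    """'kerberos' if the client leads with Kerberos, 'ntlm' if it fell back
    (usually: no ticket obtainable for the HTTP/<host> SPN), else 'unknown'."""
    lead = info["mech"]
    if lead == SPNEGO_OID and info["mech_types"]:
        lead = info["mech_types"][0]
    if lead in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if lead in (NTLMSSP_OID, "ntlm-raw"):
        return "ntlm"
    return "unknown"


def sample_header(kind):
    """Constructed sample headers for the demo (dummy payloads, not real tickets)."""
    if kind == "spnego-krb5":
        mechs = [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]
    elif kind == "spnego-ntlm":
        mechs = [NTLMSSP_OID]
    elif kind == "raw-krb5":
        tok = _der(0x60, _der(0x06, _encode_oid(KRB5_OID)) + b"\x01\x00" + b"\x00" * 8)
        return "Negotiate " + base64.b64encode(tok).decode()
    else:
        return "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
    mech_list = _der(0x30, b"".join(_der(0x06, _encode_oid(o)) for o in mechs))
    init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, b"\x00" * 8)))
    tok = _der(0x60, _der(0x06, _encode_oid(SPNEGO_OID)) + _der(0xA0, init))
    return "Negotiate " + base64.b64encode(tok).decode()
```

Feed describe_negotiate_token the header value Tomcat hands the servlet; if negotiated_family returns "ntlm", the problem is on the client/KDC side (missing or duplicate SPN, host not in the Intranet zone) and no amount of GSS-API code on the server will see a Kerberos ticket.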

  • Kerberos Authentication: "Integrity check on decrypted field failed"

    Hi,
    I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
    Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
    The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
    Has anyone else had this error & what causes it?
    Many thanks in advance.
    Regards
    Jane
    Full error text:
    JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
    JGSS_DBG_CRED getCred: only one cred, returning it
    JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
    JGSS_DBG_CRED Krb5 name type = 0
    JGSS_DBG_CTX Creating context, cred usage = 2
    GSS Context created
    JGSS_DBG_UNMARSH Real token len 1641
    JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
    JGSS_DBG_UNMARSH inner token len 1630
    JGSS_DBG_PROV getFactory: index = 0 found factory
    JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
    JGSS_DBG_PROV 1.2.840.113554.1.2.2
    JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
    JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
    JGSS_DBG_CTX Default list of negotiable mechs:
    1.2.840.113554.1.2.2
    JGSS_DBG_CTX ticket enc type = des-cbc-md5
    com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
    at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
    at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
    at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
    at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:215)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    JGSS_DBG_CTX Error authenticating request. Reporting to client
    Major code = 11, Minor code = 31
    org.ietf.jgss.GSSException, major code: 11, minor code: 31
    major string: General failure, unspecified at GSSAPI level
    minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed

    Hi Désirée,
    Yes the service user has "Use DES encryption" set.
    In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
    Regards
    Jane
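The fix Jane reports (a new password and a freshly generated keytab) is what you would expect when status code 31 (KRB_AP_ERR_BAD_INTEGRITY, "Integrity check on decrypted field failed") comes from the accepting side: the KDC encrypted the service ticket with the account's current key and the keytab holds a different one (old password, stale kvno, or an enctype the account no longer uses). A quick check before regenerating anything is to read what the keytab actually contains and compare it with the account. The Python below is an added example, not part of the thread or of the SAP SPNEGO wizard: it parses the MIT/Heimdal keytab format and runs that comparison against constructed sample data (the keytab bytes, the key material, the AD kvno values and the enctype sets are all made up for the demo; read the real kvno from the account's msDS-KeyVersionNumber attribute).

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757); 3 is the des-cbc-md5 from the log above
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}


def parse_keytab(data):
    """Parse a version-2 keytab (magic 0x05 0x02) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size == 0:
            break
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        e, p = data[pos:pos + size], 0
        ncomp, realm_len = struct.unpack(">HH", e[p:p + 4]); p += 4
        realm = e[p:p + realm_len].decode(); p += realm_len
        comps = []
        for _ in range(ncomp):
            (n,) = struct.unpack(">H", e[p:p + 2]); p += 2
            comps.append(e[p:p + n].decode()); p += n
        name_type, timestamp, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype, keylen = struct.unpack(">HH", e[p:p + 4]); p += 4
        key = e[p:p + keylen]; p += keylen
        vno = vno8
        if size - p >= 4:                  # optional 32-bit kvno overrides the 8-bit field
            vno = struct.unpack(">I", e[p:p + 4])[0]
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype_id": enctype,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key_len": len(key), "timestamp": timestamp})
        pos += size
    return entries


def build_keytab(entries):
    """Constructed sample keytab for the demo: (principal, kvno, enctype, key) tuples.
    The key bytes are dummies, not real Kerberos keys."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def check_keytab_against_ad(entries, ad_kvno, ad_allowed_enctypes):
    """Compare keytab entries with what the directory reports for the service account.
    ad_kvno: the account's msDS-KeyVersionNumber (hypothetical value here).
    ad_allowed_enctypes: enctype ids the account may use (e.g. {3} when only
    'Use DES encryption' is set; {23} for RC4). Returns a list of findings."""
    problems = []
    for e in entries:
        if e["kvno"] != ad_kvno:
            problems.append(f"{e['principal']}: keytab kvno {e['kvno']} != account kvno "
                            f"{ad_kvno} (password changed after the keytab was cut?)")
        if e["enctype_id"] not in ad_allowed_enctypes:
            problems.append(f"{e['principal']}: keytab enctype {e['enctype']} is not "
                            f"enabled on the account")
    return problems


SAMPLE_KEYTAB = build_keytab([
    ("host/portal.example.com@EXAMPLE.COM", 3, 3, b"\x01" * 8),    # DES key, 8 bytes
    ("HTTP/portal.example.com@EXAMPLE.COM", 3, 23, b"\x02" * 16),  # RC4 key, 16 bytes
])
```

A kvno mismatch is the case on this thread: every password change on the mapped account bumps msDS-KeyVersionNumber, so a keytab cut before the change can never decrypt tickets the KDC issues afterwards, which is exactly why regenerating it after the password reset worked.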

  • ASA 5505 initial build - Failed to locate egress interface (Please help :-) )

    Hi, I have just purchased an ASA 5505 and have completed the initial setup via the wizard.  I am currently unable to access services on the outside of the ASA.
    The error 'Failed to locate egress interface for UDP from inside'... appears whenever my DNS server attempts a lookup.
    I have configured this several times from scratch using the wizard and I am unable to figure out the issue with the NAT / routing config.
    If I run the packet tracer I get the error: "(no-route) no route to host"; however, I do have a default route configured, so I suspect it may be my NAT configuration.
    Overview: 192.168.10.0/24 inside the ASA, 192.168.1.0/24 outside the ASA, 192.168.1.1 is the gateway to the internet.  I ideally want the ASA to use PAT to mask the 192.168.10.0/24 network behind the ASA's 192.168.1.0/24 network address but still allow clients to gain internet access.
    Full config follows, screenshots attached; any help would be very gratefully received.
    Result of the command: "sh run"
    : Saved
    ASA Version 9.0(1)
    hostname firewall
    enable password (REMOVED) encrypted
    passwd (REMOVED) encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.10.1 255.255.255.0
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.1.254 255.255.255.0
    interface Vlan5
     no nameif
     security-level 50
     ip address dhcp
    ftp mode passive
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Server1
     host 192.168.10.10
    object network GoogleDNS1
     host 8.8.8.8
     description Google DNS Server
    object network GoogleDNS2
     host 8.8.4.4
     description Google DNS Server
    object network 192.168.10.x
     subnet 192.168.10.0 255.255.255.0
    object network InternetRouter
     host 192.168.1.1
    object-group network DM_INLINE_NETWORK_1
     network-object object GoogleDNS1
     network-object object GoogleDNS2
    object-group service DM_INLINE_TCP_1 tcp
     port-object eq www
     port-object eq https
    access-list inside_access_in remark External DNS Lookups
    access-list inside_access_in extended permit udp object Server1 object-group DM_INLINE_NETWORK_1 eq domain
    access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any object-group DM_INLINE_TCP_1
    access-list inside_access_in extended deny ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source dynamic any interface
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:(REMOVED)
    : end

    Just want to be sure: can you post the output from show int ip brief and show route? And try to remove your ACL for testing purposes, or at least don't apply it anywhere yet.
    Once done, try doing another packet-tracer to 8.8.8.8 using an ICMP packet instead of UDP and paste the whole output here. Before doing this, add the icmp any any outside command on the ASA.
    I know this shouldn't have anything to do with your issue, because if the ACL is the issue then you will see the output being denied by the ACL in the packet-tracer output. Let us know the results.
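Both symptoms in the question, the "Failed to locate egress interface" syslog and the "(no-route) no route to host" packet-tracer result, are what the ASA produces when it has no route for the destination. The only route in the posted config is route outside 0.0.0.0 255.255.255.255 192.168.1.1 1, and the mask 255.255.255.255 makes that a host route for the single address 0.0.0.0, not a default route; a default route is written 0.0.0.0 0.0.0.0. The Python below is an added example, not part of the thread or of any Cisco tool: it lints an excerpt of the posted lines (embedded here as a constructed sample) for that mistake plus two related sanity checks, whether the next hop sits on the egress interface's subnet and whether each http management entry names a network that is actually connected to the interface it is allowed on.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above (the relevant lines only)
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 255.255.255.255 192.168.1.1 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_interfaces(cfg):
    """Map nameif -> IPv4Interface for every interface block with a static address."""
    ifaces, name, addr = {}, None, None
    for line in cfg.splitlines() + ["interface END"]:   # sentinel flushes the last block
        if line.startswith("interface "):
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and "dhcp" not in line:
            parts = line.split()
            addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return ifaces


def lint_routes(cfg, ifaces):
    """Return (has_default_route, findings) for the static routes in cfg."""
    findings, has_default = [], False
    for line in cfg.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        egress, net, mask, nexthop = m.group(1, 2, 3, 4)
        dest = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if net == "0.0.0.0" and dest.prefixlen == 0:
            has_default = True
        elif net == "0.0.0.0":
            findings.append(f"'{line}': mask {mask} makes this a /{dest.prefixlen} route to "
                            f"the address 0.0.0.0; a default route needs mask 0.0.0.0")
        iface = ifaces.get(egress)
        if iface is None:
            findings.append(f"'{line}': egress interface {egress} has no nameif/address")
        elif ipaddress.ip_address(nexthop) not in iface.network:
            findings.append(f"'{line}': next hop {nexthop} is not on {egress} "
                            f"subnet {iface.network}")
    if not has_default:
        findings.append("no default route (route <iface> 0.0.0.0 0.0.0.0 <gw>) configured")
    return has_default, findings


def lint_http_access(cfg, ifaces):
    """Flag 'http <net> <mask> <iface>' entries whose network is not connected to
    that interface (192.168.1.0/24 is the outside network, yet it is allowed on inside)."""
    findings = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "http" and parts[3] in ifaces:
            src = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            if not src.overlaps(ifaces[parts[3]].network):
                findings.append(f"'{line}': {src} is not a connected network on "
                                f"{parts[3]} ({ifaces[parts[3]].network})")
    return findings


def lint(cfg):
    ifaces = parse_interfaces(cfg)
    has_default, findings = lint_routes(cfg, ifaces)
    return has_default, findings + lint_http_access(cfg, ifaces)
```

Running lint(SAMPLE_CONFIG) reports the /32 "default" route, the absence of a real default route, and the outside network granted ASDM access on the inside interface; re-running on the same text with the mask corrected to 0.0.0.0 leaves only the http finding.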

  • SAP Business One Integration Services Authentication Failed

    Dear all SAP forum members,
    I am using SAP Business One 8.81 PL 06, Microsoft SQL 2008 R2.
    In SLD B1DI and JDBC, the connections were tested successfully.
    Whenever I log into SBO, I am getting the "SAP Business One Integration Services Authentication Failed" error message. I did extensive research on all possible SBO documents dating 1 year back, especially the B1ic Troubleshooting Document (new and old), and searched the length of the SBO forums, but I could not find a solution.
    I uninstalled and reinstalled the B1f package many times. The integration services were also restarted many times and the connections were all tested successfully. Firewall and antivirus also checked.
    In the B1f, in the Monitoring window, the login is "Ok" but the AuthCheck is "Failed". I checked Authent.Monitor->Authentic Info and I found the following message under Action message: "Wrong Usrname and Password".
    I debugged and found again "/com.sap.b1i.vplatform.scenarios.authen/sap.Xcelsius/Authenticate_Check.bfd"
    but could not understand much of it.
    I could go no further. The experts are requested to suggest their solutions, if any, to me, as I have been stuck in this phase for the last 3 weeks.
    I hope some experts will guide me over this issue
    Thanks and regards
    Ashish Gupte

    Hi Konstantin Ryahovsky
    Thanks for your reply. My problem is solved.
    And frankly speaking I don't know how it was solved. I did not uninstall or install anything, and I did not even restart the server.
    only change i did in SLD >> Maintainance >>> cfg Runtime >>>> Put server IP address instead of server Name and restarted the services.
    Thanks & regards
    Ashish Gupte

  • Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

    I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
    Given below are the steps of installation and configuration.
    Installation till basic authentication:
    The installation has been done in a single server.
      1. Installed SQL Server 2012 (Developer version). Selected only the following features:
         - Database Engine Services
         - Analysis Services
         - Reporting Services – SharePoint
         - Reporting Services Add-in for SharePoint Products
         - Management Tools – Basic
         - Management Tools – Complete
      2. Installed SQL Server 2012 SP1.
      3. Installed SQL Server 2012 SP2.
      4. Installed SharePoint Foundation 2013.
      5. Created web application (without Kerberos; we did not even create the SPNs). The application pool has been configured to use the Reporting Services account since it is a single server installation. This account has been registered as a managed account.
      6. Created Site Collection.
      7. Verified that Reporting Services is not installed.
      8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
      9. Verified that Reporting Services is installed.
     10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL Server Reporting Services Service Application.
     11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
     12. Created a Site.
     13. Created a Data Connection library with “Report Data Source” content type.
     14. Created a Report Model library with “Report Builder Model” content type.
     15. Created a Report library with “Report Builder Report” content type.
     16. Uploaded an SMDL to the Report Model library.
     17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
     18. Able to create and save a report using Report Builder.
    Hence, basic authentication is working and SSRS is able to connect to Oracle database.
    Next we have to configure Kerberos settings between SharePoint and SQL Server.
    Implementation of Kerberos authentication
      1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
      2. Set up the following SPNs.
         a) SQL Server Database Engine service (sqlDbSrv2):
            setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
            setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
         b) Account: SharePoint Setup Admin account (spAdmin2):
            setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
            setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
         c) Account: SQL Server Reporting Service account (sqlRepSrv2):
            setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
            setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
      3. Configured the Web Application to use “Negotiate (Kerberos)”.
      4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser. The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
      5. Implemented Kerberos for Oracle database and client. Able to connect to the Oracle database via Kerberos authentication using SQL*Plus.
      6. Turned on Windows Firewall.
      7. While testing the site's data connection using Kerberos settings, got the error “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.” Note: The Data Connection for basic authentication still worked.
      8. Created a Claims to Windows Token Service account (spC2WTS2).
      9. Started the Claims to Windows Token Service.
     10. Registered the Claims to Windows Token Service account as a Managed Account.
     11. Changed the Claims To Windows Token Service to use the above managed account.
     12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box. Note: The Reporting Services service account is also a part of the WSS_WPG local group.
     13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
     14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) to the "Act as part of the operating system" policy right.
     15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured. When the C2WTS service was configured to use the managed account spC2WTS2 earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in the c2wtshost.exe.config file.
     16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
     17. Earlier the Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account. Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
     18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token). For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials. Note: The Reporting Service account already had an HTTP SPN.
     19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account. For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing. The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
     20. Restarted the SharePoint server.
     21. Tested the data connection with the Kerberos settings again. Got the error “ORA-12638: Credential retrieval failed”.
    Can anyone tell me what is wrong with this setup?

    http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
    Problem4: ORA-12638: Credential retrieval failed
    Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
    Do check 
    http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/
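Independently of the Oracle-side answer above, step 2 of the question registers six SPNs across three accounts, and that pattern is worth checking before chasing the ORA error further: a delegation chain only works if the first hop is Kerberos, and the Event Viewer entry in step 4 already shows the SharePoint logon as Negotiate rather than Kerberos. Windows browsers request a ticket for HTTP/<host> without the port by default, so HTTP/CER1110 (held by sqlRepSrv2) is the name tickets are cut for, and the port-qualified SPNs on spAdmin2 only matter if the web application's pool runs as that account. The Python below is an added example, not part of the thread or of setspn itself: it parses the setspn lines exactly as posted (embedded as a constructed sample) and reports duplicate SPNs and HTTP SPNs for one host spread over several accounts.

```python
import re
from collections import defaultdict

# The registrations as the question lists them (constructed copy of the posted commands)
SAMPLE_SETSPN = """\
setspn -S MSSQLSvc/CER1110:1433 CERDEMO\\sqlDbSrv2
setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\\sqlDbSrv2
setspn -S HTTP/CER1110:9999 CERDEMO\\spAdmin2
setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\\spAdmin2
setspn -S HTTP/CER1110 CERDEMO\\sqlRepSrv2
setspn -S HTTP/CER1110.cer.demo.com CERDEMO\\sqlRepSrv2
"""

SPN_RE = re.compile(r"^setspn\s+-[SAs]\s+(\S+)\s+(\S+)$", re.I)


def parse_setspn(text):
    """Return (service, host, port-or-None, account) tuples from setspn command lines.
    Service class and host are case-insensitive in Kerberos, so they are normalised."""
    regs = []
    for line in text.splitlines():
        m = SPN_RE.match(line.strip())
        if not m:
            continue
        spn, account = m.groups()
        service, _, rest = spn.partition("/")
        host, _, port = rest.partition(":")
        regs.append((service.upper(), host.lower(), port or None, account.lower()))
    return regs


def find_spn_problems(regs):
    """Two checks a Kerberos delegation chain commonly fails on:
    1. the same SPN registered on more than one account: the KDC cannot pick a key,
       the client gets no ticket and falls back to NTLM;
    2. HTTP SPNs for one host split across accounts: the ticket is issued for the
       account holding the port-less HTTP/<host>, so the app pool must run as it."""
    problems = []
    by_spn, http_by_host = defaultdict(set), defaultdict(set)
    for service, host, port, account in regs:
        by_spn[(service, host, port)].add(account)
        if service == "HTTP":
            http_by_host[host].add(account)
    for (service, host, port), accounts in by_spn.items():
        if len(accounts) > 1:
            spn = f"{service}/{host}" + (f":{port}" if port else "")
            problems.append(f"duplicate SPN {spn} on {sorted(accounts)}")
    for host, accounts in http_by_host.items():
        if len(accounts) > 1:
            problems.append(f"HTTP SPNs for {host} spread over {sorted(accounts)}; "
                            f"tickets are cut for the holder of HTTP/{host}")
    return problems


def ticket_target(regs, service, host):
    """Accounts whose key the KDC would use for a port-less <service>/<host> request."""
    return {acct for svc, h, port, acct in regs
            if svc == service.upper() and h == host.lower() and port is None}
```

For the posted setup ticket_target(regs, "HTTP", "cer1110.cer.demo.com") is sqlRepSrv2, which is also the account the question says runs the application pool, so the HTTP side is consistent; the SharePoint-side chain then depends on the constrained delegation entries, and the Oracle side on the sqlnet.ora settings the answer above names.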

  • ASA 5505 Failed to unzip the AnyConnect Package

    There is an ASA 5505:
    - 8.4(2) IOS
    - FLASH: 128 Mb
    - DRAM: 256 Mb
    Requirements for 8.4(2) are accomplished:
    For the ASA 5505, only the Unlimited Hosts license and the Security Plus license with failover enabled require 512 MB; other licenses can use 256 MB.
    The latest AnyConnect packages for Linux and some smartphones (each 4-5 MB) are installed. But for Windows it's 21 MB and we get the error "Failed to unzip the AnyConnect Package". In the prior IOS version there was the command cache-fs limit; by default it was 20 MB. As I understand it, the ASA now dynamically determines the amount of cache memory and it's not enough.
    Because of the increased size of the AnyConnect package from 4MB in AnyConnect 2.5 to 21 MB in AnyConnect 3.0, you may need to upgrade the ASA flash and memory card first.
    If your ASA has only the default internal flash memory size or the default DRAM size (for cache memory) you could have problems storing and loading multiple AnyConnect client packages on the ASA. Even if you have enough space on the flash to hold the package files, the ASA could run out of cache memory when it unzips and loads the client images.
    So there is a question: after a DRAM upgrade to 512 MB, will there be enough cache memory for AnyConnect packages with a total size of 35-40 MB?

    I am having the same issue on an ASA-5510 with 256MB DRAM 256MB Flash.  I do not have this issue on an ASA-5550 with 4GB DRAM 256MB Flash, so I'm guessing the issue is with the memory size.
    Also, from:  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
    Flash and DRAM Requirements for Upgrade
    Check for the space available before proceeding with the AnyConnect 3.0 upgrade. You can use one of the following methods to do so:
    •CLI—Enter the show memory command.
    asa3# show memory     
    Free memory:       304701712 bytes (57%)
    Used memory:       232169200 bytes (43%)
    Total memory:      536870912 bytes (100%)
    •ASDM—Choose Tools > File Management. The File Management window displays flash space.
    Because of the increased size of the AnyConnect package from 4MB in AnyConnect 2.5 to 21 MB in AnyConnect 3.0, you may need to upgrade the ASA flash and memory card first.
    Caution The minimum flash memory required is 128MB for an ASA 5505; however, we strongly recommend 256 or preferably 512 MB. To support multiple endpoint operating systems and enable logging and debugging on the ASA, you will most likely need 512 MB of flash memory.
    If your ASA has only the default internal flash memory size or the default DRAM size (for cache memory) you could have problems storing and loading multiple AnyConnect client packages on the ASA. Even if you have enough space on the flash to hold the package files, the ASA could run out of cache memory when it unzips and loads the client images. For internal memory requirements for each ASA model, see Memory Requirements for the Cisco ASA Adaptive Security Appliances Software Version 8.3 and Later. For additional information about the ASA memory requirements and upgrading ASA memory, see the latest release notes for the Cisco ASA 5500 series.

  • OBIA 7.9.5 EBS Integration Not Logged On nQSError 43001 Authentication Fail

    Hi,
    I'm attempting to get Oracle Business Intelligence Applications 7.9.5 / OBIEE 10.1.3.3.2 integrated into the eBusiness Suite 11.5.10.2 per Metalink Note 552735.1. At the moment not an action link, just menu option to SA Administrator.
    I've run into and worked around a number of problems with the Initialization block variables setup in OracleBIAnalyticsApps.rpd and now no longer get errors in the NQServer.log after disabling Initialization Blocks for Siebel/Peoplesoft and disabling 2 EBS specific Init blocks that were erroring; 'Inventory Organizations' and 'Ledgers' I'll fix those later.
    However, now I get an error in the sawlog0.log file as follows:
    File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
    Properties: ConnId-6,6;ThreadID-1145072560
    Location:
    saw.odbc.connection.open
    saw.connectionPool.getConnection
    saw.threadPool
    saw.threads
    Odbc driver returned an error (SQLDriverConnectW).
    State: 08004. Code: 10018. NQODBC [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
    [nQSError: 43001] Authentication failed for in repository Star: invalid user/password. (08004)
    Type: Error
    Severity: 42
    Time: Wed Dec 3 07:13:16 2008
    File: project/webconnect/connection.cpp Line: 276
    Properties: ThreadID-1145072560
    Location:
    saw.connectionPool.getConnection
    saw.threadPool
    saw.threads
    Authentication Failure.
    Odbc driver returned an error (SQLDriverConnectW).
    Can anyone point me in the right direction here?
    Thanks,
    Gareth

    The strange thing is both Gareth and I have configured OBIA/OBIEE on a Linux server and local authentication works fine. Once we enable external EBS authentication, we get the error listed above.
    Does anyone who has done the OBIA EBS integration with OBIEE running on Linux have an example of the odbc.ini file. It appears that even though we have reconfigured OracleBIAnalyticsApps.rpd to use OCI everywhere, that there is still some hard coded ODBC references for external authentication.
    We are configuring instanceconfig.xml as directed:
    Integrating Oracle Business Intelligence Applications with Oracle E-Business Suite
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=552735.1
    Configuring InstanceConfig.xml for External Authentication
    1. Modify the instanceconfig.xml file for the Oracle BI Presentation Services as shown below:
    <?xml version="1.0"?>
    <WebConfig>
    <ServerInstance>
    <CatalogPath>c:\temp\default</CatalogPath>
    <DSN>AnalyticsWeb</DSN>
    <Auth>
    <ExternalLogon enabled="true">
    <ParamList>
    <Param name="NQ_SESSION.ICX_SESSION_COOKIE"
    source="cookie"
    nameInSource="EBSAppsDatabaseSID"/>
    <Param name="NQ_SESSION.ACF"
    source="url"
    nameInSource="ACF"/>
    </ParamList>
    </ExternalLogon>
    </Auth>
    <!-- Other settings here. -->
    </ServerInstance>
    </WebConfig>
    2. The nameInSource for the cookie should be the same as the Oracle E-Business Suite application database SID name. To verify the name of the cookie, using Firefox, check the name of the cookie created under the us.oracle.com domain (or the domain where your Oracle E-Business Suite Application server is running). Please note that the cookie name is case sensitive.
