Kerberos Authentication: "Integrity check on decrypted field failed"
Hi,
I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??
Has anyone else had this error & what causes it?
Many thanks in advance.
Regards
Jane
Full error text:
JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
JGSS_DBG_CRED getCred: only one cred, returning it
JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
JGSS_DBG_CRED Krb5 name type = 0
JGSS_DBG_CTX Creating context, cred usage = 2
GSS Context created
JGSS_DBG_UNMARSH Real token len 1641
JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
JGSS_DBG_UNMARSH inner token len 1630
JGSS_DBG_PROV getFactory: index = 0 found factory
JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
JGSS_DBG_PROV 1.2.840.113554.1.2.2
JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
JGSS_DBG_CTX Default list of negotiable mechs:
1.2.840.113554.1.2.2
JGSS_DBG_CTX ticket enc type = des-cbc-md5
com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
at java.security.AccessController.doPrivileged(AccessController.java:242)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:215)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
JGSS_DBG_CTX Error authenticating request. Reporting to client
Major code = 11, Minor code = 31
org.ietf.jgss.GSSException, major code: 11, minor code: 31
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed
Hi Désirée,
Yes the service user has "Use DES encryption" set.
In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
Regards
Jane
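The fix above (new password, regenerated keytab) is what you would expect when the ticket is encrypted under a key that the acceptor's keytab does not hold, which is what status code 31 reports. As an added example that is not part of the original thread or of SAP/IBM code, the Python below parses an MIT-format keytab and compares its entries with a ticket's encryption type and key version. The principal, realm and key bytes are constructed sample values, and the ticket's kvno is assumed to be known already (for instance from a packet capture of the AP-REQ).

```python
import struct

# Kerberos encryption type numbers (IANA registry values).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    """Read a uint16-length-prefixed byte string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("counted field runs past the end of the entry")
    return buf[pos:pos + n], pos + n


def _parse_entry(e):
    """Decode one entry: component count, realm, components, type, time, kvno, key."""
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, p = _counted(e, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _counted(e, p)
        comps.append(c.decode("utf-8"))
    _name_type, _timestamp, vno8, etype = struct.unpack_from(">IIBH", e, p)
    key, p = _counted(e, p + 11)
    kvno = vno8
    if len(e) - p >= 4:                       # optional 32-bit kvno trailer
        (vno32,) = struct.unpack_from(">I", e, p)
        kvno = vno32 or vno8
    # Key bytes are deliberately not returned: only metadata is needed here.
    return {"principal": "/".join(comps) + "@" + realm.decode("utf-8"),
            "kvno": kvno, "etype": etype, "keylen": len(key)}


def parse_keytab(data):
    """Parse a version 0x0502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # deleted entry ("hole"): skip it
            pos += -size
            continue
        if size == 0 or pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def explain_error_31(entries, principal, ticket_etype, ticket_kvno):
    """Return (code, detail) naming the first mismatch that prevents decryption."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ("no-principal", "no entry for %s (names and realm are "
                "compared case-sensitively)" % principal)
    typed = [e for e in mine if e["etype"] == ticket_etype]
    name = ETYPES.get(ticket_etype, str(ticket_etype))
    if not typed:
        have = sorted({ETYPES.get(e["etype"], str(e["etype"])) for e in mine})
        return ("no-etype", "ticket uses %s, keytab holds %s" % (name, have))
    if all(e["kvno"] != ticket_kvno for e in typed):
        have = sorted({e["kvno"] for e in typed})
        return ("kvno-mismatch", "ticket kvno %d, keytab kvno %s: the account "
                "password changed after the keytab was made" % (ticket_kvno, have))
    return ("key-bytes", "etype and kvno match; if decryption still fails the "
            "keytab key was derived from a different password or salt")


def sample_entry(principal, kvno, etype, key):
    """Build one keytab entry (constructed test data, not a real key)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for field in [realm] + comps:
        raw = field.encode("utf-8")
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)   # 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: two keys for one service principal plus a deleted hole.
SPN = "host/portal.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + sample_entry(SPN, 3, 3, b"\x00" * 8)
                 + struct.pack(">i", -6) + b"\x00" * 6
                 + sample_entry(SPN, 3, 23, b"\x00" * 16))

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for entry in parsed:
        print(entry)
    # The ticket in the trace was des-cbc-md5 (etype 3); assume the KDC is at kvno 4.
    print(explain_error_31(parsed, SPN, 3, 4))
```

The "key-bytes" result is the case this thread ended in: everything the keytab advertises matches, so only regenerating it from the current password helps.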
Similar Messages
-
Jaas & Integrity check on decrypted field failed
I'm trying to do Kerberos authentication using JAAS and the jdk 1.4.1_02 under Mandrake 9.1. The Kerberos server is installed on a Redhat 9 machine. I'm using the login module com.sun.security.auth.module.Krb5LoginModule and the TextCallbackHandler class. The login fails with the error "Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed". I get the same error if I use the kinit utility bundled with the jdk. Conversely all seems ok when I use the kinit utility bundled with the kerberos client programs of my Mandrake 9.1 distribution.
Anyone could help me?
Michele
I encountered the same problem--"Integrity check on decrypted field failed (31)" when trying to authenticate against a KDC (v5) running RedHat 8.0 (JAAS and JDK 1.4.1_02)--but I was able to use Kerberized telnet and login from remote/local machines to get authenticated with this RedHat KDC. There is no problem authenticating against a KDC running Win2k AD/Kerberos with the same code. I am using the com.sun.security.auth.module.Krb5LoginModule.
Can anyone help me to resolve this issue?
-
Error from sample JAAS: Integrity check on decrypted field failed (31)
I am trying to follow the tutorial for JAAS Authentication located here:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
I am trying to run the sample JaasAcn.java but am getting a strange error when I try to log on to my Active Directory.
I am using Java version: jre1.6.0_03
I can login to Active Directory fine with the credentials I am providing, just not with this client, so I know the credentials are valid.
What could this mean?
The Error message is: [Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31)
Here is the full output:
C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 -Djava.security.auth.login.config=jaas.conf JaasAcn
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos username [ILea]: sra
Kerberos password for sra:
[Krb5LoginModule] user entered username: sra
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
KrbKdcReq send: #bytes read=587
KrbKdcReq send: #bytes read=587
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31)
Authentication failed:
Integrity check on decrypted field failed (31)
FYI The fix for this was to change the value for -Djava.security.krb5.realm to be all upper case
Once that change was made authentication passed
Edited by: IDL on Jan 2, 2008 9:25 AM
-
SSO using Kerberos receiving "Integrity check on decrypted field failed (31
I am trying to implement SSO for an application that is running on a WebLogic Server. I have flagged the AD Service user for DES encryption, added spn through setspn, created the keytab file, reset the password (to the same value), moved the keytab file, updated krb5.ini and krb5Login.conf accordingly, modified WebLogic startup command accordingly. When Users try to access the application, authentication fails, and I see Integrity check on decrypted field failed (31) error in the WebLogic logs. Any ideas ? I am attaching the related lines from the log below.
<Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is devmax01.http.keytab2 refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab: load() entry length: 60
KeyTabInputStream, readName(): DEV.DENVERWATER.ORG
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): devmax01
principal's key obtained from the keytab
principal is HTTP/[email protected]
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 3 1
KrbKdcReq send: kdc=dwdev01 UDP:88, timeout=30000, number of retries =3, #bytes=249
KDCCommunication: kdc=dwdev01 UDP:88, timeout=30000,Attempt =1, #bytes=249
KrbKdcReq send: #bytes read=1312
KrbKdcReq send: #bytes read=1312
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply HTTP/devmax01
Added server's key
Kerberos Principal HTTP/[email protected] Version 8
key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 2F 02 76 AB 7F 8C B0 6E
[Krb5LoginModule] added Krb5Principal HTTP/[email protected] to Subject
Commit Succeeded
Found key for HTTP/[email protected]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
<Sep 29, 2008 9:46:50 AM MDT> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
-
Z61t - Integrity check for code area failed system halted
Saw the post for the T series which recommended to downgrade bios to 2.23.
Having this issue with the Z61ts since January 4, 2010.
-Docked and undocked
-With and without the network cable plugged in
-With and without peripherals plugged in
-Bios 2.26 and 2.27,
-SafeGuard Easy 4.3 and 4.5.2.
In some cases restoring the SafeguardEasy Kernel fixes the issue. In some cases the error reappears and either the kernel needs to be restored again, or the PC can just be rebooted. One case had 2 kernel restores, a reimage and a kernel restore.
^ Same problem here.
How long it takes to create new fixed Bios-software?
Moderator edit: Thinly disguised profanity removed. Please stick to the Community Rules.
-
Kerberos authentication fail on ASA 5505 -Decrypt integrity-
Hi,
I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
ASA-Oslo# kerberos mkreq: 0x176
kip_lookup_by_sessID: kip with id 374 not found
alloc_kip 0xd9b9bdf0
new request 0x176 --> 11 (0xd9b9bdf0)
add_req 0xd9b9bdf0 session 0x176 id 11
In kerberos_build_request
In kerberos_open_connection
In kerberos_send_request
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REQ
Kerberos: Option forwardable
Kerberos: Option renewable
Kerberos: Option renewable accepted
Kerberos: Client Name antonio.torres
Kerberos: Client Realm IBISTIC.LOCAL
Kerberos: Server Name krbtgt
Kerberos: Start time 0
Kerberos: End time -643858960
Kerberos: Renew until time -653409600
Kerberos: Nonce 0x5242a360
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des-cbc-md5
Kerberos: Encryption type des-cbc-crc
Kerberos: Encryption type des-cbc-md4
Kerberos: Encryption type des3-cbc-sha1
Kerberos: Address 10.40.49.1
********** END: KERBEROS PACKET DECODE ************
In kerberos_recv_msg
In kerberos_process_response
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REP
Kerberos: Client Name antonio.torres
Kerberos: Client Realm IBISTIC.LOCAL
********** END: KERBEROS PACKET DECODE ************
Kerberos library reports: "Decrypt integrity check failed"
In kerberos_close_connection
remove_req 0xd9b9bdf0 session 0x176 id 11
free_kip 0xd9b9bdf0
kerberos: work queue empty
I've been looking for documentation about this error but I was not able to figure out what's wrong. I've already also turned off 'Do not require pre-authentication' on account option.
Some one get also this error?
Any help will be more than welcome,
Thanks in advance,
Antonio
-
Exchange Management Console couldn't start with Kerberos authentication failed
When I was making changes to Client Access\owa settings, changing from Basic authentication to Form authentication (upn name) then changed to Basic again. It was ok after changing to Form authentication but moment after changing back to Basic, I couldn't no longer access owa (blank page when one vertical line) and in Exchange Management Console, I got "Initialization failed" - The following error occurred while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
I tried the troubleshooting tool from Exchange team blog: http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It gives 3 possible causes for this error: 1. WSMan module entry is missing from global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. Kerbauth module shows up as Managed module or has been loaded in the Default Web Site Level; 3. The Path of the Powershell virtual directory has been modified.
I checked carefully, all the 3 causes do not apply to my situation as WSman entry is in order, the Kerbauth is native and local and the path of Powershell virtual directory is correct.
I find that in Application log, there are Event 2297 and 2307 dumped at the time of failure:
The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpubl\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config', line number '2'. The data field contains the error code.
Help is very much appreciated.
Valuable skills are not learned, learned skills aren't valuable.
Unfortunately, all the links you provided didn't help.
The first link contains 3 methods: 1 Removing WinRM feature and reinstalling. 2 Rename the web.config file in location C:\inetpub\wwwroot 3 Have you installed Microsoft Dynamics CRM 4. I?
As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config however is found in many times in .netframework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when open Exchange Management Shell, I got this error: [sgp.ex1.mydomain.com] connecting to remote server failed with the following server failed with the following error message: The WinRM client cannot process the request, it cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
I do not think the user is not remote powershell enabled because the problem happened suddenly, while I was making changes to Authentication settings of OWA(default) in Client Access in Exchange Management Console. If the user account is not remote powershell enabled, then I couldn't even connect to EMC in the first place.
The last link didn't help because I could open up modules under PowerShell virtual directory in IIS.
I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config not well-formed XML, that might be a clue.
In the event id 2307 this is the message:
The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'. The data field contains the error code.
Valuable skills are not learned, learned skills aren't valuable.
-
I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
Given below are the steps of installation and configuration.
Installation till basic authentication:
The installation has been done in a single server.
1. Installed SQL Server 2012 (Developer version).
Selected only the following features:
- Database Engine Services
- Analysis Services
- Reporting Services – SharePoint
- Reporting Services Add-in for SharePoint Products
- Management Tools – Basic
- Management Tools - Complete
2. Installed SQL Server 2012 SP1.
3. Installed SQL Server 2012 SP2.
4. Installed SharePoint Foundation 2013.
5. Created web application (without Kerberos; we did not even create the SPNs).
The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed account.
6. Created Site Collection.
7. Verified that Reporting Services is not installed.
8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
9. Verified that Reporting Services is installed.
10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
12. Created a Site.
13. Created a Data Connection library with “Report Data Source” content type.
14. Created a Report Model library with “Report Builder Model” content type.
15. Created a Report library with “Report Builder Report” content type.
16. Uploaded an SMDL to the Report Model library.
17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
18. Able to create and save a report using Report Builder.
Hence, basic authentication is working and SSRS is able to connect to Oracle database.
Next we have to configure Kerberos settings between SharePoint and SQL Server.
Implementation of Kerberos authentication
1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
2. Set up the following SPNs.
a) SQL Server Database Engine service (sqlDbSrv2):
setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
b) Account: SharePoint Setup Admin account (spAdmin2)
setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
c) Account: SQL Server Reporting Service account (sqlRepSrv2)
setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
3. Configure the Web Application to use “Negotiate (Kerberos)”.
4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
5. Implemented Kerberos for Oracle database and client.
Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
6. Turn on Windows Firewall.
7. While testing the site's data connection using Kerberos settings, got the error “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
Note: The Data Connection for basic authentication still worked.
8. Created a Claims to Windows Token Service account (spC2WTS2).
9. Started the Claims to Windows Token Service.
10. Registered the Claims to Windows Token Service account as a Managed Account.
11. Changed the Claims To Windows Token Service to use the above managed account.
12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
Note: The Reporting Services service account is also a part of the WSS_WPG local group.
13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
Note: The Reporting Service account already had an HTTP SPN.
19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
20. Restarted the SharePoint server.
21. Tested the data connection with the Kerberos settings again.
Got the error “ORA-12638: Credential retrieval failed”.
Can anyone tell me what is wrong with this setup?
http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
Problem4: ORA-12638: Credential retrieval failed
Solution: Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
Do check
http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/
-
One computer at COMPANY-A is attempting to communicate with two
computers located at COMPANY-B, via an IPsec tunnel between the
two companies.
All communications are via TCP protocol.
All devices present public IP addresses to one another, although they
may have RFC 1918 addresses on other interfaces, and NAT may be in use
on the COMPANY-B side. (NAT is not being used on the COMPANY-A side.)
The players: (Note: first three octets have been changed for security reasons)
COMPANY-A computer 1.2.3.161
COMPANY-A router 1.2.3.8 (also IPsec peer)
COMPANY-A has 1.2.3.0/24 with no subnetting.
COMPANY-B router 4.5.6.228 (also IPsec peer)
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
COMPANY-B has 4.5.6.0/23 subnetted in various ways.
COMPANY-B also has 9.10.11.0/24, but it is not involved in the issue.
What works:
The COMPANY-A computer 1.2.3.161 can communicate via the single IPsec
tunnel to COMPANY-B computer #1 4.5.7.94 without problems.
The "show crypto session detail" command shows Inbound/Outbound packets
flowing in the dec'ed and enc'ed positions.
What doesn't:
When the COMPANY-A computer 1.2.3.161 attempts to communicate
via the single IPsec tunnel with the COMPANY-B computer #2 4.5.7.29,
the COMPANY-A router eventually reports five of these messages:
Oct 9 15:24:54.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:24:57.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:03.327: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:15.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:25:39.329: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
Oct 9 15:26:27.328: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
and the "show crypto session detail" shows inbound packets being dropped.
The COMPANY-A computer that opens the TCP connection never gets past the
SYN_SENT phase of the TCP connection when trying to communicate with the
COMPANY-B computer #2, and the repeated error messages are the retries of
the SYN packet.
On the COMPANY-A side, this IPsec configuration has been set up on a 3745,
a 3725, and some 76xx routers were tried, all with similar behavior,
with packets from one far-end computer passing fine, and packets from
another far-end computer in the same netblock passing through the same
IPsec tunnel failing with the "failed SA identity" error.
The COMPANY-A computer directs all packets headed to COMPANY-B via the
COMPANY-A router at 1.2.3.8 with this set of route settings:
netstat -r -n
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
4.5.7.0 1.2.3.8 255.255.255.0 UG 0 0 0 eth3
1.2.3.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.1.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
10.0.0.0 10.1.1.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth3
The first route line shown is selected for access to both COMPANY-B computers.
The COMPANY-A router (IPsec tunnel endpoint, 1.2.3.8) has this
configuration:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXX address 4.5.6.228
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set COMPANY-B01 esp-3des esp-sha-hmac
crypto map COMPANY-BMAP1 10 ipsec-isakmp
description COMPANY-B VPN
set peer 4.5.6.228
set transform-set COMPANY-B01
set pfs group2
match address 190
interface FastEthernet0/0
ip address 1.2.3.8 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map COMPANY-BMAP1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.2.3.1
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 1.2.3.8.0 255.255.255.0 FastEthernet0/0
access-list 190 permit ip host 1.2.3.161 4.5.7.0 0.0.0.255
access-list 190 permit ip host 1.2.3.161 9.10.11.0 0.0.0.255
bridge 1 protocol ieee
One of the routers tried had this IOS/hardware configuration:
Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(25c),
RELEASE SOFTWARE (fc2)
Cisco 3725 (R7000) processor (revision 0.1) with 115712K/15360K bytes of memory.
Processor board ID XXXXXXXXXXXXXXX
R7000 CPU at 240MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
2 FastEthernet interfaces
4 ATM interfaces
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of NVRAM.
31296K bytes of ATA System CompactFlash (Read/Write)
250368K bytes of ATA Slot0 CompactFlash (Read/Write)
Configuration register is 0x2102
#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:06:26:27
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 651 drop 16 life (KB/Sec) 4496182/23178
Outbound: #pkts enc'ed 574 drop 2 life (KB/Sec) 4496279/23178
IPSEC FLOW: permit ip host 1.2.3.161 9.10.11.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
The COMPANY-B device on their end of the IPsec VPN is a Juniper SSG1000
Version 6.1 (ScreenOS)
We only have a limited view into the Juniper device configuration.
What we were allowed to see was:
COMPANY-B-ROUTER(M)-> sh config | incl COMPANY-A
set address "Untrust" "oss-COMPANY-A-1.2.3.161" 1.2.3.161 255.255.255.255
set ike gateway "COMPANY-A-1-GW" address 1.2.3.8 Main outgoing-interface "ethernet2/1" preshare xxxxxxxxxxxxxxxxxxxxxx proposal "pre-g2-3des-sha"
set vpn "COMPANY-A-1-IKE" gateway "COMPANY-A-1-GW" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha-28800"
set policy id 2539 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "9.10.11.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2500
set policy id 2500 from "Trust" to "Untrust" "9.10.11.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309a pair-policy 2539
set policy id 2541 from "Trust" to "Untrust" "4.5.7.0-24" "oss-COMPANY-A-1.2.3.161" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2540
set policy id 2540 from "Untrust" to "Trust" "oss-COMPANY-A-1.2.3.161" "4.5.7.0-24" "ANY" tunnel vpn "COMPANY-A-1-IKE" id 0x309b pair-policy 2541
COMPANY-B-ROUTER(M)->
I suspect that this curious issue is due to a configuration setting on the
Juniper device, but neither party has seen this error before. COMPANY-B
operates thousands of IPsec VPNs and they report that this is a new error
for them too. The behavior that allows traffic from one IP address to
work and traffic from another to end up getting this error is also unique.
As only the Cisco side emits any error message at all, this is the only
clue we have as to what is going on, even if this isn't actually an IOS
problem.
What we are looking for is a description of exactly what the Cisco
IOS error message:
IPSEC(epa_des_crypt): decrypted packet failed SA identity check
is complaining about, and if there are any known causes of the behavior
described that occur when running IPsec between Cisco IOS and a Juniper
SSG device. Google reports many other incidents of the same error
message (but not the "I like that IP address but hate this one" behavior),
and not just with a Juniper device on the COMPANY-B end, but for those cases,
not one was found where the solution was described.
It is hoped that with a better explanation of the error message
and any known issues with Juniper configuration settings causing
this error, we can have COMPANY-B make adjustments to their device.
Or, if there is a setting change needed on the COMPANY-A router,
that can also be implemented.
Thanks in advance for your time in reading this, and any ideas.
Hello Harish,
It is believed that:
COMPANY-B computer #1 4.5.7.94 (this one has no issues)
COMPANY-B computer #2 4.5.7.29 (this one fails)
both have at least two network interfaces, one with a public IP address
(which we are supposedly conversing with) and one with a RFC 1918 type
address. COMPANY-B is reluctant to disclose details of their network or
servers setup, so this is not 100% certain.
Because of that uncertainty, it occurred to me that perhaps COMPANY-B
computer #2 might be incorrectly routing via the RFC 1918 interface.
In theory, such packets should have been blocked by the access-list on both
COMPANY-A router, and should not have even made it into the IPsec VPN
if the Juniper access settings work as it appears they should. So I turned up
debugging on COMPANY-A router so that I could see the encrypted and
decrypted packet hex dumps.
I then hand-disassembled the decoded ACK packet IP header received just
prior to the "decrypted packet failed SA check" error being emitted and
found the expected source and destination IP addresses (4.5.7.29 and 1.2.3.161),
in the unencapsulated packet. I also found the expected port numbers of the TCP
conversation that was trying to be established in the TCP header. So, it
looks like COMPANY-B computer #2 is emitting the packets out the right
interface.
The IP packet header of the encrypted packet showed the IP addresses of the
two routers at each terminus of the IPsec VPN, but since I don't know what triggers
the "SA check" error message or what it is complaining about, I don't know what
other clues to look for in the packet dumps.
As to your second question, "can you check whether both encapsulation and
decapsulation happening in 'show crypto ipsec sa'", the enc'ed/dec'ed
counters were both going up by the correct quantities. When communicating
with the uncooperative COMPANY-B computer #2, you would also see the
received Drop increment for each packet decrypted. When communicating
with the working COMPANY-B computer #1, the Drop counters would not
increment, and the enc'ed/dec'ed would both increment.
#show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:54
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 5 life (KB/Sec) 4458308/28784
Outbound: #pkts enc'ed 401 drop 3 life (KB/Sec) 4458308/28784
Attempt a TCP communication to COMPANY-B computer #2...
show crypto sess det
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 4.5.6.228 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 4.5.6.228
Desc: (none)
IKE SA: local 1.2.3.8/500 remote 4.5.6.228/500 Active
Capabilities:(none) connid:1 lifetime:07:59:23
IPSEC FLOW: permit ip host 1.2.3.161 4.5.7.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 376 drop 6 life (KB/Sec) 4458307/28753
Outbound: #pkts enc'ed 402 drop 3 life (KB/Sec) 4458307/28753
Note Inbound "drop" changed from 5 to 6. (I didn't let it sit for all
the retries.)
#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: COMPANY-BMAP1, local addr 1.2.3.8
protected vrf: (none)
local ident (addr/mask/prot/port): (1.2.3.161/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (4.5.7.0/255.255.255.0/0/0)
current_peer 4.5.6.228 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 402, #pkts encrypt: 402, #pkts digest: 402
#pkts decaps: 376, #pkts decrypt: 376, #pkts verify: 376
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 6
local crypto endpt.: 1.2.3.8, remote crypto endpt.: 4.5.6.228
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xDF2CC59C(3744253340)
inbound esp sas:
spi: 0xD9D2EBBB(3654478779)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xDF2CC59C(3744253340)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: SW:3, crypto map: COMPANY-BMAP1
sa timing: remaining key lifetime (k/sec): (4458307/28600)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The "send" errors appear to be related to the tunnel reverting to a
DOWN state after periods of inactivity, and you appear to get one
each time the tunnel has to be re-negotiated and returned to
an ACTIVE state. There is no relationship between Send errors
incrementing and working/non-working TCP conversations to the
two COMPANY-B servers.
Thanks for pondering this very odd behavior.
Updating hybrid configuration failed - Kerberos authentication: The network path was not found
I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
When I run the Manage Hybrid Configuration, I receive the following error:
Updating hybrid configuration failed with error
'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network
path was not found.
The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
[1/5/2014 21:21:1] INFO:Opening runspace to
http://[servername]/powershell?serializationLevel=Full
[1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
[1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
at System.Management.Automation.Runspaces.RunspacePool.Open()
at System.Management.Automation.RemoteRunspace.Open()
at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
I have sought help, posting on the forum at community.office365.com -
http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
Has anyone else come across this problem running the Hybrid Configuration Wizard?
Hello Darrell,
Have you verified the settings of Powershell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspx
I would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything looks good.
As the article states you can run the Exchange BPA and it will check if any of these exist as well.
Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed
We use exchange 2010 SP2.
We have 2 management stations, both w2k8 R2 SP1.
I have one management station on which the emc and ems works ok.
On the other management station (which is also in another ad site) the emc and ems don't work.
I get the following error message : The attempt to connect to
http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
I have checked the time on the management station and on the exchange server and this is ok.
It is not a permissions issue because the user functions ok on the other management station.
On the bad management station I can open the emc once and after a minute I get an error message and the message access denied. From then on I can't connect any more.
What am I doing wrong?
Anyone any tips?
Thanks,
JB
This is what I get in the eventlog of the bad management station.
Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: 1/10/2012 11:39:27
Event ID: 6
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: Server.domain.com
Description:
The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Get-ExchangeServer
{Identity=Servername}
Domain/ou/ou/ou/ou/username
Exchange Management Console-Local
3080
22
00:00:00.3593888
View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
Context
the message resource is present but the message is not found in the string/message table
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange CmdletLogs" />
<EventID Qualifiers="49152">6</EventID>
<Level>2</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
<EventRecordID>11</EventRecordID>
<Channel>MSExchange Management</Channel>
<Computer>FQDN MGMT STATION</Computer>
<Security />
</System>
<EventData>
<Data>Get-ExchangeServer</Data>
<Data>{Identity=MGMT STATION}</Data>
<Data>domain/ou/ou/ou/ou/username</Data>
<Data>
</Data>
<Data>
</Data>
<Data>Exchange Management Console-Local</Data>
<Data>3080</Data>
<Data>
</Data>
<Data>22</Data>
<Data>00:00:00.3593888</Data>
<Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
<Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
<Data>Context</Data>
<Data>
</Data>
</EventData>
</Event>
Hi,
I have a slight issue I'm having some problems resolving..
The scenario is as follows;
I have an external provider which connects to me via VPN to a Juniper SSG firewall, that works fine.
I then have an external site, which does NOT reside in my MPLS cloud, so I have to deploy IPSec via Internet to reach it.
That also works fine and I have multiple SA's running on that site with no issues or problems.
The external provider has a small network device deployed on the external site which monitors cooling values in one of our warehouses.
The external site, which is connected via IPSEC, has a Cisco 1921 and numerous Cisco 3550s deployed.
The VLAN for the cooling provider is vlan 150 and is setup with 10.150.4.0/24 where .1 is the def gw and .10 is the cooling monitor device.
The external provider's servers are located within 192.168.220.0/24 subnet.
As of right now, we can reach the Cisco 1921 through the whole IPsec tunnel from 192.168.220.182 with all services, ping, telnet whatnot, but we are unable to ping the cooling device from 192.168.220.0/24.
However from the Cisco 1921, we can ping both 192.168.220.0/24 and the locally connected 10.150.4.10
So basically it seems to be the last bit, when the traffic goes through the 1921 and to the switch, where it fails, and I can't for the life of me figure out why.
Network diagram attached.. any ideas?
This is the 1921 config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname bergen-vpn-gw
boot-start-marker
boot system flash flash:c1841-adventerprisek9-mz.124-25d.bin
boot-end-marker
logging buffered 50000
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
no ipv6 cef
no ip source-route
ip cef
no ip bootp server
no ip domain lookup
ip domain name xxxxx
multilink bundle-name authenticated
license udi pid CISCO1921/K9 sn FCZ1508C1P4
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
vtp mode client
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key harakiri address 1.2.3.4
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set 3DES-SHA
match address VPN
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
interface GigabitEthernet0/0.99
description *** Test VLAN To be removed ***
encapsulation dot1Q 99
ip address 10.90.90.1 255.255.255.0
no ip route-cache
interface GigabitEthernet0/0.112
encapsulation dot1Q 112
ip address 192.168.112.1 255.255.255.0
ip helper-address 172.30.1.223
no ip route-cache
interface GigabitEthernet0/0.150
encapsulation dot1Q 150
ip address 10.150.4.1 255.255.255.0
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.178
encapsulation dot1Q 178
ip address 192.168.178.1 255.255.255.0
ip helper-address 172.30.1.223
no ip redirects
no ip proxy-arp
no ip route-cache
interface GigabitEthernet0/0.999
encapsulation dot1Q 999
no ip route-cache
interface GigabitEthernet0/1
ip address 1.2.3.4 255.255.255.252
no ip redirects
no ip proxy-arp
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map VPN
interface FastEthernet0/0/0
switchport access vlan 99
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
no ip address
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 85.200.203.29
ip access-list extended VPN
permit ip 10.90.90.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 10.90.90.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 10.90.90.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.30.1.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.22.0.0 0.0.255.255
permit ip 192.168.178.0 0.0.0.255 172.18.5.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.50.0.0 0.0.255.255
permit ip 192.168.112.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 172.30.240.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 192.168.178.0 0.0.0.255 10.70.0.0 0.0.0.255
permit ip 10.150.4.0 0.0.0.255 192.168.220.0 0.0.0.255 log
ip sla 1
icmp-echo 172.30.1.223 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 1 start-time now
ip sla 2
icmp-echo 10.50.1.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 2 start-time now
ip sla 3
icmp-echo 172.18.5.121 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 3 start-time now
ip sla 4
icmp-echo 172.22.0.140 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 4 start-time now
ip sla 5
icmp-echo 172.30.240.40 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 5 start-time now
ip sla 6
icmp-echo 10.70.0.200 source-interface GigabitEthernet0/0.178
threshold 20
frequency 120
ip sla schedule 6 start-time now
cdp source-interface GigabitEthernet0/0.112
snmp-server community bamacomro RO
snmp-server community bamacomrw RW
control-plane
banner motd ^CCC-----------------------------------------------------------------------------
This system is solely for the use of authorised users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all their activities monitored and recorded by system personell.
Use of this system evidence an express consent to such monitoring and
agreement that if such monitoring reveals evidence of possible abuse or
criminal activity, system personell may provide the result of such
monitoring to appropiate officials.
-----------------------------------------------------------------------------^C
line con 0
exec-timeout 5 0
logging synchronous
line aux 0
line vty 0 4
access-class telnet in
exec-timeout 180 0
logging synchronous
transport input telnet ssh
line vty 5 15
access-class telnet in
exec-timeout 180 0
password 7 094F471A1A0A
logging synchronous
transport input telnet ssh
scheduler allocate 20000 1000
end
I had that issue 1 year ago.
"decrypted packet failed SA identity check" means that we have decrypted traffic that does not match the negotiated proxy ID.
Juniper is violating RFC 4301. There is nothing we can do against an RFC violation.
As mentioned in Section 4.4.1, "The Security Policy Database (SPD)",
the SPD (or associated caches) MUST be consulted during the
processing of all traffic that crosses the IPsec protection boundary,
including IPsec management traffic. If no policy is found in the SPD
that matches a packet (for either inbound or outbound traffic), the
packet MUST be discarded.
I know JNPR can do 2 vpn modes. There is one where we could use a VTI instead of a crypto map on the Cisco side. That was the solution to the problem we had.
Cheers,
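The check this reply describes, modeled as an added example (not code from the original posts and not Cisco's implementation): after decryption, the inner packet's header is compared with the SA's negotiated proxy IDs, written in the addr/mask/prot/port form that "show crypto ipsec sa" prints. The selector values are copied from the output quoted on this page; the packets are constructed, and Selector, InboundSA, identity_check and build_tcp_packet are hypothetical names.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One proxy ID in addr/mask/prot/port form; 0 means "any"."""
    network: ipaddress.IPv4Network
    protocol: int = 0
    port: int = 0

    @classmethod
    def parse(cls, text):
        addr, mask, proto, port = text.split("/")
        return cls(ipaddress.IPv4Network(f"{addr}/{mask}"), int(proto), int(port))

    def mismatch(self, addr, protocol, port):
        """Return the name of the first field that does not match, or None."""
        if addr not in self.network:
            return "address"
        if self.protocol and protocol != self.protocol:
            return "protocol"
        if self.port and port != self.port:
            return "port"
        return None


@dataclass(frozen=True)
class InboundSA:
    spi: int
    local_ident: Selector
    remote_ident: Selector


def parse_inner_header(packet):
    """Extract (src, dst, protocol, sport, dport) from a decrypted IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    protocol = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    sport = dport = 0
    # Ports exist only for TCP (6) and UDP (17), and only in the first fragment.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if protocol in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, protocol, sport, dport


def identity_check(sa, packet):
    """Inbound check: the inner source must fit the remote ident and the inner
    destination the local ident. Returns (ok, list of reasons)."""
    src, dst, protocol, sport, dport = parse_inner_header(packet)
    reasons = []
    field = sa.remote_ident.mismatch(src, protocol, sport)
    if field:
        reasons.append(f"source {src} fails remote ident ({field})")
    field = sa.local_ident.mismatch(dst, protocol, dport)
    if field:
        reasons.append(f"destination {dst} fails local ident ({field})")
    return (not reasons, reasons)


def build_tcp_packet(src, dst, sport, dport):
    """Constructed test input: IPv4 + TCP SYN/ACK headers, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x12, 8192, 0, 0)
    return ip + tcp


# Selectors copied from the "show crypto ipsec sa" output quoted on this page.
SA = InboundSA(
    spi=0xD9D2EBBB,
    local_ident=Selector.parse("1.2.3.161/255.255.255.255/0/0"),
    remote_ident=Selector.parse("4.5.7.0/255.255.255.0/0/0"),
)

if __name__ == "__main__":
    samples = [
        ("4.5.7.94", "1.2.3.161"),   # inside both negotiated idents
        ("9.10.11.5", "1.2.3.161"),  # constructed: other ACL subnet, wrong SA
        ("10.1.2.3", "1.2.3.161"),   # constructed: RFC 1918 source
    ]
    for src, dst in samples:
        ok, reasons = identity_check(SA, build_tcp_packet(src, dst, 443, 51000))
        print(f"{src} -> {dst}: {'pass' if ok else 'DROP: ' + '; '.join(reasons)}")
```

Feeding it the inner header bytes from a debug hex dump instead of build_tcp_packet() shows which selector field, if any, a dropped packet misses.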
Remote PowerShell Connection to Lync Server With Kerberos authentication Fails
Hi everyone ,
Remote PowerShell to Lync Server with Kerberos authentication fails. Is there any reason for not being able to connect when authentication is specified as Kerberos? But exactly the same code works when authentication is specified as "Negotiate".
E.g :
Error -
$session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
[serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in
the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server. To use Kerberos, specify the computer name as the remote destination. Also verify
that the client computer and the destination computer are joined to a domain.To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by
server: Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
eption
+ FullyQualifiedErrorId : PSSessionOpenFailed
Works -
$session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate
Hi,
Please double check if Windows Update is the latest version, if not, please update and then test again.
Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
Best Regards,
Eason Huang
TechNet Community Support
Hi. We recently purchased an ISE 1.2 appliance (SNS-3415 hardware). It installed fine, but I am unable to access the GUI. When I login to the box and run the following command on the CLI
ISE-12-NS-SD-2/admin# show application status ise
I see the following output:
ISE Database listener is running, PID: 7737
ISE Database is running, number of processes: 38
ISE Application Server process is not running.
ISE Profiler DB is running, PID: 9090
ISE M&T Session Database is running, PID: 8959
ISE M&T Log Collector is running, PID: 9294
ISE M&T Log Processor is running, PID: 9376
% ERROR: ISE SERVICES HAVE BEEN DISABLED BECAUSE
% HARDWARE RNG INTEGRITY CHECK HAS FAILED!
Can anyone help me? What can I do to ensure that the hardware RNG integrity check succeeds? Is it a license issue? Is it faulty hardware? Please advise. I would be very grateful.
Thanks in advance.
I worked with a TAC engineer on this and he said one other customer had this issue and the only recourse was reimaging the appliance with the ISE 1.2 ISO image.
I did reboot, restarted services, reset to factory default and none of that worked. It is possible that the issue happened because during setup of the appliance I didn't have network connectivity and went ahead with the setup and configuration of the ISE application anyway. I later had network connectivity but by that time ISE manifested this fault.
Reimaging and ensuring network connectivity during setup the next time around fixed the problem.
Database Integrity check failed, how to find an un-corrupted backup for recovery
I have a database integrity check task that runs weekly. The job ran on March 23rd but failed on March 30th. We have identified that there is corruption in the database, and now the task is to restore it from backup (with data loss). We have a database backup running every night, and I need to know how I can find the latest backup that's not corrupted.
The MSDN documentation says the "RESTORE VERIFYONLY" command does not verify whether the structure of the data contained within the backup set is correct. Does that mean the restore command will not be able to detect corruption in the database and I just need to restore each of the backups, starting from the latest, to see if the integrity check fails after restore? Or will RESTORE VERIFYONLY confirm whether the database is uncorrupted?
As the documentation suggests, RESTORE VERIFYONLY checks the structure of the backup but not the database itself. You'll need to restore the backup to check the database consistency.
Dan Guzman, SQL Server MVP, http://www.dbdelta.com