Kerberos Authentication Not Working on OS X 10.6

Using FF version 20.0, on OS X 10.6.8, I cannot get it to use Kerberos authentication to allow SSO to a SharePoint web site.
On OS X 10.8, with the same configuration in the about:config, everything works fine - the user is not prompted for credentials.
I have put the necessary entries in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, network.negotiate-auth.gsslib is set to true.
When I have set up logging of the errors from the authentication module, I find in the log file "Fail to load gssapi library".
Interestingly on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
Thanks for any help,
Richard

Found the solution:
Was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
Main problem was the kinit thing though.
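
Added example (not part of the original thread): a small Python audit of the Firefox negotiate-auth preferences for one target URL. The host name, function names and finding labels are assumptions, the sample prefs.js is constructed, and the matcher is a simplified model of Firefox's list matching; network.negotiate-auth.trusted-uris and network.negotiate-auth.using-native-gsslib are real Firefox preferences that the post does not mention.

```python
import re
from urllib.parse import urlsplit

# Constructed prefs.js sample using preference names from the post;
# the host name is a placeholder, not a value from the original thread.
SAMPLE_PREFS = '''
user_pref("network.negotiate-auth.delegation-uris", "sharepoint.corp.example");
user_pref("network.automatic-ntlm-auth.trusted-uris", "sharepoint.corp.example");
user_pref("network.negotiate-auth.using-native-gsslib", false);
user_pref("network.negotiate-auth.gsslib", "true");
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
DEFAULT_PORTS = {"http": 80, "https": 443}
TRUSTED = "network.negotiate-auth.trusted-uris"
DELEGATION = "network.negotiate-auth.delegation-uris"


def parse_prefs(text):
    """Return {name: value} for the user_pref() lines of a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]          # string pref (escapes ignored)
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
    return prefs


def split_entry(entry):
    """Split one list entry of the form [scheme://]host[:port][/path]."""
    scheme, sep, rest = entry.strip().partition("://")
    if not sep:
        scheme, rest = "", entry.strip()
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme.lower(), host.lower(), port


def entry_matches(entry, url):
    """Simplified matcher: scheme and port must agree when given, and the
    host must be equal to the entry or a subdomain of it (label boundary)."""
    target = urlsplit(url)
    scheme, host, port = split_entry(entry)
    if scheme and scheme != target.scheme:
        return False
    if port.isdigit() and int(port) != (target.port or DEFAULT_PORTS.get(target.scheme)):
        return False
    if not host:
        return True                          # e.g. "https://" covers every host
    thost = (target.hostname or "").lower()
    suffix = host if host.startswith(".") else "." + host
    return thost == host or thost.endswith(suffix)


def entries(prefs, name):
    return [e for e in str(prefs.get(name, "")).split(",") if e.strip()]


def audit(prefs, url):
    """Return a list of finding labels for `url` under these prefs."""
    findings = []
    # SPNEGO is only attempted for sites listed in trusted-uris.
    if not any(entry_matches(e, url) for e in entries(prefs, TRUSTED)):
        findings.append("negotiate-trusted-uris-missing")
    # A delegation entry without a host forwards credentials to any site.
    if any(not split_entry(e)[1] for e in entries(prefs, DELEGATION)):
        findings.append("delegation-entry-matches-every-host")
    # gsslib is a library path and is only read when the native lib is off.
    if prefs.get("network.negotiate-auth.using-native-gsslib", True) is False:
        if "/" not in str(prefs.get("network.negotiate-auth.gsslib", "")):
            findings.append("gsslib-not-a-library-path")
    return findings


if __name__ == "__main__":
    url = "https://sharepoint.corp.example/sites/team"
    for finding in audit(parse_prefs(SAMPLE_PREFS), url):
        print(finding)
```

Run it against a real profile by passing the contents of that profile's prefs.js to parse_prefs().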

Similar Messages

  • Kerberos / GSSAPI authentication not working in Mail.app

    I am using Kerberos with a Debian server on which is running the MIT KDC, Cyrus imapd, and sendmail. I have been using Kerberos authentication with Mail.app in this environment for some time, under Tiger. I just upgraded to Leopard, and it no longer works. The problem is simple: the Mail.app IMAP conversation goes like this:
    OK sequoia Cyrus IMAP4 v2.1.18-IPv6-Debian-2.1.18-5.1 server ready
    1.11 CAPABILITY
    * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ MAILBOX-REFERRALS NAMESPACE UIDP LUS ID NOATOMICRENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=GSSAPI AUTH=CRAM-MD5 AUTH=DIGEST-MD5 AUTH=NTLM ANNOTATEMORE
    1.11 OK Completed
    2.11 AUTHENTICATE GSSAPI
    +
    2.11 NO authentication failure
    Mail.app simply sends an empty GSSAPI message. This problem does not appear to be in the Kerberos libraries or endemic to Apple's apps in general, since Kerberos authentication still works in both SSH and WebDAV. This appears to be a Mail.app bug.
    - Richard Silverman

    Have you found any work around? I'm having exactly the same problem.
    As you say, kerberos in general seems okay -- not only does GSSAPI work fine for other programs, it even works correctly for ThunderBird running under 10.5. Meanwhile Mail.app doesn't even try to fetch service tickets, nor does it use them if something else already has.
    I've tried everything I can think of -- using the real A/PTR hostname instead of the CNAME, adding a user with a principal name that matches my username, hard-coding kerberos settings into the config file rather than relying on DNS -- but nothing makes Mail.app even try to use GSSAPI for IMAP or SMTP.

  • [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java


  • Upgrade 10.3 to 10.4: Kerberos authentication stopped working

    Hello:
    I upgraded a G5 XServe from 10.3.9 to 10.4. It almost worked - ie: system booted again, all disks are visible, etc. But, trying to log on with a user in the OD hosted on that machine has stopped working... this happens when I try to mount a shared AFP volume, and also when logging on from a 10.4.8 client bound in Directory Access to that server. Logging on under the admin account at the console (over ARD in this case), or via ssh, works fine. I didn't think to try other accounts via that method, I will do this tomorrow morning local time and post a followup.
    Upon connecting to the server with Server Admin, a message told me that there were new services which needed kerberizing, and to go to Open Directory and click 'settings'. I did this, and also looked at the overview: netinfod was in local-only mode, while all the others were marked as "Running" (lookupd, slapd, Password Server, Kerberos). In the old 10.3.9 system (ie: where user authentication is working OK), all are marked as "Running".
    I clicked the "Kerberize" button, and entered a directory admin username and password as instructed. I think the process completed (unfortunately I didn't get a screenshot). Now, the kerberize button is gone.
    At various times when admin passwords were requested, I have to try several; the expected ones didn't always work. Eg: I thought the "diradmin" account was needed in one dialog, but I used the system "admin" account instead. (Sorry, didn't record proper details of those events).
    Forward and reverse DNS lookups with the host command work ok - they return the expected IP address.
    I looked through a bunch of logs (/var/log/*.log, /Library/Logs/.../*.log), and found a few lines with possible clues... these are shown further down.
    I have now tried updating to 10.4.8 (I'm not sure if I should have done it before kerberos was going again, but getting the system up to date does seem prudent). Errors are all exactly the same.
    Any hints or suggestions much appreciated! Here's some promising things I've found, which I'll be studying today. I hope to take the server down tomorrow morning again to try this stuff out...
    http://lists.apple.com/archives/macos-x-server/2006/Feb/msg01152.html
    http://lists.apple.com/archives/Client-management/2006/Sep/msg00013.html
    Thanks,
    Ralph
    /var/log/system.log:
    Mar 10 15:18:37 tararuas krb5kdc[84]: no sockets set up?
    AppleFileServiceAccess.log:
    IP 130.195.240.52 - - [10/Mar/2007:15:15:15 1200] "Logout test333" -5023 0 0
    IP 130.195.240.52 - - [10/Mar/2007:15:24:30 1200] "Logout ralphwahrlich" -5023 0 0
    FWIW, the AFP Reference gives error -5023 meaning thus: "UAM failed (the specified old password doesn’t match); no user is logged in yet for the specified session; authentication failed; password is incorrect."
    From slapconfig.log (slightly edited for brevity):
    slapconfig.log:
    2007-03-10 14:51:52 +1300 - slapconfig -migrateldapserver
    2007-03-10 14:51:52 +1300 - 1 Removing LDAP server from search policy
    2007-03-10 14:51:52 +1300 - 2 Data export
    2007-03-10 14:51:52 +1300 - command: /usr/sbin/oldslapcat -c -l /var/db/openldap/migration/backup.ldif
    2007-03-10 14:51:53 +1300 - Removed file at path /var/db/openldap/openldap-data/__db.001.
    2007-03-10 14:51:53 +1300 - Removed file at path /var/db/openldap/openldap-slurp/replication.log.lock.
    2007-03-10 14:51:53 +1300 - command: /usr/sbin/NeST -pwsrekey
    2007-03-10 14:51:55 +1300 - NeST command output:
    nothing found to load
    2007-03-10 14:51:55 +1300 - 3 Data import
    2007-03-10 14:51:55 +1300 - command: /usr/sbin/slapadd -c -l /tmp/backup11774.ldif
    2007-03-10 14:51:58 +1300 - 4 Updating LDAP configuration
    2007-03-10 14:51:59 +1300 - Starting LDAP server (slapd)
    2007-03-10 14:52:22 +1300 - 5 Updating data in LDAP
    2007-03-10 14:52:22 +1300 - command: /usr/bin/ldapdelete -c -x -H ldapi://%2Fvar%2Frun%2Fldapi cn=ldapreplicas,cn=config,dc=geo,dc=vuw,dc=ac,dc=nz cn=passwordserver,cn=config,dc=geo,dc=vuw,dc=ac,dc=nz cn=passwordserver_4AB32E0671171DC872A9D40CC42F9E07,cn=config,dc=geo,dc=vuw,dc=ac,dc=nz
    2007-03-10 14:52:22 +1300 - ldapdelete command output:
    ldap_bind: Can't contact LDAP server (-1)
    2007-03-10 14:52:22 +1300 - ldapdelete command failed with status 1
    2007-03-10 14:52:22 +1300 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2007-03-10 15:03:55 +1300 - slapconfig -setmacosxodpolicy
    2007-03-10 15:03:55 +1300 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2007-03-10 15:03:55 +1300 - ldapadd command output:
    ldap_modify: No such object (32)
    matched DN: cn=config,dc=geo,dc=vuw,dc=ac,dc=nz
    2007-03-10 15:03:55 +1300 - ldapadd command failed with status 32
    2007-03-10 15:04:13 +1300 - slapconfig -kerberize
    2007-03-10 15:04:13 +1300 - Error: Incorrect username or password. You must enter a directory domain administrator username and password.
    2007-03-10 15:05:25 +1300 - slapconfig -setmacosxodpolicy
    2007-03-10 15:05:25 +1300 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2007-03-10 15:05:25 +1300 - ldapadd command output:
    ldap_modify: No such object (32)
    matched DN: cn=config,dc=geo,dc=vuw,dc=ac,dc=nz
    2007-03-10 15:05:25 +1300 - ldapadd command failed with status 32
    2007-03-10 15:05:38 +1300 - slapconfig -kerberize
    2007-03-10 15:05:38 +1300 - Error: Incorrect username or password. You must enter a directory domain administrator username and password.
    2007-03-10 15:05:44 +1300 - slapconfig -kerberize
    2007-03-10 15:05:45 +1300 - Removed directory at path /var/db/krb5kdc.
    2007-03-10 15:05:45 +1300 - command: /sbin/kerberosautoconfig -r GEO.VUW.AC.NZ -m tararuas.geo.vuw.ac.nz -u -v 1
    2007-03-10 15:05:45 +1300 - kerberosautoconfig command failed with exception launch path not accessible
    2007-03-10 15:05:45 +1300 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a admin -p ** -v 1 GEO.VUW.AC.NZ
    2007-03-10 15:05:47 +1300 - kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    WARNING: no policy specified for [email protected]; defaulting to no policy
    Adding kerberos auth authority to admin user
    Creating keytab for the admin tools
    Adding KDC & kadmind to launchd
    Adding the new KDC into the KerberosClient config record
    AddKDCToConfig: KDC is already present in record
    Finished
    2007-03-10 15:05:47 +1300 - command: /usr/sbin/mkpassdb -kerberize

    Thanks heaps for your reply
    Yes, I did indeed use CDs.
    I followed the instructions at http://docs.info.apple.com/article.html?artnum=301909-en , but struck problems...
    Step 16:
    here's what I got after pressing CTRL-D:
    ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge
    I thought I'd press ahead anyway... and struck the next problem:
    Step 18:
    here's what I got when attempting to add a record in /AccessControls.. a dialog box that said this:
    Record type not mapped
    The record with type "AccessControls" is not mapped. Your should report this error to the administrator of your directory server.
    I found the following:
    http://docs.info.apple.com/article.html?path=ServerAdmin/10.4/en/c7od31.html
    step 8 on that page, bullet point starting with "To add a mapping for a record type ..." seems what I want, but have no idea which object class name to use.
    Not sure where to go next. I'm somewhat inclined to blow away the OD database, and rebuild it from a backup. I would do this...
    On the 10.3.9 system:
    - export the OD from WGM
    Go into 10.4.8, and:
    - in Server Admin, change OD to be standalone only
    - reboot
    - go back to Server Admin, change OD to be a OD master
    - import the records exported from the 10.3.9 system
    I will post another update tomorrow.

  • Windows AD with Kerberos authentication not supported for NW AS JAVA 7.1

    The Admin guide for BO 3.1 states that Windows AD with Kerberos authentication is not supported on NetWeaver AS.
    Can anybody suggest & confirm on this???

    I know we haven't been receiving cases for it, but I think in theory it should work fine. BO doesn't really care what web/app kerberos comes from as the manual authentication uses the java SDK (i.e tomcat 5.5 would use Sun JDK 1.5), and SSO kerberos (vintela) uses 3rd party libraries. It's possible our 3rd party libraries may not support netweaver yet. If I hear anything else I'll post.
    Regards,
    Tim

  • Advanced Server 10.5.7, Kerberos Authentication not responding

    Hi everyone,
    Hoping Captain Obvious can help me out. I have searched the web and forums and I'm not getting very far.
    This is the first time I am managing a Mac Server - I come from a Windoz Server background.
    So ->
    Installed 10.5.7 Server
    Setup DNS
    (tested AOK)
    Setup Open Directory
    Setup iChat Server
    Setup AFP
    The server seems to be running ok, all the above services work. It has been working for a few weeks.
    Then I started to harden it and was looking at kerberos authentication, so I first went into iChat server and changed the form of Authentication to "Any" method.
    When I try to log in from iChat I go into this endless Certificate acceptance loop
    When I try to log in via AFP with Kerberos authentication, I go noplace.
    The second I switch back to standard authentication, I get right in.
    I turned on VPN services and that is a dead end as well because of this authentication issue.
    What could be causing this Kerberos issue? DNS? or did Captain Obvious miss a button?
    Your help is greatly appreciated

    Hi davidh,
    Thank you for responding. I found that command just as I was passing out last night, so it was ironic to find your msg when I woke up. The thing is that I didn't know what I was looking at until I read your msg and yes, I see 3 entries for each kerberized service.
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp Principal
    3 05/05/09 21:37:50 afpserver/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7 E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 afpserver/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7 E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 afpserver/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7 E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 cifs/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E 78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 cifs/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E 78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 cifs/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E 78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 vnc/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E7 8DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 vnc/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E7 8DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:51 vnc/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E7 8DBA6658C9FE5AD54683DA4A9F
    3 05/27/09 22:44:34 fcsvr/[email protected]
    3 05/27/09 22:44:34 fcsvr/vader. mydomain.com@VADER. MYDOMAIN.COM
    3 05/27/09 22:44:34 fcsvr/vader. mydomain.com@VADER. MYDOMAIN.COM
    3 05/27/09 22:44:34 pcast/vader. mydomain.com@VADER. MYDOMAIN.COM
    3 05/27/09 22:44:34 pcast/vader. mydomain.com@VADER. MYDOMAIN.COM
    3 05/27/09 22:44:34 pcast/vader. mydomain.com@VADER. MYDOMAIN.COM
    3 05/27/09 22:44:34 vnc/vader. mydomain.com@VADER. MYDOMAIN.COM
    3 05/27/09 22:44:34 vnc/vader. mydomain.com@VADER. MYDOMAIN.COM
    3 05/27/09 22:44:34 vnc/vader. mydomain.com@VADER. MYDOMAIN.COM
    I'm starting to think that it's actually running, but if it is... how come I can't authenticate via Kerb?
    Let me know what you think and what I can do next..thanks

  • Ldap authentication not working for Solaris 8 host - Help!

    Greetings folks,
    I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
    Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
    ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
    My /etc/nsswitch.conf looks like this:
    passwd: files ldap
    group: files ldap
    My /etc/pam.conf looks like this:
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth required pam_ldap.so.1
    sshd auth requisite pam_authtok_get.so.1
    sshd auth sufficient pam_unix_auth.so.1
    sshd auth required pam_ldap.so.1
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth required pam_ldap.so.1
    passwd auth sufficient pam_passwd_auth.so.1
    passwd auth required pam_ldap.so.1
    I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
    hostname# getent passwd user1
    user1::1001:1001:User 1:/opt/home/user1:/bin/bash
    hostname# ldaplist -l passwd user1
    dn: uid=user1,ou=people,dc=mydomain,dc=com
    shadowFlag: 0
    userPassword: {crypt}(removed)
    uid: user1
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: account
    objectClass: top
    cn: user1
    uidNumber: 1001
    gidNumber: 1001
    gecos: User 1
    homeDirectory: /opt/home/user1
    loginShell: /bin/bash
    However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
    Any ideas?
    Thanks!
    Patrick

    I assume you have applied the latest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
    1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
    2) Did you test and verify telnet/ftp/su working? but SSH not working?
    3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
    4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
    5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
    6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
    7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd definitions as it will follow "other".
    http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
    Gary

  • Sg300 - 802.1x NPS - mac authentication not working

    I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
    Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
    My current port configuration on the SG300:
    interface fastethernet1
     dot1x guest-vlan enable
     dot1x max-req 1
     dot1x reauthentication
     dot1x timeout quiet-period 10
     dot1x authentication 802.1x mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode access
    On the Windows NPS server the following error is shown:
    Authentication Details:
        Connection Request Policy Name:    Secure Wire
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        myradius.local
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        30353030399999
        Reason Code:            1
        Reason:                An internal error occurred. Check the system event log for additional information.
    Compared to the message from the 3850, the authentication type (PAP) is missing, and a not very helpful error message is displayed...

    Still not working.
    I tried different settings and (also older) software versions on the SF302-08P.
    Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
    The NPS reports the following error:
    Schannel:
    The following fatal alert was received: 40.
    EventID 36887
    If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
    ... is this a bug on the SF302-08P?

  • Cisco Ise Central Web authentication not working

    Hello Guys,
    CWA is not working. It says that authentication succeeded but posture status is pending. No error in my Monitor--authentication. Checking it in my Windows 7, it does not show the CWA portal.
    What might be the possible problem of this?
    thanks

    Kindly review the below links:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • "Allow insecure authentication" not working on mac mail after upgrade to Yosemite

    I recently upgraded to the new Yosemite OS. Since then, I have not been able to access my ISP's IMAP server. After spending time troubleshooting with the service provider, it seems that the "allow insecure authentication" feature is not working. The password appears to be sent as a series of "*" which the server cannot recognize and I fail the login. It is of note that I am still able to access this email account through my iPhone 4S with all the same settings and had no issues before the Yosemite upgrade. Is there any way around this issue?

    I had the same problem. Rebooting the computer fixed the issue for me.

  • J2EE and user authentication not working

    Hi,
    has anyone gotten the basic/form based authentication to
    work in the latest version of the 9iAS?
    Oracle9iAS (9.0.2.0.0)
    I've read all the posts and articles from orionsupport.com
    BUT it still does not work.
    Support Folks from Oracle: Where is the latest documentation
    for the Server ???? Everything seems outdated??
    cheers,
    Vijay

    Hi,
    You can change User and password through SU01 through UME. and also read SNote:  Note 891614 - Login problems / Expired password
    Regards
    Thomas

  • Wireless with PEAP Authentication not working using new NPS server

    All,
    We are planning to migrate from our old IAS server to new NPS server. We are testing the new NPS server with our wireless infrastructure using WISM. We are using PEAP with server Cert for authentication. For testing purpose we are doing user authentication but our goal is to do machine authentication. On client side we are using Windows XP, Windows 7 & iPAD’s
    I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
    But it is not working for me. I am getting the following error message on the NPS server.
    Error # 1
    =======
    Cryptographic operation.
    Subject:
                Security ID:                 SYSTEM
                Account Name:                       MADXXX
                Account Domain:                    AD
                Logon ID:                    0x3e7
    Cryptographic Parameters:
                Provider Name:          Microsoft Software Key Storage Provider
                Algorithm Name:         RSA
                Key Name:      XXX-Wireless-NPS
                Key Type:       Machine key.
    Cryptographic Operation:
                Operation:       Decrypt.
                Return Code:  0x80090010
    Error # 2
    ======
    An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    I was wondering if anyone has any insight on what is going on.
    Thanks, Ds

    Scott,
    I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
    I disabled validate Certificate on Windows 7 and tried to authenticate, it is still failing. Here is the output from the event viewer:
    Cryptographic operation.
    Subject:
    Security ID: SYSTEM
    Account Name: MADHFSVNPSPI01$
    Account Domain: AD
    Logon ID: 0x3e7
    Cryptographic Parameters:
    Provider Name: Microsoft Software Key Storage Provider
    Algorithm Name: RSA
    Key Name: DOT-Wireless-NPS
    Key Type: Machine key.
    Cryptographic Operation:
    Operation: Decrypt.
    Return Code: 0x80090010
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: AD\mscdzs
    Account Name: AD\mscdzs
    Account Domain: AD
    Fully Qualified Account Name: AD\mscdzs
    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 64-ae-0c-00-de-f0:DOT
    Calling Station Identifier: a0-88-b4-e2-79-cc
    NAS:
    NAS IPv4 Address: 130.47.128.7
    NAS IPv6 Address: -
    NAS Identifier: WISM2B
    NAS Port-Type: Wireless - IEEE 802.11
    NAS Port: 29
    RADIUS Client:
    Client Friendly Name: WISM2B
    Client IP Address: 130.47.128.7
    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: Secure Wireless Connections
    Authentication Provider: Windows
    Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
    Authentication Type: PEAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 23
    Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Attached are EAP logs & debug logs from the controller.
    Thanks for all the help. I really appreciate.

  • ADFS 3.0 Windows Authentication not working

    I recently upgraded from ADFS 2.1 and TMG 2010 as the reverse proxy to ADFS 3.0 and Web Application Proxy as the reverse proxy. I have upgraded to ADFS 3.0 successfully and it is working without anything changing to the end users. This is still using TMG 2010 as the reverse proxy.
    When I make the changes to use WAP as the reverse proxy, I get prompted with a forms based authentication page instead of the usual windows authentication screen. This poses a problem since this creates an extra step for people when logging on to our sites that use SSO since there's no "save password" box. I can move the traffic back to TMG and it's back to working like it should but we are looking to remove TMG very soon.
    When I am on the "inside" network connecting to ADFS without the reverse proxy, it works just fine.  However, ALL of our users are "outside" of the network will be using the reverse proxy.  None of the computers are domain joined.
    The issue seems to only be when using Web Application Proxy server to service ADFS SSO requests.....TMG servicing these requests does not have this issue.
    What's the difference?  How can I get this functionality back with WAP?

    Hi Eric,
    Based on my research, when publishing applications that use Integrated Windows authentication, the Web Application Proxy server uses Kerberos constrained delegation to authenticate users to the published application.
    To use Integrated Windows authentication, the Web Application Proxy server must be joined to an AD DS domain.
    More information for you:
    Web Application Proxy: Some applications are configured to perform backend authentication using Integrated Windows authentication but the server is not joined to a domain
    http://technet.microsoft.com/en-us/library/dn464299.aspx
    Best Regards,
    Amy

  • Client authentication not working

    Hi all,
    I am using Apache's HTTPClient to connect with a server running https. The server is the latest stable Tomcat (version 4.1.27). If I set clientAuth="false" in the Tomcat configuration, everything is working fine. I am able to communicate with the server, since the server's certificate is in the trusted store. If I want to authenticate myself (by setting clientAuth="true") it doesn't work. It seems that the application I have written doesn't send the client's certificate.
    Here's the code:
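    import org.apache.commons.httpclient.HttpClient;
    import org.apache.commons.httpclient.methods.GetMethod;
    import org.apache.commons.httpclient.protocol.Protocol;
    // StrictSSLProtocolSocketFactory comes from the HttpClient contrib sources.
    HttpClient httpclient = new HttpClient();
    // Register an https protocol handler on port 8443 that uses the strict socket factory
    Protocol myhttps =
         new Protocol(
              "https",
              new StrictSSLProtocolSocketFactory(false),
              8443);
    httpclient.getHostConfiguration().setHost("rigel", 8443, myhttps);
    // Request the root path over the registered protocol
    GetMethod httpget = new GetMethod("/");
    httpclient.executeMethod(httpget);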
    If I turn on all sorts of debugging this is what I get:
    2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java version: 1.4.0_02
    2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java vendor: Sun Microsystems Inc.
    2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Java class path: f:\myhome\projects\NextiraOne\class;f:\myhome\projects\NextiraOne\lib\commons-httpclient-2.0-rc1.jar;f:\myhome\projects\NextiraOne\lib\log4j-1.2.6.jar;f:\myhome\projects\NextiraOne\lib\commons-logging.jar;f:\myhome\projects\NextiraOne\lib\commons-logging-api.jar;f:\myhome\projects\NextiraOne\lib\com.ibm.mq.jar;f:\myhome\projects\NextiraOne\lib\xmlparserv2new.jar;f:\myhome\projects\NextiraOne\lib\connector.jar
    2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system name: Windows 2000
    2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system architecture: x86
    2003/10/08 14:54:26:898 CEST [DEBUG] HttpClient - -Operating system version: 5.0
    2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SUN 1.2: SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
    2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunJSSE 1.4002: Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
    2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunRsaSign 1.0: SUN's provider for RSA signatures
    2003/10/08 14:54:27:078 CEST [DEBUG] HttpClient - -SunJCE 1.4: SunJCE Provider (implements DES, Triple DES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
    2003/10/08 14:54:27:088 CEST [DEBUG] HttpClient - -SunJGSS 1.0: Sun (Kerberos v5)
    2003/10/08 14:54:27:188 CEST [DEBUG] HttpConnection - -HttpConnection.setSoTimeout(0)
    keyStore is :
    keyStore type is : jks
    init keystore
    init keymanager of type SunX509
    trustStore is: f:\client.keystore
    trustStore type is : jks
    init truststore
    adding private entry as trusted cert: [
    Version: V1
    Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@8fd984
    Validity: [From: Wed Oct 08 13:48:24 CEST 2003,
                   To: Tue Jan 06 12:48:24 CET 2004]
    Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    SerialNumber: [    3f83f988 ]
    Algorithm: [MD5withRSA]
    Signature:
    adding as trusted cert: [
    Version: V1
    Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@f99ff5
    Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
                   To: Tue Jan 06 10:56:42 CET 2004]
    Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    SerialNumber: [    3f83df5a ]
    Algorithm: [MD5withRSA]
    Signature:
    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    2003/10/08 14:54:32:456 CEST [DEBUG] HttpMethodBase - -Execute loop try 1
    2003/10/08 14:54:32:466 CEST [DEBUG] wire - ->> "GET / HTTP/1.1[\r][\n]"
    2003/10/08 14:54:32:466 CEST [DEBUG] HttpMethodBase - -Adding Host request header
    2003/10/08 14:54:32:476 CEST [DEBUG] wire - ->> "User-Agent: Jakarta Commons-HttpClient/2.0rc1[\r][\n]"
    2003/10/08 14:54:32:476 CEST [DEBUG] wire - ->> "Host: rigel[\r][\n]"
    %% No cached client session
    *** ClientHello, v3.1
    RandomCookie: GMT: 1048840456 bytes = { 43, 4, 244, 103, 54, 110, 99, 128, 162, 132, 22, 2, 197, 112, 91, 105, 4, 133, 249, 114, 142, 122, 44, 203, 156, 188, 132, 100 }
    Session ID: {}
    Cipher Suites: { 0, 5, 0, 4, 0, 9, 0, 10, 0, 18, 0, 19, 0, 3, 0, 17 }
    Compression Methods: { 0 }
    [write] MD5 and SHA1 hashes: len = 59
    main, WRITE: SSL v3.1 Handshake, length = 59
    [write] MD5 and SHA1 hashes: len = 77
    main, WRITE: SSL v2, contentType = 22, translated length = 16310
    main, READ: SSL v3.1 Handshake, length = 2275
    *** ServerHello, v3.1
    RandomCookie: GMT: 1048840456 bytes = { 2, 207, 237, 54, 101, 119, 116, 33, 59, 54, 56, 111, 170, 110, 92, 129, 178, 67, 124, 46, 187, 153, 247, 27, 216, 197, 21, 232 }
    Session ID: {63, 132, 9, 8, 85, 66, 130, 20, 34, 100, 122, 131, 137, 133, 143, 214, 43, 232, 151, 61, 12, 216, 23, 84, 58, 241, 194, 116, 67, 44, 43, 44}
    Cipher Suite: { 0, 5 }
    Compression Method: 0
    %% Created: [Session-1, SSL_RSA_WITH_RC4_128_SHA]
    ** SSL_RSA_WITH_RC4_128_SHA
    [read] MD5 and SHA1 hashes: len = 74
    *** Certificate chain
    chain [0] = [
    Version: V1
    Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b2a2d8
    Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
                   To: Tue Jan 06 10:56:42 CET 2004]
    Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    SerialNumber: [    3f83df5a ]
    Algorithm: [MD5withRSA]
    Signature:
    stop on trusted cert: [
    Version: V1
    Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
    Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@b2a2d8
    Validity: [From: Wed Oct 08 11:56:42 CEST 2003,
                   To: Tue Jan 06 10:56:42 CET 2004]
    Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
    SerialNumber: [    3f83df5a ]
    Algorithm: [MD5withRSA]
    Signature:
    [read] MD5 and SHA1 hashes: len = 552
    *** CertificateRequest
    Cert Types: DSS, RSA,
    Cert Authorities:
    <OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
    <[email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
    <[email protected], CN=Thawte Personal Basic CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
    <OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US>
    <OU=Class 4 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
    <OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
    <[email protected], CN=Thawte Personal Premium CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
    <[email protected], CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA>
    <CN=kws, OU=Delaware, O=Delaware, L=BE, ST=BE, C=BE>
    <OU=Class 2 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
    <[email protected], CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA>
    [read] MD5 and SHA1 hashes: len = 1645
    *** ServerHelloDone
    [read] MD5 and SHA1 hashes: len = 4
    0000: 0E 00 00 00 ....
    *** Certificate chain
    JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
    *** ClientKeyExchange, RSA PreMasterSecret, v3.1
    Random Secret: { 3, 1, 183, 52, 32, 171, 15, 252, 104, 26, 122, 4, 33, 152, 207, 169, 53, 3, 54, 92, 207, 235, 108, 124, 43, 137, 189, 40, 155, 244, 16, 195, 171, 111, 45, 24, 118, 251, 161, 5, 255, 221, 102, 77, 136, 92, 253, 146 }
    [write] MD5 and SHA1 hashes: len = 141
    main, WRITE: SSL v3.1 Handshake, length = 141
    SESSION KEYGEN:
    PreMaster Secret:
    0000: 03 01 B7 34 20 AB 0F FC 68 1A 7A 04 21 98 CF A9 ...4 ...h.z.!...
    0010: 35 03 36 5C CF EB 6C 7C 2B 89 BD 28 9B F4 10 C3 5.6\..l.+..(....
    0020: AB 6F 2D 18 76 FB A1 05 FF DD 66 4D 88 5C FD 92 .o-.v.....fM.\..
    CONNECTION KEYGEN:
    Client Nonce:
    0000: 3F 84 09 08 2B 04 F4 67 36 6E 63 80 A2 84 16 02 ?...+..g6nc.....
    0010: C5 70 5B 69 04 85 F9 72 8E 7A 2C CB 9C BC 84 64 .p[i...r.z,....d
    Server Nonce:
    0000: 3F 84 09 08 02 CF ED 36 65 77 74 21 3B 36 38 6F ?......6ewt!;68o
    0010: AA 6E 5C 81 B2 43 7C 2E BB 99 F7 1B D8 C5 15 E8 .n\..C..........
    Master Secret:
    0000: 92 AB 4A D6 D4 F1 35 46 3D F8 20 64 7D 0D 1D 3C ..J...5F=. d...<
    0010: 6D 12 61 D7 B6 21 1D F9 9E F2 A3 1E C8 72 16 48 m.a..!.......r.H
    0020: 7E EB ED BD 71 66 89 36 8D A4 AA 30 A7 B6 F9 E3 ....qf.6...0....
    Client MAC write Secret:
    0000: FB B5 C5 28 A0 EF A9 2C 6F 6E 9A 8E 46 21 F8 5D ...(...,on..F!.]
    0010: 21 3A F3 5A !:.Z
    Server MAC write Secret:
    0000: AC B4 8C 0C 19 E9 70 87 86 2C 88 19 74 96 CB 86 ......p..,..t...
    0010: E1 57 28 D0 .W(.
    Client write key:
    0000: 67 8C 40 8A 0E F6 66 02 AA 57 A9 46 3E 4C 2B 0B [email protected]>L+.
    Server write key:
    0000: 39 79 50 0C 26 2A 0C 06 34 57 9F D0 ED 9E 76 1A 9yP.&*..4W....v.
    ... no IV for cipher
    main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
    JsseJCE: Using JSSE internal implementation for cipher RC4
    *** Finished, v3.1
    verify_data: { 2, 131, 239, 184, 3, 52, 180, 31, 246, 47, 142, 241 }
    [write] MD5 and SHA1 hashes: len = 16
    0000: 14 00 00 0C 02 83 EF B8 03 34 B4 1F F6 2F 8E F1 .........4.../..
    Plaintext before ENCRYPTION: len = 36
    0000: 14 00 00 0C 02 83 EF B8 03 34 B4 1F F6 2F 8E F1 .........4.../..
    0010: E8 92 3D 1E 0C A5 0A B2 E3 71 7A E9 02 41 91 20 ..=......qz..A.
    0020: 30 86 A2 47 0..G
    main, WRITE: SSL v3.1 Handshake, length = 36
    waiting for close_notify or alert: state 1
    Exception while waiting for close java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
    main, SEND SSL v3.1 ALERT: warning, description = close_notify
    Plaintext before ENCRYPTION: len = 22
    0000: 01 00 BD 94 A3 63 BB DA 73 4F 7A 85 4B 79 25 76 .....c..sOz.Ky%v
    0010: 8B 08 0F FF CE FC ......
    main, WRITE: SSL v3.1 Alert, length = 22
    java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
         at java.net.SocketInputStream.socketRead0(Native Method)
         at java.net.SocketInputStream.read(SocketInputStream.java:116)
         at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(DashoA6275)
         at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(DashoA6275)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.g(DashoA6275)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
         at org.apache.commons.httpclient.HttpConnection$WrappedOutputStream.write(HttpConnection.java:1344)
         at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:69)
         at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:127)
         at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:779)
         at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2179)
         at org.apache.commons.httpclient.HttpMethodBase.processRequest(HttpMethodBase.java:2534)
         at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1047)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:638)
         at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:500)
         at kws.testing.out.HTTPClient.main(HTTPClient.java:60)
    Exception in thread "main"
    Does someone have an idea on how to get client authentication (without password) work?
    regards,
    Kenneth
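The trace in the post above can be checked mechanically for the client-authentication symptoms it contains: a blank `keyStore is :` line, a CertificateRequest from the server, and an empty client `Certificate chain` after ServerHelloDone. The Python script below is an added example, not code from the original post; the function names and the abridged sample trace are constructed here, and it assumes the log layout shown in the post.

```python
import re

# Abridged trace in the format of the javax.net.debug output in the post
# (constructed for this example; hex dumps and key material left out).
SAMPLE_TRACE = r"""
keyStore is :
keyStore type is : jks
trustStore is: f:\client.keystore
trustStore type is : jks
*** ClientHello, v3.1
*** ServerHello, v3.1
*** Certificate chain
chain [0] = [
Subject: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
Issuer: CN=rigel, OU=ECS, O=DC, L=MER, ST=OVL, C=BE
*** CertificateRequest
Cert Types: DSS, RSA,
Cert Authorities:
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US>
<CN=kws, OU=Delaware, O=Delaware, L=BE, ST=BE, C=BE>
*** ServerHelloDone
*** Certificate chain
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
*** Finished, v3.1
java.net.SocketException: Software caused connection abort: JVM_recv in socket input stream read
"""


def split_dn(dn):
    """Split a DN on commas outside double quotes; return a tuple of (KEY, value)."""
    parts, buf, quoted = [], "", False
    for ch in dn:
        if ch == '"':
            quoted = not quoted          # quotes protect commas, e.g. O="VeriSign, Inc."
        elif ch == "," and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        key, _, value = part.strip().partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return tuple(rdns)


def parse_messages(lines):
    """Group the trace into handshake messages; each '*** Name' line opens one."""
    messages = []
    for line in lines:
        if line.startswith("*** "):
            messages.append((line[4:].split(",")[0].strip(), []))
        elif messages:
            messages[-1][1].append(line)
    return messages


def analyze(trace):
    """Extract the client-authentication facts from a JSSE debug trace."""
    lines = [ln.strip() for ln in trace.splitlines() if ln.strip()]
    report = {"key_store": None, "trust_store": None, "cert_requested": False,
              "acceptable_cas": [], "client_cert_sent": None, "exceptions": []}
    for ln in lines:
        m = re.match(r"(keyStore|trustStore) is\s*:\s*(.*)$", ln)
        if m:
            field = "key_store" if m.group(1) == "keyStore" else "trust_store"
            report[field] = m.group(2)
        elif re.match(r"(java|javax)\.[\w.]+Exception\b", ln):
            report["exceptions"].append(ln)
    messages = parse_messages(lines)
    names = [name for name, _ in messages]
    for name, body in messages:
        if name == "CertificateRequest":
            report["cert_requested"] = True
            report["acceptable_cas"] = [b[1:-1] for b in body
                                        if b.startswith("<") and b.endswith(">")]
    if "ServerHelloDone" in names:
        # The first Certificate message after ServerHelloDone is the client's own.
        for name, body in messages[names.index("ServerHelloDone") + 1:]:
            if name == "Certificate chain":
                report["client_cert_sent"] = any(b.startswith("chain [") for b in body)
                break
    return report


def findings(report, client_issuer=None):
    """Return finding codes; client_issuer is the issuer DN of the intended client cert."""
    out = []
    if report["cert_requested"] and not report["key_store"]:
        out.append("NO_KEYSTORE")            # no key store path was reported
    if report["cert_requested"] and report["client_cert_sent"] is False:
        out.append("EMPTY_CLIENT_CHAIN")     # client answered with no certificate
    allowed = {split_dn(ca) for ca in report["acceptable_cas"]}
    if client_issuer is not None and allowed and split_dn(client_issuer) not in allowed:
        out.append("ISSUER_NOT_ACCEPTED")    # issuer absent from Cert Authorities
    return out


if __name__ == "__main__":
    rep = analyze(SAMPLE_TRACE)
    print(rep)
    print(findings(rep))
```

Passing the issuer DN of the certificate you intend to present as `client_issuer` also checks it against the `Cert Authorities` list the server sent.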

    ... no IV for cipher
    This line is in my debug and the debug posted in the original message.
    Am having the same problem of accessing a page with a Client Side Cert that uses a password. I get debug that has the "no IV for cipher" message. It does not throw an exception, but gets a 403 from server.
    Does anyone know? Will a Client Side Cert with a Symmetric Key work in Java APIs?
    I load the .pfx cert into a Java KeyStore and send this to Apache HTTPClient.

  • Kerberos auth. not working..with VDI 3.1 EA

    Guys,
    The krb5.conf file is configured correctly. The command-line utilities nslookup and kinit are working fine.
    Kerberos auth. is giving the following error in the cacao logs:
    com.sun.directoryservices.service.ConnectionException: Failed to connect to ad://COMPANY/dc=COMPANY,dc=XXX,dc=YYY,dc=AU [Root exception is com.sun.directoryservices.auth.AuthenticationException: Authentication Failed [Client not found in Kerberos database (6)] [Root exception is javax.security.auth.login.LoginException: Client not found in Kerberos database (6)]]
    at com.sun.sgd.directoryservices.core.connect.DirectoryConnector.connect(DirectoryConnector.java:182)
    at com.sun.sgd.directoryservices.core.service.GenericDirectoryService.connect(GenericDirectoryService.java:109)
    at com.sun.sgd.directoryservices.core.service.ADService.connect(ADService.java:99)
    at com.sun.sgd.directoryservices.core.DirectoryServiceContext.connect(DirectoryServiceContext.java:154)
    at com.sun.sgd.directoryservices.core.DirectoryServiceContext.connect(DirectoryServiceContext.java:143)
    at com.sun.directoryservices.service.DirectoryService.connect(DirectoryService.java:143)
    at com.sun.vda.service.ldap.UserDirConnection.createDirService(UserDirConnection.java:221)
    at com.sun.vda.service.adapter.UserDirMgrAdapter.checkUserDirConnectivity(UserDirMgrAdapter.java:100)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at com.sun.vda.service.core.ThreadClassloaderProxy.invoke(ThreadClassloaderProxy.java:96)
    at $Proxy42.checkUserDirConnectivity(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)
    at javax.management.StandardMBean.invoke(StandardMBean.java:323)
    at com.sun.jmx.mbeanserver.DynamicMetaDataImpl.invoke(DynamicMetaDataImpl.java:213)
    at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
    at com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)
    at com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:783)
    at com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:638)
    at com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)
    at com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:126)
    at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1410)
    at javax.management.remote.rmi.RMIConnectionImpl.access$100(RMIConnectionImpl.java:81)
    at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1247)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1350)
    at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:784)
    at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
    at sun.rmi.transport.Transport$1.run(Transport.java:153)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
    at java.lang.Thread.run(Thread.java:595)
    Caused by: com.sun.directoryservices.auth.AuthenticationException: Authentication Failed [Client not found in Kerberos database (6)] [Root exception is javax.security.auth.login.LoginException: Client not found in Kerberos database (6)]
    at com.sun.sgd.directoryservices.core.auth.AuthAgent.handleAuthException(AuthAgent.java:126)
    at com.sun.sgd.directoryservices.core.auth.KerberosAuthAgent.authenticate(KerberosAuthAgent.java:68)
    at com.sun.sgd.directoryservices.core.auth.KerberosAuthAgent.doAsCredential(KerberosAuthAgent.java:164)
    at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.connect(KerberizedConnection.java:59)
    at com.sun.sgd.directoryservices.core.connect.DirectoryConnector.connect(DirectoryConnector.java:138)
    ... 44 more
    Caused by: javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:592)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
    at com.sun.sgd.directoryservices.core.auth.KerberosAuthAgent.login(KerberosAuthAgent.java:184)
    at com.sun.sgd.directoryservices.core.auth.KerberosAuthAgent.authenticate(KerberosAuthAgent.java:66)

    Can you please post your krb5.conf?
    Also make sure that valid forward AND reverse DNS lookups return for your Kerberos server.
    # getent hosts <hostname/IP>
