Kerberos Authentication on an NT machine.

Similar Messages

• Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

  I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
  Given below are the steps of installation and configuration.
  Installation till basic authentication:
  The installation has been done in a
  single server.
  Installed SQL Server 2012 (Developer version).
  Selected only the following features:
  Database Engine Services
  Analysis Services
  Reporting Services – SharePoint
  Reporting Services Add-in for SharePoint Products
  Management Tools – Basic
  - Management Tools - Complete
    2. Installed SQL Server 2012 SP1.
    3. Installed SQL Server 2012 SP2.
    4. Installed SharePoint Foundation 2013.
    5. Created web application (without Kerberos; we did not even create the SPNs).
        The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
  account.
    6. Created Site Collection.
    7. Verified that Reporting Services is not installed.
    8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
    9. Verified that Reporting Services is installed.
   10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
    11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
    12. Created a Site.
    13. Created a Data Connection library with “Report Data Source” content type.
    14. Created a Report Model library with “Report Builder Model” content type.
    15. Created a Report library with “Report Builder Report” content type.
    16. Uploaded an SMDL to the Report Model library.
    17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
    18. Able to create and save a report using Report Builder.
  Hence, basic authentication is working and SSRS is able to connect to Oracle database.
  Next we have to configure Kerberos settings between SharePoint and SQL Server.
  Implementation of Kerberos authentication
  In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
  and RSWindowsKerberos.
   2.  Set up the following SPNs.
                 a) SQL Server Database Engine service (sqlDbSrv2):
                  setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                  setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
               In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
  b) Account: SharePoint Setup Admin account (spAdmin2)
       setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                  setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                  In the Delegation tab of the account, selected "Trust this user for delegation to any  service
  (Kerberos only)".
  c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                     setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                     setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                     In the Delegation tab of the account, selected "Trust this user for delegation to any service
  (Kerberos only)".
    3. Configure the Web Application to use “Negotiate (Kerberos)”.
    4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
       The Event Viewer logged the login process for the SharePoint Administration account as
  Negotiate and not Kerberos.
    5. Implemented Kerberos for Oracle database and client.
       Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
    6. Turn on Windows Firewall.
    7. While testing the site's data connection using Kerberos settings, got the error
  “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
        Note: The Data Connection for basic authentication still worked.
    8. Created a Claims to Windows Token Service account (spC2WTS2).
    9. Started the Claims to Windows Token Service.
   10. Registered the Claims to Windows Token Service account as a Managed Account.
   11. Changed the Claims To Windows Token Service to use the above managed account.
   12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
        Note: The Reporting Services service account is also a part of the WSS_WPG local group.
   13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
   14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
   15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
        When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
  added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
   16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
   17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
        Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
   18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
        For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
  any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
        Note: The Reporting Service account already had an HTTP SPN.
   19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
  authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
   20. Restarted the SharePoint server.
   21. Tested the data connection with the Kerberos settings again.
         Got the error
  “ORA-12638: Credential retrieval failed”.
  Can anyone tell me what is wrong with this setup?

  http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
  Problem4: ORA-12638: Credential retrieval failed
  Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
  Do check 
  http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
  If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

• Publish Sharepoint 2013 via Web Application Proxy and Kerberos Authentication

  This is similar to
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/66c23aae-8774-4257-b9f9-b796e69b0318/action?threadDisplayName=publishing-sharepoint-2010-using-web-application-proxy
  However I have tried his resolution to no avail.
  I am trying to publish a SharePoint 2013 website via web application proxy. SharePoint 2013 is using negotiate (Kerberos) as its authentication provider. When trying to browse to the site externally via the WAP I get an http error 500 internal server error.
  In the web application proxy's event viewer I find the following two entries every time I try to browse the site.
  event ID 13019
  level: warning
  Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package
  (0x8009030e).
  Details:
  Transaction ID: {5672be45-a4b8-0005-58ff-7256b8a4cf01}
  Session ID: {5672be45-a4b8-0000-3909-7356b8a4cf01}
  Published Application Name: sharepoint
  Published Application ID: ****
  Published Application External URL: https://sharepoint.domain.com
  Published Backend URL: https://sharepoint.domain.com
  User: [email protected]
  User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
  Device ID: <Not Applicable>
  Token State: OK
  Cookie State: NotFound
  Client Request URL:
  https://sharepoint.domain.com/home?authToken=****client-request-id=****
  Backend Request URL: <Not Applicable>
  Preauthentication Flow: PreAuthBrowser
  Backend Server Authentication Mode: WIA
  State Machine State: BackendRequestProcessing_Pending
  Response Code to Client: <Not Applicable>
  Response Message to Client: <Not Applicable>
  Client Certificate Issuer: <Not Found>"
  And
  event ID 12027
  level: error
  Web Application Proxy encountered an unexpected error while processing the request.
  Error: No credentials are available in the security package
  (0x8009030e).
  Details:
  Transaction ID: ****
  Session ID: ****
  Published Application Name: Sharepoint
  Published Application ID: ****
  Published Application External URL: https://sharepoint.domain.com/
  Published Backend URL: https://sharepoint.domain.com/
  User: [email protected]
  User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Gecko
  Device ID: <Not Applicable>
  Token State: OK
  Cookie State: NotFound
  Client Request URL:
  https://gateway.dcsch.co.uk/home?authToken=****client-request-id=****
  Backend Request URL: <Not Applicable>
  Preauthentication Flow: PreAuthBrowser
  Backend Server Authentication Mode: WIA
  State Machine State: OuOfOrderFEHeadersWriting
  Response Code to Client: 500
  Response Message to Client: <Not Applicable>
  Client Certificate Issuer: <Not Found>"
  I have tried everything I have seen in many posts and the one linked above but cannot get this working. It does work fine internally.

  And within the next 10 minutes I found this
  http://technet.microsoft.com/en-us/library/dn308246.aspx#Kerberos
  Needed to set up delegation to ANY service in the Web application proxy

• WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

  I have two forests with a transitive on-way trust between them: PROD -> TEST (test trusts PROD). I had previously had kerberos authentication working with winrm from PROD to machines in TEST. I have verified the trust is healthy, I also verified users
  in TEST can use WINRM with kerberos just fine. Users from PROD cannot connect via kerberos to machines in TEST with winrm.
  I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent kerberos from happening. I even tried disabling the firewall entirely on my TEST dcs
  but that didn't gain me anything.
  I've enabled kerberos logging but only see the expected errors such as it couldn't find a PROD SPN for the machine, which it shouldn't from what I understand, it should go to the TEST domain and find the SPN from there.
  I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
  PowerShell Error:
  Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
      + FullyQualifiedErrorId : PSSessionStateBroken
  winrs Error:
  Winrs error:
  WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
   Possible causes are:
    -The user name or password specified are invalid.
    -Kerberos is used when no authentication method and no user name are specified.
    -Kerberos accepts domain user names, but not local user names.
    -The Service Principal Name (SPN) for the remote computer name and port does not exist.
    -The client and remote computers are in different domains and there is no trust between the two domains.
   After checking for the above issues, try the following:
    -Check the Event Viewer for events related to authentication.
    -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
   Note that computers in the TrustedHosts list might not be authenticated.
     -For more information about WinRM configuration, run the following command: winrm help config.

  Hi Adam,
  I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
  WSMAN/<NetBIOS name>
  WSMAN/<FQDN>
  If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
  Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
  If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I
  just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
  If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of
  this to learn a bit more about selective trusts and whether or not it's affecting you.
  Cheers,
  Lain

• Kerberos Authentication on Windows 7

  I'm trying to authenticate using Kerberos Authentication. Let's say the server is oracle.mydomain.com, and the kdc is kdc.sub.mydomain.com. Now, I have one machine that is joined to the sub.mydomain.com domain, and another machine which is on a totally different domain thatdomain.com.
  Now, I use this as my krb5.ini file
  [libdefaults]
  default_realm = sub.mydomain.com
  dns_lookup_kdc = true
  dns_lookup_realm = true
  [realms]
  sub.mydomain.com = {
  default_domain = sub.mydomain.com
  kdc = kdc.sub.mydomain.com
  and on the machine that is joined to the sub domain, it connects. If I use the same file for the other machine, I get "Status : Failure - Test failed: Peek timed out". Now I tried kinit on that machine "kinit testacct" and it properly gives me "Enter password for [email protected]" to which I enter the password and it gives me "New ticket is stored in cache file C:\Users\testacct\krb5cc_testacct", so that seems to be working, I just don't know why the SQL developer doesn't. Any ideas? Does the machine have to be joined to the domain in order to work with kerberos? FYI I have tried and I can ping the servers and telnet to the oracle server port, so it doesn't seem like a network issue...?
  The machine that is connecting is on the same subnet and uses the same DNS servers, it is just joined to a different domain.
  Edited by: 850630 on Apr 14, 2011 5:38 AM
  Edited by: 850630 on Apr 14, 2011 5:39 AM

  Hi ElementZero,
  I would still try to get thick kerberos working with for example sqlplus before you try thin.
  To help rule out kerberos version incompatibilities and configuration issues.
  For your information: my oracle krb5.conf set in database advanced properties was:
  [libdefaults]
  default_realm = example.COM
  [realms]
  US.ORACLE.COM = {
  kdc = KERBEROS_SERVER.example.com
  default_domain = example.com
  admin_server = KERBEROS_SERVER.example.com
  [domain_realm]
  .us.oracle.com = EXAMPLE.COM
  us.oracle.com = EXAMPLE.COM
  .ie.oracle.com = EXAMPLE.COM
  ie.oracle.com = EXAMPLE.COM
  If you set the kerberos cache entry in database advanced preferences to an new file you will have
  to enter a new password in sqldeveloper.
  Turloch
  -SQLDeveloper Team

• Remotely adding a Kerberos Authenticated printer

  Hi there, I am deploying a printer Via MCX which works fine. however the machines are using an LDAP kerberos authentication setup. If i manually set kerberos on the machine using the following steps it works fine.
  1. Open the URL "http://localhost:631/printers" in Safari.
  2. For each printer you wish to share using Kerberos:
  3. Click the printer name in the list.
  4. Choose "Set Default Options" from the "Administration" pop-up menu.
  5. Click "Policies".
  6. Choose "kerberos" from the "Operation Policy:" pop-up menu.
  7. Click "Set Default Options".
   The problem i have is I can't do this on each machine manually.
  This setting is not held in the PPD for that printer. I have set the option, copied the PPD from /etc/cups/ppd and then created a new printer using this PPD but the option is not enabled. I can see that when you enable this option it is writing to and then deleting the following files
  /var/spool/cups/cache/printername.png
  /var/spool/cups/cache/printername.data.N
  /var/spool/cups/cache/printername.png-psHg
  /var/spool/cups/cache/printername.data I am sure this is what is setting the option but i can't see anything in lpadmin or lpoptions that would allow this to be set via the command line. Any Ideas?

  I have found the Apple whitepaper on Enterprise printing and this command is supposed to enable kerberos.
  However when you run it and then check through the CUPS interface kerberos is not enabled.
  first you get the queue name from this
  lpstat -a
  lpadmin -p printername -o auth-info-required=negotiate
  Now according to the white paper the process changed from 10.5 to 10.6
  I am wondering if anyone knows if things have changed from 10.6 to 10.7

• Error Event ID 11 The KDC encountered duplicate names while processing a Kerberos authentication request.

  I've been noticing The Error with event ID 11 popping up a lot on our domain controllers:
  The KDC encountered duplicate names while processing a Kerberos authentication request.
  When running setspn -X it says that it found 111 groups of duplicate SPNs. However, when going through the list, it references domain service accounts that are used to run our SQL Server services. We have about 50 remote locations and each of them has 3
  machines participating in a SQL mirror (principal, mirror, witness) and they all run the SQL Server service on the same account (1 account per location).
  We haven't experienced any issues at all but I was wondering if this could cause problems or if we are straying from best practice. Any advice is welcome. Thanks!

  I believe what you should do to follow best practice is to provide unique SPNs for each SQL server, which will also provide increased security, and to do that you must create individual service account for each SQL server so it can associate that
  account with that server's SPN.
  Here's more on it to help guide you. Read Paul's comments, as well as other suggestions in the following thread:
  event ID 11 There are multiple accounts with name MSSQLSvc/xxxxxx
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df35316-23ba-48ba-aa3e-2249fcbfecbc/event-id-11-there-are-multiple-accounts-with-name-mssqlsvcxxxxxx?forum=winserverDS
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Error=49 from the LDAP server for GSSAPI Kerberos authentication

  I am trying to find solution for ldapsearch failure with GSSAPI Kerberos authentication . I am running Sun Directory Server 5.2 P4 on a Solaris-9 sparc machine..
  Steps :
  bash-2.05# kinit tester1
  Password for [email protected]:
  bash-2.05#
  When I do ldapsearch , I am getting following logs on the server :
  tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
  [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
  [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
  [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
  [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
  [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
  [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
  [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
  [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
  [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
  [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
  [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
  [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
  I am using default Identiy Mapping and the ldif file looks like this :
  dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
  objectClass: dsIdentityMapping
  objectClass: nsContainer
  objectClass: dsPatternMatching
  objectClass: top
  cn: default
  dsMatching-pattern: ${Principal}
  creatorsName: cn=directory manager
  createTimestamp: 20070220045812Z
  dsMatching-regexp: uid=(.*)
  dsSearchBaseDN: ou=people,dc=test1,dc=com
  dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
  modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoo
  t
  modifyTimestamp: 20070221082740Z
  Following is the snoop for LDAP on the server :
  bash-2.05# !snoop
  snoop -v port 389 | grep LDAP
  Using device /dev/eri (promiscuous mode)
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 0: Bind Request]
  LDAP: [Version]
  LDAP: [Object Name]
  LDAP: uid=tester1,ou=people,dc=test1,d
  LDAP: c=com
  LDAP: Authentication: SASL *[3]
  LDAP: [OctetString]
  LDAP: GSSAPI
  LDAP: [OctetString]
  LDAP: *** NOT PRINTED - Too long value ***
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 1: Bind Response]
  LDAP: [Result Code]
  LDAP: SASL Bind In Progress
  LDAP: [Matched DN]
  LDAP: [Error Message]
  LDAP: SASL Credentials [7]
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 0: Bind Request]
  LDAP: [Version]
  LDAP: [Object Name]
  LDAP: uid=tester1,ou=people,dc=test1,d
  LDAP: c=com
  LDAP: Authentication: SASL *[3]
  LDAP: [OctetString]
  LDAP: GSSAPI
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 1: Bind Response]
  LDAP: [Result Code]
  LDAP: SASL Bind In Progress
  LDAP: [Matched DN]
  LDAP: [Error Message]
  LDAP: SASL Credentials [7]
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 0: Bind Request]
  LDAP: [Version]
  LDAP: [Object Name]
  LDAP: uid=tester1,ou=people,dc=test1,d
  LDAP: c=com
  LDAP: Authentication: SASL *[3]
  LDAP: [OctetString]
  LDAP: GSSAPI
  LDAP: [OctetString]
  LDAP:
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation *[APPL 1: Bind Response]
  LDAP: [Result Code]
  LDAP: 1
  LDAP: Invalid Credentials
  LDAP: [Matched DN]
  LDAP: [Error Message]
  LDAP: SASL(-1): generic failure:
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- Lightweight Directory Access Protocol Header -----
  LDAP: *[LDAPMessage]
  LDAP: [Message ID]
  LDAP: Operation [APPL 2: Unbind Request]
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  TCP: Destination port = 389 (LDAP)
  LDAP: ----- LDAP: -----
  LDAP:
  LDAP: ""
  LDAP:
  Please help me on how to fix this issue.
  Thanks,
  Radhakrishnan

  I did reply on the other thread of yours...
  Ludovic

• Windows Service, SSPI, Kerberos, SQL Server on another machine.

  Hi,
  I have a TCPIP service running on SERVER which connects to a SQL Server that is located on another machine. (SQLSERVER).
  The client authenticates with the SERVER using the Kerberos security package successfully.
  the 3 machines are in the same domain.
  When the service is running under the System account, the connection to the SQL Server machine succeeds (I have enabled the "Trust computer for delegation" option for the SERVER machine).
  But When the service is running under a specific user profile (eg: USER1), the connection to the SQL Server machine fails with this error:
  Login failed for user 'AUTORITE NT\ANONYMOUS LOGON'
  I have tried toadd the "Impersonate a client after authentication" user right for USER1 in the Local Security Policy, but it does not solve the problem.
  Does someone know what is wrong here please?
  Thank you,
  Olivier gg.
  (Note: the "Forest Functional Level" of the domain is Win2000).

  Retried in a test domain with
  Forest Functional Level set to 2008, and figured out what to do.
  This page (How To: Use Impersonation and Delegation in ASP.NET 2.0, (http://msdn.microsoft.com/en-us/library/ms998351.aspx#paght000023_delegation) especially the
  Use Kerberos authentication and delegation part) helped me.
  However something remains unclear: I had first selected the "Trust this user for delegation to any service (Kerberos only)" option for the domain user,
  but it did not work (Does someone know why?).
  I had to select the "Trust this user for delegation to specified services only" option and specify explicitely the appropriate SPN in order to have the delegation working.

• Kerberos Authentication Failure for POP3 After Upgrading to 10.6.5

  So I just upgraded from 10.6.4 to 10.6.5 and now Kerberos authentication for POP3 from Mail fails. Kerberos authentication for SMTP outgoing mail is just fine, it's only POP3 incoming mail that fails to authenticate. POP3 Kerberos authentication still works fine for the same account from another machine running 10.5.8. The mailaccess.log file contains the following:
  Nov 23 15:36:59 server master[423]: about to exec /usr/bin/cyrus/bin/pop3d
  Nov 23 15:36:59 server pop3[423]: executed
  Nov 23 15:37:00 server pop3[423]: accepted connection
  Nov 23 15:37:00 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
  Nov 23 15:37:04 server pop3[423]: badlogin: FQDN [192.168.0.4] GSSAPI
  Nov 23 15:37:04 server master[52]: process 423 exited, status 0
  The server is running Mac OS X Server 10.4.11 and cannot be upgraded any further than as it is ancient hardware.
  Any thoughts?
  Cheers,
  Derek

  Makes perfect sense to me that ending one session by logging out enables him to begin a new session by logging back in. I give the young man credit for figuring out how to get around this deficiency in Parental Controls, as, deep down, I'm sure you do, too.
  If you can't trust him to stick to his agreed upon half an hour a day, you can always (threaten to) lock him out of the computer for 23.5 hrs/day using the Bedtime settings. ; )

• How to configure the applet  use Kerberos authentication

  Hi all:
  I know few about the java or applet security and hope someone can help me.
  I have a MS IIS Web server named win2003stdbase1 and it use Kerberos authentication, and the
  web server host a jar file.The client machine has jdk1.5 installed.When the client visit a html page which contains a java applet,the jre starts the applet and a dialog "Password Needed -Networking" popups.Then we input the right user name and the password,but the dialog popup again.The dialog display these message:
  Server:     win2003stdbase1/192.168.0.43
  Scheme:     ntlm
  UserName:
  Password:
  Domain:
  I suspect that the applet use the ntlm authentcation method which different from the web server,and I want it to use Kerberos authentication.How can I achieve this?
  Any suggestion or idear will be appreciated.Thanks.

  Are there anyone can help on this? It is a urgent issue. Also if I did not explain it clearly, please let me know.Thanks.

• PS remoting with Kerberos authenticated sites

  Hi everyone,
  I was looking at the fabulous PowerShell Remoting feature and had it functional on a Windows 2003 server. Really cool !
  Then I tried to activated it on a Windows 2008 R2 with Sharepoint 2010 configured with Kerberos authenticated sites. Fail.
  It seems that WinRM needs an SPN HTTP for the machine name itself whereas If I do that, I'll get stuck with duplicate SPNs (Application pool service account already has a HTTP SPN). I tried removing the service account SPN and create the machine SPN and then
  it works.
  So my question is in the title :
  How are you supposed to configure PS Remoting with an already Kerberos-authentication website configured without having SPN duplicate issues ?
  Thanks!
  Wes

  Quick update on this as I have more infos.
  The DNS workaround you mention fsocas is in the case that WinRM (or enable-PSRemote) is actually working and running.
  In my case, it's not the case because WinRM isn't able to "activate" the listener, it will trigger a security error before doing it.
  For your case fsocas, I suppose you could just use this method to make it work :
  On your machine (from which you ps-remote):
  Set-Item WSMAN:\localhost\Client\TrustedHosts -value 'ip address of the server'
  So here's the complete scenario I have.
  SharePoint 2010 server with Central admin running on it using this url :
  http://name-of-the-server:8080
  This url uses an application pool running under a domain account (let's call him domain\mycentraladmin)
  To setup Kerberos, I added the corresponding SPNs to the domain account of the application pool (domain\mycentraladmin) :
   - HTTP\name-of-the-server
   - HTTP\name-of-the-server.domain.org
   - HTTP\name-of-the-server:8080
   - HTTP\name-of-the-server.domain.org:8080
  So the Central admin site uses Kerberos for authentication. Everything works.
  Running "Enable-PSRemoting -force" wll fail with this error :
  Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authenticati
  on: An unknown security error occurred.
  or more specifically (using winrm command directly)
  Error number: -2144108387 0x8033809D
  An unknown security error occurred.
  So, since WinRM seems to check for a HTTP SPN set on the computer object (HTTP\name-of-the-server), it will always fail because it will find the HTTP SPN but not set on the computer object. Thus, it cannot authenticate using Kerberos and just fails.
  To have a proper configuration, I found out an interesting fact :
  http://blogs.dirteam.com/blogs/tomek/archive/2009/12/20/kerberos-a-sprawa-portu.aspx
  Internet Explorer only checks for a HTTP SPN on the default HTTP port (80). To force him to check the HTTP SPN with the port, you need to add a specific registry key.
  Here's my simple Powershell script for this:
  $Reg_Key = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209"
  New-item -type Directory $Reg_Key
  New-ItemProperty -Path $Reg_Key -Name "iexplore.exe" -value "1" -propertytype dword
  Note that this needs to be done on the client side (your machine).
  Now, I modified the SPN configuration. It now looks like :
  - HTTP\name-of-the-server:8080
  - HTTP\name-of-the-server.domain.org:8080
  I remove the default HTTP SPNs (which were necessary before applying the registry key to connect by Kerberos on the Central admin). But with the registry key in place, I'm able to log on to the Central admin with Kerberos.
  With this working, I went on the server and triggered the cmdlet "Enable-PSRemoting -force". Success :)
  Et voilà ! A nice setup without any dirty workaround.

• Kerberos Authentication Issues. 

  Our set up is as follows. In Directory Access we have our own clients set to receive their LDAP information via DHCP from our Mac OSX server and when in our office - or indeed, at a location that does not have a Mac OS X server - Kerberos Authentication to our server works just fine.
  However, when out of the office and in a location that also has a Mac OSX Server providing it's LDAP information via DHCP, naturally, we pickup that location's Kerberos Realm and this prevents us from making a connection to our Office VPN server which is running on our Mac OSX Server. To work successfully, it requires Kerberos Authentication but when prompted to enter our Kerberos password, the dialogue box appears with the local site's Kerberos Realm and even if I type in our office's Realm, it still will not work. How can we avoid this situation, other than turning off Kerberos Authentication completely. 
  The krux of the matter is that when off-site, my computer seems to pick up the Kerberos Realm of the system I'm in and completely forgets my own realm, thus not allowing me to authenticate until I return to my own office. I don't seem to be able to manually override it either.
  Is there something I am missing here?

  afaict what you're expierencing is default behaviour. Kerberos on a client machine gets autoconfigured by means of reading the KerberosClient record in the LDAP database in use. This happens dynamically so having LDAP server coming from dhcp configures kerberos as laid out in that LDAP server KerberosClient record.
  See man kerberosautoconfig which is the tool actually run to achieve this.
  HTH
  -Ralph

• Configuring WACS for AD-kerberos Authentication in XI 3.1

  Hi,
  Installed WACS (WebApplication Container Server) and trying to configure CMC hosted on it, for AD-Kerberos authentication in XI 3.1.Followed all the steps inu201D XI 3.1 admin guideu201D but when trying to login to CMC using Kerberos authentication getting the error u201CAccount Information Not Recognized: Active Directory failed to log you onu2026u201D
  Then installed Tomcat on the same machine and deployed Infoview and CMC on it. Able to login to CMC and Infoview hosted on tomcat using Kerberos authentication, but still Kerberos authentication is failing with WACS.
  Also enabled Kerberos logging for WACS, by adding the command line parameters
  u201C-Dcrystal.enterprise.trace.configuration=verbose
  -Djcsi.kerberos.debug=trueu201D
  But not getting any useful from WebApplicationContainerServer_stdout.log.
  Could you please suggest me know how to proceed here.
  Regards,
  Saikrishna.

  Hi Tim,
  Yes. Did put the paths for krb5.ini and bscLogin.conf in the properties section of WACS.
  Tried deleting the WACS server (Right click and u201CDeleteu201D the server)->Created the server again from Home->Servers->Core Services->Manage->New->New server.
  But getting the same issue, able to login to WACS with enterprise authentication but AD is failing. Anything else I may need to check?
  Regards,
  Saikrishna.

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel