Kerberos authentication via Apache ...

Hi all !
we use SAP NW Portal 7.0; we can access the portal from the internet via Apache as a reverse proxy;
our internal and external users access the portal via the Apache reverse proxy;
now we want to use Kerberos to authenticate against the Portal's J2EE engine;
Kerberos is working when I access the Portal directly via http://<fqdn>:<port>/irj;
but when we want to access the portal via the Apache reverse proxy, e.g. http://portal.test.com, authentication via Kerberos doesn't work; Apache doesn't pass the Kerberos ticket;
is there any solution?
the Apache reverse proxy should be the 'single point of contact' for portal access;
Thanks
Oliver

to use the portal, all users (internal or external) have to use the URL of our Apache reverse proxy; the URL is the same for internal and external users
==> http://portal.test.com;
for the internal users, it would be nice if the Apache reverse proxy could pass the Kerberos ticket to the portal server so that the login page doesn't appear;
how to?
Thanks
Oliver
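A check a practitioner would run for the situation Oliver describes (added example, not from the thread): a SPNEGO client asks the KDC for a ticket for HTTP/<host name in the URL it used>, so when every user goes through http://portal.test.com, whichever side validates the token (the backend, or the proxy if it terminates Negotiate itself) must hold a key for HTTP/portal.test.com. The script parses a `klist -k` listing like the one quoted further down this page and reports the mismatch; the host names, realm and keytab contents below are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of `klist -k` output for a backend whose keytab only
# knows its own host name (hypothetical names, not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   3 05/05/09 21:37:50 HTTP/portal-j2ee01.test.com@TEST.COM
   3 05/05/09 21:37:50 HTTP/portal-j2ee01.test.com@TEST.COM
   3 05/05/09 21:37:50 HTTP/portal-j2ee01.test.com@TEST.COM
   3 05/27/09 22:44:34 host/portal-j2ee01.test.com@TEST.COM
"""

# One entry line: KVNO, date, time, principal (the layout klist -k prints).
_ENTRY_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+/\S+@\S+)\s*$")


def parse_klist(text):
    """Return the distinct principals in a `klist -k` listing.

    klist prints one line per key, so a principal with three encryption
    types appears three times; the set collapses those."""
    return {m.group(1) for m in map(_ENTRY_RE.match, text.splitlines()) if m}


def expected_spn(url, realm, service="HTTP"):
    """SPN a SPNEGO client derives from the URL it was asked to fetch.

    Browsers build HTTP/<host from the URL>; most ignore the port, so the
    proxy's public name, not the backend's, ends up in the ticket.
    DNS canonicalisation (CNAME to A record) is not modelled here."""
    host = urlsplit(url).hostname          # already lower-cased
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return "%s/%s@%s" % (service, host, realm.upper())


def check_spnego_path(url, realm, klist_text):
    """Can the service the user actually connects to decrypt the ticket?

    Returns the SPN the client will request, whether the keytab holds a key
    for it, and which HTTP SPNs the keytab does hold (to spot a mismatch)."""
    wanted = expected_spn(url, realm)
    have = parse_klist(klist_text)
    return {
        "requested_spn": wanted,
        "in_keytab": wanted in have,
        "keytab_http_spns": sorted(p for p in have if p.startswith("HTTP/")),
    }


if __name__ == "__main__":
    # Direct access works, access through the proxy name does not.
    for u in ("http://portal-j2ee01.test.com:50000/irj", "http://portal.test.com/irj"):
        print(u, "->", check_spnego_path(u, "TEST.COM", SAMPLE_KLIST))
```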

Similar Messages

  • Kerberos authentication with Apache Kerberos Module

    Hi,
    Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
    However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
    I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers over the socket connection, e.g.
    GET: http://www.myhost.com/protected_page.html
    HOST: www.myhost.com
    AUTHENTICATE: negotiate XXXXX
    However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
    Can anyone tell me how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPNEGO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
    Thanks for any help or advice,
    Neil.

    Here are your options:
    1) Configure Krb5LoginModule programmatically.
    If the environment variable KRB5CC_NAME points to the ticket cache location,
    (which is updated each time), you can configure the Krb5LoginModule
    programmatically and set the "ticketCache" option to the value obtained
    from KRB5CC_NAME.
    Refer to the following docs for details:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
    http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
    2) Use native Kerberos from the platform
    Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
    NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
    you will not be able to use this option.
    For details refer to the following docs:
    http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
    Seema
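What stands in for XXXXX above is a base64-encoded GSS-API token. As an added example (not code from the thread), the script below decodes such an `Authorization: Negotiate` value far enough to tell whether it is a SPNEGO NegTokenInit and which mechanisms it offers (the difference between a mere "Negotiate" and actual Kerberos), a raw Kerberos token, or a bare NTLMSSP message; the sample tokens are constructed inside the script, not captured from a client.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {SPNEGO_OID: "SPNEGO",
              "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length at offset %d" % pos)
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _enter(buf, pos, tag):
    """Require DER tag `tag` at buf[pos]; return (content length, content start)."""
    if buf[pos:pos + 1] != bytes([tag]):
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    return _read_length(buf, pos + 1)

def _decode_oid(raw):
    """Convert DER OID contents (base-128 arcs) into dotted form."""
    if not raw:
        raise ValueError("empty OID")
    arcs, value, pending = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)

def classify_negotiate(header_value):
    """Describe what an `Authorization: Negotiate <base64>` value carries.
    'format' is 'ntlmssp', 'gss' or 'unknown'; for a GSS InitialContextToken
    (RFC 2743 3.1) the outer mechanism is named, and for SPNEGO the mechTypes
    offered in the NegTokenInit (RFC 4178) are listed in order."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob:
        raise ValueError("not a Negotiate header value")
    token = base64.b64decode(blob, validate=True)
    if token.startswith(b"NTLMSSP\x00"):     # bare NTLM under the Negotiate scheme
        return {"format": "ntlmssp", "message_type": int.from_bytes(token[8:12], "little")}
    if token[:1] != b"\x60":                 # [APPLICATION 0] InitialContextToken
        return {"format": "unknown"}
    _, pos = _read_length(token, 1)
    oid_len, pos = _enter(token, pos, 0x06)
    oid = _decode_oid(token[pos:pos + oid_len])
    pos += oid_len
    result = {"format": "gss", "oid": oid,
              "mechanism": MECH_NAMES.get(oid, "unknown"), "offered": []}
    if oid == SPNEGO_OID:
        # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
        _, pos = _enter(token, pos, 0xA0)
        _, pos = _enter(token, pos, 0x30)
        _, pos = _enter(token, pos, 0xA0)
        seq_len, pos = _enter(token, pos, 0x30)
        end = pos + seq_len
        while pos < end:
            n, pos = _enter(token, pos, 0x06)
            m = _decode_oid(token[pos:pos + n])
            result["offered"].append(MECH_NAMES.get(m, m))
            pos += n
    return result

def _der(tag, body):
    """Minimal DER TLV encoder for the constructed samples (short-form length only)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _oid(dotted):
    """DER-encode a dotted OID (inverse of _decode_oid); used for the samples."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def sample_spnego_header():
    """Constructed browser-style NegTokenInit offering MS-Krb5, Krb5, then NTLMSSP."""
    mechs = b"".join(_oid(o) for o in ("1.2.840.48018.1.2.2",
                                       "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"))
    init = _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, mechs))))
    return "Negotiate " + base64.b64encode(_der(0x60, _oid(SPNEGO_OID) + init)).decode()

def sample_ntlm_header():
    """Constructed raw NTLMSSP NEGOTIATE_MESSAGE (type 1) sent under the Negotiate scheme."""
    msg = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 20
    return "Negotiate " + base64.b64encode(msg).decode()
```

A token whose outer OID is Kerberos V5 rather than SPNEGO is a raw Kerberos AP-REQ wrapper; an NTLMSSP result means no Kerberos ticket was involved at all.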

  • Serving Directories with Authentication via Apache

    Yep, it really is that simple but it's driving me nuts.
    We are setting up an xserve to serve customer data (directories with HTML pages). I'd like to be able to set up a folder for each customer, have them hit our server via http, be challenged for a username and password, and be able to view and browse their folder contents.
    I've poked around in server admin most of the day (spending a lot of time trying to set up realms with no luck), looked at the Web Technologies Administration document (following directions on page 43 with no luck), browsed the web and this forum and still don't see how I might do this.
    Suggestions on where to look or specific advice would be greatly appreciated and sorry if this is so galactically simple and/or discussed an infinite number of times.
    xerve g5 & others   Mac OS X (10.4.6)  

    Welcome to discussions!
    Server Admin does a pretty good job of making simple things hard, doesn't it? The only thing more useless is the performance cache.
    Probably the easiest way, unless you have a VERY high volume server, to do what you want would be .htaccess files. In each of the folders that you want basic authentication for its contents, create a folder with the name .htaccess . In .htaccess, put the following:
    AuthType Basic
    AuthName "What you want to appear in the popup window"
    AuthUserFile /path/to/a/file/that/has/name/passwds
    require valid-user
    Check out the man page for htpasswd. It will help you make a name/password file for your .htaccess file to reference.
    Roger

  • Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

    I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
    Given below are the steps of installation and configuration.
    Installation till basic authentication:
    The installation has been done in a single server.
      1. Installed SQL Server 2012 (Developer version). Selected only the following features:
         - Database Engine Services
         - Analysis Services
         - Reporting Services – SharePoint
         - Reporting Services Add-in for SharePoint Products
         - Management Tools – Basic
         - Management Tools – Complete
      2. Installed SQL Server 2012 SP1.
      3. Installed SQL Server 2012 SP2.
      4. Installed SharePoint Foundation 2013.
      5. Created web application (without Kerberos; we did not even create the SPNs).
         The application pool has been configured to use the Reporting Services account since it is a single server installation. This account has been registered as a managed account.
      6. Created Site Collection.
      7. Verified that Reporting Services is not installed.
      8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
      9. Verified that Reporting Services is installed.
     10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL Server Reporting Services Service Application.
     11. Verified that the SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
     12. Created a Site.
     13. Created a Data Connection library with “Report Data Source” content type.
     14. Created a Report Model library with “Report Builder Model” content type.
     15. Created a Report library with “Report Builder Report” content type.
     16. Uploaded an SMDL to the Report Model library.
     17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
     18. Able to create and save a report using Report Builder.
    Hence, basic authentication is working and SSRS is able to connect to the Oracle database.
    Next we have to configure Kerberos settings between SharePoint and SQL Server.
    Implementation of Kerberos authentication
      1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
      2. Set up the following SPNs.
         a) SQL Server Database Engine service (sqlDbSrv2):
            setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
            setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
         b) Account: SharePoint Setup Admin account (spAdmin2)
            setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
            setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
         c) Account: SQL Server Reporting Service account (sqlRepSrv2)
            setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
            setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
      3. Configured the Web Application to use “Negotiate (Kerberos)”.
      4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
         The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
      5. Implemented Kerberos for Oracle database and client.
         Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
      6. Turned on Windows Firewall.
      7. While testing the site's data connection using Kerberos settings, got the error “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
         Note: The Data Connection for basic authentication still worked.
      8. Created a Claims to Windows Token Service account (spC2WTS2).
      9. Started the Claims to Windows Token Service.
     10. Registered the Claims to Windows Token Service account as a Managed Account.
     11. Changed the Claims To Windows Token Service to use the above managed account.
     12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
         Note: The Reporting Services service account is also a part of the WSS_WPG local group.
     13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
     14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) to the "Act as part of the operating system" policy right.
     15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
         When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in the c2wtshost.exe.config file.
     16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
     17. Earlier, the Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
         Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
     18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
         For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
         Note: The Reporting Service account already had an HTTP SPN.
     19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
     20. Restarted the SharePoint server.
     21. Tested the data connection with the Kerberos settings again. Got the error “ORA-12638: Credential retrieval failed”.
    Can anyone tell me what is wrong with this setup?

    http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
    Problem4: ORA-12638: Credential retrieval failed
    Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
    Do check 
    http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

  • WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.

    I have two forests with a transitive one-way trust between them: PROD -> TEST (TEST trusts PROD). I had previously had Kerberos authentication working with WinRM from PROD to machines in TEST. I have verified the trust is healthy, and I also verified users in TEST can use WinRM with Kerberos just fine. Users from PROD cannot connect via Kerberos to machines in TEST with WinRM.
    I have verified the service has registered the appropriate SPNs. I ran dcdiag against all my PROD and TEST domain controllers and didn't find anything that would prevent Kerberos from happening. I even tried disabling the firewall entirely on my TEST DCs, but that didn't gain me anything.
    I've enabled Kerberos logging but only see the expected errors, such as it couldn't find a PROD SPN for the machine, which it shouldn't, from what I understand; it should go to the TEST domain and find the SPN there.
    I'm really out of next steps before I call PSS and hope someone here has run into this and could provide me some next steps.
    PowerShell Error:
    Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (:) [], PSRemotingTransportException
        + FullyQualifiedErrorId : PSSessionStateBroken
    winrs Error:
    Winrs error:
    WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.  
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config.

    Hi Adam,
    I'm a little unclear about which SPNs you were looking for, in which case could you confirm you were checking that on the computer object belonging to the actual destination host it has the following SPNs registered?
    WSMAN/<NetBIOS name>
    WSMAN/<FQDN>
    If you were actually trying to use WinRM to connect to the remote forest's domain controllers, then what you said makes sense, but I was caught between assuming this was the case or you meant another member server in that remote forest.
    Also, from the client trying to connect to this remote server, are you able to telnet to port 5985? (If you've used something other than the default, try that port)
    If you can't, then you've got something else like a firewall (be that the Windows firewall on the destination or a hardware firewall somewhere in between) blocking you at the port level, or the listener on the remote box just isn't working as expected. I just replied to your other winrm post with steps for checking the latter, so I won't repeat myself here.
    If you can telnet to it and the SPNs exist, then you might be up against something called selective authentication which has to do with how the trust was defined. You can have a read of
    this to learn a bit more about selective trusts and whether or not it's affecting you.
    Cheers,
    Lain

  • Authentication via weblogic security realm

    My servlet needs to access a session bean. The action in the session bean requires
    that a user has been authorized, i.e. at some point the session bean calls
    String name = d_ctx.getCallerPrincipal().getName()
    This name may not be null at this time.
    What I would like to have is that the user executing the URL gets authenticated
    by my server realm 'myrealm' and that the associated principal gets passed to
    the session bean. Is this possible? If so, how can the user pass along the username
    and password as this query is executed programmatically?
    markus

    http://www.weblogic.com/docs51/classdocs/API_acl.html
    Michael Girdley
    BEA Systems Inc
    "gennot" <[email protected]> wrote in message
    news:[email protected]..
    Could you send me the complete URL of these examples, please?
    Thanks
    Enrico
    Michael Girdley <[email protected]> wrote in message
    39b87078$[email protected]..
    The passing of the client's certificate should be automatic to WebLogic. We
    have an example of getting the client side certificate from inside of
    WebLogic in our documentation.
    This does not require SSL to be used from the Web server to WebLogic.
    Thanks,
    Michael
    Michael Girdley
    BEA Systems Inc
    "Bob Simonoff" <[email protected]> wrote in message
    news:[email protected]..
    I have read through the docs and haven't found anything that would address
    the following confusion:
    Suppose I want to use Apache or iPlanet as the webserver with WebLogic as
    the back end application server (obviously). I have the need to use 2-way
    SSL authentication. As I understand it the following applies:
    Client (browser) has a certificate as does the web server. They authenticate
    each other.
    Now, the web server and WebLogic need to communicate. WebLogic, in our
    environment, does authentication via the security realm.
    What do I have to do to get the web server (Apache or iPlanet) to
    communicate the client's certificate to WebLogic so WebLogic can perform
    the authentication?
    Does the communication between the web server and WebLogic also need to
    be SSL?
    Thanks
    Bob Simonoff

  • Question about Java GSS-Kerberos authentication

    Hi,
    I am new to GSS API. I have a client requirement to use Java GSS Kerberos Authentication instead of using IIS for Integrated Windows Authentication. In IWA, the IE browser automatically picks up the logged-in windows user credentials and passes it to IIS, which authenticates you against Active Directory and returns SUCCESS.
    We are planning to write a Servlet/JSP code on Apache Tomcat on Solaris 10, which uses Java GSS API to do Kerberos Authentication and return SUCCESS to the user. When I look at the examples:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html#RunAc
    it says:
    "You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message: Authentication succeeded!"
    Does this mean that in Kerberos Authentication using Java GSS API, the user will have to enter his windows credentials for authentication? Is there a way for the credentials to be passed from Windows automatically to the API, without user intervention?
    Any links detailing the procedure would be of great help.
    Thanks,
    shetty2k

    We are having a similar requirement at our end. To make the situation worse, I do not even have an idea about an approach.
    What are the ways that we can use windows credentials to authenticate against IIS with tomcat?
    any help is greatly appreciated.
    R.

  • Remotely adding a Kerberos Authenticated printer

    Hi there, I am deploying a printer via MCX, which works fine. However, the machines are using an LDAP Kerberos authentication setup. If I manually set Kerberos on the machine using the following steps, it works fine.
    1. Open the URL "http://localhost:631/printers" in Safari.
    2. For each printer you wish to share using Kerberos:
    3. Click the printer name in the list.
    4. Choose "Set Default Options" from the "Administration" pop-up menu.
    5. Click "Policies".
    6. Choose "kerberos" from the "Operation Policy:" pop-up menu.
    7. Click "Set Default Options".
    The problem I have is I can't do this on each machine manually.
    This setting is not held in the PPD for that printer. I have set the option, copied the PPD from /etc/cups/ppd and then created a new printer using this PPD, but the option is not enabled. I can see that when you enable this option it is writing to and then deleting the following files:
    /var/spool/cups/cache/printername.png
    /var/spool/cups/cache/printername.data.N
    /var/spool/cups/cache/printername.png-psHg
    /var/spool/cups/cache/printername.data
    I am sure this is what is setting the option, but I can't see anything in lpadmin or lpoptions that would allow this to be set via the command line. Any ideas?

    I have found the Apple whitepaper on Enterprise printing and this command is supposed to enable kerberos.
    However when you run it and then check through the CUPS interface kerberos is not enabled.
    first you get the queue name from this
    lpstat -a
    lpadmin -p printername -o auth-info-required=negotiate
    Now according to the white paper the process changed from 10.5 to 10.6
    I am wondering if anyone knows if things have changed from 10.6 to 10.7

  • Regarding Kerberos authentication for webservices.

    Hi,
    I need to use Kerberos authentication for my receiver web service. I am working in PI 7.1. Which adapter can I use for this (WS-RM adapter or SOAP adapter) and how do I configure it for Kerberos? I mean, which value of the authentication parameter refers to Kerberos authentication?
    Regards,
    Reyaz hussain

    Hi Reyaz,
    To tell you frankly, I have never come across this Kerberos protocol, but since you would like to use it, there is certainly a chance after the launch of PI 7.1. The launch has opened the door to the world of Web Services Reliable Messaging. "The Integration Directory enables you to easily configure scenarios where the Integration Server acts as a message hub between WS-RM-enabled applications and any other application or technical system. Thus, you can configure scenarios where either a Web Service client calls the Integration Server and the message is then routed to any other application, or the other way around where any application calls a Web Service provider via the Integration Server. In the Integration Directory you can do the complete configuration of the Integration Server inbound or outbound processing."
    https://www.sdn.sap.com/irj/scn/wiki?path=/display/profile/2007/07/25/new+news&focusedcommentid=44360
    Regards
    joel

  • Does 10.4.6 SMB support Kerberos authentication?

    Our company is heading towards using Kerberos authentication to access home directories shared via NFS and CIFS/SMB. I did some searching but wasn't able to determine if OS X 10.4.6 supports Kerberos auth. in its version of SMB. Does it?

    Hello a brody and Kiraly,
    thanks for the answers and much appreciate your hints regarding memory.
    Was thinking about the upgrade mostly for future security updates - they surely will end for 10.3.9 at some point in time, won't they? - and potentially for EAP-FAST. Application-wise I'm fine with eMail, Office and Telnet/SSH but when a memory on eBay comes along I may think about it
    Again thanks for your help!
    Regards, Marc

  • Jabber SSO for PKI / Kerberos LogOn via Card&fingerPrint

    Is there any solution (existing or planned) for Jabber SSO when users are not using UserName/Password identification when they are logging in to their PC ?
    Instead they are using a PKI / Kerberos LogOn via Card&fingerPrint ? and for this LogOn method once opening Jabber Client how can they be LoggedOn without any need for further identification?

    Hi Andrzej Kazmierczak,
    Thanks a lot for the reply,
    If we configure certificate based authentication in IIS (certificate mapping) it doesn't use the Kerberos provider (at least that's what I have seen through Network Monitor captures).
    I guess probably the presentation of intent in my question was wrong.. my bad.. sorry.
    My requirement is to configure the SSO environment based on "Kerberos authentication" (where the pre-authentication happens not via user name and password but through USER IDENTITY certificates).
    http://msdn.microsoft.com/en-in/library/cc238455.aspx
    When smart cards are implemented with Kerberos, pre-authentication (for Kerberos) happens through the KDC validating the smart card PKI certificate (X.509). I want to achieve the same thing in my lab without a smart card (i.e. only with a user identity certificate installed on a device).
    There is some related information available over the web, but only for Linux based (MIT Kerberos) environments. However, according to the document available in the link (http://msdn.microsoft.com/en-in/library/cc238455.aspx), it should be possible even in a Microsoft environment. That's exactly my requirement.
    I am very new to the Kerberos topic; please correct me if my implementation understanding is wrong somewhere.
    Thanks,
    GK

  • Kerberos Authentication Not Working on OS X 10.6

    Using FF version 20.0 on OS X 10.6.8, I cannot get it to use Kerberos authentication to allow SSO to a SharePoint web site.
    On OS X 10.8, with the same configuration in about:config, everything works fine - the user is not prompted for credentials.
    I have put the necessary entries in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, and network.negotiate-auth.gsslib is set to true.
    When I set up logging of the errors from the authentication module, I find in the log file "Fail to load gssapi library".
    Interestingly, on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
    Thanks for any help,
    Richard

    Found the solution:
    Was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
    We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
    Main problem was the kinit thing though.

  • Advanced Server 10.5.7, Kerberos Authentication not responding

    Hi everyone,
    Hoping Captain Obvious can help me out. I have searched the web and forums and I'm not getting very far.
    This is the first time I am managing a Mac Server - I come from a Windoz Server background.
    So ->
    Installed 10.5.7 Server
    Setup DNS (tested AOK)
    Setup Open Directory
    Setup iChat Server
    Setup AFP
    The server seems to be running OK; all the above services work. It has been working for a few weeks.
    Then I started to harden it and was looking at Kerberos authentication, so I first went into iChat Server and changed the form of authentication to the "Any" method.
    When I try to log in from iChat I go into this endless certificate acceptance loop.
    When I try to log in via AFP with Kerberos authentication, I go nowhere.
    Second, when I switch back to standard authentication, I get right in.
    I turned on VPN services and that is a dead end as well because of this authentication issue.
    What could be causing this Kerberos issue? DNS? Or did Captain Obvious miss a button?
    Your help is greatly appreciated.

    Hi davidh,
    Thank you for responding. I found that command just as I was passing out last night, so it was ironic to find your msg when I woke up. The thing is that I didn't know what I was looking at until I read your msg and yes, I see 3 entries for each kerberized service.
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp Principal
    3 05/05/09 21:37:50 afpserver/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 afpserver/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 afpserver/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 cifs/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 cifs/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 cifs/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 vnc/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:50 vnc/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/05/09 21:37:51 vnc/LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A8F@LKDC:SHA1.43AB07C7E595E78DBA6658C9FE5AD54683DA4A9F
    3 05/27/09 22:44:34 fcsvr/[email protected]
    3 05/27/09 22:44:34 fcsvr/vader.mydomain.com@VADER.MYDOMAIN.COM
    3 05/27/09 22:44:34 fcsvr/vader.mydomain.com@VADER.MYDOMAIN.COM
    3 05/27/09 22:44:34 pcast/vader.mydomain.com@VADER.MYDOMAIN.COM
    3 05/27/09 22:44:34 pcast/vader.mydomain.com@VADER.MYDOMAIN.COM
    3 05/27/09 22:44:34 pcast/vader.mydomain.com@VADER.MYDOMAIN.COM
    3 05/27/09 22:44:34 vnc/vader.mydomain.com@VADER.MYDOMAIN.COM
    3 05/27/09 22:44:34 vnc/vader.mydomain.com@VADER.MYDOMAIN.COM
    3 05/27/09 22:44:34 vnc/vader.mydomain.com@VADER.MYDOMAIN.COM
    I'm starting to think that it's actually running, but if it is... how come I can't authenticate via Kerb?
    Let me know what you think and what I can do next... thanks
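    An added example, not part of the original thread: a small Python parser for `klist -k`-style keytab listings like the one posted above. It groups entries by principal, reports the KVNO(s) and entry count per principal, and flags principals whose realm differs from the realm you expect the server to be in, or which carry more than one KVNO (a sign of stale keys left behind by a re-keying). The sample listing, host name and realm names below are constructed placeholders, not values from the poster's system.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by `klist -k` (keytab listing),
# with placeholder host and realm names; not taken from a real system.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
   3 05/27/09 22:44:34 afpserver/host.example.com@EXAMPLE.COM
   3 05/27/09 22:44:34 afpserver/host.example.com@EXAMPLE.COM
   3 05/27/09 22:44:34 afpserver/host.example.com@EXAMPLE.COM
   2 05/05/09 21:37:50 cifs/host.example.com@EXAMPLE.COM
   3 05/27/09 22:44:34 cifs/host.example.com@EXAMPLE.COM
   3 05/27/09 22:44:34 vnc/host.example.com@LKDC:SHA1.PLACEHOLDER
"""

# One keytab entry per line: KVNO, date, time, principal. Header lines
# ("Keytab name: ...", "KVNO Timestamp Principal") do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)$")


def parse_keytab_listing(text):
    """Return a list of (kvno, timestamp, principal) tuples from klist -k output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def summarize(entries):
    """Group entries by principal: how many keys it has and which KVNOs appear."""
    by_principal = defaultdict(lambda: {"count": 0, "kvnos": set()})
    for kvno, _timestamp, principal in entries:
        by_principal[principal]["count"] += 1
        by_principal[principal]["kvnos"].add(kvno)
    return {
        principal: {"count": info["count"], "kvnos": sorted(info["kvnos"])}
        for principal, info in by_principal.items()
    }


def find_issues(entries, expected_realm):
    """Flag principals outside the expected realm and principals with several KVNOs.

    Several entries with the same KVNO for one principal are normal (one key per
    encryption type) and are not reported.
    """
    issues = []
    for principal, info in sorted(summarize(entries).items()):
        _service, _sep, realm = principal.partition("@")
        if realm != expected_realm:
            issues.append(f"{principal}: realm {realm!r} != expected {expected_realm!r}")
        if len(info["kvnos"]) > 1:
            issues.append(f"{principal}: multiple KVNOs {info['kvnos']} (stale keys?)")
    return issues


if __name__ == "__main__":
    parsed = parse_keytab_listing(SAMPLE_KLIST)
    for principal, info in sorted(summarize(parsed).items()):
        print(f"{principal}: {info['count']} key(s), KVNO {info['kvnos']}")
    for issue in find_issues(parsed, "EXAMPLE.COM"):
        print("ISSUE:", issue)
```

    On a live server you would feed it the output of `klist -k` (with the keytab path from the listing's first line) and pass the realm the clients are expected to authenticate against; a principal whose realm is the server's local KDC realm rather than the directory realm will show up as a realm mismatch rather than being lost in a long list of hashes.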

  • Kerberos Authentication Issues. 

    Our set up is as follows. In Directory Access we have our own clients set to receive their LDAP information via DHCP from our Mac OSX server and when in our office - or indeed, at a location that does not have a Mac OS X server - Kerberos Authentication to our server works just fine.
    However, when out of the office and in a location that also has a Mac OSX Server providing its LDAP information via DHCP, naturally, we pick up that location's Kerberos Realm and this prevents us from making a connection to our Office VPN server which is running on our Mac OSX Server. To work successfully, it requires Kerberos Authentication but when prompted to enter our Kerberos password, the dialogue box appears with the local site's Kerberos Realm and even if I type in our office's Realm, it still will not work. How can we avoid this situation, other than turning off Kerberos Authentication completely?
    The crux of the matter is that when off-site, my computer seems to pick up the Kerberos Realm of the system I'm in and completely forgets my own realm, thus not allowing me to authenticate until I return to my own office. I don't seem to be able to manually override it either.
    Is there something I am missing here?

    AFAICT what you're experiencing is default behaviour. Kerberos on a client machine gets autoconfigured by means of reading the KerberosClient record in the LDAP database in use. This happens dynamically, so having the LDAP server come from DHCP configures Kerberos as laid out in that LDAP server's KerberosClient record.
    See man kerberosautoconfig which is the tool actually run to achieve this.
    HTH
    -Ralph

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
    1. Can Kerberos and NTLM authentication be configured together?
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003?
    3. Is there any other approach to make Portal Drive SSO work?
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    First, I made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication.
    Second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest version.
    Hope this helps
    Marcel
