Kerberos authentication with WinServer 2003 ADS
Hi,
I tried to implement the Kerberos authentication based on Web AS 6.40 EP6 SP17 and Windows Server 2003 ADS according to the following logs:
<a href="https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3541">kerberos implementation with ADS made easy</a>
<a href="https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3522">Windows Integrated Authentication via Kerberos on an LDAP data source</a>
But actually it doesn't work. Already at the generation of the keytab file I got a message that it was not possible to bind to the default domain ("failed getting target domain"). The other steps were made appropriately.
So where is the problem? Does it lie in the configuration of the Domain Controller? There was no special configuration made with it because I thought that Kerberos authentication is possible by default.
Thanks, regards
Markus Armbruster
Didn't work!
Let me explain what I did and maybe one of you will see my failure.
1. Assigned a working connection to ADS of a WinServer 2003
2. Took the xml of this configuration and added the corresponding lines. (krb5principalname)
3. Uploaded the xml
4. Added
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf=E:/usr/sap/SPE/JC00/j2ee/security/krb5.conf
-Dsun.security.krb5.debug=true
to server configuration
5. Created
- com.sap.security.core.server.jaas.SPNegoLoginModule
- com.sap.security.core.server.jaas.SPNegoMappingLoginModule
- com.sun.security.auth.module.Krb5LoginModule
6. On J2EE Host %java_home%\bin\ktab -a host/[email protected] -k keytab
7. setspn -A HTTP/server.aaa.bbb.ccc serviceuser
8. Assign HTTP/[email protected] to the loginModules SPNegoLoginModule and Krb5LoginModule
So where's the cause for this malfunction?
Last, what is the ConfigTool->UME_LDAP_data->use UME unique id with unique LDAP attribute = samaccountname?
Do I need to change it to krb5principalname?
regards
Similar Messages
-
Unity 4.2 voice mail only with Exchange 2003
Hi Team,
We are replacing the Windows 2000 OS with Win 2003 for Unity 4.2. This is a single box solution. Exchange 2000 is installed on the same Unity server. Now we are upgrading the OS from 2000 to 2003. With Windows 2003 we have to install Exchange 2003. In the Unity installation 4.0(5) the following paragraph is mentioned, which means we need separate hardware for Exchange. Kindly advise whether we need a separate server for Exchange 2003 or we can install it on the Unity box.
If you are using Exchange 2003, install Exchange 2003 administration software on the Cisco Unity server. (Exchange 2003 is installed on a separate server.)
If you are using Exchange 2000, you can install Exchange 2000 either on the Cisco Unity server or on a separate server. If you install Exchange 2000 on a separate server (typically for systems with a large number of subscribers), install Exchange 2000 administration software on the Cisco Unity server.
BR
Muhammad Irfan
Thank you Javalenc,
I can understand from following that Exchange 2003 can be installed on same server.
Voice Messaging
•Exchange 2003 on the Cisco Unity server or on a separate server. If you want to install Exchange 2003 on the Cisco Unity server, note the following:
–The Cisco Unity server must be running Windows Server 2003.
–Exchange 2003 can be installed only on the currently shipping servers supported for use with Cisco Unity 4.2 (MCS-78xx-x2, MCS-78xx-x3, or later, including IBM and HP equivalents). Currently shipping servers are listed in the Cisco Unity Supported Platforms List at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/
As you know we are just replacing the OS, from Win 2K to 2K3. So anything I need to take care of to back up the existing Unity with Win 2000 and Exchange 2000?
I am taking the backup of my Unity 4.2 installed on Windows 2000 with DiRT and will restore on Unity 4.2 with Win 2003 and Exchange 2003.
Kindly advise.
BR -
I am having difficulty: we are running a windows server 2003 - mail and outlook support 2007 and upwards, how do I get the brand new apple machines to work with the 2003 version of server
I may be way out, but do you know about this product, would it help integrate the Macs for you.
https://www.thursby.com/sites/default/files/images/ADmitMacv8_SPD.pdf -
I'm trying to use kerberos V5 with ActiveDirectory but get an error
I'm trying to use kerberos V5 with ActiveDirectory. I'm using simple code from previous posts but
when I try with correct username/password I get :
Authentication attempt failedjavax.security.auth.login.LoginException: Message stream modified (41)
when I try incorrect username/pass I get :
Pre-authentication information was invalid (24)
Debug info is :
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos username [naiden]: naiden
Kerberos password for naiden: naiden
[Krb5LoginModule] user entered username: naiden
Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Authentication attempt failedjavax.security.auth.login.LoginException:
Java code is :
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.login.*;
import javax.security.auth.Subject;
import com.sun.security.auth.callback.TextCallbackHandler;
import java.util.Hashtable;

/**
 * Demonstrates how to create an initial context to an LDAP server
 * using "GSSAPI" SASL authentication (Kerberos v5).
 * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
 * compliant implementation of J-GSS and a Kerberos v5 implementation.
 * Jaas.conf
 * racfldap.GssExample {com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
 * 'qop' is a comma separated list of tokens, each of which is one of
 * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
 */
class KerberosExample {
    public static void main(String[] args) {
        java.util.Properties p = new java.util.Properties(System.getProperties());
        p.setProperty("java.security.krb5.realm", "ISY");
        p.setProperty("java.security.krb5.kdc", "192.168.0.101");
        p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        System.setProperties(p);
        // 1. Log in (to Kerberos)
        LoginContext lc = null;
        try {
            lc = new LoginContext("ISY",
                    new TextCallbackHandler());
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed" + le);
            System.exit(-1);
        }
        // 2. Perform JNDI work as logged in subject
        Subject.doAs(lc.getSubject(), new LDAPAction(args));
    }
}

// 3. Perform LDAP Action
/**
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class LDAPAction implements java.security.PrivilegedAction {
    private String[] args;
    private static String[] sAttrIDs;
    private static String sUserAccount = new String("Administrator");

    public LDAPAction(String[] origArgs) {
        this.args = (String[]) origArgs.clone();
    }

    public Object run() {
        performLDAPOperation(args);
        return null;
    }

    private static void performLDAPOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389/DC=isy,DC=local");
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.server.authentication", "true");
        try {
            /* Create initial context */
            DirContext ctx = new InitialDirContext(env);
            /* Get the attributes requested */
            Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",CN=Users,DC=isy,DC=local");
            NamingEnumeration enumUserInfo = aAnswer.getAll();
            while (enumUserInfo.hasMoreElements()) {
                System.out.println(enumUserInfo.nextElement().toString());
            }
            // Close the context when we're done
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
JAAS conf file is :
ISY {
com.sun.security.auth.module.Krb5LoginModule required
debug=true;
};
krb5.ini file is :
# Kerberos 5 Configuration File
# All available options are specified in the Kerberos System Administrator's Guide. Very
# few are used here.
# Determines which Kerberos realm a machine should be in, given its domain name. This is
# especially important when obtaining AFS tokens - in afsdcell.ini in the Windows directory
# there should be an entry for your AFS cell name, followed by a list of IP addresses, and,
# after a # symbol, the name of the server corresponding to each IP address.
[libdefaults]
default_realm = ISY
[domain_realm]
.isy.local = ISY
isy.local = ISY
# Specifies all the server information for each realm.
#[realms]
ISY=
kdc = 192.168.0.101
admin_server = 192.168.0.101
default_domain = ISY
}
Now it works
I will try to explain how I do this :
step 1 )
follow this guide http://www.cit.cornell.edu/computer/system/win2000/kerberos/
and configure AD to use kerberos and to have a Kerberos REALM
step 2 ) try windows login to the new realm to be sure that it works. ADD trusted realm if needed.
step 3 ) create jaas.conf file for example in c:\
it looks like this :
ISY {
com.sun.security.auth.module.Krb5LoginModule required
debug=true;
};
step 4)
( don't forget to make mappings which are explained in step 1 ) go to Active Directory users, make sure from View to check Advanced Features. Right click on the user, go to mappings, in second tab kerberos mapping add USERNAME@KERBEROSreaLm for example [email protected]
step 5)
copy+paste this code and HIT RUN :)
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class Main {
    public static void main(String[] args) {
        java.util.Properties p = new java.util.Properties(System.getProperties());
        p.setProperty("java.security.krb5.realm", "ISY.LOCAL");
        p.setProperty("java.security.krb5.kdc", "192.168.0.101");
        p.setProperty("java.security.auth.login.config", "C:\\jaas.conf");
        System.setProperties(p);
        // 1. Log in (to Kerberos)
        LoginContext lc = null;
        try {
            lc = new LoginContext("ISY", new TextCallbackHandler());
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed" + le);
            System.exit(-1);
        }
        // 2. Perform JNDI work as logged in subject
        Subject.doAs(lc.getSubject(), new LDAPAction(args));
    }
}

// 3. Perform LDAP Action
/**
 * The application must supply a PrivilegedAction that is to be run
 * inside a Subject.doAs() or Subject.doAsPrivileged().
 */
class LDAPAction implements java.security.PrivilegedAction {
    private String[] args;
    private static String[] sAttrIDs;
    private static String sUserAccount = new String("Administrator");

    public LDAPAction(String[] origArgs) {
        this.args = origArgs.clone();
    }

    public Object run() {
        performLDAPOperation(args);
        return null;
    }

    private static void performLDAPOperation(String[] args) {
        // Set up environment for creating initial context
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use fully qualified hostname
        env.put(Context.PROVIDER_URL, "ldap://192.168.0.101:389");
        // Request the use of the "GSSAPI" SASL mechanism
        // Authenticate by using already established Kerberos credentials
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // env.put("javax.security.sasl.server.authentication", "true");
        try {
            /* Create initial context */
            DirContext ctx = new InitialDirContext(env);
            /* Get the attributes requested */
            // Create the search controls
            SearchControls searchCtls = new SearchControls();
            // Specify the attributes to return
            String returnedAtts[] = {"sn", "givenName", "mail"};
            searchCtls.setReturningAttributes(returnedAtts);
            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // Specify the LDAP search filter
            String searchFilter = "(&(objectClass=user)(mail=*))";
            // Specify the base for the search
            String searchBase = "DC=isy,DC=local";
            // Initialize counter to total the results
            int totalResults = 0;
            // Search for objects using the filter
            NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
            // Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult) answer.next();
                totalResults++;
                System.out.println(">>>" + sr.getName());
                // Print out some of the attributes, catch the exception if the attributes have no values
                Attributes attrs = sr.getAttributes();
                if (attrs != null) {
                    try {
                        System.out.println(" surname: " + attrs.get("sn").get());
                        System.out.println(" firstname: " + attrs.get("givenName").get());
                        System.out.println(" mail: " + attrs.get("mail").get());
                    } catch (NullPointerException e) {
                        System.err.println("Error listing attributes: " + e);
                    }
                }
            }
            System.out.println("RABOTIII");
            System.out.println("Total results: " + totalResults);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}
It will ask for username and password
type for example : [email protected] for username
and password : TheSecretPassword
where ISY.LOCAL is the name of kerberos realm.
p.s. it is not a good idea to use Administrator as login :)
Edited by: JOKe on Sep 14, 2007 2:23 PM -
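An added example, not part of the thread or any poster's code: a small Python check of the realm consistency that the krb5.ini and the realm change in the answer above (ISY to ISY.LOCAL) depend on. Both sample files are constructed for illustration, and the function names and the Active Directory naming check (realm equals the upper-cased DNS domain name) are assumptions of this example.

```python
import re
# Both samples are constructed: one modelled on the thread's krb5.ini, one corrected.
SAMPLE_BROKEN = """\
[libdefaults]
default_realm = ISY
[domain_realm]
.isy.local = ISY
isy.local = ISY
#[realms]
ISY=
kdc = 192.168.0.101
}
"""
SAMPLE_FIXED = """\
[libdefaults]
default_realm = ISY.LOCAL
[realms]
ISY.LOCAL = {
    kdc = 192.168.0.101
}
[domain_realm]
.isy.local = ISY.LOCAL
isy.local = ISY.LOCAL
"""

def parse_krb5(text):
    """Parse krb5.conf text into ({section: {key: value | dict}}, [syntax problems])."""
    conf, problems = {}, []
    section = block = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if line == "}":
            if block is None:
                problems.append(f"line {n}: '}}' without a matching '{{'")
            block = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or section is None:
            problems.append(f"line {n}: cannot parse {line!r}")
        elif value == "{":                      # start of a realm sub-block
            block = section.setdefault(key, {})
        elif not value:
            problems.append(f"line {n}: {key!r} has no value")
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    if block is not None:
        problems.append("end of file inside an open '{' block")
    return conf, problems

def check_realms(text):
    """Return findings about the realm definitions a Kerberos client relies on."""
    conf, findings = parse_krb5(text)
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        findings.append("[libdefaults] has no default_realm")
    elif default not in realms:
        findings.append(f"default_realm {default!r} is not defined in [realms]")
    for name, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realm {name!r} has no kdc entry")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"{domain} maps to undefined realm {realm!r}")
        # Assumption: an AD realm is the upper-cased DNS domain name.
        elif realm != domain.lstrip(".").upper():
            findings.append(f"{domain} maps to {realm!r}, not {domain.lstrip('.').upper()!r}")
    return findings

if __name__ == "__main__":
    print(check_realms(SAMPLE_BROKEN), check_realms(SAMPLE_FIXED))
```

Running the check before pointing a JVM at the file with -Djava.security.krb5.conf separates file-level mistakes from errors that really come from the KDC.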
Report Generation Toolkit with Excel 2003 and Excel 2000
Hello,
I'm using the Report Generation Toolkit to generate an Excel report from an Excel template.
The "NI_Excel.lvclass" is included in the "source" section of the application builder options.
I create an exe file on a PC where Excel 2003 is installed. On a Notebook, where only Excel 2000 is installed, the application crashes at the generation of the report:
I guess the problem is the different version of Excel but I don't know. On the developer PC with Excel 2003 it works fine.
In this document it's only talked about different Word versions.
How can I use the Report Generation Toolkit here?
I'm using it that way:
Regards
Oh, it seems that the Report Generation Toolkit "only" supports Excel XP/2003/2007.
I think, that's the problem. -
Windows 7 -64 bit syncing with Outlook 2003 not working
Hello all,
I have a Dell Vostro 1720 (64-bit) with MS-Office 2003 (32-bit), in German language.
My Iphone 3GS (Dutch language) won't sync any contacts or appointments with Outlook 2003. There is no error message, Itunes seems to think everything is OK. Resetting the sync history in Itunes has no effect. Telling Itunes to replace all contacts and calendars has no effect either. I have disabled third-party Outlook COM add-ins (there was a Norton antispam entry there).
Strangely, the syncing of Outlook notes DOES work. As does the syncing of Internet Explorer bookmarks. I am at a loss.
Can anyone PLEASE point me to some help?
Arthur (the desperate)
In the Windows event log, I see the following error:
Name der fehlerhaften Anwendung: OutlookSyncClient.exe, Version: 8.4.0.0, Zeitstempel: 0x4a820691
Name des fehlerhaften Moduls: ntdll.dll, Version: 6.1.7600.16385, Zeitstempel: 0x4a5bdb3b
Ausnahmecode: 0xc0000005
Fehleroffset: 0x00038c39
ID des fehlerhaften Prozesses: 0xbe0
Startzeit der fehlerhaften Anwendung: 0x01caaefcb4e8a010
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\OutlookSyncClient.exe
Pfad des fehlerhaften Moduls: C:\Windows\SysWOW64\ntdll.dll
Berichtskennung: f2e19be8-1aef-11df-9b04-005056c00008 -
VGA problem with FiFA 2003 and Audio Problem with NHL2003
i use onboard VGA
800 x600for both games
with no problem
but for Fifa 2003
the screen looks so dark...
all players look like a black people(all black color hair
and black face))
some audio problem with NHL 2003...
Have you tried the following?
Adjust monitor settings? i.e. contrast/brightness
Video settings within the game? Some have gamma or brightness settings.
Gamma correction in "Display Properties"?
for starters anyway...... -
Sending Email in Adobe Reader XI with Outlook 2003
After upgrading the Acrobat Reader on our Terminal Servers with Windows Server 2008 R2 and Outlook 2003, it is not possible to send pdf from Acrobat Reader via E-Mail. When we select the function to send the document per mail (with the default mail program (Outlook)), the focus switches to Outlook (when started), but no mail with the pdf-file as attachment is opened.
Is Acrobat XI not compatible with Outlook 2003 anymore? Is it a problem only in terminal server environments?
Is anybody able to get this to work in a similar environment?
Thanks for any help.
11.0.01 patch was released last Thursday (01/10).
-
BexAnalyser : compatibility of WB created in Excel 2010 with Excel 2003
Hi all,
I'm trying to define the compatibility of workbook created with BexAnalyser (Excel) 2003 with BexAnalyser 2010.
When a workbook is created in 2003 version and saved with 2010 version and opened with BexAnalyser 2003, I'm losing the text element (available by the Information button).
For displaying this information, I have to turn into creation mode and displaying the information by quoting the radio button in properties panel.
In another case, when I'm creating a workbook with BexAnalyser 2010, I cannot open it with 2003.
Do you know if workbooks that are created in BexAnalyser 2010 have a chance to be compatible (by two ways) with BexAnalyser 2003?
For information, we installed FEP 200 and FEP 201 and the SAPGUI is 720.
Thank you in advance.
Cedric
As an update...
I verified the Control ID in Outlook 2003 to be 5621.
I have also downloaded a handy tool which is a bit more friendly for figuring out all the MS Office 2010 control ID's: http://www.add-in-express.com/downloads/mapi-store-events.php
However, the tool confirms that the ID for OOF in Outlook 2010 is STILL 5621.
Just for grins, I disabled the MailBox Cleanup utility on the same page by identifying its control ID (7092), greys out no problem. But I can't get the OOF button to go grey. -
Anyone seen this problem with Excel 2003?
We're developing a Microsoft Excel-based app. The help system uses HTML Help (.chm) format, and works just fine with Excel 2007 and 2010. However, since a lot of potential users out there are still using older versions, we've been asked to adapt the app for Excel 2002 and 2003.
The help system works, more or less, with Excel 2002, but when we try it with Excel 2003 the tri-pane is missing. The default topic appears but the left-hand pane containing the navigation system (TOC, Index and Search) is missing. Consequently, users can't move away from the default topic. Has anyone come across this problem before, and do you know how to fix it?
I cannot help you with this one other than to say I haven't seen any other such reports. That may suggest it is worth checking for some small difference you haven't identified yet.
Of course it could also mean there aren't many people with that workflow.
See www.grainge.org for RoboHelp and Authoring tips
@petergrainge -
Tour Sync Issues with Outlook 2003 and Error Code 0x8004fceb
Hello, I have a Tour with DM 5.0, which I sync with Outlook 2003 on my laptop running Vista O/S. I am having a problem deleting items from the Tour that I've previously added via a sync with Outlook.
Some time after syncing, I delete the items from Outlook and then re-sync. Instead of deleting from BB, the changes dialog box tells me the items are going to be added from the device to Outlook!!! If I accept changes so that other calendar items will update (from Outlook to BB), Outlook remains fine, but the items do not delete from BB.
Additionally, existing items on BB are duplicated on the BB during sync. In other words, I have ended up with 7 entries for one appointment on the BB even though there's only one in Outlook. This primarily happens with recurring appointments.
Lastly, despite all this confusion, the sync ends with Error Code 0x8004fceb; check documentation, which I cannot locate on blackberry.com.
I am set up for two-way sync, future items only. I even reset to one-way sync from calendar to device to no avail.
Please help.
Thank you.
Sorry. I guess I needed to be clearer I have Office SP 2.
I will tell you that I am currently running an older version of iTunes (7.3) because that is the only one that syncs.
In the newest version of iTunes (and of course the current one) it does give me the option to sync with outlook.
Message was edited by: obxbound -
I am having difficulties syncing my iphone with Outlook 2003. My previous post has been deleted. I am seeking assistance in figuring out how I can use the latest version of itunes and the latest firmware update. With both installed, Outlook 2003 does not sync with my calendar or contacts.
Apple and anyone who reads this and has input, please provide any information you have to resolve this matter. I have followed the instructions pasted to the top of the forum to no avail.
Sorry. I guess I needed to be clearer I have Office SP 2.
I will tell you that I am currently running an older version of iTunes (7.3) because that is the only one that syncs.
In the newest version of iTunes (and of course the current one) it does give me the option to sync with outlook.
Message was edited by: obxbound -
My company asked me to learn Robohelp and create a document,
so I learned from Adobe Robohelp 6 but they supplied me with
Macromedia X5. The HTML part works fine, but I need to create a
Winhelp 2000 hlp. output. When I import Word documents into Winhelp
2003, it spews out error messages, jumbles exhibits and headings,
and created Topics and Mid-topic IDs at random--that is, when it
doesn't lock up completely. Am I missing something? I downloaded
updates, so it should work with Word 2003, but its lack of function
is appalling. I have lost days trying to install and then debug this
software on this and am desperate. Is there a fix or a workaround?
I have downloaded a converter for chm to hlp, but it doesn't
output with the proper skin. Help! (And thanks)
Hi
Microsoft offers a compatibility pack for earlier versions of Office that allows, for instance, Word 2003 to open Word 2007 documents. More info:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=3
http://office.microsoft.com/en-us/word-help/open-a-word-2007-document-in-an-earlier-version-of-word-HA010044473.aspx
There will be some Docx features that behave differently or are substituted when opened in Word 2003. These are listed in the second web page link.
Regards,
Sarabjit Singh
QE Lead, Acrobat.com -
Authentication with user and password
hello experts,
Does someone know what steps are necessary to carry out in XI for authentication with user and password in SOAP adapter receiver?
Is it necessary to put something in Visual Administrator?
thanks for all
user/pwd need to be provided by the SOAP client. You'll need to store it there and maintain whenever the pwd is changed in XI.
As of best practices:
- The minimum requirements here should be SSL, so that no one can get the pwd;
- Also, as to avoid this, you could take a look at client authentication with certificates.
Regards,
Henrique. -
WLC 4404-100/ACS 3.2/Windows 2003 ADS/ WLAPP AP1231
Equipments:
1. WLC4404-100
2. AP 1231 WLAPP
3. ACS 3.2
4. Windows 2003 ADS
We want to create dynamic VLANs; based on user's Web login authentication it'll place them in the correct VLAN.
We have one single broadcast SSID "SCHOOL" which faculty, student and guest will use to gain wireless access. I want to use ACS as the management interface for management.
Please provide any helpful links?
Thanks!
~GM
Hi David,
Check this link for AAA override feature which will let you configure dynamic vlans based on user's web login authentication.
http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40sol.htm#wp1124844
Check this link to configure WEB LOGIN AUTHENTICATION
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
Check this link to configure basic WLANs
http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40wlan.htm
To have a look at the complete configuration guide for 4400 controller have a look at this link
http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/index.htm
HTH
Ankur
*Pls rate helpful posts