Kerberos & Java GSS (JGSS) - pre-authentication required

EDIT.
duplicate post. Sorry
Edited by: evil_kerberos on Jul 18, 2010 8:36 AM

As far as I know, there is no such option. And this is definitely not an error.
The preauth challenge and response is a normal part of the protocol. If you take a sniff into the logon process of Windows or Unix/Linux kinit, you can also see this KRB-ERROR on the wire.

Similar Messages

  • Question about Java GSS-Kerberos authentication

    Hi,
    I am new to GSS API. I have a client requirement to use Java GSS Kerberos Authentication instead of using IIS for Integrated Windows Authentication. In IWA, the IE browser automatically picks up the logged-in windows user credentials and passes it to IIS, which authenticates you against Active Directory and returns SUCCESS.
    We are planning to write a Servlet/JSP code on Apache Tomcat on Solaris 10, which uses Java GSS API to do Kerberos Authentication and return SUCCESS to the user. When I look at the examples:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html#RunAc
    it says:
    "You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message: Authentication succeeded!"
    Does this mean that in Kerberos Authentication using Java GSS API, the user will have to enter his windows credentials for authentication? Is there a way for the credentials to be passed from Windows automatically to the API, without user intervention?
    Any links detailing the procedure would be of great help.
    Thanks,
    shetty2k

    We are having a similar requirement from our end. To make the situation worse, I do not even have an idea about an approach.
    What are the ways that we can use Windows credentials to authenticate against IIS with Tomcat?
    Any help is greatly appreciated.
    R.

  • Java GSS API - Kerberos - Receive timed out when requesting service ticket.

    Hi,
    I'm following the following exercises about Kerberos/JGSS-API :
    http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/
    On exercise 3, I get an exception (when requesting a service ticket) from the client side:
    "Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
    etc."
    This seems to happen when the GSSContext.initSecContext(...) method is called.
    The server side receives the client connection:
    "Waiting for incoming connection...
    Got connection from client /xxx.xxx.x.xxx"
    But then displays the following exception:
    "Exception in thread "main" java.security.PrivilegedActionException: java.net.SocketException: Connection reset
    etc."
    I checked my KDC (win 2003 Server SP2) and added SPNs with setspn but the error remains.
    Any suggestions are more than welcome!

    The TGT is already present on my client machine because it is acquired automatically from the KDC when the Windows session is opened.
    I use then JAAS to access the LSA and obtain the TGT - This doesn't need any further connection to the KDC.
    But the Service Ticket is requested to the KDC by my client machine..
    Here is the complete output (Client side) after I destroyed the tickets (with Kerberos MIT Leash.exe and/or kdestroy.exe ):
    Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    >>>KinitOptions cache name is C:\Documents and Settings\user.MYDOMAIN\krb5cc_user
    >> Acquire default native Credentials
    >>> Obtained TGT from LSA: Credentials:
    [email protected]
    server=krbtgt/[email protected]
    authTime=20080529135209Z
    startTime=20080529135209Z
    endTime=20080530015209Z
    renewTill=20080702135209Z
    flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
    EType (int): 23
    Principal is [email protected]
    Commit Succeeded
    Authenticated principal: [[email protected]]
    Connected to address host1/xxx.xxx.x.xxx
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
    Service ticket not found in the subject
    >>> Credentials acquireServiceCreds: same realm
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 3 1 23 16 17.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbKdcReq send: kdc=yyy.yyy.y.y UDP:88, timeout=30000, number of retries =3, #bytes=1262
    >>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =1, #bytes=1262
    SocketTimeOutException with attempt: 1
    >>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =2, #bytes=1262
    SocketTimeOutException with attempt: 2
    >>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =3, #bytes=1262
    Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at SimpleAuthzz2.loginAndAction(SimpleAuthzz2.java:56)
        at SimpleGssClient.main(SimpleGssClient.java:36)
    SocketTimeOutException with attempt: 3
    Caused by: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:659)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
        at SimpleGssClient$GssClientAction.run(SimpleGssClient.java:121)
        ... 4 more
    Caused by: java.net.SocketTimeoutException: Receive timed out
        at java.net.PlainDatagramSocketImpl.peekData(Native Method)
        at java.net.DatagramSocket.receive(DatagramSocket.java:662)
        at sun.security.krb5.internal.UDPClient.receive(UDPClient.java:77)
        at sun.security.krb5.KrbKdcReq$KdcCommunication.run(KrbKdcReq.java:278)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:140)
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
        at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:215)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:293)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)
        ... 7 more
    It seems like the TGT is still present in the cache, even if Leash displays "no tickets".
    Meanwhile, in the KDC-server side:
    -What is the correct spn to add? C:\setspn GssServer/host1 user ? (I in fact tried many possibilities)..
    -Is there any other special configuration to do in the KDC ?
    Thanks a lot!

  • Kerberos pre-authentication failed

    Hi,
    I have a customer who has the below issue:
    After he changed their administrator account password on domain, event ID 4771 is continuously thrown in the security log in DCs. Below is a snapshot:
    Also the below email alert from ADManager:
    Alert Message: Login failure for User 'Administrator' in server.domain.local'. Reason: 'Bad password'.
    Severity: Attention
    Event Details
      Domain: krbtgt/domain.LOCAL
      Event Code: 16
      SID: %{S-1-5-21-428199501-1217283236-4064894256-500}
      Client Host Name: Server.domain.local
      Event Type: Failure
      Remarks: Kerberos pre-authentication failed.
      Logon Service: krbtgt/ domain.LOCAL
      Domain Controller: DC.domain.local
      User Name: Administrator
      Client IP Address: IP
      Failure Code: 0x18
      Logon Time: Apr 09,2015 11:42 AM
      Failure Reason: Bad password
      Record number: 2197037173
      Event Number: 4771
    They already changed the password for service accounts running using that admin account with the new password. There are no issues in the domain other than this; users can log in and services are fine. However, account lockout policy is disabled, and if it is enabled I think they will have a huge issue due to this Kerberos authentication failure.
    Please help!

    Hi,
    Did you confirm the time sync issue?
    The error code 0x25 means the workstation's clock is too far out of sync with the DC's, so I suggest you first check the time sync of the computer failing pre-auth with the DC.
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
    Similar threads have been discussed:
    https://social.technet.microsoft.com/forums/windowsserver/en-US/245aa714-8f2f-4ea7-b2a1-dd447c02fa93/accounts-lockedout
    Regards.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
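A triage sketch for the event 4771 flood described in this thread, added here as an example and not code from the thread or from any vendor: it decodes the Failure Code (0x18 is decimal 24, the same Kerberos error Java reports as "Pre-authentication information was invalid (24)") and groups failures by user and source so the host still presenting the old password stands out. The CSV column layout, the sample rows and the `repeat_threshold` parameter are assumptions made for the illustration.

```python
import csv
import io
from collections import Counter

# RFC 4120 error codes that show up around pre-authentication. Event 4771
# prints them in hex ("Failure Code 0x18"); Java prints them in decimal ("(24)").
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",    # wrong key: bad or stale password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",  # normal first leg of an AS exchange
    0x25: "KRB_AP_ERR_SKEW",           # client clock too far from the DC's
}

# Constructed sample export; the column layout is an assumption and the
# addresses are documentation-range placeholders.
SAMPLE_CSV = """\
TimeCreated,EventID,TargetUserName,IpAddress,Status
2015-04-09T11:42:01,4771,Administrator,::ffff:192.0.2.15,0x18
2015-04-09T11:42:31,4771,Administrator,::ffff:192.0.2.15,0x18
2015-04-09T11:43:01,4771,administrator,::ffff:192.0.2.15,0x18
2015-04-09T11:43:31,4771,Administrator,::ffff:192.0.2.15,0x18
2015-04-09T11:44:10,4771,Administrator,192.0.2.40,0x18
2015-04-09T11:45:00,4768,jsmith,192.0.2.77,0x0
2015-04-09T11:46:12,4771,jsmith,192.0.2.77,0x25
2015-04-09T11:47:12,4771,jsmith,192.0.2.77,37
"""


def parse_code(raw):
    """Accept '0x18' (event log style) or '24' (Java style) and return an int."""
    return int(raw.strip(), 0)


def normalize_ip(raw):
    """Strip the IPv4-mapped IPv6 prefix that often appears in the event."""
    raw = raw.strip()
    return raw[7:] if raw.lower().startswith("::ffff:") else raw


def triage(csv_text, repeat_threshold=3):
    """Group 4771 failures by (user, source, code), busiest group first."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"].strip() != "4771":
            continue  # only pre-authentication failures are of interest here
        key = (row["TargetUserName"].strip().lower(),
               normalize_ip(row["IpAddress"]),
               parse_code(row["Status"]))
        counts[key] += 1
    findings = []
    for (user, source, code), count in counts.most_common():
        findings.append({
            "user": user,
            "source": source,
            "code": hex(code),
            "error": KRB_ERRORS.get(code, "UNKNOWN"),
            "count": count,
            # Repeated bad-password failures from one host after a password
            # change point at a credential still stored on that host.
            "stale_credential_suspect": code == 0x18 and count >= repeat_threshold,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(finding)
```

A source flagged as `stale_credential_suspect` is the host to inspect for services, scheduled tasks or saved sessions that still hold the old password.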

  • Proxy Auth authentication required and kerberos

    Hi All
    Oracle supports the proxy auth trusted subsystem which allows greater scalability through the use of a system wide connection pool. There is a configuration option to "authentication required" to the proxy auth system.
    Oracle also support kerberos authentication for external users.
    What I would like to know is whether the proxy_auth authentication required is compatible with Kerberos authentication. That is, can I configure proxy auth to authenticate the tunneled user using Kerberos?
    Thanks
    Edited by: user8002300 on 28/10/2009 16:47

    Hi,
    What you can do is to set up a reverse and the forward proxy. When the client hits the first proxy it should be configured as a reverse proxy which will redirect the request to the second proxy (this will be a reverse proxy) which will connect to the internet.
    Hope this helps.
    Regards,
    Dakshin.
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support.

  • Java webstart - authentication required

    Hello and thank you for reading my post,
    I need to get the username written in the "Authentication required" dialog. System.getenv("User.name") gets the username used to login to OS.
    Would be grateful for any help.
    Best regards,
    S.Renani

    Followup:
    Alternatively, is there a way to turn off the authenticator? (Not an optimum solution but in some cases necessary)
    http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/properties.html describes deployment.config and how one can turn it off from there, but it seems that it can only be turned off at the client side. I need to do that at the server side.

  • Kerberos pre-authentication issues - why now?

    Hi all,
    We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC.  When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error.  I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet.  However, we have another W2K3 DC that has never had this issue.  So why now?  Why this new DC?  What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?
    Any help or information that I can get would be helpful.
    Thanks,
    - Steve

    Hi JK,
    Thanks for the reply.
    Right, I understand that, and TAC directed me to the same document.  But we have an existing domain controller that we are currently using to authenticate against; pre-authentication is enabled, and it works fine.  It's only the NEW domain controller that has this problem.  So I'm trying to figure out what the difference is!
    I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.
    Thanks,
    - Steve

  • Pre-authentication information was invalid (24) authorization against AD

    Hi all,
    I'm going to be really desperate from this error message during the authentication to the Win2003 server where the Active Directory is running ... I'm using Krb5LoginModule.
    - Our administrator of the AD service has enabled DES encryption at the tested account.
    - I'm sure that the entered password is correct, because I'm able to log in via this password to our network.
    - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
    - Kerberos KDC contains the IP address of the Domain controller.
    I really don't know why it doesn't work....:-(( Strange is that if I enable ticketCache to the ability to use the native ticket cache it works fine.....
    My code is:
    import java.util.Iterator;
    import java.util.Properties;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.callback.TextCallbackHandler;

    /**
     * This JaasAcn application attempts to authenticate a user
     * and reports whether or not the authentication was successful.
     */
    public class JaasSample {
      public static void main(String[] args) {
        LoginContext lc = null;
        try {
          // "JaasSample" must match the entry name in jaas.conf
          lc = new LoginContext("JaasSample", new TextCallbackHandler());
        } catch (LoginException le) {
          System.err.println("Cannot create LoginContext. " + le.getMessage());
          System.exit(-1);
        } catch (SecurityException se) {
          System.err.println("Cannot create LoginContext. " + se.getMessage());
          System.exit(-1);
        } catch (Exception e) {
          System.out.println("Login failer: " + e.getMessage());
          System.exit(-1);
        }
        try {
          // Prompts for user name and password, then runs the Kerberos AS exchange
          lc.login();
          Subject subject = lc.getSubject();
          Iterator<?> it = subject.getPrincipals().iterator();
          while (it.hasNext())
            System.out.println("Authenticated: " + it.next().toString());
          it = subject.getPublicCredentials(Properties.class).iterator();
          while (it.hasNext())
            ((Properties) it.next()).list(System.out);
          lc.logout();
        } catch (LoginException le) {
          System.err.println("Authentication failed: ");
          System.err.println("  " + le.getMessage());
          System.exit(-1);
        }
        System.out.println("Authentication succeeded!");
      }
    }
    start.bat file:
    "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
    jaas.conf file:
    JaasSample {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
    };
    Output is:
    c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
    BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
    va.security.auth.login.config=jaas.conf JaasSample
    Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
    alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
    null tryFirstPass is false useFirstPass is false storePass is false clearPass is
    false
    Kerberos username [Kloucek]: User3
    Kerberos password for User3: Poiu4566
    [Krb5LoginModule] user entered username: User3
    principal is [email protected]
    Acquire TGT using AS Exchange
    EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
    EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
    2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
    0010: 1F 16 9E B6 19 8A 46 68
    [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    Authentication failed:
    Pre-authentication information was invalid (24)
    I tried all tips I found at this forum and other internet resources without luck...:-(((
    Please heeeeelp!!!!!!!!!!!!!!!!!

    I have solved it....The reason for this problem was this:
    I'm accessing our network via these login properties:
    login: My second name
    pass: My password
    Due to this fact I had entered these login properties into the Kerberos database too..., BUT KERBEROS had been expecting my fully qualified network name, which is myfirstname.mysecondname@KERBEROS-REALM!!!!!!!!!!!!!!! So after I had entered [email protected] instead of [email protected] it started to work!!!!! I hope this will help many other programmers....

  • Error with Pre-Authentication for Windows Desktop SSO

    When I try to use the Windows Desktop SSO module created in the Access Manager I get an error in the amAuthWindowsDesktopSSO file, but I don't know what I'm doing wrong. It's not an Access Manager problem; I can't get kinit to work either. I think I'm following the directions correctly from the manual.
    Are these ktpass commands setup right?
    The Windows AD administrator created the accounts:
    C:\>ktpass -princ HOST/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev.keytab
    Targeting domain controller: dc2.ad.tcpip.com
    Successfully mapped HOST/amdev.tcpip.com to AMDEV$.
    WARNING: Account AMDEV$ is not a user account (uacflags=0x1021).
    WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
    Reset AMDEV$'s password [y/n]?  y
    Key created.
    Output keytab to amdev.keytab:
    Keytab version: 0x502
    keysize 56 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x023efe3e6846d3cd)
    Account AMDEV$ has been set for DES-only encryption.
    C:\>ktpass -princ HTTP/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev-http.keytab
    Targeting domain controller: dc2.ad.tcpip.com
    Successfully mapped HTTP/amdev.tcpip.com to AMDEV$.
    WARNING: Account AMDEV$ is not a user account (uacflags=0x201021).
    WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
    Reset AMDEV$'s password [y/n]?  y
    Key created.
    Output keytab to amdev-http.keytab:
    Keytab version: 0x502
    keysize 56 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x45201cf4d3ec43e6)
    Account AMDEV$ has been set for DES-only encryption.
    C:\>
    I can read the keys with ktutil.
    ktutil:  rkt amdev-http.keytab
    ktutil:  list
    slot KVNO Principal
       1    4            HTTP/[email protected]
    ktutil:  rkt amdev.keytab
    ktutil:  list
    slot KVNO Principal
       1    4            HTTP/[email protected]
       2    3            HOST/[email protected]
    ktutil:  wkt amdev2.keytab
    I then try to do a kinit with the principal:
    kinit -k -t amdev2.keytab HTTP/[email protected]
    kinit(v5): Preauthentication failed while getting initial credentials
    Access Manager reports similar problem on access:
    01/17/2007 10:23:56:699 AM CST: Thread[service-j2ee-2,5,main]
    Stack trace:
    javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
            at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)
    . . .

    Something deep, dark, and inside Kerberos way outside of my knowledge base was the problem.
    I could always get a kinit with the HTTP/amdev.tcpip.com service to work. I never got the keytabs from the output of ktpass to operate. I used ktutil to create keytab entries all in vain, kinit using the keytab always resulted in a PA error, although the time clocks are setup the same.
    The AD administrator created the account, this time as a user account, not a machine account, and the keytabs from the Windows domain controller finally worked.
    If anyone knows what the difference between machine and user accounts in AD is, I would be obliged for his/her explanation. The UPN and SPN look the same in the directory. I'm at a loss. However, very glad to finally have this working.

  • JAAS, AD, Pre-authentication information was invalid (24)

    Our application is java based, and we use JAAS to allow authentication for the users though Active Directory.
    In particular we always encourage our prospective clients to use Krb5LoginModule.
    We would
    1. add new user to AD , set DES for the account, reset the password
    2.
    setspn -A host/newUser.DOMAIN.COM newUser
    setspn -A HTTP/newUser.DOMAIN.COM newUser
    run ktpass
    pass the keytab to the server where the server application will be running from and setup there
    -Djava.security.auth.login.config=c:\config\config.conf
    -Djava.security.krb5.realm=DOMANNAME
    -Djava.security.krb5.kdc=<Ip address of kdc>
    where config.conf file would have line
    Krb5LoginModule tryFirstPass=true storePass=true storeKey=true useKeyTab=true keyTab="c:\keytab.key";
    and it works...
    However, I have encountered a situation where the above would return
    Pre-authentication information was invalid (24) error.
    We have reset the password, regenerated the keytab, it is the same time zone ... and nothing.
    Then I asked to have a new user added (just to test it) - and it worked for the new user.
    Now - what do I need to do to get it to work for the hundreds of others?
    Thanks

    Support for the new Kerberos preauthentication mechanisms is available in Java SE 6.
    In addition, the pre-auth support has been backported to J2SE 5.0 Update 8.
    Seema

  • RDP pre-authentication: what does it actually do?

    I'm trying to integrate Forefront TMG and RDS with SecurID authentication. I believe I'm very close to having it working, but I'm hitting a brick wall.
    I have "require pre-authentication" set, and "pre-authentication server name" configured, as indicated in so many forum posts and HOWTOs.
    No matter what I do, clients receive the error "authentication to the firewall failed due to missing firewall credentials." This is after they have already successfully authenticated and visited the /RDWeb pages.
    Using the TMG logs, procmon, and wireshark, I am 100% certain that no network activity is occurring from the RDP client when this error occurs; this error is being generated entirely on the client side, before it attempts to connect to anything. I understand that this is what is expected; it is checking for the existence of a cookie.
    But the cookie doesn't exist. Why? Because nothing is setting one. The only cookies the client receives during the entire process (logging in to rdweb and trying to launch an app) are the SecurID domain SSO cookie I set in TMG, and the persistent authentication cookie I also set in TMG. RDweb itself is not issuing any cookie at all.
    Can anyone please explain to me, what specific cookie is the RDP client looking for when "require pre-authentication" is enabled? And which component is meant to be setting it?
    Obviously I'd be very grateful if anyone can tell me "run this command and it will start working" or whatever, but I'm really hoping to gain an engineering-level understanding of how it's meant to work ;)

     
    Hi,
    Please double check the following article:
    Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/gg589607(v=ws.10).aspx
    On the Forefront TMG server, apply the filter ipv4.address==<your public IP>
    When the client's remote desktop request reaches the TMG server, please check whether the TMG server is forwarding the packet to the RDG server.
    Looking forward to your feedback.
    Regards,
    Dollar Wang
    Forum Support
    TechNet Subscriber Support

  • Proxy Authentication required (Access denied)

    I created a simple Java web service (a Java class with a single method that takes two arguments) with the SOAP message format set to document/wrapped, using JDeveloper 10.1.3.1.
    I created one ESB project in ESB for this same application.
    In the ESB project I created one Routing service; here I gave the physical path of the WSDL file.
    I also created one SOAP service; here I gave the URL of the WSDL file.
    After that I registered the web service in ESB. Registration was done successfully.
    After that I logged in to the OC4J console; here I am able to find my web service under the webservices tab.
    Now I tested this web service, but it is giving an exception: Proxy Authentication required (Access denied).
    This is the exception:
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><faultcode>env:Server</faultcode><faultstring>oracle.tip.esb.server.common.exceptions.BusinessEventRetriableException: An unhandled exception has been thrown in the ESB system. The exception reported is: "oracle.tip.esb.server.common.exceptions.BusinessEventRetriableException: An unhandled exception has been thrown in the ESB system. The exception reported is: "org.collaxa.thirdparty.apache.wsif.WSIFException: exception on JaxRpc invoke: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 407 Proxy Authentication Required ( Access is denied. )
         at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1714)
         at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeRequestResponseOperation(WSIFOperation_JaxRpc.java:1460)
         at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.executeRequestResponseOperation(WSIFOperation_JaxRpc.java:1182)
         at oracle.tip.esb.server.common.wsif.WSIFInvoker.executeOperation(Unknown Source)
         at oracle.tip.esb.server.common.wsif.WSIFInvoker.nextService(Unknown Source)
         at oracle.tip.esb.server.common.wsif.WSIFInvoker.nextService(Unknown Source)
         at oracle.tip.esb.server.service.impl.outadapter.OutboundAdapterService.nextService(Unknown Source)
         at oracle.tip.esb.server.service.impl.outadapter.OutboundAdapterService.processBusinessEvent(Unknown Source)
         at oracle.tip.esb.server.dispatch.InitialEventDispatcher.dispatchNonRoutingService(Unknown Source)
         at oracle.tip.esb.server.dispatch.InitialEventDispatcher.dispatch(Unknown Source)
         at oracle.tip.esb.server.dispatch.BusinessEvent.raise(Unknown Source)
         at oracle.tip.esb.utils.EventUtils.raiseBusinessEvent(Unknown Source)
         at oracle.tip.esb.server.service.EsbRouterSubscription.onBusinessEvent(Unknown Source)
         at oracle.tip.esb.server.dispatch.EventDispatcher.executeSubscription(Unknown Source)
         at oracle.tip.esb.server.dispatch.InitialEventDispatcher.processSubscription(Unknown Source)
         at oracle.tip.esb.server.dispatch.InitialEventDispatcher.processSubscriptions(Unknown Source)
         at oracle.tip.esb.server.dispatch.EventDispatcher.dispatchRoutingService(Unknown Source)
         at oracle.tip.esb.server.dispatch.InitialEventDispatcher.dispatch(Unknown Source)
         at oracle.tip.esb.server.dispatch.BusinessEvent.raise(Unknown Source)
         at oracle.tip.esb.server.service.impl.soap.EventOracleSoapProvider.raiseEvent(Unknown Source)
         at oracle.tip.esb.server.service.impl.soap.EventOracleSoapProvider.processMessage(Unknown Source)
         at oracle.j2ee.ws.server.provider.ProviderProcessor.doEndpointProcessing(ProviderProcessor.java:869)
         at oracle.j2ee.ws.server.WebServiceProcessor.invokeEndpointImplementation(WebServiceProcessor.java:349)
         at oracle.j2ee.ws.server.provider.ProviderProcessor.doRequestProcessing(ProviderProcessor.java:460)
         at oracle.j2ee.ws.server.WebServiceProcessor.processRequest(WebServiceProcessor.java:114)
         at oracle.j2ee.ws.server.WebServiceProcessor.doService(WebServiceProcessor.java:96)
         at oracle.j2ee.ws.server.WebServiceServlet.doPost(WebServiceServlet.java:177)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
         at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:711)
         at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:368)
         at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:866)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:448)
         at com.evermind.server.http.HttpRequestHandler.serveOneRequest(HttpRequestHandler.java:216)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:117)
         at com.evermind.server.http.HttpRequestHandler.run(HttpRequestHandler.java:110)
         at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
         at oracle.oc4j.network.ServerSocketAcceptHandler.procClientSocket(ServerSocketAcceptHandler.java:239)
         at oracle.oc4j.network.ServerSocketAcceptHandler.access$700(ServerSocketAcceptHandler.java:34)
         at oracle.oc4j.network.ServerSocketAcceptHandler$AcceptHandlerHorse.run(ServerSocketAcceptHandler.java:880)
         at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
         at java.lang.Thread.run(Thread.java:595)
    Caused by: org.collaxa.thirdparty.apache.wsif.WSIFException: exception on JaxRpc invoke: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 407 Proxy Authentication Required ( Access is denied. )
         at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeOperation(WSIFOperation_JaxRpc.java:1714)
         at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.invokeRequestResponseOperation(WSIFOperation_JaxRpc.java:1460)
         at com.collaxa.cube.ws.wsif.providers.oc4j.jaxrpc.WSIFOperation_JaxRpc.executeRequestResponseOperation(WSIFOperation_JaxRpc.java:1182)
         ... 39 more
    </faultstring><faultactor></faultactor></env:Fault></env:Body></env:Envelope>
    Can anyone help me in this case, please?
    Any help is highly appreciated.

    I got the same issue: it runs fine via web test, but doesn't work via the proxy class generated by JDeveloper. Both machines are within the same local network. Tried setting uid/pwd same as oc4j admin credentials - didn't work:
    WARNING: Unable to connect to URL: http://10.75.0.122:8888/ws_1-context-root/WebService1SoapHttpPort due to java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 407 Proxy Authentication Required
    java.rmi.RemoteException: ; nested exception is:
         HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 407 Proxy Authentication Required
         at ws_1.proxy.runtime.WebService1SoapHttp_Stub.echo(WebService1SoapHttp_Stub.java:94)
         at ws_1.WebService1SoapHttpPortClient.echo(WebService1SoapHttpPortClient.java:45)
         at ws_1.WebService1SoapHttpPortClient.main(WebService1SoapHttpPortClient.java:33)
    Caused by: HTTP transport error: javax.xml.soap.SOAPException: java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Bad response: 407 Proxy Authentication Required
         at oracle.j2ee.ws.client.http.HttpClientTransport.invokeImpl(HttpClientTransport.java:172)
         at oracle.j2ee.ws.client.http.HttpClientTransport.invoke(HttpClientTransport.java:148)
         at oracle.j2ee.ws.client.StreamingSender._sendImpl(StreamingSender.java:175)
         at oracle.j2ee.ws.client.StreamingSender._send(StreamingSender.java:112)
         at ws_1.proxy.runtime.WebService1SoapHttp_Stub.echo(WebService1SoapHttp_Stub.java:78)
    Thank you!
    V.

  • Pre-requisites required for the local configuration of the Weblogic portal

    Hi All,
    I have got the code from the client. We apparently came to know that the code has been developed in Weblogic Workshop.
    When we build the application we are getting the following web services related errors:
    ERROR: DESCRIPTION:An unexpected exception occurred while attempting to locate the run-time information for this Web Service. Error: java.lang.NullPointerException:null
    WARNING: SUGGESTION:An unexpected error occurred. Please contact [email protected] for further assistance.
    ERROR: ERROR
    ERROR: DESCRIPTION:An unexpected exception occurred while attempting to locate the run-time information for this Web Service. Error: java.lang.NullPointerException:null
    WARNING: SUGGESTION:An unexpected error occurred. Please contact [email protected] for further assistance.
    ERROR: ERROR
    ERROR: DESCRIPTION:An unexpected exception occurred while attempting to locate the run-time information for this Web Service. Error: java.lang.NullPointerException:null
    WARNING: SUGGESTION:An unexpected error occurred. Please contact [email protected] for further assistance.
    ERROR: ERROR
    ERROR: DESCRIPTION:An unexpected exception occurred while attempting to locate the run-time information for this Web Service. Error: java.lang.NullPointerException:null
    WARNING: SUGGESTION:An unexpected error occurred. Please contact [email protected] for further assistance.
    ERROR: ERROR
    ERROR: DESCRIPTION:An unexpected exception occurred while attempting to locate the run-time information for this Web Service. Error: java.lang.NullPointerException:null
    WARNING: SUGGESTION:An unexpected error occurred. Please contact [email protected] for further assistance.
    ERROR: ERROR
    ERROR: DESCRIPTION:An unexpected exception occurred while attempting to locate the run-time information for this Web Service. Error: java.lang.NullPointerException:null
    WARNING: SUGGESTION:An unexpected error occurred. Please contact [email protected] for further assistance.
    PortaleWebApp: Created control beans for 19 controls in 12703 milliseconds
    BUILD FAILED
    ERROR: Build failed with 15 error(s).
    When we deploy to the Weblogic Portal server, the application deploys without any errors. But it is not showing any login page when I start the PTLoginMain.portal file.
    As I am completely new to this Weblogic Portal server, please let me know: do I need to configure any settings before starting the application? I mean to ask about the pre-requisites required for the local configuration of the Weblogic Portal server.
    Any help would be much appreciated.
    Regards & thanks,
    Nirmala Vijaay Sekhar Varre

    and your server address can be resolved or not?
    Are you accessing the server from Windows or Linux?
    - On Linux try editing the /etc/hosts file and add something like: 10.241.110.105 server1.etcetera
    - On Windows try editing the C:\WINDOWS\system32\drivers\etc\hosts file and add something like: 10.241.110.105 server1.etcetera
    When this works, contact your system administrator and ask him or her to map an ip to your hostname in DNS and DHCP
    such that the servername automatically resolves the ip-address

  • Pre-authentication failed in krb

    Hi All,
    We are also facing the same issue, but in a different way.
    Our Java application accepts the first 100 (around) krb auth requests and the rest of the requests are dropped; during the dropping it simply shows a message like pre-authentication failed.
    My doubt is, do we have any constraint on the number of concurrent accesses in krb?
    I'm using tomcat and casified sakai with apache2.
