Kerberos & jcifs

I am developing a single sign-on module for our company's Intranet site. I am using the jcifs extended version, which supports Kerberos authentication. It requires a krb5.ini file in the c:/winnt directory. I am using the AuthenticationFilter class, which will authenticate a request. I have Tomcat on my machine and the main server is situated somewhere else, where the Kerberos is installed. When I am running my Tomcat and opening the page from my system, which has Tomcat, it's running successfully, but when I am opening the same page from another system, which is within the same domain, it is throwing an exception:
"jcifs.spnego.AuthenticationException: Error performing Kerberos authentication:
java.lang.reflect.InvocationTargetException"
My C:/winnt/krb5.ini file:
[libdefaults]
     default_realm = IGGLOBAL.COM
     kdc_timesync = 1
     ccache_type = 4
     ticket_lifetime = 36000
     default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
     default_tgs_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
     dns_lookup_kdc = true
     dns_lookup_realm = false
[domain_realm]
     .igglobal.com = IGGLOBAL.COM
[realms]
     IGGLOBAL.COM = {
     kdc = 172.18.65.36:88
     }
login = {
forwardable = true
krb5_run_aklog = true
krb5_get_tickets = true
}
[appdefaults]
     autologin = true
     forward = true
     forwardable = true
     encrypt = true
     useKeyTab=false
I am using Java 6.
I don't know what I should do. Please help me, if anyone can.

An update:
After installing Java 1.5, the error has become a little clearer. Instead of the old "no support for encryption type (14)", I now have "KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC".
However, Ethereal still says des-cbc-md5 is what the AP REP is encoded in (incidentally I got both client and server using des-cbc-md5 over des-cbc-crc). If this is correct, the only conclusion I can come to is that IE or the local system is somehow modifying the HTTP message before it gets decoded by java. Is this even possible or is Ethereal wrong?

Similar Messages

  • Please help. Negotiate field in http header - Kerberos, SPNEGO, Base64... ?

    Hello to you all.
    I'm trying to implement a Kerberized SSO solution in Win2000
    environment. The web servers are apaches, the clients are IE5.5+
    But I had encountered the following problem:
    I wrote a servlet in java on the web server that sends 401 http error
    + "Negotiate" in the www-authenticate field. Then the client sends me
    back in the same field "Negotiate " and a long string that ends with
    '==' and it's somehow encoded...
    That's the problematic point. I saw it's encoded in base64, but
    decoding it didn't bring me to anything. Furthermore, I read that
    it's a spnego protocol. What am I doing with that? Does JDK1.4 give
    enough to work with that?
    All I know that in that string is the TGS sent to me... and that's all
    I need to authenticate my client, don't I?!
    Do you know what should I do with that string? Can you tell me what am
    I missing? Should I decode it with the '==' or without? What does it
    mean anyway?
    I'd really appreciate it if you help me.
    Thanks very much in advance,
    Danik.

    Close... SPNEGO is a GSSAPI mechanism for negotiating another mechanism. JDK 1.4 comes with a Kerberos mechanism provider out of the box, but not SPNEGO. Even though Microsoft's "Negotiate" auth method ends up negotiating Kerberos, you need to have a SPNEGO provider installed to effectively tell it to use Kerberos.
    The '==' is Base64 padding (the Base64-encoded string will end in '=' or '==' if the input content length is not divisible by 3). You would include it when decoding. The byte array you get from decoding is fed to the acceptSecContext method in org.ietf.jgss.GSSContext -- but you will get an "unknown mechanism" error if you don't have a SPNEGO mechanism provider.
    If you don't have the inclination to write a provider yourself (I know I wouldn't), and you have some cash to spend (I know I don't), you can get a SPNEGO provider from:
    http://www.wedgetail.com/jcsi/sso/FAQ.html
    They actually provide a complete solution for doing exactly what you are attempting.
    If you are just looking to provide single sign-on to a web application for Windows clients, and you don't necessarily need to do it via Kerberos, jCIFS provides a solution for performing NTLM authentication (the precursor to Negotiate, which authenticates against NT/Samba domains). You can get jCIFS from
    http://jcifs.samba.org
    The site is temporarily transitioning to a new ISP, so the latest version (0.7.5) can actually be found at:
    http://users.erols.com/mballen/jcifs
    The client side of NTLM is also supported in JDK 1.4.2, which would allow single sign-on for applets or Java applications.
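
An added example, not part of the original reply: a small Java class that Base64-decodes the token from the Authorization header (padding included) and reads the GSS-API mechanism OID, so you can tell whether the client sent SPNEGO, raw Kerberos or NTLM before handing the bytes to acceptSecContext. The class name, method names and sample tokens are constructed for illustration, and java.util.Base64 assumes Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

// Added example (hypothetical class, not from the thread): reports which
// mechanism an "Authorization: Negotiate <token>" value carries.
public class NegotiateTokenInspector {

    static final String SPNEGO_OID = "1.3.6.1.5.5.2";       // SPNEGO
    static final String KRB5_OID = "1.2.840.113554.1.2.2";  // Kerberos V5
    private static final byte[] NTLMSSP =
            "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Describes the token in a header value such as "Negotiate YII...==". */
    public static String classify(String headerValue) {
        int sp = headerValue.indexOf(' ');
        if (sp < 0) {
            return "no token after the scheme name";
        }
        byte[] tok;
        try {
            // The trailing '=' or '==' is padding and is decoded with the rest.
            tok = Base64.getDecoder().decode(headerValue.substring(sp + 1).trim());
        } catch (IllegalArgumentException e) {
            return "token is not valid Base64";
        }
        if (startsWith(tok, NTLMSSP)) {
            return "raw NTLMSSP message (no Kerberos ticket inside)";
        }
        if (tok.length > 0 && (tok[0] & 0xff) == 0xa1) {
            return "SPNEGO NegTokenResp (a later leg of the negotiation)";
        }
        Oid mech = readMechOid(tok);
        if (mech == null) {
            return "not a GSS-API initial context token";
        }
        String oid = mech.toString();
        if (SPNEGO_OID.equals(oid)) {
            return "SPNEGO token: acceptSecContext needs a SPNEGO mechanism provider";
        }
        if (KRB5_OID.equals(oid)) {
            return "Kerberos V5 token: the Kerberos mechanism provider can accept it";
        }
        return "GSS-API token for mechanism " + oid;
    }

    // A GSS-API initial token is: 0x60, DER length, then the mechanism OID.
    static Oid readMechOid(byte[] tok) {
        if (tok.length < 4 || (tok[0] & 0xff) != 0x60) {
            return null;
        }
        int pos = 1;
        int len = tok[pos++] & 0xff;
        if (len >= 0x80) {                 // long form: low 7 bits count the length octets
            int n = len & 0x7f;
            if (n == 0 || n > 4) {
                return null;
            }
            pos += n;                      // the length value itself is not needed here
        }
        if (pos + 2 > tok.length || tok[pos] != 0x06) {
            return null;                   // expected an OBJECT IDENTIFIER tag
        }
        int oidLen = tok[pos + 1] & 0xff;
        if (oidLen == 0 || oidLen >= 0x80 || pos + 2 + oidLen > tok.length) {
            return null;
        }
        try {
            // Oid(byte[]) takes the full DER encoding, tag and length included.
            return new Oid(Arrays.copyOfRange(tok, pos, pos + 2 + oidLen));
        } catch (GSSException e) {
            return null;
        }
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        return data.length >= prefix.length
                && Arrays.equals(Arrays.copyOf(data, prefix.length), prefix);
    }

    private static String b64(int... octets) {
        byte[] b = new byte[octets.length];
        for (int i = 0; i < b.length; i++) {
            b[i] = (byte) octets[i];
        }
        return Base64.getEncoder().encodeToString(b);
    }

    public static void main(String[] args) {
        // Constructed samples: only the leading bytes of each token type.
        String spnego = "Negotiate " + b64(0x60, 0x0a, 0x06, 0x06, 0x2b, 0x06,
                0x01, 0x05, 0x05, 0x02, 0xa0, 0x00);
        String krb5 = "Negotiate " + b64(0x60, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
                0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00);
        String ntlm = "Negotiate " + b64('N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0);
        for (String header : new String[] {spnego, krb5, ntlm, "Negotiate"}) {
            System.out.println(classify(header));
        }
    }
}
```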

  • Kerberos & jcifs

    After digging a bit deeper, I discovered this was related to a line I added to my /etc/hosts file. I deleted the line and Kerberos authentication for FTP started working again.
    The line I had added was my server's IP address and a name other than my server's true FQDN. It was the name in the "Computer Name" field in the Windows Service in Server Admin. I had added the line to correct a totally unrelated problem.
    Anyway, thanks to anyone who gave my question any thought before I answered it myself.

  • Jcifs exception for just one user

    We have jira deployed under solaris, and we're using NTLM authentication via jcifs. For one user we are seeing an exception being thrown; all other users have no problem. The exception is the standard:
    jcifs.smb.SmbAuthException: Logon failure: unknown user name or bad password.
    at jcifs.smb.SmbTransport.checkStatus(SmbTransport.java:503)
    If we move the jira instance to a windows machine from solaris this one user gets authenticated successfully. Move things back to solaris and this one single user cannot get authenticated.
    I was hoping someone could give me a lead, as this seems very strange and not very computer like to me...
    ;)

    Turns out the solaris to windows move was only part of the equation, probably symptomatic of the immediate issue. As it happened, if the user went to a different machine the problem didn't exist. So it was tied to a particular machine. I'm thinking there was/is some invalid kerberos ticket hanging around for some reason, or some registry setting on the client machine... who knows! I'm sure the evidence is all there, just canny see the wood for the trees sometimes.
    Thank you for any thoughts raised, we can close this one off.

  • Terrible error with kerberos, win2003 - Checksum failed!

    Now I'm trying to use CAS SSO with Kerberos for authentication.
    I did all the settings by the instructions, see this tutorial: http://www.ja-sig.org/wiki/display/CASUM/SPNEGO.
    So, the error is: Failure unspecified at GSS-API level (Mechanism level: Checksum failed).
    I guess there is a problem with the encryption type, but I don't know how to resolve it. Please help.
    My stack trace is shown below:
    Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
            ... 75 more
    Caused by: KrbException: Checksum failed
            at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
            at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
            at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
            at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
            at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
            ... 77 more
    Caused by: java.security.GeneralSecurityException: Checksum failed
            at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
            at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
            at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
            ... 83 more

    Thank you for the advice, my friend.
    I have analyzed the info in the TGS-REQ request, but I could not find any SPN in it.
    Please see this screenshot and tell me: where is the needed SPN in the ticket?
    Here is my full configuration:
    [logging]
    [libdefaults]
    ticket_lifetime = 24000
    default_realm = MYCORP.KUBA
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
    [realms]
    MYCORP.KUBA = {
    kdc = mycorp.kuba:88
    admin_server = mycorp.kuba:749
    default_domain = mycorp.kuba
    }
    [domain_realm]
    .mycorp.kuba = MYCORP.KUBA
    mycorp.kuba = MYCORP.KUBA
    [domain_realm]
    .mycorp.kuba = MYCORP.KUBA
    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
              p:jcifsDomainController="xxx"
              p:jcifsNetbiosWins="xxx"
              p:jcifsServicePrincipal="HTTP/MYUSER.mycorp.kuba"
              p:jcifsServicePassword="secret"
              p:useSubjectCredsOnly="true"
              p:kerberosDebug="true"
              p:kerberosRealm="MYCORP.KUBA"
              p:kerberosKdc="xxx"
              p:kerberosConf="c:/winnt/krb5.conf"
              p:loginConf="C:/mypath/WEB-INF/login.conf"
         />
    jcifs.spnego.initiate {
       com.sun.security.auth.module.Krb5LoginModule
       required
       debug=true
       realm="MYCORP.KUBA"
       principal="HTTP/MYUSER.mycorp.kuba"
       storeKey=true
       doNotPrompt=false
       client=true
       refreshKrb5Config=true
       storePass=true
       isInitiator=false
       useKeyTab=true
       useTicketCache=false
       keyTab="c:\a.keytab";
    };
    jcifs.spnego.accept {
       com.sun.security.auth.module.Krb5LoginModule
       required
       debug=true
       realm="MYCORP.KUBA"
       principal="HTTP/MYUSER.mycorp.kuba"
       storeKey=true
       doNotPrompt=false
       client=true
       refreshKrb5Config=true
       storePass=true
       isInitiator=false
       useKeyTab=true
       useTicketCache=false
       keyTab="c:\a.keytab";
    };
    setspn -A HTTP/MYUSER.mycorp.kuba myuser
    ktpass -out a.keytab -princ HTTP/[email protected] -pass secret -mapuser [email protected] -ptype krb5_nt_principal -crypto RC4-HMAC-NT
    What is wrong with it? Please correct it if you can.

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything regarding how to pass the SAP Logon ticket to an ASP.NET web service? Can you share it with me?
    regards
    ram

  • Error Kerberos

    Post Author: hqcire
    CA Forum: Authentication
    I'm running Windows Server 2003 + IIS 6.0 + Windows AD + SSO and I try to use the Kerberos token, but I have this error. I did those SETSPN:
    SETSPN -A BOBJCentralMS/aaaa.dev.bbbb.qc.ca dev\user123
    SETSPN -A BOBJCentralMS/ aaaa dev\user123
    SETSPN -A HTTP/aaaa.dev.bbbb.qc.ca dev\user123
    ERROR 1
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 15:23:8.0000 2/26/2008 Z
    Error Code: 0xd KDC_ERR_BADOPTION
    Extended Error: 0xc00000bb KLIN(0)
    Client Realm:
    Client Name:
    Server Realm: DEV.bbbb.QC.CA
    Server Name: host/aaaa.dev.bbbb.qc.ca
    Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
    Error Text:
    File: 9
    Line: ae0
    Error Data is in record data.
    ERROR 2
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 15:22:32.0000 2/26/2008 Z
    Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: DEV.bbbb.QC.CA
    Server Name: cccc.dev.bbbb.qc.ca
    Target Name:cccc.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
    Error Text:
    File: 9
    Line: ae0
    Error Data is in record data.
    ERROR 3
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 15:22:30.0000 2/26/2008 Z
    Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: DEV.bbbb.QC.CA
    Server Name: host/aaaa.dev.bbbb.qc.ca
    Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
    Error Text:
    File: 9
    Line: ae0
    Error Data is in record data.
    What is my problem?

    Post Author: hqcire
    CA Forum: Authentication
    I used WFETCH to have more information. There's what I have:
    started....WWWConnect::Connect("placebo","443")\nsource port: 3055\r\nISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\nSEC_I_CONTINUE_NEEDED\nREQUEST: **************\nGET D:\SystProd\BOE\BusinessObjects Enterprise 11.5\Web Content HTTP/1.1\r\nHost: placebo\r\nAccept: /\r\nConnection: Keep-Alive\r\nAuthorization: Kerberos [Base64 token omitted]\r\n\r\nRESPONSE: **************\nHTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\nDate: Thu, 28 Feb 2008 14:45:39 GMT\r\nConnection: close\r\nContent-Length: 20\r\n\r\n<h1>Bad Request</h1>WWWConnect::Close("placebo","443")\nclosed source port: 3055\r\nfinished.

  • Configuring Windows XP to use IIS w/ Kerberos

    I need to build a Windows XP SSO solution using IIS 5.1 with Integrated Windows Authentication using Kerberos protocol. IIS will then pass the request over to another application which will need to use a Kerberos JAAS module to authenticate the respective users to the application.
    Does anyone have any instructions or tips on accomplishing this set of tasks? I have very limited experience with Kerberos. Any help would be much appreciated.
    Note: I've gotten this to work using NTLM, so I would like to know the level of difficulty in making the switch over to Kerberos.
    Thanks a lot in advance!
    Message was edited by:
    YvesG

    Because the SAP Help topics "Single Sign-On with Microsoft Kerberos SSP" (http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm) and "Configuring the Application Server" (http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm) tell you to copy the gsskrb5.dll file (see SAP Note 595341) to the following directory on the central instance: Drive:\%windir%\system32.
    This text lets me think that the central instance is installed on a Windows Server, but in the SAP Help docs I didn't find the specific information that the central instance must be installed on a Windows Server.

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in Windows Explorer format, we are using Portal Drive, but Portal Drive still asks for authentication, i.e. SSO is not working for Portal Drive. I have understood from the forums and the SAP help site that SSO from Portal Drive will work only for NTLM authentication and client certificates. Can you please help regarding the questions below?
    1. Can Kerberos and NTLM authentication be configured together?
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003?
    3. Is there any other approach to make Portal Drive SSO work?
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    First, I made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication.
    Second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest version.
    Hope this helps
    Marcel

  • Kerberos Single Sign On and Query Designer for BI forcing user to log in

    Hello experts,
    Our company just implemented SSO using Kerberos for Portal and BI. However, when a user is trying to open a query using the Query Designer to connect to the portal, they have to log in again. Anyone know why?

    Is this for every user or only for certain users?
    Also check the browser authentication: Tools --> Internet Options --> Advanced --> Under Security --> Enable Integrated Windows Authentication.
    /padmanaban

  • BO XI Release 2 - NTLM versus Kerberos Authentication

    Hello,
    I have some problem with authentication. At first I set up only Kerberos authentication in the CMS, but now I would like to change it to NTLM, but if I clear the Use Kerberos authentication and I mark off Use NTLM authentication and I set up update, it doesn't work.
    Authentication Options
    Use NTLM authentication 
    Use Kerberos authentication
             Cache security context (required for SSO to database) 
           Service principal name:  
    Thank you very much for your answer,
    unhappy:( Marika

    You can set up Kerberos for both; it's required for Java. .NET will support both Kerberos and NTLM, although unless you are trying to delegate credentials all the way to your DB, it usually isn't desired in .NET because the configuration is far more complex.
    You can simply look at your logon URL to figure out if you are hitting IIS (URLs end in aspx and no port #) or Tomcat (URLs end in .do and port 8080).
    Regards,
    Tim

  • 2012 R2 Web Application Proxy returns 400 (Bad Request) for Kerberos IIS App

    I've gone through all of the step-by-step examples for publishing applications with the Web App Proxy and I'm getting HTTP 400 when I try to publish an IIS Kerberos application. I'm using ADFS pre-authentication.
    The application is SharePoint but I CAN NOT change the authentication method to claims based auth...it has to be windows integrated. I've double checked all of the SPN's and delegation. I get the 400 returned once the user has been authenticated and is forwarded
    to the app url with the AUTHTOKEN?=blahblahblah query string. I've installed the ADFS certificate on the proxy and set it to be the external SSL certificate for the application.
    PLEASE DONT JUST TELL ME TO POST THIS IN THE GENEVA FORUM FOR ADFS.
    The event log has an exception that looks like this:
    Web Application Proxy received a nonvalid edge token signature.
    Error: Edge Token signature mismatch. edgeTokenHelper.ValidateTokenSignature failed: Verifying token with signature public key failed
    Received token: [token omitted]
    Details:
    Transaction ID: {ee05057e-4e9b-0000-da05-05ee9b4ecf01}
    Session ID: {ee05057e-4e9b-0000-d905-05ee9b4ecf01}
    Published Application Name: FIM Portal
    Published Application ID: 48db8de3-96e7-18b6-06d8-5cb6df999b6c
    Published Application External URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    Published Backend URL:
    https://portal.sosweetsosoft.com/IdentityManagement/
    User: <Unknown>
    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
    Device ID: <Not Applicable>
    Token State: Invalid
    Cookie State: NotFound
    Client Request URL:
    https://portal.sosweetsosoft.com/identitymanagement?authToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkY4NmgzYlFJbEk0NzZ5Y25HNlBHb1NSNDJ4byJ9.eyJhdWQiOiJ1cm46QXBwUHJveHk6Y29tIiwiaXNzIjoiaHR0cDovL3N0cy5zb3N3ZWV0c29zb2Z0LmNvbS9hZGZzL3NlcnZpY2VzL3RydXN0IiwiaWF0IjoxMzk2NDY2NDQ2LCJleHAiOjEzOTY0NzAwNDYsInJlbHlpbmdwYXJ0eXRydXN0aWQiOiI3N2Y3OTQzYi1kOGI4LWUzMTEtODBiYy0wMDE1NWQ1MWY0OWMiLCJ1cG4iOiJqdGFkbWluQHNvc3dlZXRzb3NvZnQuY29tIiwiY2xpZW50cmVxaWQiOiJlZTA1MDU3ZS00ZTliLTAwMDAtZDkwNS0wNWVlOWI0ZWNmMDEiLCJhdXRoX3RpbWUiOiIyMDE0LTA0LTAyVDE5OjEwOjM2Ljc1NVoiLCJhdXRobWV0aG9kIjoidXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmRQcm90ZWN0ZWRUcmFuc3BvcnQiLCJ2ZXIiOiIxLjAifQ.E1SqDU1Q2qh00Bt1n1UsBHJrf2kxWh8mN0j03QJTGPQ6vtrkncun017idy2BgB8NzQBVhPQAhfQb3F_lRAAWnpHjwaCuTjeL-pi1-ntVax37TQqQxqg0PVND8OpWxd7rTECObp6KnHBSkgHdaC6ntJ4WzE-QV6afUOyKQrIXil9qF_ybX8IOvMorvGllQB4enR3ZD6KMZBZwzLSl0iueKvZC8TqacRL_Kdvhn2AmutqFVw4wbZILhTsQFRSl86tEp-PCSJ_yLHcxTgqmKWVpEVC0Jo00hJe1MH7P1QMoJISdFY3-4tkuUykpgSNSSlEqZ9EwVdN--4aGE3QlqdL1vA&client-request-id=ee05057e-4e9b-0000-d905-05ee9b4ecf01
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthBrowser
    Backend Server Authentication Mode:
    State Machine State: Idle
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thanks for your understanding and support.

  • How do I use Kerberos Auth in Java 6?

    Hi,
    I have a problem with the Kerberos authentication. I have a simple class that tries to connect to an LDAP server using Kerberos. It works great when I use java 5, but with java 6 it fails.
    Here is part of the code:
            System.setProperty("java.security.auth.login.config", "/etc/login.conf");
            System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
            System.out.println("Trying to login using kerberos...");
            KerberosCallbackHandler kerberosCallbak = new KerberosCallbackHandler();
            LoginContext loginContext = new LoginContext(loginContextName, kerberosCallbak);
            loginContext.login();
            System.out.println("Login succeeded");
            //Login succeeds on both java 5 and java 6
            Subject.doAs(loginContext.getSubject(), new JndiAction());
            System.out.println("Connected through Kerberos successfully");
    The failure happens in the JndiAction:
        public class JndiAction implements PrivilegedExceptionAction<Integer>
        {
            public Integer run() throws Exception
            {
                String username = user + "@" + domain;
                System.out.println("User to connect to Kerberos is " + username);
                System.out.println("Provider URL is: " + url);
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put("java.naming.ldap.derefAliases", "finding");
                env.put(Context.PROVIDER_URL, url);
                // GSSAPI = SASL bind using the Kerberos credentials of the current Subject
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                System.out.println("Trying to create context...");
                new InitialLdapContext(env, null);
                return 0;
            }
        }
    An exception occurs when calling new InitialLdapContext:
    Exception in thread "main" java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Unknown Source)
            at KerberosAuth.connectKerberos(KerberosAuth.java:71)
            at KerberosAuth.main(KerberosAuth.java:29)
    Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
            at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
            at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
            at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
            at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
            at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
            at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
            at javax.naming.InitialContext.init(Unknown Source)
            at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:155)
            at KerberosAuth$JndiAction.run(KerberosAuth.java:1)
            ... 4 more
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
            at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
            ... 18 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
            at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
            ... 19 more
    Caused by: KrbException: Server not found in Kerberos database (7)
            at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
            at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
            ... 22 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.init(Unknown Source)
            at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
            ... 27 more
    I want to emphasize that the login function did succeed, and that I try to connect to the same server with the same username and password and same configuration. With Java 5 it works, with Java 6 it does not.
    Does anybody know what I should do to solve this problem?
    TIA,
    Dikla

    Note: This thread was originally posted in the Java Secure Socket Extension (JSSE) forum (http://forums.sun.com/forum.jspa?forumID=2), but moved to this forum for closer topic alignment.

  • Solaris 10 Kerberos problem

    I have a problem with a kerberos installation on Solaris 10.
    I modified the krb5.conf and pam.conf files; if I do a kinit or klist, Kerberos is working fine.
    If I try to login with ssh I get this error:
    [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: No such file or directory
    What does this mean?
    Regards,
    Ar_min

    My first guess is you are missing your keytab (/etc/krb5/krb5.keytab). ssh uses a host/FQDN@<KRB5 REALM> entry in the keytab for auth. Other kerberized services may use the same entry or ftp/FQDN@<KRB5 REALM>, ldap/FQDN@<KRB5 REALM> (OpenLDAP for example).
    If you created that host entry on your KDC (or in AD, and then used ktpass to export it), and you imported it OK, run sshd in debug mode to see more: /usr/lib/ssh/sshd -ddd -p 220 (-p 220 is the port to connect to)
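
The keytab check suggested in the reply above, as an added example that is not part of the original thread: a shell pre-flight that confirms the keytab is readable and lists an exact host/FQDN@REALM entry. The hostname sol10.example.com, the realm EXAMPLE.COM and the sample klist -k output are constructed.

```shell
#!/bin/sh
# Pre-flight check for the keytab entry that sshd and pam_krb5 depend on.
# SAMPLE_KLIST is constructed output in the format printed by `klist -k`.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 host/sol10.example.com@EXAMPLE.COM
   3 host/sol10.example.com@EXAMPLE.COM
   2 ldap/sol10.example.com@EXAMPLE.COM'

# List the distinct principals found in `klist -k` output read from stdin.
# Entry rows start with a numeric KVNO; header and ruler rows do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# has_principal SERVICE FQDN REALM, with `klist -k` output on stdin.
# Returns 0 only on an exact match: principal names are case-sensitive,
# so host/SOL10... or a short hostname does not satisfy host/sol10.example.com.
has_principal() {
    awk -v want="$1/$2@$3" \
        '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 } END { exit !found }'
}

# check_keytab FILE SERVICE FQDN REALM
# Returns 0 = entry present, 1 = entry missing, 2 = keytab missing or unreadable.
check_keytab() {
    if [ ! -r "$1" ]; then
        echo "keytab $1 is missing or unreadable" >&2
        return 2
    fi
    if klist -k "$1" 2>/dev/null | has_principal "$2" "$3" "$4"; then
        return 0
    fi
    echo "no $2/$3@$4 entry in $1" >&2
    return 1
}

# Typical call on the ssh server, run as root:
#   check_keytab /etc/krb5/krb5.keytab host sol10.example.com EXAMPLE.COM
```

Return code 2 corresponds to the missing-keytab case the reply suspects; return code 1 means the file exists but holds no matching host entry.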

  • Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

    I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
    Given below are the steps of installation and configuration.
    Installation till basic authentication:
    The installation has been done in a single server.
      1. Installed SQL Server 2012 (Developer version).
          Selected only the following features:
          - Database Engine Services
          - Analysis Services
          - Reporting Services – SharePoint
          - Reporting Services Add-in for SharePoint Products
          - Management Tools – Basic
          - Management Tools - Complete
      2. Installed SQL Server 2012 SP1.
      3. Installed SQL Server 2012 SP2.
      4. Installed SharePoint Foundation 2013.
      5. Created web application (without Kerberos; we did not even create the SPNs).
          The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed account.
      6. Created Site Collection.
      7. Verified that Reporting Services is not installed.
      8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
      9. Verified that Reporting Services is installed.
     10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
      11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
      12. Created a Site.
      13. Created a Data Connection library with “Report Data Source” content type.
      14. Created a Report Model library with “Report Builder Model” content type.
      15. Created a Report library with “Report Builder Report” content type.
      16. Uploaded an SMDL to the Report Model library.
      17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
      18. Able to create and save a report using Report Builder.
    Hence, basic authentication is working and SSRS is able to connect to Oracle database.
    Next we have to configure Kerberos settings between SharePoint and SQL Server.
    Implementation of Kerberos authentication
      1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
      2. Set up the following SPNs.
          a) SQL Server Database Engine service (sqlDbSrv2):
              setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
              setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
              In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
          b) Account: SharePoint Setup Admin account (spAdmin2)
              setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
              setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
              In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
          c) Account: SQL Server Reporting Service account (sqlRepSrv2)
              setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
              setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
              In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
      3. Configure the Web Application to use “Negotiate (Kerberos)”.
      4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
          The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
      5. Implemented Kerberos for Oracle database and client.
         Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
      6. Turn on Windows Firewall.
      7. While testing the site's data connection using Kerberos settings, got the error “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
          Note: The Data Connection for basic authentication still worked.
      8. Created a Claims to Windows Token Service account (spC2WTS2).
      9. Started the Claims to Windows Token Service.
     10. Registered the Claims to Windows Token Service account as a Managed Account.
     11. Changed the Claims To Windows Token Service to use the above managed account.
     12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
          Note: The Reporting Services service account is also a part of the WSS_WPG local group.
     13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
     14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
     15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
          When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
     16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
     17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
          Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
     18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
          For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
          Note: The Reporting Service account already had an HTTP SPN.
     19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
           For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
           The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
     20. Restarted the SharePoint server.
     21. Tested the data connection with the Kerberos settings again.
           Got the error “ORA-12638: Credential retrieval failed”.
    Can anyone tell me what is wrong with this setup?

    http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
    Problem4: ORA-12638: Credential retrieval failed
    Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
    Do check http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/
