Kerberos PAM Help!

Hi All-
I'm hoping some of you Sun Kerberos gurus can tell me if my problem can be resolved... Basically I have my test Solaris 10 system set up to authenticate, via PAM, in 3 ways.
First it checks if you have a local account and then lets you in if so.
Second it checks to see if you have a Kerberos account and if so authenticates you using Kerberos (getting a ticket) and uses LDAP account information.
Third, if you have no Kerberos account, it checks your LDAP password and if correct lets you in using your LDAP account info.
Basically I can get things working but the Kerberos PAM module is VERY chatty! If I log in with my LDAP password, pam_krb5 always tells me "Kerberos authentication failed" during dtlogin or ssh login, and then lets me in. But it's very annoying, and will confuse my users.
Example: (logging in using LDAP password):
% ssh weiler@testhost
weiler@testhost's password:
Kerberos authentication failed
Last login: Fri Jun 30 08:33:26 2006 from banshee.cse.ucs
You have mail.
testhost:/home/weiler%
And if I use my Kerberos password it gives me no errors and logs me in. With dtlogin, a pop-up window actually pops up saying the same thing, "Kerberos Authentication Failed" and you have to click the "OK" button and then it logs you in.
I guess my question is: Is there any way to tell Kerberos to be quiet? I don't care if Kerberos authentication fails when people are logging in using LDAP credentials, I just don't want it to keep telling me it failed every time. The "nowarn" flag used with pam_krb5.so.1 in pam.conf doesn't seem to help....
Here's my /etc/pam.conf if it will help:
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1
login auth sufficient pam_ldap.so.1
dtsession auth sufficient pam_unix_auth.so.1
dtsession auth sufficient pam_krb5.so.1
dtsession auth sufficient pam_ldap.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_unix_auth.so.1
other auth sufficient pam_krb5.so.1 nowarn
other auth sufficient pam_ldap.so.1
# passwd command (explicit because of a different authentication module)
passwd auth sufficient pam_passwd_auth.so.1
passwd auth sufficient pam_ldap.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
passwd account sufficient pam_unix_account.so.1
passwd account sufficient pam_ldap.so.1
other account sufficient pam_unix_account.so.1
other account sufficient pam_ldap.so.1
other account sufficient pam_krb5.so.1 nowarn
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session sufficient pam_unix_session.so.1
other session sufficient pam_ldap.so.1
other session sufficient pam_krb5.so.1 nowarn
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
Thanks a million in advance for any insight!
ciao, erich
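The message follows from how the auth stack above is evaluated: with three sufficient modules in a row, a module that fails is simply skipped, so pam_krb5 is called (and prints its own warning) for every user who is not a Kerberos principal before pam_ldap gets its turn. The script below is an added illustration, not erich's configuration or Sun's PAM framework: it re-implements the pam.conf(4) control-flag rules over the posted "login auth" stack with constructed module results, and assumes that the helper modules pam_authtok_get and pam_unix_cred return PAM_IGNORE from pam_sm_authenticate (they collect the password and set credentials rather than judge them).

```python
"""Trace how a Solaris-style pam.conf 'auth' stack is evaluated.

Constructed model, not real PAM: module results are injected as
'success', 'failure' or 'ignore' so the control-flag semantics of
requisite / required / sufficient / binding / optional can be followed.
"""

# The 'login auth' stack from the post, copied as written.
PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_unix_auth.so.1
login auth sufficient pam_krb5.so.1
login auth sufficient pam_ldap.so.1
"""


def parse_stack(conf, service, module_type):
    """Ordered [(control_flag, module, options)] for one service/type pair."""
    stack = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                       # malformed: pam.conf needs four fields
        svc, mtype, flag, module, *options = fields
        if svc == service and mtype == module_type:
            stack.append((flag, module, options))
    return stack


def run_stack(stack, results):
    """Evaluate a stack with the pam.conf(4) control flags.

    results maps module -> 'success' | 'failure' | 'ignore'.
    Returns (authenticated, invoked); invoked lists every module whose
    pam_sm_authenticate() actually ran, in order.  A module that runs can
    print its own messages, which is what makes pam_krb5 chatty here.
    """
    invoked = []
    required_failed = False
    any_success = False
    for flag, module, _options in stack:
        result = results.get(module, "failure")   # unknown module: treat as failing
        invoked.append(module)
        ok = result == "success"
        failed = result == "failure"
        if flag == "requisite":
            if failed:
                return False, invoked             # stop the stack immediately
            any_success |= ok
        elif flag == "required":
            if failed:
                required_failed = True            # keep going, outcome is now fixed
            any_success |= ok
        elif flag in ("sufficient", "binding"):
            if ok and not required_failed:
                return True, invoked              # short-circuit: later modules never run
            if failed and flag == "binding":
                required_failed = True            # a binding failure counts like required
            # a failing 'sufficient' module is simply skipped
        elif flag == "optional":
            any_success |= ok                     # optional failures are ignored
    if required_failed:
        return False, invoked
    return any_success, invoked


# Assumed results for three kinds of login.  The helper modules are modelled
# as PAM_IGNORE (assumption about pam_authtok_get / pam_unix_cred behaviour).
HELPERS = {"pam_authtok_get.so.1": "ignore", "pam_unix_cred.so.1": "ignore"}

LDAP_ONLY_USER = {**HELPERS,
                  "pam_unix_auth.so.1": "failure",   # no local account
                  "pam_krb5.so.1": "failure",        # no principal: module prints its warning
                  "pam_ldap.so.1": "success"}
KERBEROS_USER = {**HELPERS,
                 "pam_unix_auth.so.1": "failure",
                 "pam_krb5.so.1": "success",         # short-circuits; pam_ldap never runs
                 "pam_ldap.so.1": "failure"}
WRONG_PASSWORD = {**HELPERS,
                  "pam_unix_auth.so.1": "failure",
                  "pam_krb5.so.1": "failure",
                  "pam_ldap.so.1": "failure"}


def trace(results):
    """Evaluate the posted 'login auth' stack for one set of module results."""
    return run_stack(parse_stack(PAM_CONF, "login", "auth"), results)


if __name__ == "__main__":
    for label, results in (("LDAP-only user", LDAP_ONLY_USER),
                           ("Kerberos user", KERBEROS_USER),
                           ("wrong password", WRONG_PASSWORD)):
        ok, invoked = trace(results)
        verdict = "PAM_SUCCESS" if ok else "PAM_AUTH_ERR"
        print(f"{label:15s} -> {verdict:12s} ran: {', '.join(invoked)}")
```

The trace shows that for the LDAP-only user every one of the five modules runs, pam_krb5 included, and that the stack still denies a wrong password because no module in it reports success. It also means each LDAP-only login produces a failed AS-REQ at the KDC, so the noise is visible in KDC logs as well as on the user's screen; reordering the stack or changing which modules run for which users is the lever, since pam_krb5 decides for itself whether to print.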

It turns out that in Solaris 8, the Kerberos installed does not support TCP. By default Kerberos tickets are issued by the KDC via UDP until the packet size reaches a maximum. Once the max is exceeded, the KDC switches to TCP.
Since Solaris 8 Kerberos doesn't support TCP, you get an error executing kinit:
kinit: KRB5 error code 52 while getting initial credentials
So to mitigate, I'm looking at incorporating a version of Kerberos that does support switching to TCP (v1.4.1 or greater I believe).
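RFC 4120 section 7.2 describes exactly the exchange behind this: a KDC whose reply will not fit in one UDP datagram answers with a KRB-ERROR carrying error-code 52 (KRB_ERR_RESPONSE_TOO_BIG), and the client is expected to resend the same request over TCP, where every message is prefixed with a 4-byte big-endian length whose high bit must be clear. The script below is an added illustration, not Sun's or MIT's Kerberos code: the KDC is a stand-in function, the AS-REQ and AS-REP are constructed DER blobs, only enough of KRB-ERROR is decoded to read the error-code, and the UDP size threshold is illustrative rather than a protocol constant.

```python
"""UDP-to-TCP fallback for KDC exchanges (RFC 4120, section 7.2).

Constructed illustration: the KDC is a local function, the AS-REQ/AS-REP
are made-up DER blobs, and only the fields of KRB-ERROR needed to read
error-code are decoded.  Nothing here touches a network.
"""
import struct

KRB5KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 KRB_ERR_RESPONSE_TOO_BIG
TAG_AS_REQ = 0x6A                   # [APPLICATION 10] constructed
TAG_AS_REP = 0x6B                   # [APPLICATION 11] constructed
TAG_KRB_ERROR = 0x7E                # [APPLICATION 30] constructed
TAG_ERROR_CODE = 0xA6               # context-specific [6] inside KRB-ERROR


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """One TLV with a single-byte tag."""
    return bytes([tag]) + der_len(len(content)) + content


def der_tlv(data, pos=0):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_int(value):
    """DER INTEGER (two's complement, minimal length for non-negative values)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def build_krb_error(code):
    """Constructed, minimal KRB-ERROR: pvno [0], msg-type [1], error-code [6].
    (A real one carries more required fields; these suffice for the decision.)"""
    seq = der(0xA0, der_int(5)) + der(0xA1, der_int(30)) + der(TAG_ERROR_CODE, der_int(code))
    return der(TAG_KRB_ERROR, der(0x30, seq))


def krb_error_code(msg):
    """error-code of a KRB-ERROR, or None when msg is some other message."""
    tag, body, _ = der_tlv(msg)
    if tag != TAG_KRB_ERROR:
        return None
    seq_tag, seq, _ = der_tlv(body)
    if seq_tag != 0x30:
        return None
    pos = 0
    while pos < len(seq):
        ctag, cval, pos = der_tlv(seq, pos)
        if ctag == TAG_ERROR_CODE:
            int_tag, int_val, _ = der_tlv(cval)
            return int.from_bytes(int_val, "big", signed=True) if int_tag == 0x02 else None
    return None


def tcp_frame(msg):
    """RFC 4120 7.2.2: 4-byte network-order length, high bit clear, then the message."""
    if len(msg) >= 1 << 31:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack(">I", len(msg)) + msg


def tcp_unframe(data):
    """Inverse of tcp_frame; the high bit is reserved, so such frames are rejected."""
    (length,) = struct.unpack(">I", data[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in Kerberos TCP length prefix")
    if len(data) < 4 + length:
        raise ValueError("truncated Kerberos TCP frame")
    return data[4:4 + length]


def make_kdc(reply_size, udp_limit=1472):
    """Stand-in KDC whose AS-REP carries reply_size content bytes.  Over UDP it
    answers RESPONSE_TOO_BIG when the reply would not fit one datagram
    (udp_limit is illustrative, not a protocol constant)."""
    as_rep = der(TAG_AS_REP, b"A" * reply_size)          # constructed, not a real AS-REP

    def kdc(request, transport):
        if transport == "udp" and len(as_rep) > udp_limit:
            return build_krb_error(KRB5KRB_ERR_RESPONSE_TOO_BIG)
        return as_rep
    return kdc


def send_as_req(request, kdc, tcp_supported=True):
    """Client side: UDP first, TCP on error-code 52.  Returns (transport, reply).
    A client without TCP support (the Solaris 8 case) can only surface the error."""
    reply = kdc(request, "udp")
    if krb_error_code(reply) != KRB5KRB_ERR_RESPONSE_TOO_BIG:
        return "udp", reply
    if not tcp_supported:
        raise RuntimeError("KRB5 error code 52 while getting initial credentials")
    wire_request = tcp_frame(request)                      # both directions are length-prefixed
    wire_reply = tcp_frame(kdc(tcp_unframe(wire_request), "tcp"))
    return "tcp", tcp_unframe(wire_reply)


AS_REQ = der(TAG_AS_REQ, der(0x30, b""))                   # constructed placeholder request

if __name__ == "__main__":
    for size in (200, 3000):
        transport, reply = send_as_req(AS_REQ, make_kdc(size))
        print(f"reply of {len(reply)} bytes arrived via {transport}")
```

Large replies are the normal case once a ticket carries a sizeable authorization-data field (PAC-style data from Active Directory, for instance), which is why a client library that stops at UDP fails for some principals and not others.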

Similar Messages

  • Constant AD/Kerberos issues - HELP!!

    Here's a piece of my error log:
    [2007/05/07 14:45:43, 1] /SourceCache/samba/samba-92.20/samba/source/smbd/service.c:makeconnectionsnum(648)
    10.193.160.140 (10.193.160.140) connect to service Internal initially as user DOMAIN\user.name (uid=1796753072, gid=1106437719) (pid 26775)
    [2007/05/07 14:45:43, 0] /SourceCache/samba/samba-92.20/samba/source/smbd/service.c:setcurrentservice(51)
    chdir (/Volumes/ADTX RAID5/Internal) failed
    [2007/05/07 14:45:44, 0] /SourceCache/samba/samba-92.20/samba/source/smbd/service.c:setcurrentservice(51)
    chdir (/Volumes/ADTX RAID5/Internal) failed
    [2007/05/07 14:54:43, 1] /SourceCache/samba/samba-92.20/samba/source/smbd/sesssetup.c:replyspnegokerberos(184)
    Failed to verify incoming ticket!
    We've been having CONSTANT issues the past week with certain users not being able to log in to a network share. Even if I unbind and re-bind to our AD server, reboot or stop/start Windows services, we're still getting these kerberos errors.
    We're currently running 10.4.7, staying away from 10.4.8. Will 10.4.9 fix this? We completely re-installed the OS on a separate drive, only transferring the SMB.conf file over. We're left scratching our heads here over this. PLEASE help.

    Anyone?
    I made a change to the smb.conf file. I changed domain logons to "YES". However, still having issues. I haven't been able to re-start the server since there's a huge backup STILL running, but will re-boot soon and cross my fingers that solves the issue.

  • Kerberos n00b help with CentOS integration

    Hi all,
    I've inherited an OD installation and I have a few questions. First, the LDAP search base is dc=spidertracks, dc=local and the Kerberos Realm is SERVER.PRIVATE. This was upgraded to Advanced server mode from Simple mode. I would like to accomplish the following.
    1. Change all LDAP entries from dc=spidertracks,dc=local to dc=spidertracks,dc=com
    2. Change the Kerberos realm to be SPIDERTRACKS.COM
    3. Integrate all Linux and Windows systems to authenticate against OD.
    I've tried step 3 with the existing Realm and LDAP config following this tutorial which was quite good.
    http://www.jerkys.org/wiki/pages/viewpage.action?pageId=131085
    However, when I attempt to SSH to my CentOS box, I receive the following error in the Kerberos logs.
    command "ssh [email protected]"
    Kerberos error
    May 12 14:30:55 spidertracks.local krb5kdc[116](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.1.50: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Decrypt integrity check failed
    First, any ideas what's wrong with the test setup for #3?
    Second, is it possible to change the Kerberos realm and the root dc in my LDAP without dumping and reloading everything?
    Thanks,
    Todd
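The KDC line quoted above says two things worth reading off it: PREAUTH_FAILED with "Decrypt integrity check failed" means the KDC could not verify the encrypted pre-authentication timestamp with the key it holds for that principal (a wrong password, or a key/KVNO mismatch between client and KDC), and the etype list the client offered includes single-DES (1, 2, 3) and RC4 (23). The script below is an added example, not part of Todd's post or of MIT krb5: it parses krb5kdc AS_REQ log lines in that format, counts repeated PREAUTH_FAILED results per client address, and lists which clients still offer weak encryption types. The log lines are constructed, with placeholder principals and realm.

```python
"""Triage of MIT krb5kdc AS_REQ log lines from a defender's seat.

Constructed example: the log lines below are made up in the format the
krb5kdc log uses (placeholder principals and realm).  Two things are pulled
out: clients with repeated PREAUTH_FAILED results, and clients whose AS-REQ
offers weak encryption types (single DES, RC4).
"""
import re
from collections import Counter, defaultdict

# "<Mon dd hh:mm:ss> <host> krb5kdc[<pid>](<level>): AS_REQ (<n> etypes {<list>}) <ip>: <RESULT>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\((?P<level>\w+)\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>[\d.]+): "
    r"(?P<result>[A-Z_]+): (?P<rest>.*)$")
# The principals sit at the end of <rest>; ISSUE lines put authtime/etypes before them.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<detail>.*))?$")

# Encryption type numbers a KDC should no longer be asked for (RFC 3961 / RFC 4757).
WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "rc4-hmac"}

# Constructed sample log; the last line is deliberately not an AS_REQ record.
SAMPLE_LOG = """\
May 12 14:30:55 kdc.example.test krb5kdc[116](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.1.50: NEEDED_PREAUTH: todd@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 12 14:30:55 kdc.example.test krb5kdc[116](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.1.50: PREAUTH_FAILED: todd@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
May 12 14:31:02 kdc.example.test krb5kdc[116](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.1.50: PREAUTH_FAILED: todd@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
May 12 14:31:09 kdc.example.test krb5kdc[116](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 10.0.1.50: PREAUTH_FAILED: todd@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
May 12 14:32:40 kdc.example.test krb5kdc[116](info): AS_REQ (2 etypes {18 17}) 10.0.1.51: ISSUE: authtime 1178944360, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 12 14:33:01 kdc.example.test krb5kdc[116](info): AS_REQ (2 etypes {18 17}) 10.0.1.52: CLIENT_NOT_FOUND: nobody@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
May 12 14:33:05 kdc.example.test sshd[201]: Accepted publickey for admin from 10.0.1.9 port 50000
"""


def parse_line(line):
    """Dict of fields for one AS_REQ line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    p = PRINCIPALS_RE.search(rec.pop("rest"))
    rec.update(p.groupdict() if p else {"client": None, "server": None, "detail": None})
    return rec


def analyse(lines, fail_threshold=3):
    """Count PREAUTH_FAILED per client address and collect weak etypes each offers."""
    failures = Counter()
    weak = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                               # not a KDC AS_REQ record
        if rec["result"] == "PREAUTH_FAILED":
            failures[rec["client_ip"]] += 1
        for etype in rec["etypes"]:
            if etype in WEAK_ETYPES:
                weak[rec["client_ip"]].add(WEAK_ETYPES[etype])
    return {
        "preauth_failures": dict(failures),
        "repeated_failures": sorted(ip for ip, n in failures.items() if n >= fail_threshold),
        "weak_etype_clients": {ip: sorted(names) for ip, names in weak.items()},
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

A burst of PREAUTH_FAILED from one address against one principal is usually a misconfigured client or a stale key rather than a person, but the same counter is what you would watch for credential guessing; the weak-etype list tells you which hosts need their krb5.conf permitted_enctypes tightened before the KDC side is.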

    Hello
    the domain.com domain exists, but it's not our domain.
    so, when I put domain.com, it searches with no result (nothing happens).
    our kdc.conf :
    [kdcdefaults]
    kdc_ports = 88,750
    [realms]
    CORP.DOMAIN.COM = {
    profile = /etc/krb5/krb5.conf
    database_name = /var/krb5/principal
    admin_keytab = /etc/krb5/kadm5.keytab
    acl_file = /etc/krb5/kadm5.acl
    kadmind_port = 749
    max_life = 8h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    default_principal_flags = +preauth
    }
    krb5.conf
    [libdefaults]
    default_realm = CORP.DOMAIN.COM
    default_checksum = rsa-md5
    [realms]
    CORP.DOMAIN.COM = {
    kdc = dc01.corp.domain.com
    kdc = dc02.corp.domain.com
    }
    [domain_realm]
    .corp.domain.com = CORP.DOMAIN.COM
    corp.domain.com = CORP.DOMAIN.COM
    in every domain, I think the GC are in corp.domain.com. but in my company, it's in domain.com...
    Thank you,

  • Kerberos, Heimdall help?!?

    I have a couple questions
    What exactly is KDC / Heimdall? Are these security programs?
    Are they automatic on macbooks?
    Could copying my mac logs and mailing them to someone else cause mac security to consider that an offense?
    I had been having weird issues with my mac and sending my logs out / saving pdfs of them and now Heimdall is DESTROYING every computer I own. It is like someone goes in and takes my files, locks me out of programs, changes my passwords, etc.
    It seems like a virus, but the files it takes are only related to apple logs/ my work.
    Is this making any sense?

    I rcvd a computer from work (mac osx)
    About a week into having it at my home, I noticed that it had pulled up files from my home desktop pc, and personal macbook.
    I also was confused to find that my microsoft word docs were syncing - I could see what docs I had opened on my desktop.
    While trying to unsync files, I found that I could NOT. If I deleted, they'd come back.
    If I took screenshots and saved them on any of my 3 computers, they'd be deleted. They were also deleted from emails before they could send, as well as my online photo account. It was as if someone went behind me and deleted any evidence. (files were continuously being moved/deleted/added to computers which were unplugged and turned off.)
    Additionally, my tethering cost me an additional $200 because of all of the data going in and out of my iphone.
    I know nothing about what programs are standard on OSX - but I am listing some that seem odd to me. Are any obvious spyware/ illegal? My employer acted as if he knew nothing when I mentioned file syncing.
    In an effort to get help for the syncing files, and because I thought perhaps my employer had monitoring on the work computer, I tried to duplicate the files in order to get help.
    Ever since doing this, my files are getting mass deleted from both my personal computers and work macbook.
    However the files that get deleted are only work related, or apple logs.
    I don't believe this is just a virus, because it seems too particular to those two items.

  • Java command still not working - please help

    I have installed jdk1.6.0_05. The javac command works fine but the java command does not work at all. Even when I try java HelloWorld I receive this exception message
    Exception in thread "main" java.lang.NoClassDefFoundError: HelloWorld
    Caused by: java.lang.ClassNotFoundException: HelloWorld
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    please help (you to SUN)!!

    bart@kerberos:~$ javac -help
    Usage: javac <options> <source files>
    where possible options include:
      -g                         Generate all debugging info
      -g:none                    Generate no debugging info
      -g:{lines,vars,source}     Generate only some debugging info
      -nowarn                    Generate no warnings
      -verbose                   Output messages about what the compiler is doing
      -deprecation               Output source locations where deprecated APIs are used
      -classpath <path>          Specify where to find user class files and annotation processors
      -cp <path>                 Specify where to find user class files and annotation processors
      -sourcepath <path>         Specify where to find input source files
      -bootclasspath <path>      Override location of bootstrap class files
      -extdirs <dirs>            Override location of installed extensions
      -endorseddirs <dirs>       Override location of endorsed standards path
      -proc:{none,only}          Control whether annotation processing and/or compilation is done.
      -processor <class1>[,<class2>,<class3>...]Names of the annotation processors to run; bypasses default discovery process
      -processorpath <path>      Specify where to find annotation processors
      -d <directory>             Specify where to place generated class files
      -s <directory>             Specify where to place generated source files
      -implicit:{none,class}     Specify whether or not to generate class files for implicitly referenced files
      -encoding <encoding>       Specify character encoding used by source files
      -source <release>          Provide source compatibility with specified release
      -target <release>          Generate class files for specific VM version
      -version                   Version information
      -help                      Print a synopsis of standard options
      -Akey[=value]              Options to pass to annotation processors
      -X                         Print a synopsis of nonstandard options
      -J<flag>                   Pass <flag> directly to the runtime system
    See the bold part.
    More information: [http://java.sun.com/docs/books/tutorial/java/package/managingfiles.html]

  • Some general theory question, pls help !!!

    1. How does Java support connection-based communications between two processes ?
    2 Why is use-case or scenario-based testing important in testing object-oriented programs.
    3. Explain the role of PAM (Pluggable Authentication Modules) in creating secure applications.
    4. What is a midlet and when should it be used?
    5 Explain how the following conventional testing strategies relate to testing object-oriented software: unit testing and integration testing
    6. Explain how designing java programs using UML design techniques can improve a Java program
    7. Explain how Servlets can be used in the server side of an application ?
    8. When should JSP be used in preference to servlets.
    9. Explain what standard actions are and the function of <jsp: forward> standard action.
    10. Explain the purpose of a URLConnection object?
    11. Explain how Java technology can access remote objects
    12. What role does the SecurityManager object play securing java applications and provide an example
    13. What is the Java Authentication and Authorization Service and how can it be used to develop secure java applications

    1. How does Java support connection-based communications between two processes ?
    It does this by using what is called the Windows Communication Foundation (WCF).
    2 Why is use-case or scenario-based testing important in testing object-oriented programs.
    This is so the Project manager will be able to determine scope in future releases.
    3. Explain the role of PAM (Pluggable Authentication Modules) in creating secure applications.
    PAM helps secure browser cookies from being stuck to the TRAY (Turnable Remote Activation Yearner) after BAKE (Billing Accounts Kernel Energizer)
    4. What is a midlet and when should it be used?
    Within the presentation tier.
    5 Explain how the following conventional testing strategies relate to testing object-oriented software: unit testing and integration testing
    Unit testing should be done on the production environment while integration testing should be to verify software needs.
    6. Explain how designing java programs using UML design techniques can improve a Java program
    UML design techniques improve a code's readability.
    7. Explain how Servlets can be used in the server side of an application ?
    They can be used for automatically generating dynamic GUI applications.
    8. When should JSP be used in preference to servlets.
    When one wants to display their presentation layer within the database tier.
    9. Explain what standard actions are and the function of <jsp: forward> standard action.
    This action moves the JSP to the next line of execution.
    10. Explain the purpose of a URLConnection object?
    This object is to maintain a browser instance within a GUI application.
    11. Explain how Java technology can access remote objects
    They do this by creating a contract with which SOA components can communicate.
    12. What role does the SecurityManager object play securing java applications and provide an example
    The SecurityManager object provides an encryption key for preventing DDOS attacks from remote locations.
    13. What is the Java Authentication and Authorization Service and how can it be used to develop secure java applications
    The Authorization Service is used to authenticate users based on applet certificates.

  • SSO to MOSS Microsoft SharePoint

    Hi guys!
    I am currently trying to find out how to implement a SSO between SAP NetWeaver and the MOSS from Microsoft. EP is supposed to be the main host.
    Does anybody have any experience on this?
    Greets,
    Jan Marquardt

    Hi,
    if you use Active Directory for the user store (password):
    SPNego and Kerberos. The user will identify himself against windows (Windows Logon) and receive SSO for MOSS and SAP EP via Kerberos.
    http://help.sap.com/saphelp_nw04s/helpdata/en/43/4bd58c6c5e5f34e10000000a1553f6/content.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/43/4e80824d155f86e10000000a1553f6/content.htm
    br,
    Tobias

  • SharePoint 2013 Multiple authentication prompts for web apps

    We have multiple web apps for MySite, collaboration portal and search centre. When users click on different URLs and access different portals, non-IE browsers prompt for credentials multiple times for each web app.
    Is this something to do with Kerberos delegation set-up?
    http://technet.microsoft.com/en-us/library/ee806870(v=office.15).aspx
    sudesh withanage

    This is basically the way it's designed to work. Kerberos will help with authentication between different site collections on the same web app, but not different web apps. Since you have multiple web apps Kerberos Delegation of credentials does not apply. It only happens on non-IE browsers because IE can be set to pass the OS credentials in the background by default. For other browsers you normally have to save a web site's credentials.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Blog: http://dontpapanic.com/blog
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • Help with GSSAPI Kerberos in tomcat JNDIRealm

    Greetings,
    I could use some help with getting tomcat 5.5.12 to use Kerberos against Microsoft Active Directory.
    I have been using Ethereal to sniff the packets going back and forth from tomcat and I verified that with a normal server.xml entry (remove the authentication attribute keyword below), it uses 'simple' authentication (clear text passwords).
    My original server.xml works just fine but now I'm trying to take it to the next level, and I found documentation (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html) that specifies the following values:
    - EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external source (such as SSL/TLS or IPsec).
    - DIGEST-MD5 (RFC 2831) is for Digest Authentication.
    - GSSAPI (RFC 2222) is for Kerberos V5 authentication.
    I wish to use GSSAPI to talk with Active Directory so I setup my server.xml with the following :
    <Realm className="org.apache.catalina.realm.JNDIRealm"
         debug="4"
         authentication="GSSAPI"
         connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
         connectionPassword="myPassword"
         connectionURL="ldap://10.16.0.xx:389"
         alternateURL="ldap://10.16.0.xx:389"
         userBase="OU= myou,DC=company,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         userRoleName="memberOf"
    />
    And now I get a different type of error from Catalina.out:
    Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
            at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    .....
    At least the GSSAPI is being recognized! My next step was talking with IT; they suggested a c:\winnt\krb5.ini with the following contents:
    [libdefaults]
    default_realm = COMPANY.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    [realms]
    COMPANY.COM = {
    kdc = addy.mycompany.com:88
    admin_server = addy.mycompany.com:88
    kpasswd_server = addy.mycompany.com:464
    default_domain = COMPANY.COM
    }
    And that I then execute:
    $ kinit DKlotz
    Password for [email protected]:mypassword
    New ticket is stored in cache file C:\Documents and Settings\DKlotz\krb5cc_dklotz
    But as you can see from the previous tomcat error log, something is still missing. Do I need to move the cache file or do other commands so that the code within ldap.jar can use it?
    At this time tomcat never tries connecting to the LDAP server as it can't get out of the starting gate. I've got something wrong / missing from the Kerberos setup.
    Any help is greatly appreciated!!
    -Dennis Klotz

    Ok I've made progress, whether it is backwards or not, I don't know yet.
    I've added :
    -Djavax.security.auth.useSubjectCredsOnly=false
    To my Catalina options environment variable in Catalina.bat.
    Now I get the error:
    WARNING: Exception performing authentication
    java.lang.SecurityException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
         at java.lang.Class.newInstance0(Class.java:350)
         at java.lang.Class.newInstance(Class.java:303)
         at javax.security.auth.login.Configuration$3.run(Configuration.java:216)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:210)
         at javax.security.auth.login.LoginContext$1.run(LoginContext.java:237)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.init(LoginContext.java:234)
         at javax.security.auth.login.LoginContext.<init>(LoginContext.java:403)
         at sun.security.jgss.LoginUtility.login(LoginUtility.java:72)
         at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Krb5Util.java:137)
         at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Krb5InitCredential.java:328)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:131)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:1515)
         at org.apache.catalina.realm.JNDIRealm.start(JNDIRealm.java:1601)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1004)
         at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
         at org.apache.catalina.core.StandardService.start(StandardService.java:450)
         at org.apache.catalina.core.StandardServer.start(StandardServer.java:683)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:585)
         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
    Caused by: java.io.IOException: Unable to locate a login configuration
         at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:206)
         at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:95)
         ... 56 more
    Am I moving in the right direction?
    -Dennis

  • Help-kerberos works with spnego keytab file but not in netbeans and Metro

    Hi,
    Appreciate if someone can shed some light on this problem and guide on what else am I missing.
    I'm trying to call .NET based WCF webservice (MS Dynamics CRM - OrganizationSvc) from a java client. Started looking at Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke web service. However the challenge was using Kerberos based authentication and related setup.
    I primarily followed the link below which was very helpful but had to dig more to get more specific details.
    http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
    Tried to follow the netbeans route and hit some roadblocks in verifying the setup (krb5.conf & login.conf & wsit-client.xml). So, came across SPNEGO and used their examples, made changes accordingly and after experimenting with various configuration settings (krb5.conf and login.conf), finally I was able to run HelloKDC & HelloKeytab files successfully.
    krb5.conf:
    [libdefaults]
    default_realm = NA.CONVERGYS.COM
    [realms]
    NA.CONVERGYS.COM = {
    kdc = CDCWW13.na.convergys.com
    admin_server = CDCWW13.na.convergys.com
    }
    [domain_realm]
    .na.convergys.com = NA.CONVERGYS.COM
    login.conf:
    spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };
    C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab
    Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.
    [1] Service principal: HOST/[email protected]
    KVNO: 7
    With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.
    http://spnego.sourceforge.net/index.html
    http://spnego.sourceforge.net/client_keytab.html
    http://spnego.sourceforge.net/troubleshoot_hellokeytab.html
    However, when I run the example in Netbeans with the setup mentioned in the link below, I run into following exception...
    http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
    http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html
    1) noticed that sc:KerberosConfig element in wsit-client.xml does not get updated automatically in netbeans ide, so manually edited to put the entries.
    2) also followed the setup required in glassfish domain.xml & login.conf xml.
    3) also noticed that netbeans setup requires us to use C:\Windows\krb5.ini file which is nothing but the krb5.conf file referred to elsewhere.
    wsit-client.xml:
    <wsp:Policy wsu:Id="ClientKerberosPolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
    <wsp:All>
    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosClient"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
    </wsp:All>
    </wsp:ExactlyOne>
    </wsp:Policy>
    ERROR
    INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
    WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
    WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
    INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
    INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
    SEVERE: WSITPVD0050: Error while Securing Request Message.
    com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
    at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
    at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
    javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
    Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
    at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
    at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
    ... 40 more
    Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
    at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
    ... 42 more
    Edited by: user6748004 on Feb 3, 2011 5:36 PM
    Edited by: user6748004 on Feb 3, 2011 5:38 PM

    Hi Gasha,
The only change I did after this was to try and use the 'KerberosServer' configuration from the wsit-client.xml. At least this enabled the glassfish application to load the configuration related to the keytab etc., and use it to communicate with the WCF service for negotiation.
<sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosServer"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />
login.conf has:
KerberosServer {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
        doNotPrompt=false
        storeKey=true
        principal="HOST/ORLDWV705.na.convergys.com"
        debug=true;
};
FYI, the keytab was created using the instructions below:
ktpass -princ HOST/[email protected]
       -mapUser [email protected]
       -mapOp set
       -pass *
       -crypto DES-CBC-MD5
       -pType KRB5_NT_PRINCIPAL
       -out orldwv705.keytab
    Targeting domain controller: CDCWW13.na.convergys.com
    Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
    Key created.
    Output keytab to orldwv705.keytab:
    Keytab version: 0x502
    keysize 75 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using setspn commands on the AD of the server where CRM is installed.
With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later I ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I didn't get any success.
This is where I'm stuck now. What I don't know is if there is another setup from which we can try a similar interoperability example, for example WebLogic 10.1 & Eclipse, which is closer to our real environment.
    SEVERE: SEC2004: Container-auth: wss: Error securing request
    java.lang.IllegalArgumentException: Missing argument
    at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
    at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
    at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)
    Edited by: user6748004 on Apr 8, 2011 10:39 AM
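The ktpass output in the post above reports a single DES key ("etype 0x3 (DES-CBC-MD5) keylength 8"), and that is the kind of thing worth checking in a keytab before handing it to Krb5LoginModule. The following is an added example, not code from the thread or from the WSIT/GlassFish projects: a parser for the keytab file format (version 0x0502, as written by MIT Kerberos, Heimdal and ktpass) that lists entries and flags deprecated encryption types. The sample keytab is built in memory with a made-up key; the realm EXAMPLE.COM is assumed, since the post's realm is not visible.

```python
"""Parse a Kerberos keytab (file format 0x0502) and flag weak encryption types.

Added example, not code from the original thread. The ktpass output above
reports "etype 0x3 (DES-CBC-MD5) keylength 8"; this parser reads the same
keytab layout (as used by MIT Kerberos and Heimdal) and reports such
entries as weak, which is the check worth running before handing a keytab
to Krb5LoginModule. The sample keytab is built in memory with a constructed
key and an assumed realm EXAMPLE.COM.
"""
import struct
from dataclasses import dataclass

ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}
WEAK_ETYPES = {1, 2, 3, 23}  # single DES (RFC 6649) and RC4 (RFC 8429) are deprecated


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    etype: int
    key: bytes

    @property
    def weak(self) -> bool:
        return self.etype in WEAK_ETYPES


def _counted(buf: bytes, pos: int):
    """Read a uint16-length-prefixed octet string (keytab 'counted_octet_string')."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):  # in v2 the realm is not counted in ncomp
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno, overrides the 8-bit field when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, timestamp, kvno, etype, key))
    return entries


def build_keytab(entries) -> bytes:
    """Serialise entries in the same layout (used here only to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.etype, len(e.key)) + e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def weak_key_report(data: bytes) -> list:
    """One line per weak entry, in the style of ktpass / klist -k output."""
    return [f"{e.principal} kvno {e.kvno} etype 0x{e.etype:x} ({ETYPE_NAMES.get(e.etype, '?')}) keylength {len(e.key)}"
            for e in parse_keytab(data) if e.weak]


# Constructed sample: the same service principal as in the post, a made-up
# 8-byte DES key with kvno 8 (what ktpass -crypto DES-CBC-MD5 produces) next
# to an AES256 key with kvno 9.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HOST/ORLDWV705.na.convergys.com@EXAMPLE.COM", 1, 1296777600, 8, 3, bytes.fromhex("0123456789abcdef")),
    KeytabEntry("HOST/ORLDWV705.na.convergys.com@EXAMPLE.COM", 1, 1296777600, 9, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for line in weak_key_report(SAMPLE_KEYTAB):
        print("WEAK:", line)
```

Run it against a real file with `parse_keytab(open(path, "rb").read())`. Note that a keytab is key material: the DES key printed by ktpass in the post is the actual service key, so anything that logs keytab contents should print only principal, kvno and etype, as the report function does.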

  • Please help. Negotiate field in http header - Kerberos, SPNEGO, Base64... ?

    Hello to you all.
    I'm trying to implement a Kerberized SSO solution in Win2000
    environment. The web servers are apaches, the clients are IE5.5+
    But I had encountered the following problem:
    I wrote a servlet in java on the web server that sends 401 http error
    + "Negotiate" in the www-authenticate field. Then the client sends me
    back in the same field "Negotiate " and a long string that ends with
    '==' and it's somehow encoded...
That's the problematic point. I saw it's encoded in base64, but
decoding it didn't bring me anything. Furthermore, I read that
it's a SPNEGO protocol. What am I doing with that? Does JDK 1.4 give
enough to work with that?
    All I know that in that string is the TGS sent to me... and that's all
    I need to authenticate my client, don't I?!
    Do you know what should I do with that string? Can you tell me what am
    I missing? Should I decode it with the '==' or without? What does it
    mean anyway?
I'd really appreciate it if you help me.
    Thanks very much in advance,
    Danik.

    Close... SPNEGO is a GSSAPI mechanism for negotiating another mechanism. JDK 1.4 comes with a Kerberos mechanism provider out of the box, but not SPNEGO. Even though Microsoft's "Negotiate" auth method ends up negotiating Kerberos, you need to have a SPNEGO provider installed to effectively tell it to use Kerberos.
    The '==' is Base64 padding (the Base64-encoded string will end in '=' or '==' if the input content length is not divisible by 3). You would include it when decoding. The byte array you get from decoding is fed to the acceptSecContext method in org.ietf.jgss.GSSContext -- but you will get an "unknown mechanism" error if you don't have a SPNEGO mechanism provider.
    If you don't have the inclination to write a provider yourself (I know I wouldn't), and you have some cash to spend (I know I don't), you can get a SPNEGO provider from:
    http://www.wedgetail.com/jcsi/sso/FAQ.html
    They actually provide a complete solution for doing exactly what you are attempting.
    If you are just looking to provide single sign-on to a web application for Windows clients, and you don't necessarily need to do it via Kerberos, jCIFS provides a solution for performing NTLM authentication (the precursor to Negotiate, which authenticates against NT/Samba domains). You can get jCIFS from
    http://jcifs.samba.org
    The site is temporarily transitioning to a new ISP, so the latest version (0.7.5) can actually be found at:
    http://users.erols.com/mballen/jcifs
    The client side of NTLM is also supported in JDK 1.4.2, which would allow single sign-on for applets or Java applications.
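A practical first step before wiring up acceptSecContext is to look at what the browser actually sent back in the Negotiate header, because a token that is raw NTLMSSP (which IE falls back to when it cannot get a Kerberos ticket) will never be accepted by a Kerberos-only GSS acceptor, and a SPNEGO wrapper needs a SPNEGO provider as the reply above says. The following is an added example, not code from the thread or from any of the products it mentions: it Base64-decodes the header value (padding included) and reads the mechanism OID from the GSS-API InitialContextToken framing. The sample tokens are constructed in the block, not captured traffic.

```python
"""Tell what kind of token a client sent back in "Negotiate <base64>".

Added example for the exchange described above; it is not code from the
original thread. The Base64 value (padding included) is decoded and the outer
GSS-API InitialContextToken framing is inspected for its mechanism OID, which
is what decides whether a Kerberos-only acceptor (e.g. JDK 1.4's
GSSContext.acceptSecContext without a SPNEGO provider) can handle it.
The sample tokens at the bottom are constructed here, not captured traffic.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"   # Microsoft's legacy Kerberos OID
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value: str) -> str:
    """Return 'spnego', 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip(), validate=True)  # the '=' padding stays in
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                      # raw NTLMSSP message, no GSS framing
    if not token or token[0] != 0x60:      # [APPLICATION 0] InitialContextToken
        return "unknown"
    _, pos = _der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        return "unknown"
    oid_len, pos = _der_length(token, pos + 1)
    oid = _decode_oid(token[pos:pos + oid_len])
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "unknown"


def negotiate_header(token: bytes) -> str:
    """Build the header value a client would send for a raw token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed samples. The SPNEGO one is a minimal NegTokenInit whose mechTypes
# list offers Kerberos; the Kerberos one is the InitialContextToken header plus
# the AP-REQ TOK_ID (01 00) with the AP-REQ body left out.
SAMPLE_SPNEGO = _der(0x60, _encode_oid(SPNEGO_OID)
                     + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, _encode_oid(KRB5_OID))))))
SAMPLE_KRB5 = _der(0x60, _encode_oid(KRB5_OID) + b"\x01\x00")
SAMPLE_NTLM = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)  # NEGOTIATE_MESSAGE stub

if __name__ == "__main__":
    for label, tok in (("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5), ("ntlm", SAMPLE_NTLM)):
        hv = negotiate_header(tok)
        print(label, "->", classify_negotiate_token(hv), "| header ends with", repr(hv[-2:]))
```

The trailing '=' or '==' is only Base64 padding and must be left in place when decoding; `validate=True` also rejects stray whitespace, so a header value a proxy has folded across lines has to be joined first. Whether the padding is present depends only on the token length modulo 3, not on the token type.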

  • HELP!!  Solaris 10 - Mount NFSv4 Share from Linux using Kerberos Security

    Greetings all, my apologies if this post is in the wrong place...
    I have an issue getting Solaris 10 to mount an NFSv4 share from a SuSE Linux 10 machine using kerberos security.
    I am able to mount the NFSv4 share from another SuSE 10 machine. The kerberos principal for that is nfs/host.domain and is working perfectly with the mount command of 'mount -t nfs4 -o sec=krb5 host:/ /mnt'
    My problem is that when I try to mount that same share on Solaris 10 using the command 'mount -F nfs -o sec=krb5 host:/ /mnt' I am getting nowhere fast. My kerberos principals for the Solaris machine are nfs/host.domain, host/host.domain, and root/host.domain. I have tried rebooting the Solaris 10 machine with a different keytab file in place each time (as I'm not sure which principal to make the keytab from for Solaris).
    When I run the Solaris 10 mount command all it does is hang. I don't get any error message, etc. On the kerberos server I can see where the Solaris machine has communicated and appears to receive a ticket, and I can see that the NFS server was responding to the client's request, however the mount command just hangs.
    Any ideas / suggestions? I really need someone to point me in the right direction!
    Your help is very appreciated!

    I had similar, not identical, issues with a custom JumpStart DVD I was creating. I was not using flar and it was for x86, not SPARC.
I found that changing the case for the value assigned to network_interface made a difference. In looking at the sysidcfg manpage and online JumpStart documentation, all the examples they used had capitalized "PRIMARY" and "NONE". When I changed the value to the capitalized equivalent, my particular issue had gone away.
    You may also want to consider adding ip_address and default_route to the network_interface section. Test either way to identify the differing results.
In my particular scenario, I did not want any networking configuration to be done. The resulting line in sysidcfg was:
network_interface=NONE {hostname=jsclient}
HTH

  • Kerberos 5 PAM module

    I've uploaded a PKGBUILD for pam-krb5 3.6
    http://aur.archlinux.org/packages.php?d … s=0&SeB=nd
    Allows pluggable authentication via PAM against a KDC.
    later.
    ryanc

    I too am switching over from the world of Gentoo.  At my previous job, I managed a lot of about 30 Gentoo boxes and 10 OpenBSD boxes.
Heimdal is the Kerberos distribution of choice in Arch Linux; unless you make a package for mit-krb5 yourself, you'll have to use Heimdal as it is officially part of Arch Linux in the 'extra' repo.  Personally, I like Heimdal better -- it's smaller, supports newer ciphers, but isn't as common, therefore is an afterthought by some authors implementing Kerberos support in their software.  So, the easiest way is to get it in via PAM since most programs that need auth support PAM on Linux.  Also, it is the default Kerberos implementation for most of the BSDs, so it integrates easier for me between Linux and BSD.
You'll notice that the version in the package isn't the latest available.  3.6 is the latest I can get to compile with Heimdal, whereas 3.8 has been released.  Remember the part about Heimdal being an afterthought?  Seems the new PKINIT support in versions > 3.6 doesn't quite work with Heimdal although the author claims it does.
    I hope the package works well for you.  If you need some example configs just let me know.
    Oh, and be sure to vote for it in AUR so we can get it into the 'community' repo!
    thanks.
    ryanc

  • Kerberos client not found-help! can't print!

    I am posting this to the benefit of all who may have experienced the "Kerberos client not found" message after configuring CUPS for Kerberos authentication. After getting locked out of CUPS and not being able to add or delete printers I found in another google-search post a solution.
    I edited the /etc/cups/cupsd.conf file using a terminal editor (vi) and changed the entry:
    "DefaultAuthType Negotiate" to "DefaultAuthType Basic", then restarted the server and all worked fine after that, although I still haven't figured out what the problem is with CUPS and Kerberos interaction.
    I hope this helps someone as I spent about a day and a half trying to figure out a solution.
    Ciao

    Hello Sapo11,
    To get your issue more exposure I would suggest posting it in the commercial forums since this is a commercial product. You can do this at Commercial Forums.
    Thanks for your time.
    W a t e r b o y 71
    I work on behalf of HP

  • Help with Active Directory Integration and kerberos

    Hello,
I'm encountering a bug preventing me from using Active Directory integration with Kerberos:
Our domain name is CORP.DOMAIN.COM.
When we request the GC in this domain:
bash-3.00# nslookup -query=any _gc._tcp.corp.domain.com
Server: 1.2.1.6
Address: 1.2.1.6#53
** server can't find _gc._tcp.corp.domain.com: NXDOMAIN
there is no answer.
But when we request without corp, we find the servers:
bash-3.00# nslookup -query=any _gc._tcp.domain.com | grep sis
_gc._tcp.domain.com service = 0 100 3268 serveur02.corp.domain.com.
_gc._tcp.domain.com service = 0 100 3268 serveur01.corp.domain.com.
bash-3.00#
Is it possible to add the possibility of entering the domain name where _gc._tcp resides?
    Thank you.

    Hello
The domain.com domain exists, but it's not our domain.
So, when I put domain.com, it searches with no result (nothing happens).
Our kdc.conf:
[kdcdefaults]
    kdc_ports = 88,750
[realms]
    CORP.DOMAIN.COM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }
krb5.conf:
[libdefaults]
    default_realm = CORP.DOMAIN.COM
    default_checksum = rsa-md5
[realms]
    CORP.DOMAIN.COM = {
        kdc = dc01.corp.domain.com
        kdc = dc02.corp.domain.com
    }
[domain_realm]
    .corp.domain.com = CORP.DOMAIN.COM
    corp.domain.com = CORP.DOMAIN.COM
    in every domain, I think the GC are in corp.domain.com. but in my company, it's in domain.com...
    Thank you,
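The behaviour in this thread is how Active Directory DNS works: the _gc._tcp SRV record is registered under the forest root DNS name, not under each child domain, so for CORP.DOMAIN.COM the Global Catalog record is at _gc._tcp.domain.com. The following is an added example, not code from the thread or from Solaris: a lookup that tries the realm's own name and then each parent domain, and that only accepts SRV targets inside the realm's own DNS domain, which matters here because domain.com is a zone the poster does not control. The resolver is injected and the zone data is constructed from the nslookup output quoted above, so it runs offline.

```python
"""Locate the Active Directory Global Catalog SRV record for a realm.

Added example, not code from the original thread. AD registers the
_gc._tcp SRV record under the forest root DNS name, so for a child domain
such as corp.domain.com it is found at _gc._tcp.domain.com. This lookup
tries the realm's own name first and then each parent domain, and only
accepts SRV targets inside the realm's own DNS domain, so an answer from a
zone the organisation does not control is ignored rather than trusted. The
resolver is injected and the zone data is constructed from the nslookup
output quoted in the post, so it runs offline.
"""
from typing import Callable, Iterator, List, NamedTuple, Optional, Tuple


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


Resolver = Callable[[str], List[SrvRecord]]  # empty list = NXDOMAIN / no SRV data


def candidate_gc_names(realm: str, min_labels: int = 2) -> Iterator[str]:
    """Yield _gc._tcp.<realm>, then the same for each parent down to min_labels labels."""
    labels = realm.lower().rstrip(".").split(".")
    while len(labels) >= min_labels:
        yield "_gc._tcp." + ".".join(labels)
        labels = labels[1:]


def _target_in_realm(target: str, realm: str) -> bool:
    return target.rstrip(".").lower().endswith("." + realm.lower().rstrip("."))


def find_global_catalog(realm: str, resolve: Resolver,
                        require_target_in_realm: bool = True) -> Tuple[Optional[str], List[SrvRecord]]:
    """Return (srv_name, records ordered by priority then descending weight), or (None, [])."""
    for name in candidate_gc_names(realm):
        records = [r for r in resolve(name)
                   if not require_target_in_realm or _target_in_realm(r.target, realm)]
        if records:
            return name, sorted(records, key=lambda r: (r.priority, -r.weight))
    return None, []


# Constructed zone modelled on the post: no record under corp.domain.com, two GCs
# under domain.com on port 3268, plus an unrelated host added here to show the
# in-realm filter at work.
CONSTRUCTED_ZONE = {
    "_gc._tcp.domain.com": [
        SrvRecord(0, 100, 3268, "serveur02.corp.domain.com."),
        SrvRecord(0, 100, 3268, "serveur01.corp.domain.com."),
        SrvRecord(10, 50, 3268, "gc.elsewhere.example."),
    ],
}


def constructed_resolver(name: str) -> List[SrvRecord]:
    return list(CONSTRUCTED_ZONE.get(name.lower(), []))


if __name__ == "__main__":
    found, records = find_global_catalog("CORP.DOMAIN.COM", constructed_resolver)
    print("found at:", found)
    for r in records:
        print(f"  {r.target}:{r.port}  priority={r.priority} weight={r.weight}")
```

Walking up the DNS tree is a convenience for discovery only; in production the forest root should be an explicit setting (which is what the poster asks for), and AD also publishes the equivalent `_ldap._tcp.gc._msdcs.<forest root>` and site-scoped records. The in-realm filter keeps a stray SRV answer from sending LDAP traffic to a host outside the organisation, but it is not authentication: Kerberos mutual authentication to the GC, or DNSSEC, is what actually protects the lookup.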
