Kerberos Pre-Authentication - Security Vulnerabilities

Similar Messages

• Kerberos pre-authentication failed

  Hi,
  I have a customer has the below issue:
  After he changed their administrator account password on domain, event ID 4771 is continuously thrown in the security log in DCs. Below is a snapshot:
  Also the below email alert from ADManager:
  Alert     Message:
  Login failure for User 'Administrator' in server.domain.local'.     Reason: 'Bad password'.
  Severity:
  Attention
  Event Details
  Domain
    krbtgt/domain.LOCAL
  Event Code
    16
  SID
    %{S-1-5-21-428199501-1217283236-4064894256-500}
  Client Host Name
    Server.domain.local
  Event Type
    Failure
  Remarks
    Kerberos pre-authentication failed.
  Logon Service
    krbtgt/ domain.LOCAL
  Domain Controller
    DC.domain.local
  User Name
    Administrator
  Client IP Address
    IP
  Failure Code
    0x18
  Logon Time
    Apr 09,2015 11:42 AM
  Failure Reason
    Bad password
  Record number
    2197037173
  Event Number
    4771
  They already changed the password for service accounts running using that admin account with new password. There is no issues in domain other than this, users can login and services are fine. However, account lockout policy is disabled and if it is enabled
  I think they will have a huge issue due to this Kerberos authentication failure.
  Please help!

  Hi,
  Did you confirm the time sync issue?
  The error code 0x25, means Workstation’s clock too far out of sync with the DC’s , so i suggest you could check the time snyc of the computer failing pre-auth with DC firstly.
  https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
  Similar threads has been discussed:
  https://social.technet.microsoft.com/forums/windowsserver/en-US/245aa714-8f2f-4ea7-b2a1-dd447c02fa93/accounts-lockedout
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Kerberos pre-authentication issues - why now?

  Hi all,
  We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC.  When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error.  I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet.  However, we have another W2K3 DC that has never had this issue.  So why now?  Why this new DC?  What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?
  Any help or information that I can get would be helpful.
  Thanks,
  - Steve

  Hi JK,
  Thanks for the reply.
  Right, I understand that, and TAC directed me to the same document.  But we have an existing domain controller that we are currently using the authenicate against; pre-authentication is enabled, and it works fine.  It's only the NEW domain controller that has this problem.  So I'm trying to figure out what the difference is!
  I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.
  Thanks,
  - Steve

• Error with Pre-Authentication for Windows Desktop SSO

  When I try to use the windows desktop sso module created in the Access Manager I get an error in the amAuthWindowsDesktopSSO file, but I don't know what I'm doing erroneous. It's not an access manager problem, I can't get kinit to work either. I think I'm following the directions correctly from the manual.
  Are these ktpass commands setup right?
  The Windows AD administrator created the accounts:
  C:\>ktpass -princ HOST/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev.keytab
  Targeting domain controller: dc2.ad.tcpip.com
  Successfully mapped HOST/amdev.tcpip.com to AMDEV$.
  WARNING: Account AMDEV$ is not a user account (uacflags=0x1021).
  WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
  Reset AMDEV$'s password [y/n]?  y
  Key created.
  Output keytab to amdev.keytab:
  Keytab version: 0x502
  keysize 56 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x023efe
  3e6846d3cd)
  Account AMDEV$ has been set for DES-only encryption.
  C:\>ktpass -princ HTTP/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev-http.keytab
  Targeting domain controller: dc2.ad.tcpip.com
  Successfully mapped HTTP/amdev.tcpip.com to AMDEV$.
  WARNING: Account AMDEV$ is not a user account (uacflags=0x201021).
  WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
  Reset AMDEV$'s password [y/n]?  y
  Key created.
  Output keytab to amdev-http.keytab:
  Keytab version: 0x502
  keysize 56 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x45201c
  f4d3ec43e6)
  Account AMDEV$ has been set for DES-only encryption.
  C:\>I can read the keys with ktutil.
  ktutil:  rkt amdev-http.keytab
  ktutil:  list
  slot KVNO Principal
     1    4            HTTP/[email protected]
  ktutil:  rkt amdev.keytab
  ktutil:  list
  slot KVNO Principal
     1    4            HTTP/[email protected]
     2    3            HOST/[email protected]
  ktutil:  wkt amdev2.keytabI then try to do a kinit with the principal:
  kinit -k -t amdev2.keytab HTTP/[email protected]
  kinit(v5): Preauthentication failed while getting initial credentialsAccess Manager reports similar problem on access:
  01/17/2007 10:23:56:699 AM CST: Thread[service-j2ee-2,5,main]
  Stack trace:
  javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
          at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
  . . .

  Something deep, dark, and inside Kerberos way outside of my knowledge base was the problem.
  I could always get a kinit with the HTTP/amdev.tcpip.com service to work. I never got the keytabs from the output of ktpass to operate. I used ktutil to create keytab entries all in vain, kinit using the keytab always resulted in a PA error, although the time clocks are setup the same.
  The AD administrator created the account, this time as a user account, not a machine account, and the keytabs from the Windows domain controller finally worked.
  If anyone knows the difference between machine and user accounts are in AD, I would be obliged for his/her explanation. The UPN and SPN look the same in the directory. I'm at a loss. However, very glad to finally have this working.

• Pre-authentication information was invalid (24) authoriazation against AD

  Hi all,
  im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
  - Our administrator of the AD service has enabled DES encryption at the tested account.
  - Im sure that entered password is correct, because im able to login via this password to our network.
  - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
  - Kerberos KDC contains IP adress of the Domain controller.
  I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
  My code is:
  import javax.security.sasl.*;
  import java.io.*;
  import java.util.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  * This JaasAcn application attempts to authenticate a user
  * and reports whether or not the authentication was successful.
  public class JaasSample {
    public static void main(String[] args) {
          LoginContext lc = null;
       java.util.Properties p = new java.util.Properties(System.getProperties());
         try
              lc = new LoginContext("JaasSample", new TextCallbackHandler());
         catch (LoginException le)
              System.err.println("Cannot create LoginContext. "
                   + le.getMessage());
              System.exit(-1);
         catch (SecurityException se)
              System.err.println("Cannot create LoginContext. "
                   + se.getMessage());
              System.exit(-1);
         catch (Exception e)
              System.out.println("Login failer: "+e.getMessage());
        try {
                      lc.login();
                      Subject subject = lc.getSubject();
                  Iterator it = subject.getPrincipals().iterator();
                  while (it.hasNext())
                      System.out.println("Authenticated: " + it.next().toString());
                  it = subject.getPublicCredentials(Properties.class).iterator();
                  while (it.hasNext())
                      ((Properties)it.next()).list(System.out);
                  lc.logout();
        } catch (LoginException le) {
            System.err.println("Authentication failed: ");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        System.out.println("Authentication succeeded!");
  }start.bat file:
  "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
  jaas.conf file:
  JaasSample {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
  Output is:
  c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
  BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
  va.security.auth.login.config=jaas.conf JaasSample
  Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
  alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
  null tryFirstPass is false useFirstPass is false storePass is false clearPass is
  false
  Kerberos username [Kloucek]: User3
  Kerberos password for User3: Poiu4566
  [Krb5LoginModule] user entered username: User3
  principal is [email protected]
  Acquire TGT using AS Exchange
  EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
  2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
  0010: 1F 16 9E B6 19 8A 46 68
  [Krb5LoginModule] authentication failed
  Pre-authentication information was invalid (24)
  Authentication failed:
  Pre-authentication information was invalid (24)
  I tried all tips i found at this forum and other internet resources without luck...:-(((
  Please heeeeelp!!!!!!!!!!!!!!!!!

  I have solve it....The reason of this problem was this:
  Im accesing our network via this login properties:
  login: My second name
  pass: My password
  Due to this fact i had entered this login properties into the Kerberos database too..., BUT KERBEROS had been expecting my fully qualified network name which is myfirstname.myseconame@KERBEROS-REALM!!!!!!!!!!!!!!!So after i had entered [email protected] instead of [email protected] it started to work!!!!! I hope this will help many other programmers....

• Pre-authentication information was invalid (24)

  Hi all,
  im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
  - Our administrator of the AD service has enabled DES encryption at the tested account.
  - Im sure that entered password is correct, because im able to login via this password to our network.
  - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
  - Kerberos KDC contains IP adress of the Domain controller.
  I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
  My code is:
  import javax.security.sasl.*;
  import java.io.*;
  import java.util.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  * This JaasAcn application attempts to authenticate a user
  * and reports whether or not the authentication was successful.
  public class JaasSample {
    public static void main(String[] args) {
          LoginContext lc = null;
       java.util.Properties p = new java.util.Properties(System.getProperties());
         try
              lc = new LoginContext("JaasSample", new TextCallbackHandler());
         catch (LoginException le)
              System.err.println("Cannot create LoginContext. "
                   + le.getMessage());
              System.exit(-1);
         catch (SecurityException se)
              System.err.println("Cannot create LoginContext. "
                   + se.getMessage());
              System.exit(-1);
         catch (Exception e)
              System.out.println("Login failer: "+e.getMessage());
        try {
                      lc.login();
                      Subject subject = lc.getSubject();
                  Iterator it = subject.getPrincipals().iterator();
                  while (it.hasNext())
                      System.out.println("Authenticated: " + it.next().toString());
                  it = subject.getPublicCredentials(Properties.class).iterator();
                  while (it.hasNext())
                      ((Properties)it.next()).list(System.out);
                  lc.logout();
        } catch (LoginException le) {
            System.err.println("Authentication failed: ");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        System.out.println("Authentication succeeded!");
  }start.bat file:
  "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
  jaas.conf file:
  JaasSample {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
  Output is:
  c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
  BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
  va.security.auth.login.config=jaas.conf JaasSample
  Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
  alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
  null tryFirstPass is false useFirstPass is false storePass is false clearPass is
  false
  Kerberos username [Kloucek]: User3
  Kerberos password for User3: Poiu4566
  [Krb5LoginModule] user entered username: User3
  principal is [email protected]
  Acquire TGT using AS Exchange
  EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
  2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
  0010: 1F 16 9E B6 19 8A 46 68
  [Krb5LoginModule] authentication failed
  Pre-authentication information was invalid (24)
  Authentication failed:
  Pre-authentication information was invalid (24)
  I tried all tips i found at this forum and other internet resources without luck...:-(((
  Please heeeeelp!!!!!!!!!!!!!!!!!

  Hi all,
  im going to be really desperate from this error message during the authentization to the Win2003 server where the Active Directory is running ... Im using Krb5LoginModule.
  - Our administrator of the AD service has enabled DES encryption at the tested account.
  - Im sure that entered password is correct, because im able to login via this password to our network.
  - Entered Kerberos realm is in upper case...in the form (COMPANY.COM)
  - Kerberos KDC contains IP adress of the Domain controller.
  I really dont know why it doesnt work....:-(( Strange is that if i enable ticketCache to the ability to use the native ticket cache it works fine.....
  My code is:
  import javax.security.sasl.*;
  import java.io.*;
  import java.util.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  * This JaasAcn application attempts to authenticate a user
  * and reports whether or not the authentication was successful.
  public class JaasSample {
    public static void main(String[] args) {
          LoginContext lc = null;
       java.util.Properties p = new java.util.Properties(System.getProperties());
         try
              lc = new LoginContext("JaasSample", new TextCallbackHandler());
         catch (LoginException le)
              System.err.println("Cannot create LoginContext. "
                   + le.getMessage());
              System.exit(-1);
         catch (SecurityException se)
              System.err.println("Cannot create LoginContext. "
                   + se.getMessage());
              System.exit(-1);
         catch (Exception e)
              System.out.println("Login failer: "+e.getMessage());
        try {
                      lc.login();
                      Subject subject = lc.getSubject();
                  Iterator it = subject.getPrincipals().iterator();
                  while (it.hasNext())
                      System.out.println("Authenticated: " + it.next().toString());
                  it = subject.getPublicCredentials(Properties.class).iterator();
                  while (it.hasNext())
                      ((Properties)it.next()).list(System.out);
                  lc.logout();
        } catch (LoginException le) {
            System.err.println("Authentication failed: ");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        System.out.println("Authentication succeeded!");
  start.bat file:
  "c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
  jaas.conf file:
  JaasSample {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
  Output is:
  c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=
  BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Dja
  va.security.auth.login.config=jaas.conf JaasSample
  Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt f
  alse ticketCache is null KeyTab is null refreshKrb5Config is false principal is
  null tryFirstPass is false useFirstPass is false storePass is false clearPass is
  false
  Kerberos username [Kloucek]: User3
  Kerberos password for User3: Poiu4566
  [Krb5LoginModule] user entered username: User3
  principal is [email protected]
  Acquire TGT using AS Exchange
  EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
  EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
  2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
  0010: 1F 16 9E B6 19 8A 46 68
  [Krb5LoginModule] authentication failed
  Pre-authentication information was invalid (24)
  Authentication failed:
  Pre-authentication information was invalid (24)I tried all tips i found at this forum and other internet resources without luck...:-(((
  Please heeeeelp!!!!!!!!!!!!!!!!!

• JAAS, AD, Pre-authentication information was invalid (24)

  Our application is java based, and we use JAAS to allow authentication for the users though Active Directory.
  In particular we alwyas encourage our prospect clients to use Krb5LoginModule.
  We would
  1. add new user to AD , set DES for the account, reset the password
  2.
  setspn -A host/newUser.DOMAIN.COM newUser
  setspn -A HTTP/newUser.DOMAIN.COM newUser
  run ktpass
  pass the keytab to the server where the server application will be running from and setup there
  -Djava.security.auth.login.config=c:\config\config.conf
  -Djava.security.realm=DOMANNAME
  -Djava.security.kdc=<Ip address of kdc>
  where config.conf file would have line
  Krb5LoginModule tryFirstPass=true storePass=true storeKey=true useKeyTab=true keyTab="c:\keytab.key";
  and it works...
  However, I have encountered a situation where the above would return
  Pre-authentication information was invalid (24) error.
  We have reset the password, re-generate the keytab, it is the same time zone ... and nothing.
  Then I asked to have a new user added (just to test it) - and it worked for the new user.
  Now - what do I need to do to get to work for the hunders of others?
  Thanks

  Support for the new Kerberos preauthentication mechanisms is available in Java SE 6.
  In addition, the pre-auth support has been backported to J2SE 5.0 Update 8.
  Seema

• Security vulnerabilities in apache that comes with oracle database.

  Hi,
  We are having a QA database in Oracle enterprise version 9.2.0.4 on OS : OSF1.
  Recently our security team ran a test and found that the apache1.3 that comes as component of Oracle database is prone to security vulnerabilities. Also they suggested to remove the apache or upgrade to latest as remedy.
  When contacted to Oracle support, Oracle team replied apache upgrade should not be done instead latest apache seprately can be installed as reverse proxy. But when asked for steps/document there is no reply. Anyone faced this problem can provide any help/suggestion in this regard.
  I am attaching some of the threads identified by our Security Team for reference.
  1. Apache 1.3 HTTP Server Expect Header Cross-Site Scripting XXXX and YYYYYY ports 7782, 4889, 3339.
  2. Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
  3. Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=iso-8859-1
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML><HEAD>
  <TITLE>417 Expectation Failed</TITLE>
  </HEAD><BODY>
  <H1>Expectation Failed</H1>
  The expectation given in the Expect request-header
  field could not be met by this server.<P>
  The client sent<PRE>
  Expect: <script>alert(document.domain)</script>
  </PRE>
  but we only allow the 100-continue expectation.
  -CR

  I dont know how to find which components are using the apache. Help me if there is any way to find it. Only information i can say you is there is no other software installed that in that server other than oracle Database.

• Java 1.4.2 Security Vulnerabilities

  Hello,
  I'm looking for a link that lists the security vulnerabilities of Java 1.4.2 and I am having trouble finding a comprehensive list. Our security officer doesn't want us using 1.4.2 because of security vulnerabilities and I want to confirm what they are. But, I have not seen any report of what these issues are. This relates specifically to our Java version in relation to our Discoverer Plus use. Does anyone have a link of known Java 1.4 security issues?
  Thanks!

  Check this
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1

• Calling a function in Pre-Authentication Process in Authentication Scheme

  Hello all,
  I want to call a function located somewhere inside apex (not in the database) from the Pre-Authentication Process in an Authentication Scheme.
  Is it possible?
  Regards Pedro.

  Pedro
  Possibly if you could unwrap the source of the package but basically you wouldn't want to mess with APEX's API.
  If this is your function then you want it somewhere in one of your own schemas (you won't potentially break APEX and you will retain it when you upgrade).
  If you wish, you could create your own authentication schema and only give yourself access to it (as well as execute to the applications parsing schema user). You could also just create it as in the application parsing schema
  CREATE OR REPLACE PACKAGE BODY xxxxxxx WRAPPED  This makes the source unreadable in the database. (remember to keep the original source yourself though!).
  Hope this helps
  Cheers
  Ben

• RDP pre-authentication: what does it actually do?

  I'm trying to integrate Forefront TMG and RDS with SecurID authentication. I believe I'm very close to having it working, but I'm hitting a brick wall.
  I have "require pre-authentication" set, and "pre-authentication server name" configured, as indicated in so many forum posts and HOWTOs.
  No matter what I do, clients receive the error "authentication to the firewall failed due to missing firewall credentials." This is
  after they have already successfully authenticated and visited the /RDWeb pages.
  Using the TMG logs, procmon, and wireshark, I am 100% certain that no network activity is occurring from the RDP client when this error occurs; this error is being generated entirely on the client side, before it attempts to connect to anything. I understand
  that this is what is expected; it is checking for the existence of a cookie.
  But the cookie doesn't exist. Why? Because nothing is setting one. The only cookies the client receives during the entire process (logging in to rdweb and trying to launch an app) are the SecurID domain SSO cookie I set in TMG, and the persistent authentication
  cookie I also set in TMG. RDweb itself is not issuing any cookie at all.
  Can anyone please explain to me, what specific cookie is the RDP client looking for when "require pre-authentication" is enabled? And which component is meant to be setting it?
  Obviously I'd be very grateful if anyone can tell me "run this command and it will start working" or whatever, but I'm really hoping to gain an engineering-level understanding of how it's
  meant to work ;)

   
  Hi,
  Please double check the following article:
  Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide
  http://technet.microsoft.com/en-us/library/gg589607(v=ws.10).aspx
  On the Forefront TMG server apply the Filter ipv4.address==<your public IP>
  When client request of remote desktop is reaching to TMG server, please check if the TMG server is forwarding the packet to RDG server.
  Looking forward to your feedback.
  Regards,
  Dollar Wang
  Forum Support
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Technology changes life……

• Pre-authentication failed in krb

  Hi All,
  Wee also facing the same issue, but in a different way.
  our java application accepts first 100(around) krb auth requests and the rest of the requests are droped out, during the droping it simply show the message like pre-authentication failed
  What is doubt is, do we have any constraint on number of concurrent access in krb?
  im using tomcat and casified sakai with apache2

  Hi All,
  Wee also facing the same issue, but in a different way.
  our java application accepts first 100(around) krb auth requests and the rest of the requests are droped out, during the droping it simply show the message like pre-authentication failed
  What is doubt is, do we have any constraint on number of concurrent access in krb?
  im using tomcat and casified sakai with apache2

• Oracle Security Vulnerabilities?

  Hi all,
  We're running many PHP 5.x applications in a distributed environment that use the OCI client to access Oracle 10g databases.
  Our server administration group is migrating to a new server and is refusing to install or support the OCI Instant client under Linux saying it's a security problem. Specifically, they say that the OCI Instant Client is exposed to buffer overflows and stack smashing. Their recommendation? Rewrite all our apps to use another database. Yeah, right.
  They provided me with two sources to explain the issues:
  http://www.dummies.com/WileyCDA/DummiesArticle/id-2900.html
  and
  Re: Problems with libclntsh.so.10.1 and PHP/Apache HTTPD
  Is this really a security problem? If so, what can be done to mitigate the risk?
  Thanks,
  John

  Hi all,
  I thought I’d jump in this thread with a few thoughts.
  Security flaws unfortunately affect software, both commercial and open source. I believe that what sets Oracle apart from many other vendors is the company’s commitment to security. Oracle Software Security Assurance (http://www.oracle.com/security/software-security-assurance.html) includes the most transparent vulnerability remediation policy in the industry. Furthermore, the Critical Patch Update (CPU) process (http://www.oracle.com/technology/deploy/security/alerts.htm) provides a predictable mechanism for the remediation of security vulnerabilities in Oracle software. By comparison, open source involves unpredictable releases of security fixes.
  Now, getting back to the discussion in this thread: as much as we try to prevent vulnerabilities during development, as is the case with all large software products, some make their way into released code. As vulnerabilities are discovered, Oracle fixes them in order of severity and release fixes for them through the Critical Patch Update.
  An attacker could attempt to exploit the unpatched vulnerabilities through OCI or other protocols providing access to the database (This is not specific to OCI). Oracle’s recommendation is therefore to remain current on the Critical Patch Update (the last one was issued on July 17, 2007). Keep in mind that the CPU is cumulative for the database, and applying the most recent CPU will bring you at current security patch level, and this will significantly contribute to improving your organization’s security posture.
  Do not hesitate to contact me if you have questions at [email protected]
  Sincerely
  Eric Maurice
  Manager – Oracle Software Security Assurance

• OSX Security Vulnerabilities - 20 found according to this article

  Via Gizmodo, here is an article about a guy finding 20 zero-day security holes in OSX. Zero-day threats refer to security vulnerabilities which do not yet have a fix. At present, Macs are highly resistant but not immune to viruses, but this article does raise a few red flags. Thoughts?
  Article: http://www.h-online.com/security/news/item/Mac-OS-X-safer-but-less-secure-Update -957981.html

  I've reposted this message in the "Using Mac OS X 10.6 Snow Leopard" forum. I posted here out of habit. I could not see how to delete the message, so please refer to this thread instead:
  http://discussions.apple.com/thread.jspa?threadID=2371811&tstart=0

• OSX Security Vulnerabilities - 20 found according to article

  Via Gizmodo, here is an article about a guy finding 20 zero-day security holes in OSX. Zero-day threats refer to security vulnerabilities which do not yet have a fix. At present, Macs are highly resistant but not immune to viruses, but this article does raise a few red flags. Thoughts?
  Article: http://www.h-online.com/security/news/item/Mac-OS-X-safer-but-less-secure-Update -957981.html

  Usually these "security bulletin" type postings are completely bogus. The guy is trying to make a living finding exploits. So, he finds 20 in Mac OS X, and then goes to the media so he can make a name for himself. Most people will say "Wow, 20 exploits! That is a lot, maybe we should be worried. Maybe OS X is not as secure as we think it is."
  But, what is totally missing here that is completely necessary to make a conclusion like that is any semblance of detail. The comments on Giz nailed it already. Are these "exploits" in the core OS, or are they in Flash? Etc. Most importantly, are these "holes" able to be exploited remotely? If I had to guess I would have to say most are not remotely exploitable. So, if this is true, are they really something to worry about? Absolutely not.
  So, the guy holds back the details so that he can get some interest from some company that makes security software. Pay him a nice royalty to provide that information. Or maybe, he's fishing for Apple to hire him so that they can patch those holes. Either way, I'm not sure I can take him seriously.
  And honestly:
  Macs are highly resistant but not immune to viruses
  This statement is false and reads like a journalist trying to cover their bases when they really don't know what they're talking about. OS X is currently immune from viruses by the definition of the word. Of course, there are a couple "trojans" around, but those require you to type in your admin password and install yourself. So, they aren't really a threat at all, at least compared to what we see on Windows.
  --Travis