Kerberos Service tickets & Service server

Hi,
I've implemented a simple hello_world.java application (on Windows) that gets authentified by the KerberosLoginModule by the Kerberos Keytab (not the TGT!).
- That Keytab was built on a Microsoft Server 2003 using "ktpass".
- The name of the application "hello_world" was added in Active directory using setspn.exe (necessary if I want to use Kerberos Service Tickets) for an user account.
At the moment every account can launch the application.
But how can I:
1- Make that application require and use the service ticket to allow just 1 user to launch the application?
2- Prevent/Deny all the others.
and also:
3- From the user account, establish the communication with the KDC (TGS) to acquire Service Tickets?
---> I want that application to require the Kerberos Service Ticket from the user AND decrypt it by using the keytab (to finally allow access to the user).
Any suggestions for a newbie like me are all welcome..
Thanks !

what do you mean "launch the application"? If it's a class or a jar readable by all, then everyone can launch it. if your "launch" means it can authenticate itself and goes on, maybe you can simply make the keytab file readable by a single user.
Anyway this looks a little strange. Normally JGSS programs have a client and a server, the client need to authenticate itself to the server, and request the server to do something. If you have only one program, user may alter the configuration (say, appointing another KDC), trick the program to believe it passes the authentication stage, and goes on.

Similar Messages

Service Ticket Management

What is Service ticket management.The same is known as Case management functionally.

Hi Harish,
Case and Service ticket (service order) are different transaction types.
Cases are integrated with service orders in the People-Centric User Interface for service order processing. You can create a case for a selected service order and that order is automatically linked to the case.
Serice ticket management is nothing but service transaction management. You can use service ticket management to enter and process service orders in your Interaction Center (IC) WebClient. The service ticket provides central access to all information and functions that are necessary for processing service orders.
You can make the necessary settings for the service ticket by choosing Interaction Center WebClient > Business Transaction > Service Ticket.
Please refer to the SAP link for service tickets - http://help.sap.com/saphelp_crm50/helpdata/en/39/2fb540e4c5782ae10000000a155106/frameset.htm
Case Management enables you to consolidate, manage, and process information about a complex problem or issue in a central collection point, the case. Within a case, you can group diverse information, such as business partners, transactions, products, and documents. This information can reside in different physical systems.
You can use Case Management to process problems and issues that involve multiple processing steps or multiple processors. Case Management therefore supports the processing and communication flow between organizational units and helps you to increase processing efficiency.
Case Management is available in the CRM Enterprise using the People-Centric User Interface (UI) and in the Interaction Center (IC) WebClient.
Refer to this SAP help link for case management - http://help.sap.com/saphelp_crm50/helpdata/en/43/ce91d0010f01b4e10000000a11466f/frameset.htm
<b>Reward if helps</b>,
Regards,
Paul Kondaveeti

Web-Ticket service returns: (500) Internal Server Error

I get Internal server errors when I try to get something from the server. This is what I get from the "Test-CSAddressBookService":
PS C:\Users\testuser> Test-CsAddressBookService -TargetFqdn wak-lync.testdomain.com -UserCredential testdomain\testuser -UserSipAddress "sip:[email protected]" -verbose
VERBOSE: Workflow Instance Id 42f8f454-5d02-48b2-8b8e-4ecaf6dba5e0, started.
Connecting to web service : https://wak-lync.testdomain.com:443/WebTicket/WebTicketService.svc
Using IWA authentication
Successfully created connection proxy and website bindings
Requesting new web ticket
Sending Web-Ticket Request: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
</s:Header>
<s:Body>
<RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</TokenType>
<RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType>
<AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://wak-lync.testdomain.com/WebTicket/WebTicketService.svc</Address>
</EndpointReference>
</AppliesTo>
<Entropy>
<BinarySecret>BMLGyAK9H+6w1rrdFY+I2oSy39FMyfy86/WwJoTK0nE=</BinarySecret>
</Entropy>
<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</KeyType>
</RequestSecurityToken>
</s:Body>
</s:Envelope>
ERROR communicating with GetWebTicket() service System.ServiceModel.ProtocolException: The content type text/html of the response message does not match the content type of the binding (text/xml; charset=utf-8). If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly. The first 1024 bytes of the response were:
'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>500 - Internal server error.</title>
<style type="text/css">

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
'. ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
at System.Net.HttpWebRequest.GetResponse()
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory, WebException responseException, ChannelBinding channelBinding)
at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Rtc.Internal.WebTicketService.IWebTicketService.IssueToken(Message request)
at Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()
TargetUri : https://wak-lync.testdomain.com:443/abs/handler
TargetFqdn : wak-lync.testdomain.com
Result : Failure
Latency : 00:00:00
Error : ERROR - No response received for Web-Ticket service.
Inner Exception:The content type text/html of the response message
does not match the content type of the binding (text/xml; charset
=utf-8). If using a custom encoder, be sure that the IsContentType
Supported method is implemented properly. The first 1024 bytes of
the response were: '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 S
trict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-88
59-1"/>
<title>500 - Internal server error.</title>
<style type="text/css">

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
Inner Exception:The remote server returned an error: (500) Interna
l Server Error.
Diagnosis :
VERBOSE: 'Register' activity started.
Sending Registration request:
Target Fqdn = wak-lync.testdomain.com
User Sip Address = sip:[email protected]
Registrar Port = No Port is provided..
Auth Type 'IWA' is selected.
Registration Request hit against sip/WAK-LYNC.testdomain.com
'Register' activity completed in '0.3157031' secs.
'ReadUriFromInBandProvisioningDataActivity' activity started.
'ReadUriFromInBandProvisioningDataActivity' activity completed in '0.0002991' secs.
'UnRegisterActivity' activity started.
'UnRegisterActivity' activity completed in '0.0102002' secs.
'STActivity' activity started.
Trying to get web ticket.
Web Service url :
https://wak-lync.testdomain.com:443/WebTicket/WebTicketService.svc
Using NTLM\Kerb auth.
Could not get a web ticket
CHECK:
- Web service url is valid and the web services are functional
- If using PhoneNo\PIN to authenticate, make sure they match the user uri
- If using NTLM\Kerberos auth, make sure you provided valid credentials
An exception 'ERROR - No response received for Web-Ticket service.' occurred
during Workflow Microsoft.Rtc.SyntheticTransactions.Workflows.STAbsWorkflow
execution.
Exception Call Stack: at
Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()
at
Microsoft.Rtc.SyntheticTransactions.Activities.GetWebTicketActivity.InternalExe
cute(ActivityExecutionContext executionContext)
at
Microsoft.Rtc.SyntheticTransactions.Activities.STActivity.Execute(ActivityExecu
tionContext executionContext)
at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(T activity,
ActivityExecutionContext executionContext)
at System.Workflow.ComponentModel.CompositeActivityExecutor`1.Execute(T
activity, ActivityExecutionContext executionContext)
at System.Workflow.ComponentModel.ActivityExecutor`1.Execute(Activity
activity, ActivityExecutionContext executionContext)
at
System.Workflow.ComponentModel.ActivityExecutorOperation.Run(IWorkflowCoreRunti
me workflowCoreRuntime)
at System.Workflow.Runtime.Scheduler.Run()
Server stack trace:
at
System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(
HttpWebRequest request, HttpWebResponse response, HttpChannelFactory factory,
WebException responseException, ChannelBinding channelBinding)
at
System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelR
equest.WaitForReply(TimeSpan timeout)
at System.ServiceModel.Channels.RequestChannel.Request(Message message,
TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message
message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean
oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan
timeout)
at
System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessa
ge methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage
reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&
msgData, Int32 type)
at
Microsoft.Rtc.Internal.WebTicketService.IWebTicketService.IssueToken(Message
request)
at Microsoft.Rtc.SyntheticTransactions.WebServicesHelper.GetWebTicket()
VERBOSE: Workflow Instance Id 42f8f454-5d02-48b2-8b8e-4ecaf6dba5e0, completed.
VERBOSE: Workflow Execution Time (sec): 0.481
When I look at the server I see the following in the log:
2012-07-10 15:02:09 10.128.1.16 POST /WebTicket/WebTicketService.svc - 443 TESTDOMAIN\g01 10.10.20.115 OC/4.0.7577.4098+(Microsoft+Lync+2010) 500 0 0 218
2012-07-10 15:02:09 10.128.1.16 POST /groupexpansion/service.svc - 443 TESTDOMAIN\g01 10.10.20.115 OC/4.0.7577.4098+(Microsoft+Lync+2010) 500 0 0 0
2012-07-10 15:02:12 10.128.1.16 POST /WebTicket/WebTicketService.svc/cert - 443 TESTDOMAIN\e01 10.10.30.105 OC/4.0.7577.0+(Microsoft+Lync+2010) 500 0 0 15
2012-07-10 15:02:12 10.128.1.16 POST /WebTicket/WebTicketService.svc - 443 TESTDOMAIN\e01 10.10.30.105 OC/4.0.7577.0+(Microsoft+Lync+2010) 500 0 0 0
2012-07-10 15:02:15 10.128.1.16 POST /WebTicket/WebTicketService.svc - 443 TESTDOMAIN\k01 10.10.20.59 OC/4.0.7577.4098+(Microsoft+Lync+2010) 500 0 0 46
2012-07-10 15:02:15 10.128.1.16 POST /groupexpansion/service.svc - 443 TESTDOMAIN\k01 10.10.20.59 OC/4.0.7577.4098+(Microsoft+Lync+2010) 500 0 0 202
2012-07-10 15:02:18 10.128.1.16 POST /WebTicket/WebTicketService.svc - 443 TESTDOMAIN\g02 10.10.11.53 OC/4.0.7577.0+(Microsoft+Lync+2010) 500 0 0 31
2012-07-10 15:02:18 10.128.1.16 POST /groupexpansion/service.svc - 443 TESTDOMAIN\g02 10.10.11.53 OC/4.0.7577.0+(Microsoft+Lync+2010) 500 0 0 202
2012-07-10 15:02:18 10.128.1.16 POST /WebTicket/WebTicketService.svc - 443 TESTDOMAIN\k01 10.10.20.59 OC/4.0.7577.4098+(Microsoft+Lync+2010) 500 0 0 46
2012-07-10 15:02:18 10.128.1.16 POST /groupexpansion/service.svc - 443 TESTDOMAIN\k01 10.10.20.59 OC/4.0.7577.4098+(Microsoft+Lync+2010) 500 0 0 218
So I see it is not only a address book issue, though it is the first visible hint you get about it. I also get the Password request window for "Retrieving Response Groups" after the log in.
I looked at similar issues, but what I found was mainly Kerberos issues, but that is not the case here, the user is able to access the folders.

Hi,
Try the way the following thread mentioned:
http://social.technet.microsoft.com/Forums/en-US/ocsaddressbook/thread/83106a88-7b38-49cc-b62d-52867a99bfd1
Regards,
Lisa

Java GSS API - Kerberos - Receive timed out when requesting service ticket.

Hi,
I'm following the following exercises about Kerberos/JGSS-API :
http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/
On exercise 3, I get an exception (when requesting a service ticket) from the client side:
"+Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
etc.+"
This seems to happen when the GSSContext.initSecContext(...) method is called.
The server side receives the client connection:
"+Waiting for incoming connection...+
+Got connection from client /xxx.xxx.x.xxx+"
But then displays the following exception:
"+Exception in thread "main" java.security.PrivilegedActionException: java.net.SocketException: Connection reset
etc.+"
I checked my KDC (win 2003 Server SP2) and added SPNs with setspn but the error remains.
Any suggestion are more than welcome !

The TGT is already present on my Client machine because it is acquired automaticaly from the KDC during the Windows opening session.
I use then JAAS to access the LSA and obtain the TGT - This doesn't need any further connection to the KDC.
But the Service Ticket is requested to the KDC by my client machine..
Here is the complete output (Client side) after I destroyed the tickets (with Kerberos MIT Leash.exe and/or kdestroy.exe ):
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
+>>>KinitOptions cache name is C:\Documents and Settings\user.MYDOMAIN\krb5cc_user+
+>> Acquire default native Credentials+
+>>> Obtained TGT from LSA: Credentials:+
[email protected]
server=krbtgt/[email protected]
authTime=20080529135209Z
startTime=20080529135209Z
endTime=20080530015209Z
renewTill=20080702135209Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Principal is [email protected]
Commit Succeeded
+Authenticated principal: [[email protected]]+
Connected to address host1/xxx.xxx.x.xxx
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
Service ticket not found in the subject
+>>> Credentials acquireServiceCreds: same realm+
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
+>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType+
+>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType+
+>>> KrbKdcReq send: kdc=yyy.yyy.y.y UDP:88, timeout=30000, number of retries =3, #bytes=1262+
+>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =1, #bytes=1262+
SocketTimeOutException with attempt: 1
+>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =2, #bytes=1262+
SocketTimeOutException with attempt: 2
+>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =3, #bytes=1262+
Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
+     at java.security.AccessController.doPrivileged(Native Method)+
+     at javax.security.auth.Subject.doAs(Subject.java:396)+
+     at SimpleAuthzz2.loginAndAction(SimpleAuthzz2.java:56)+
+     at SimpleGssClient.main(SimpleGssClient.java:36)+
SocketTimeOutException with attempt: 3
Caused by: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
+     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:659)+
+     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)+
+     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)+
+     at SimpleGssClient$GssClientAction.run(SimpleGssClient.java:121)+
+     ... 4 more+
Caused by: java.net.SocketTimeoutException: Receive timed out
+     at java.net.PlainDatagramSocketImpl.peekData(Native Method)+
+     at java.net.DatagramSocket.receive(DatagramSocket.java:662)+
+     at sun.security.krb5.internal.UDPClient.receive(UDPClient.java:77)+
+     at sun.security.krb5.KrbKdcReq$KdcCommunication.run(KrbKdcReq.java:278)+
+     at java.security.AccessController.doPrivileged(Native Method)+
+     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)+
+     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:140)+
+     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)+
+     at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:215)+
+     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:293)+
+     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)+
+     at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)+
+     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)+
+     ... 7 more+
It seems like the TGT is still present in the cache, even if Leash displays "no tickets".
Meanwhile, in the KDC-server side:
-What is the correct spn to add? C:\setspn GssServer/host1 user ? (I in fact tried many possibilities)..
-Is there any other special configuration to do in the KDC ?
Thanks a lot!

SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated

We are getting this below alert message, while using SCOM 2012 R2. Anybody have any idea how to resolve this on the SQL box ?
Thx...
SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.
Service Account: NT Service\MSSQL$SQLEXPRESS
Missing SPNs:
Misplaced SPNs: MSSQLSvc/mysqlbox.com:SQLEXPRESS - sqldbadmin
Duplicate SPNs:

To Fix this issue, You can check below links
http://support.microsoft.com/kb/2443457/EN-US
http://www.scomgod.com/?p=155
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"Mai Ali | My blog:
Technical | Twitter:
Mai Ali

Kerberos service ticket was requested

I got the following message in my event viewer. can anyone advise on this?
A Kerberos service ticket was requested.
Account Information:
Account Name:
Account Domain:
Logon GUID:
{00000000-0000-0000-0000-000000000000}
Service Information:
Service Name:
Service ID:
NULL SID
Network Information:
Client Address:
192.168.0.57
Client Port:
1154
Additional Information:
Ticket Options:
0x40800000
Ticket Encryption Type:
0xffffffff
Failure Code:
0x25
Transited Services:
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
thanks,
Ashley

Yeah… Code: 0x25 Clock skew too great. Workstation’s clock too far out of sync with the DC’s. refer:http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
Best,
Howtodo

Problem with getting a service ticket - ignoring host name?

Hello,
I've been struggling with this for several weeks on and off. The latest issue I have, is that when I try to obtain a service ticket it replaces the hostname I use with the ip address of the server. This then results in a 'Server not found in Kerberos database' exception.
    public static void main(String args[]) {
        try {
            org.ietf.jgss.Oid[] desiredMechs = new org.ietf.jgss.Oid[1];
            desiredMechs[0] = new org.ietf.jgss.Oid("1.2.840.113554.1.2.2");
            GSSManager manager = GSSManager.getInstance();
            GSSName clientName = manager.createName("[email protected]", GSSName.NT_USER_NAME);
            GSSCredential clientCreds = manager.createCredential( GSSCredential.INITIATE_ONLY);
            GSSCredential clientCred = manager.createCredential(clientName,
            8 * 3600, desiredMechs[0], GSSCredential.INITIATE_ONLY);
           GSSName serverName = manager.createName("*[email protected]*", GSSName.NT_HOSTBASED_SERVICE);
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials acquireServiceCreds: same realmUsing builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=labad2.lab2k.net UDP:88, timeout=30000, number of retries =3, #bytes=1276
KDCCommunication: kdc=labad2.lab2k.net UDP:88, timeout=30000,Attempt =1, #bytes=1276
KrbKdcReq send: #bytes read=92
KrbKdcReq send: #bytes read=92
KDCRep: init() encoding tag is 126 req type is 13
KRBError:         sTime is Mon Jul 26 12:07:34 EDT 2010 1280160454000
         suSec is 65057
         error code is 7
         error Message is Server not found in Kerberos database
         realm is LAB2K.NET
         sname is *HTTP/172.16.118.89*
         msgType is 30
KrbException: Server not found in Kerberos database (7)Thanks - Bryan.

Your DNS server should have an entry for this host name in its reverse lookup table.
Regards- Abid

GSS-API How to get the client-to-service ticket

In Kerberos when requesting services, the client sends the following two messages to the TGS: A composed message of the Ticket-Granting Ticket and the ID of the requested serviceand authenticator (which is composed of the client ID and the timestamp), all encrypted using the client/TGS session key.
Then upon receiving these messages the TGS sends the followings to the client:
A: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.
B: Client/server session key encrypted with the client/TGS session key.
Now I'm wondering how to obtain A and B throught the kerberos login in GSS-API . I have the following code that I use to request a kerberized service but it returns only a KerberosTicket in PrivateCredentialsSet for the Subject. A sessionKey can also be obtained form this KerberosTicket ! Which session key is this ? the session key B described above? and Where to get the Client-to-server ticket (A) described above ?
Thanks for any help !
Alex
lc = new LoginContext("login-client", new TextCallbackHandler());
lc.login();
mysubject = lc.getSubject();
java.util.Set principals = lc.getSubject().getPrincipals();
java.util.Iterator iterador = principals.iterator();
if (iterador.hasNext()){
KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
clientName =principal.getName();
PrivilegedAction generateServiceTicket = new ClientAction(clientName,"[email protected]");
Subject.doAs(mysubject, generateServiceTicket);
Set prvCredentials = lc.getSubject().getPrivateCredentials();
for (Iterator i = prvCredentials.iterator(); i.hasNext(); j++) {
KerberosTicket ticket = (KerberosTicket) i.next();
prvKrbCrds = (KerberosTicket[]) mysubject.getPrivateCredentials().toArray(new KerberosTicket[0]);
public Object run() {
try{
GSSManager manager = GSSManager.getInstance();
Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
GSSName userName = manager.createName(pn,GSSName.NT_USER_NAME);
GSSCredential cred = manager.createCredential(usr,
GSSCredential.DEFAULT_LIFETIME,
krb5Mechanism,
GSSCredential.INITIATE_ONLY);
GSSName peerName = manager.createName(servicename,
GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);
GSSContext setContext = manager.createContext(peerName, krb5Mechanism, cred,
GSSContext.DEFAULT_LIFETIME);
setContext.requestInteg(false);
setContext.requestConf(false);
byte[] inputBuf = new byte[0];
byte[] tkt = setContext.initSecContext(inputBuf, 0, 0);
}catch(GSSException gsse){
gsse.printStackTrace();
}

In Kerberos when requesting services, the client sends the following two messages to the TGS: A composed message of the Ticket-Granting Ticket and the ID of the requested serviceand authenticator (which is composed of the client ID and the timestamp), all encrypted using the client/TGS session key.
Then upon receiving these messages the TGS sends the followings to the client:
A: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.
B: Client/server session key encrypted with the client/TGS session key.
Now I'm wondering how to obtain A and B throught the kerberos login in GSS-API . I have the following code that I use to request a kerberized service but it returns only a KerberosTicket in PrivateCredentialsSet for the Subject. A sessionKey can also be obtained form this KerberosTicket ! Which session key is this ? the session key B described above? and Where to get the Client-to-server ticket (A) described above ?
Thanks for any help !
Alex
lc = new LoginContext("login-client", new TextCallbackHandler());
lc.login();
mysubject = lc.getSubject();
java.util.Set principals = lc.getSubject().getPrincipals();
java.util.Iterator iterador = principals.iterator();
if (iterador.hasNext()){
KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
clientName =principal.getName();
PrivilegedAction generateServiceTicket = new ClientAction(clientName,"[email protected]");
Subject.doAs(mysubject, generateServiceTicket);
Set prvCredentials = lc.getSubject().getPrivateCredentials();
for (Iterator i = prvCredentials.iterator(); i.hasNext(); j++) {
KerberosTicket ticket = (KerberosTicket) i.next();
prvKrbCrds = (KerberosTicket[]) mysubject.getPrivateCredentials().toArray(new KerberosTicket[0]);
public Object run() {
try{
GSSManager manager = GSSManager.getInstance();
Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
GSSName userName = manager.createName(pn,GSSName.NT_USER_NAME);
GSSCredential cred = manager.createCredential(usr,
GSSCredential.DEFAULT_LIFETIME,
krb5Mechanism,
GSSCredential.INITIATE_ONLY);
GSSName peerName = manager.createName(servicename,
GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);
GSSContext setContext = manager.createContext(peerName, krb5Mechanism, cred,
GSSContext.DEFAULT_LIFETIME);
setContext.requestInteg(false);
setContext.requestConf(false);
byte[] inputBuf = new byte[0];
byte[] tkt = setContext.initSecContext(inputBuf, 0, 0);
}catch(GSSException gsse){
gsse.printStackTrace();
}

Error while creating service tickets

Hi all,
we are facing the followin error when we try to create a service ticket in WEB UI.
Version CRM 7 with EhP1 installed.
Please find the error details
Context initialization failed in view ICCMP_BTPARTNER/PartnerTable of UI Component ICCMP_BTPARTNER
An exception has occurred Exception Class CX_CRM_IC_JEXCEPTION - Exception CX_CRM_IC_JEXCEPTION occurred (program: CL_CRM_IC_MCM_SESSION_PROXY===CP, include: CL_CRM_IC_MCM_SESSION_PROXY===CM00C, line: 28).
Method: CL_CRM_IC_MCM_SESSION_PROXY=>GET_LOGON_STATUS
Source Text Row: 28
Initialization of view ICCMP_BTPARTNER/PartnerTable of UI Component ICCMP_BTPARTNER failed
An exception has occurred Exception Class CX_CRM_IC_JEXCEPTION - Exception CX_CRM_IC_JEXCEPTION occurred (program: CL_CRM_IC_MCM_SESSION_PROXY===CP, include: CL_CRM_IC_MCM_SESSION_PROXY===CM00C, line: 28).
Method: CL_CRM_IC_MCM_SESSION_PROXY=>GET_LOGON_STATUS
Source Text Row: 28
Cannot display view ICCMP_BTPARTNER/PartnerView of UI Component ICCMP_BTPARTNER
An exception has occurred Exception Class CX_CRM_IC_JEXCEPTION - Exception CX_CRM_IC_JEXCEPTION occurred (program: CL_CRM_IC_MCM_SESSION_PROXY===CP, include: CL_CRM_IC_MCM_SESSION_PROXY===CM00C, line: 28).
Method: CL_CRM_IC_MCM_SESSION_PROXY=>GET_LOGON_STATUS
Source Text Row: 28
Initialization of view ICCMP_BTPARTNER/PartnerView of UI Component ICCMP_BTPARTNER failed
An exception has occurred Exception Class CX_BSP_WD_RUNTIME_ERROR - View ICCMP_BTPARTNER/PartnerTable in component ICCMP_BTPARTNER could not be bound
Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
Source Text Row: 165
Cannot display view ICCMP_BTPARTNER/PartnerViewSet of UI Component ICCMP_BTPARTNER
An exception has occurred Exception Class CX_BSP_WD_RUNTIME_ERROR - View ICCMP_BTPARTNER/PartnerTable in component ICCMP_BTPARTNER could not be bound
Method: CL_BSP_WD_VIEW_CONTROLLER=>BIND_VIEW
Source Text Row: 165
Worker session error in session initialization (SAM_QUEUE NOT SET )
No categorization schema assigned to application
I am using IE 7 version. The CRM application is installed in Windows SQL server 2008.
I have checked and the acitivated all the required service in SICF. The services are running.
Please guide me through about how to solve this issue.
regards,
Chandru

Hi Chandru,
Check if the following [thread1|No categorization schema assigned to application area (SERVICE_ORDER.....)] [thread2|No Categorization Schema assigned to application Area] helps you.
Regards,
Saumya

Service ticket not found in the subject

Hi,
I've got simple authorisation working from Java to an Linux MIT KDC. I've also got tickets via kinit from the kdc on the Linux server. I'm trying to use JAAS sample code:
Does anyone know how I can get this to work?
MY login.conf file is
GSSClient{
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache="true";
Rserver{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/harsh.keytab"
principal="Rserver/kdc.mahindrabt.com";
and the error which i am getting is i have enable debug
ratnesh
Name of the [email protected]
before peerlc.login()
KinitOptions cache name is /tmp/krb5cc_0
DEBUG <CCacheInputStream> client principal is [email protected]
DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
DEBUG <CCacheInputStream> key type: 16
DEBUG <CCacheInputStream> auth time: Thu Dec 18 15:20:02 IST 2003
DEBUG <CCacheInputStream> start time: Thu Dec 18 15:20:02 IST 2003
DEBUG <CCacheInputStream> end time: Fri Dec 19 01:20:02 IST 2003
DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 05:30:00 IST 1970
CCacheInputStream: readFlags() INITIAL;Host address is 10.3.1.110
DEBUG <CCacheInputStream>
DEBUG <CCacheInputStream> client principal is [email protected]
DEBUG <CCacheInputStream> server principal is host/[email protected]
DEBUG <CCacheInputStream> key type: 1
DEBUG <CCacheInputStream> auth time: Thu Dec 18 15:20:02 IST 2003
DEBUG <CCacheInputStream> start time: Thu Dec 18 16:17:13 IST 2003
DEBUG <CCacheInputStream> end time: Fri Dec 19 01:20:02 IST 2003
DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 05:30:00 IST 1970
CCacheInputStream: readFlags()Host address is 10.3.1.110
DEBUG <CCacheInputStream>after peerlc.login()
prior to subject.doAs()
value of s isSubject:
Principal: [email protected]
Private Credential: Ticket (hex) =
0000: 61 82 01 06 30 82 01 02 A0 03 02 01 05 A1 10 1B a...0...........
0010: 0E 4D 41 48 49 4E 44 52 41 42 54 2E 43 4F 4D A2 .MAHINDRABT.COM.
0020: 23 30 21 A0 03 02 01 00 A1 1A 30 18 1B 06 6B 72 #0!.......0...kr
0030: 62 74 67 74 1B 0E 4D 41 48 49 4E 44 52 41 42 54 btgt..MAHINDRABT
0040: 2E 43 4F 4D A3 81 C3 30 81 C0 A0 03 02 01 01 A1 .COM...0........
0050: 03 02 01 01 A2 81 B3 04 81 B0 CB 01 79 E9 43 1A ............y.C.
0060: AE 64 90 28 83 D6 79 82 6A 4C 26 08 A9 C2 59 E7 .d.(..y.jL&...Y.
0070: 21 2E 4C 41 81 B5 01 75 9A 24 87 C0 30 3B F9 A7 !.LA...u.$..0;..
0080: 6B 4E 5D 29 5D A0 9F 91 55 92 D6 FD E4 4B 0A 84 kN])]...U....K..
0090: 06 5B 07 14 00 7E 96 C6 2F 15 4B 34 9F D6 0D E2 .[....../.K4....
00A0: 89 48 B3 78 63 B8 A0 B0 81 14 28 A8 3F 29 A5 D7 .H.xc.....(.?)..
00B0: 64 D5 40 B7 19 A8 6D FC F2 82 86 02 C5 13 32 AA [email protected].
00C0: A8 42 A5 8B 3D 52 DB 83 C7 1F 19 31 3E 6C 87 B0 .B..=R.....1>l..
00D0: BD A5 6A 26 8E DB 2C EA F5 06 2F 90 0A DA 77 58 ..j&..,.../...wX
00E0: CC 0A 67 27 4E 51 7D 74 50 08 79 E4 06 EA C9 30 ..g'NQ.tP.y....0
00F0: E4 F8 40 51 F5 D9 FA C1 AF D9 D3 2E 4A 32 59 CC [email protected].
0100: 10 1A 0F AA 7D 98 30 9B A7 26
Client Principal = [email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 9B B5 0E FB 8F 49 64 8F 32 31 10 AE 6E A8 BA 80 .....Id.21..n...
0010: C4 16 45 4A 92 34 A1 02
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Thu Dec 18 15:20:02 IST 2003
Start Time = Thu Dec 18 15:20:02 IST 2003
End Time = Fri Dec 19 01:20:02 IST 2003
Renew Till = Null
Client Addresses clientAddresses[0] = /10.3.1.110
GSSClient... Getting client credentialsFound ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Dec 19 01:20:02 IST 2003
GSSClient... GSSManager creating security context
GSSClient... Sending token to server over secure contextEntered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Dec 19 01:20:02 IST 2003
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumTypeKrbException: KDC has no support for encryption type (14)
at sun.security.krb5.internal.crypto.p.a(DashoA6275:58)
at sun.security.krb5.EncryptedData.<init>(DashoA6275:84)
at sun.security.krb5.KrbApReq.b(DashoA6275:438)
at sun.security.krb5.KrbApReq.a(DashoA6275:211)
at sun.security.krb5.KrbApReq.<init>(DashoA6275:172)
at sun.security.krb5.KrbTgsReq.a(DashoA6275:319)
at sun.security.krb5.KrbTgsReq.<init>(DashoA6275:166)
at sun.security.krb5.KrbTgsReq.<init>(DashoA6275:87)
at sun.security.krb5.internal.az.a(DashoA6275:289)
at sun.security.krb5.internal.az.a(DashoA6275:106)
at sun.security.krb5.Credentials.acquireServiceCreds(DashoA6275:490)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:580)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
at GSSClient.run(GSSClient.java:184)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:320)
at GSSClient.login(GSSClient.java:124)
at GSSClient.main(GSSClient.java:63)
GSSClient... GSS Exception No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))after to getting context
Client authentication deined..
If i dosnt do kinit it work fine
Cheers
Harsh Ahuja

I think you do have a ticket in your subject, problem is that they ar'nt readable by suns core librarys. Sun seems to lack suport for des3-cbc-sha1. Try creating tickets with des-cbc-crc.
wikm@empusa:~$ klist -a
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: [email protected]
Cache version: 4
Server: krbtgt/[email protected]
Ticket etype: des-cbc-crc, kvno 1
Auth time: Dec 22 15:31:03 2003
End time: Dec 23 01:31:03 2003
Ticket flags: initial
Addresses: IPv4:130.237.95.15
Server: [email protected]
Ticket etype: des-cbc-crc, kvno 2
Auth time: Dec 22 15:31:03 2003
End time: Dec 23 01:31:03 2003
Ticket flags:
Addresses: IPv4:130.237.95.15
/ Mikael

New Fields on Service Ticket

Hi Folks
We are currently working on CRM 4.0. We have a new requirement where I need to add new fields to the Service Ticket. I added the new fields using EEWB and it works perfectly on SAP GUI. Now I need to add those new fields on CRM Webclient also.
On the Service Ticket screen on webclient, we have a pusbutton. Upon clicking that button, a new pop up page will open which was a page created using 'Pages with Flow Logic'. Can you please explain the process to add my custom fields on this pop up page which were created using EEWB?
I tried to create Context Node in that Page. But I couldn't create it.
Any help would be highly appreciated.
Thanks
Hari

Hi Hari,
If you want to process ticket fields within the CRM 4.0 IC WebClient, I do not think it is a good idea to use an extra page with flow-logic. I suppose that the server will execute the extra page with flow-logic in a new HTTP session: which means that the changes that you do in memory in one session are not available to the other one, until you actually save changes to the DB. Only way to exchange data between IC WebClient and page with flow-logic would be on the client side, via javascript. Additionally, I would not recommend using popups, unless you manage to get them modal (i.e. they stay on top). Otherwise they tend to disappear behind the IC WebClient.
I would suggest to remain within SAP's MVC design-pattern: Either you manage to show those new fields directly on SrvtHead.htm, and then it is just a matter to make the context node available, on which you have added the EEWB fields, or you create a new view to display only those fields separately (for example Z1_CRM_IC/SrvTSurvey) ; but this means some definition work in the runtime repository.
You need to perform declaration of new objects in the runtime repository:
- create a new page fragment (in my example: Z1_CRM_IC/SrvTSurvey) that you add in a redefinition of CRM_IC_All_Viewsets_wo_BUPA_and_Main.xml
e.g.
<ViewSet id="Z1_CRM_IC/SrvTSurveySet">
<ViewArea id="SrvTSurvey" views="Z1_CRM_IC/SrvTSurvey"/>
</ViewSet>
- add your view to redefinition of StdWorkareaOccupation.xml
e.g.
ServiceView StdResp
                        CmgASearch CmgADetail CmgAAttrMore CmgAFullView CmgAFullLog
                        CmgAHierarchy CmgAClassification CaseANavigation
                        PaymMainViewSet PaymAssignViewSet ChangeHistorySet
                        MktIOViewSet PartOAViewSet Z1_CRM_IC/SrvTSurveySet
Then you need to define an object link in runtime repository, to enable navigation from SrvTHead to your own view:
- add new navigation link to redefined CRM_IC_All_NavLinks.xml.
e.g.
<NavigationalLink name="SrvTHeadToSrvTSurvey">
     <Source viewRef="SrvTHead" outboundPlugRef="outboundPlug"/>
     <Targets>
          <Target viewRef="Z1_CRM_IC/SrvTSurvey" inboundPlugRef="inboundPlug"/>
     </Targets>
</NavigationalLink>
Navigation links from SrvTHead to your view and vice-versa are invoked from the DO_HANDLE_EVENT method of the respective view controller.
Hope you can use those ideas
Best regards
Walter

Error - "service ticket can't saved as status is open"

Hello Friends,
We are automating the service ticket generation . I have developed a code to generate a service ticket by hard coding the values.
When I try to execute the code it is giving me an error that"service ticket could not be saved as the status is open." I tried changing the status but it is giving me the same error. Had anyone faced the same problem....Please help me...I am posting the code also...
I also changed the ls_status-status = 'I1026' (open). to "I1003"(in process) but the error is same. can anyone help me.....please...
Thanks a lot...

Post Author: Ted Ueda
CA Forum: JAVA
The PSReportFactory service, CR Page Server, is only for viewing Crystal Report formats, and not instances in other formats.
For the other formats, ensure you list the SI_FILES property in the InfoStore query, then cast the resulting InfoObject to IContent. The IContent interface support methods to stream the file content from the File Repository Server.
Sincerely,
Ted Ueda

Service Ticket request failed

Hey,
Has anyone seen this "alert" coming from the domain controllers?
Service ticket request failed
I want to false positive it out because I've investigated.
But I'd rather go to the server guys with a fix ...

Yes your understanding is correct. The recommended approach is to tune out all the unneeded raw events at the reporting device itself.
This will save both the network and MARS from unnecessary traffic. You can find more details about this error at the following:
http://support.microsoft.com/kb/824905
http://technet.microsoft.com/en-us/library/bb742435.aspx
Regards
Farrukh

ICWC service ticket saving

Hi all of you,
We are working in CRM 5.0 ICWC
My issue is with the SRVTHEAD.HTM view in the service ticket,
this is the error:
Exception CX_SY_MESSAGE_IN_PLUGIN_MODE occurred
"Check the part of the source code where the exception was triggered in transaction SE38.
Program include: LCRM_ORDER_APIU02
Source code line: 208"
can some one help me with debugging of this .
I'm unable to save the ticket.
Strangely the same settings in Development server are working but only sometimes, at other times i get the same error there also.
Please help it's uregent
Regards
Raj

Hello Raj,
The information from the short dump/error message mostly doesn't give you enough detail to start looking for errors.
You say the error occurs when you save the service ticket. So, open the controller class of the view (srvthead.htm) and look for an event handler that handles the "SAVE", mostly called EH_ONSAVE.
I suggest you place a breakpoint there and debug from there on each time going deeper and deeper in the called function modules/methods to find the exact cause of the problem.
It can be a long and painful proces but if you really have no clue why this error happens I'm affraid that this is your only option....
Hope this helps,
Regards,
Joost

Where is Service Ticket Categories in BOL

We're using CRM_IC in 5.0 and we need to add Service Ticket Categories to the FollowupDetails view.
I know categories exist in BOL because they are in the Context of another view (SrvTViewSet). But I cannot find them anywhere in the BOL/GENIL browser, and the workbench doesn't show where they got it from for the SrvTViewSet.
Is there anyway to search for something in BOL? Or does anyone know where Categories are?
Thanks

Hi,
SAP provides a Web Server filter that can be used for an authentication by means of http header varaible and a dynamic link library for verifying SSO tickets in 3rd party software which can be used to provide support for SAP Logon Tickets in Java applications.
Please go through these links:
Single Sign-On of Windows-based Web Service Clients using SAP Logon Tickets
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/5bc7e899-0e01-0010-cca9-84f45118dd17
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ae399f0d-0301-0010-cebf-bb13f430af55
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/47d0cd90-0201-0010-4c86-f81b1c812e50
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4f209cf3-0201-0010-1db5-d2e33048b6c8
Hope it helps.
Regards,
Mona
Edited by: Mona Kapur on Jan 21, 2008 8:11 PM

Kerberos Service tickets & Service server

Similar Messages

Maybe you are looking for