Kerberos SSHD

Hello All,
First, I don't know if this is the right place for my question, but I don't know where else to ask.
I have some problems with SSHD and Kerberos on Mac OS X Leopard (10.5.8):
First some configuration:
/Library/Preferences/edu.mit.Kerberos:
KRBREALM means our Kerberos Realm.
[domain_realm]
.dns.domain = KRBREALM
dns.domain = KRBREALM
[libdefaults]
default_realm = KRBREALM
dnslookupkdc = false
forwardable = true
noaddresses = true
[realms]
KRBREALM = {
kdc = 192.168.10.20
admin_server = 192.168.10.20
}
/etc/authorization:
<key>system.login.console</key>
<dict>
<key>class</key>
<string>evaluate-mechanisms</string>
<key>comment</key>
<string>Login mechanism based rule. Not for general use, yet.</string>
<key>mechanisms</key>
<array>
<string>builtin:smartcard-sniffer,privileged</string>
<string>loginwindow:login</string>
<string>builtin:reset-password,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:krb5authnoverify,privileged</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>loginwindow:success</string>
<string>loginwindow:done</string>
</array>
</dict>
So if I log in via the GUI everything works fine: I can log in and get my ticket.
If I log in via ssh (and don't have a ticket yet) I can log in but don't get a ticket:
[11:55:29]|[USER@MACHINE]|~ $ssh 192.168.10.27 -l test02
Password:
Last login: Fri Sep 18 11:55:27 2009 from 192.168.10.105
krbtestcli03:~ test02$ klist
klist: No Kerberos 5 tickets in credentials cache
krbtestcli03:~ test02$
If I come from another computer and already have a ticket, I can log in, but then I lose my ticket...
On other Linux machines everything works perfectly. Only the Mac causes these problems....
Here are the logs on the KDC when I log in from another machine (without having a ticket):
Sep 18 12:00:37 krbtestsrv01.KRBREALM krb5kdc[2328](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.27: NEEDED_PREAUTH: test02@KRBREALM for krbtgt/KRBREALM@KRBREALM, Additional pre-authentication required
Sep 18 12:00:37 krbtestsrv01.KRBREALM krb5kdc[2328](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.27: ISSUE: authtime 1253268037, etypes {rep=18 tkt=18 ses=18}, test02@KRBREALM for krbtgt/KRBREALM@KRBREALM
Sep 18 12:00:37 krbtestsrv01.KRBREALM krb5kdc[2328](info): DISPATCH: repeated (retransmitted?) request from 192.168.10.27, resending previous response
Sep 18 12:00:37 krbtestsrv01.KRBREALM krb5kdc[2328](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.27: ISSUE: authtime 1253268037, etypes {rep=18 tkt=18 ses=18}, test02@KRBREALM for krbtgt/KRBREALM@KRBREALM

Try the OS X Server forums. There should be one dealing with directory services, etc. Alternatively, search these forums for Kerberos and SSHD.

Similar Messages

  • Solaris 10 Kerberos problem

    I have a problem with a Kerberos installation on Solaris 10.
    I modified the krb5.conf and pam.conf files; if I do a kinit or klist, Kerberos is working fine.
    If I try to log in with ssh I get this error:
    [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: No such file or directory
    What does this mean?
    Regards,
    Ar_min

    My first guess is you are missing your keytab (/etc/krb5/krb5.keytab). ssh uses a host/FQDN@<KRB5 REALM> entry in the keytab for auth. Other kerberized services may use the same entry or ftp/FQDN@<KRB5 REALM>, ldap/FQDN@<KRB5 REALM> (OpenLDAP for example).
    If you created that host entry on your KDC (or in AD, and then used ktpass to export it), and you imported it OK, run sshd in debug mode to see more: /usr/lib/ssh/sshd -ddd -p 220 (-p 220 is the port to connect to)
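
Before restarting sshd in debug mode it is worth checking the keytab the reply describes for exactly the principals the host's services need. The following is an added example, not code from the original thread: it parses the output of `klist -k` (MIT format; Solaris 10's `klist -k` prints the same KVNO/Principal table) and lists which `service/FQDN@REALM` entries are missing. The keytab contents below are constructed for the example; only the hostname and realm follow the naming used elsewhere on this page.

```python
import re

# Constructed `klist -k` output; the keytab entries are invented for the
# example, the hostname and realm follow this page's naming.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/krbtestcli03.dns.domain@KRBREALM
   3 host/krbtestcli03.dns.domain@KRBREALM
   2 ftp/krbtestcli03.dns.domain@KRBREALM
"""

# One keytab entry per line: key version number, then the principal.
ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")


def keytab_principals(klist_output):
    """Return {principal: set(kvnos)} parsed from `klist -k` text.

    The same principal normally appears once per encryption type, which is
    why a set of KVNOs is kept rather than a count of lines.
    """
    found = {}
    for line in klist_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            found.setdefault(m.group("principal"), set()).add(int(m.group("kvno")))
    return found


def missing_service_principals(klist_output, fqdn, realm, services=("host",)):
    """List the service/FQDN@REALM names the keytab lacks.

    sshd needs host/<fqdn>@<REALM>; other kerberized daemons (ftp, ldap, ...)
    use their own service name, as the reply above says.  Principals are
    case-sensitive and krb5 canonicalizes hostnames to lower case by default,
    so the FQDN is required to be the canonical, lower-case name.
    """
    if fqdn != fqdn.lower() or "." not in fqdn:
        raise ValueError("fqdn must be a fully qualified, lower-case hostname")
    present = keytab_principals(klist_output)
    wanted = ["%s/%s@%s" % (svc, fqdn, realm) for svc in services]
    return [p for p in wanted if p not in present]
```

A KVNO that differs from the one the KDC holds for the principal fails the same way as a missing entry (the KDC encrypts the service ticket with a key the host does not have), so after confirming the name is present, compare the KVNO with `kvno host/<fqdn>` run with a valid TGT.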

  • Solaris 10 sshd + GSSAPI auth appears to fail with long usernames.

    Solaris 10 sshd using GSSAPI mode appears to fail with long usernames.
    We have recently jumbo-patched solaris 10 server and windows 2k3 kerberos kdc. We wish to provide the single sign on thing for our Windows users, as written up in http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html
    Everything is fine, until a user with a ten character username comes along. The ten character username does not get the single sign on experience
    However, he can kinit fine on Solaris 10 server and also on other unix clients.
    If I switch from the stock solaris 10 sshd to a self-compiled OpenSSH linked against MIT Kerberos, the 10 char username gets single-sign-on and all is well..
    I note I have no problem when the server is FreeBSD 6.2 and the client is stock solaris 10 ssh.
    It seems to be the Solaris 10 sshd only that is affected. Before I write up a bug report, has anyone else come across the same problem?

    I finally got it working. I think my problem was that I was copying and pasting the /etc/pam.conf from Gary's guide into the pam.conf file.
    There were unseen carriage returns mucking things up. So following a combination of the two docs worked. Starting with:
    http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
    Then following the steps at "Authentication Option #1: LDAP PAM configuration " from this doc:
    http://docs.lucidinteractive.ca/index.php/Solaris_LDAP_client_with_OpenLDAP_server
    for the pam.conf, got things working.
    Note: ensure that your user has the shadowAccount value set in the objectClass
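
The root cause in this thread was invisible characters pasted into pam.conf. The following is an added example, not code from the original thread, that scans a Solaris-style pam.conf for the characters that survive copy-and-paste from a web page but break a whitespace-separated parser (carriage returns, non-breaking spaces, other non-ASCII or control characters, trailing blanks) and separately flags lines with too few fields. The pam.conf fragment is constructed for the example and is not the guide's file.

```python
# Constructed Solaris-style pam.conf fragment (not the guide's file); the
# module names are real Solaris 10 modules, the defects are planted.
SAMPLE_PAM_CONF = (
    "# constructed fragment\n"
    "sshd-kbdint\tauth requisite\t\tpam_authtok_get.so.1\n"
    "sshd-kbdint\tauth required\t\tpam_krb5.so.1\r\n"          # CRLF from Windows
    "sshd-kbdint\tauth\u00a0required\t\tpam_unix_auth.so.1\n"  # non-breaking space
    "other\taccount required\t\tpam_unix_account.so.1 \n"      # trailing blank
    "other\tsession\n"                                          # too few fields
)


def find_hidden_chars(text):
    """Return (line_no, problem) pairs for characters that survive
    copy/paste but break a whitespace-separated config parser."""
    problems = []
    for no, line in enumerate(text.split("\n"), 1):
        if "\r" in line:
            problems.append((no, "carriage return (CRLF line ending)"))
        for ch in line:
            # anything outside printable ASCII, except TAB and the CR
            # already reported above
            if ord(ch) > 126 or (ord(ch) < 32 and ch not in "\t\r"):
                problems.append((no, "non-ASCII or control char U+%04X" % ord(ch)))
                break
        stripped_cr = line.rstrip("\r")
        if stripped_cr != stripped_cr.rstrip():
            problems.append((no, "trailing whitespace"))
    return problems


def check_pam_conf_fields(text, min_fields=4):
    """Solaris pam.conf entries need at least service, module type,
    control flag and module path; report lines with fewer fields."""
    bad = []
    for no, raw in enumerate(text.split("\n"), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < min_fields:
            bad.append((no, "only %d field(s)" % len(fields)))
    return bad
```

Note that the field-count check alone does not catch the non-breaking space: Python's `str.split()` treats U+00A0 as whitespace, while the C library's parser does not, so the character scan is the check that matters for pasted files.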

  • Trouble with Kerberos and SSH

    I'm working in a test environment to configure Solaris 10 hosts to authenticate against an Active Directory environment using LDAP and Kerberos. I have all of the hard parts done - I can login locally, ssh, telnet, ftp, etc to the Solaris 10 device using a username/password within the Active Directory.
    I am having trouble, however, getting SSH to forward Kerberos tickets for passwordless authentication. I can log in locally to a Solaris box, run klist to verify that I have a Kerberos ticket, and then ssh to another Solaris 10/Kerberos box, but I am still prompted for my password. Below is a snippet of SSH debug traffic:
    debug1: GSS-API error while calling GSS_Init_sec_context(): An invalid name was supplied
    service not available
    debug1: Skipping GSS-API mechanism kerberos_v5 (An invalid name was supplied
    service not available
    No amount of googling has been able to help me thus far. Perhaps you can.

    Apparently my initial problem was related to hostname resolution; I initially was accessing everything by IP address because it was easier than setting up a DNS server in my testing environment. I have resolved those issues within my testing environment, but I still can't seem to get SSH to pass the Kerberos ticket along, or maybe SSHD isn't accepting it. This is what I see now, after getting a Kerberos ticket with kinit and attempting to ssh to another host:
    debug1: Next authentication method: gssapi-with-mic
    debug1: ssh_gssapi_init_ctx(<xxxxxxxxxxxxxxxxxxxx>)
    debug3: ssh_gssapi_import_name: snprintf() returned 41, expected 42
    debug2: we sent a gssapi-with-mic packet, wait for reply
    But it moves on to the next method, never receiving a reply. What's up?
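
The "An invalid name was supplied" error in this thread went away once hosts were addressed by name, because the GSSAPI client has to turn the target into a `host/<canonical fqdn>@REALM` principal before it can ask the KDC for a service ticket, and an IP literal gives it nothing to build that from. The following is an added example, not OpenSSH or MIT code, that models that derivation: it rejects IP literals, canonicalizes the name through a constructed resolver table standing in for DNS, and maps the result to a realm using `[domain_realm]` longest-suffix matching with a default realm fallback. The hostnames, the realm and the resolver contents are invented for the example.

```python
import ipaddress

# Constructed stand-ins for DNS and for the [domain_realm] section of
# krb5.conf; none of these names are from the original thread.
RESOLVER = {
    "sol2": "sol2.corp.example",
    "sol2.corp.example": "sol2.corp.example",
    "alias-sol2.corp.example": "sol2.corp.example",   # CNAME to the host
}
DOMAIN_REALM = {".corp.example": "CORP.EXAMPLE"}
DEFAULT_REALM = "CORP.EXAMPLE"


class InvalidName(Exception):
    """Stands in for GSS_S_BAD_NAME ('An invalid name was supplied')."""


def canonical_host(target, resolver=RESOLVER):
    """ssh names the peer host@<target>; the Kerberos mechanism then needs a
    DNS hostname it can canonicalize.  An IP literal is not one."""
    try:
        ipaddress.ip_address(target)
    except ValueError:
        pass                      # not an IP literal: treat as a hostname
    else:
        raise InvalidName("host@%s: IP literal, no hostname to build a principal from" % target)
    try:
        return resolver[target.lower()].lower()
    except KeyError:
        raise InvalidName("host@%s: hostname does not resolve" % target)


def realm_for_host(fqdn, domain_realm=DOMAIN_REALM, default_realm=DEFAULT_REALM):
    """[domain_realm] lookup: the exact host first, then each parent domain
    with a leading dot, longest match first; otherwise default_realm."""
    if fqdn in domain_realm:
        return domain_realm[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return default_realm


def gss_target_principal(target):
    """The service principal the client will request a ticket for."""
    fqdn = canonical_host(target)
    return "host/%s@%s" % (fqdn, realm_for_host(fqdn))


def explain_target(target):
    """Return the principal, or the GSS error text the user would see."""
    try:
        return gss_target_principal(target)
    except InvalidName as e:
        return "GSS-API error: An invalid name was supplied (%s)" % e
```

The same derivation explains the second symptom in the thread: even with a resolvable name, the ticket is only useful if the server has a keytab entry for exactly the principal the client derived (see the keytab check earlier on this page), so a hostname that canonicalizes differently on the client and on the server fails silently on the server side.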

  • Lion sshd vulnerability

    To keep PCI DSS compliance for our home business our Mac mini is probed quarterly for security vulnerabilities. We use ssh to remotely log in. The Lion 10.7.3 ssh version supplied is OpenSSH 5.6. When we attempt to log in, Lion launches sshd (which reports as OpenSSH 5.6). The security scans report a vulnerability in OpenSSH 5.6:
    "Description: OpenSSH 5.6 is vulnerable Severity: Area of Concern CVE: CVE-2011-0539 Impact: This document describes some vulnerabilities in the OpenSSH cryptographic login program. Outdated versions of OpenSSH may allow a malicious user to log in as another user, to insert arbitrary commands into a session, or to gain remote root access to the OpenSSH server. Resolution Upgrade to [http://www.openssh.org] OpenSSH version 5.8 or higher, or install a fix from your operating system vendor. Vulnerability Details: Service: ssh"
    If we use macports to upgrade to OpenSSH5.9, it only upgrades our user OpenSSH version, NOT the system OpenSSH version. Lion seems to allow only login to the system OpenSSH. The sshd version in Lion is a modified version of OpenSSH5.6.
    We tried to replace the system version with the macports version but lost the ability to successfully login because we cannot properly coordinate authentication/password processing. The macports version includes the PAM and Kerberos dependencies.
    We are looking for some help to keep us PCI DSS compliant and allow remote login using ssh.
    Running OS X 10.7.3

    I've continued to try to get the OpenSSH5.9p1 to run sshd and authenticate properly. I set it up on another port. Running it is easy but figuring out how to get the authentication process properly set up is a challenge so far.
    I checked that the system was using the new versions:
    $ which ssh sshd ssh-agent ssh-add
    /opt/local/bin/ssh
    /opt/local/sbin/sshd
    /opt/local/bin/ssh-agent
    /opt/local/bin/ssh-add
    But from anywhere if I:
    $ssh -p newport -v me@home_ip_address
    OpenSSH_5.9p1, OpenSSL 1.0.1a 19 Apr 2012
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
    debug1: match: OpenSSH_5.9 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9
    debug1: Next authentication method: password
    me@home_ip_address's password:
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    Permission denied, please try again.
    me@home_ip_address's password:
    When I use the system version I am prompted with:
    debug1: Next authentication method: keyboard-interactive
    Password:
    debug1: Authentication succeeded (keyboard-interactive).
    I thought password authentication was keyboard-interactive. Maybe it's challenge-response authentication. I'm looking into this to see if that's what I need to change.
    On a related topic I noticed that in debug mode there were identity files that had a different value at the end of the line. I'm not sure what that's telling me, particularly the first one which is "1" in the user version and "-1" in the system version.
    User process:
    debug1: identity file /Users/me/.ssh/id_rsa type 1
    debug1: identity file /Users/me/.ssh/id_rsa-cert type -1
    debug1: identity file //Users/me/.ssh/id_dsa type 2
    debug1: identity file /Users/me/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/me/.ssh/id_ecdsa type -1
    debug1: identity file /Users/me/.ssh/id_ecdsa-cert type -1
    System process:
    debug1: identity file /Users/me/.ssh/id_rsa type -1
    debug1: identity file /Users/me/.ssh/id_rsa-cert type -1
    debug1: identity file /Users/me/.ssh/id_dsa type 2
    debug1: identity file /Users/me/.ssh/id_dsa-cert type -1
    debug1: identity file /Users/me/.ssh/id_ecdsa type -1
    debug1: identity file /Users/me/.ssh/id_ecdsa-cert type -1
    Any clues or pointers are appreciated.
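
The two `ssh -v` traces in this post carry more information than the poster read off them: the `type N` number on each `identity file` line is the client's key type code, with `-1` meaning the file could not be loaded, and the `Authentications that can continue` line lists what the server will accept. The following is an added example, not OpenSSH code, that parses both traces and reports what differs. The type-code mapping (0 RSA1, 1 RSA, 2 DSA, 3 ECDSA) is an assumption taken from the OpenSSH 5.x `key.h` enumeration; the trace text is constructed from the lines quoted above.

```python
import re

# OpenSSH 5.x key type numbers printed in "identity file ... type N" lines
# (assumption from the key.h enum of that era); -1 means the file was not
# loaded (missing, unreadable, or not a key).
KEY_TYPES = {0: "RSA1", 1: "RSA", 2: "DSA", 3: "ECDSA"}

ID_RE = re.compile(r"identity file (?P<path>\S+) type (?P<t>-?\d+)")
OFFER_RE = re.compile(r"Authentications that can continue: (?P<m>\S+)")
NEXT_RE = re.compile(r"Next authentication method: (?P<m>\S+)")
OK_RE = re.compile(r"Authentication succeeded \((?P<m>[^)]+)\)")

# Constructed from the MacPorts-client and system-client traces in the post.
MACPORTS_CLIENT = """\
debug1: identity file /Users/me/.ssh/id_rsa type 1
debug1: identity file /Users/me/.ssh/id_rsa-cert type -1
debug1: identity file /Users/me/.ssh/id_dsa type 2
debug1: identity file /Users/me/.ssh/id_dsa-cert type -1
debug1: identity file /Users/me/.ssh/id_ecdsa type -1
debug1: identity file /Users/me/.ssh/id_ecdsa-cert type -1
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password,keyboard-interactive
"""
SYSTEM_CLIENT = """\
debug1: identity file /Users/me/.ssh/id_rsa type -1
debug1: identity file /Users/me/.ssh/id_dsa type 2
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
"""


def parse_ssh_debug(text):
    """Extract identity files, offered methods, tried methods and outcome."""
    r = {"identities": {}, "offered": [], "tried": [], "succeeded": None}
    for line in text.splitlines():
        m = ID_RE.search(line)
        if m:
            t = int(m.group("t"))
            r["identities"][m.group("path")] = KEY_TYPES.get(
                t, "not loaded" if t < 0 else "type %d" % t)
            continue
        m = OFFER_RE.search(line)
        if m:
            r["offered"] = m.group("m").split(",")
            continue
        m = NEXT_RE.search(line)
        if m:
            r["tried"].append(m.group("m"))
            continue
        m = OK_RE.search(line)
        if m:
            r["succeeded"] = m.group("m")
    return r


def findings(parsed):
    """Point out the mismatches a practitioner would look for."""
    out = []
    loaded = [p for p, t in parsed["identities"].items()
              if t != "not loaded" and not p.endswith("-cert")]
    if not loaded:
        out.append("no private key loaded: publickey cannot succeed")
    if (parsed["succeeded"] is None
            and "keyboard-interactive" in parsed["offered"]
            and "keyboard-interactive" not in parsed["tried"]):
        out.append("server offers keyboard-interactive but client never tried it")
    return out
```

On the traces in the post this yields one finding for the MacPorts client: the server advertises keyboard-interactive (which on this system is where PAM runs) while the client only sends plain password requests, so the next thing to compare is the `PreferredAuthentications` and `ChallengeResponseAuthentication` settings between the two clients' `ssh_config` files.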

  • [solved] sshd comes back to port 22 after a reboot whatever the config

    Hi all,
    I'm a bit confused, I've tried to change the sshd port (from 22 to 1022).
    Restarting sshd was OK, sshd started using port 1022.
    But after a reboot, sshd goes back to using port 22... I can't see anything in the journalctl logs regarding sshd failing to set up on port 1022..
    my sshd_config file:
    # $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    # The default requires explicit activation of protocol 1
    #Protocol 2
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    # Ciphers and keying
    #RekeyLimit default none
    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO
    # Authentication:
    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    RSAAuthentication no
    PubkeyAuthentication yes
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys
    #AuthorizedPrincipalsFile none
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication no
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    PrintMotd no # pam does that
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    UsePrivilegeSeparation sandbox # Default for new installations.
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none
    # no default banner path
    #Banner none
    # override default of no subsystems
    Subsystem sftp /usr/lib/ssh/sftp-server
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # PermitTTY no
    # ForceCommand cvs server
    AllowUsers kamou
    Port 1022
    any help would be greatly appreciated.
    Cheers,
    kamou
    Last edited by kamou (2014-10-05 22:53:17)

    Seems like you're right,
    sshd.socket is active:
    sshd.socket loaded active listening sshd.socket
    I've changed the ListenStream parameter and now it works fine.
    thanks a lot.
    kamou
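
The resolution above is worth stating as a rule: when `sshd.socket` is the enabled unit, systemd owns the listening port (`ListenStream=`) and spawns `sshd -i` per connection, so the `Port` line in `sshd_config` is never consulted. The following is an added example, not part of the original thread, that parses the relevant lines of both files and says which port will actually be bound. The `sshd_config` text is constructed from the directives in the post; the `sshd.socket` unit content is an assumption modelled on the Arch unit of the time (check the real one with `systemctl cat sshd.socket`).

```python
# Constructed from the post's sshd_config (only the lines that matter here)
# and an assumed Arch-style sshd.socket unit.
SSHD_CONFIG = """\
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
PermitRootLogin no
PasswordAuthentication no
PrintMotd no # pam does that
AllowUsers kamou
Port 1022
Match User anoncvs
    X11Forwarding no
"""
SSHD_SOCKET = """\
[Unit]
Description=SSH Socket for Per-Connection Servers

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target
"""


def sshd_listen_ports(config_text):
    """Ports sshd binds when started as a daemon: every Port line before the
    first Match block.  Keywords are case-insensitive; Port may repeat and
    all values apply.  Default is 22 if none is given."""
    ports = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        kw = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if kw == "match":
            break                     # Port is not valid inside Match anyway
        if kw == "port":
            ports.append(int(val))
    return ports or [22]


def socket_listen_ports(unit_text):
    """Ports from ListenStream= in the [Socket] section.  Accepted forms:
    22, 0.0.0.0:22, [::]:22; a path means a UNIX socket and is skipped."""
    ports, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "socket" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() != "listenstream":
            continue
        val = val.strip()
        if val.startswith("/"):
            continue
        ports.append(int(val.rsplit(":", 1)[-1]))
    return ports


def port_findings(config_text, unit_text, socket_active=True):
    """Explain which port gets bound and flag a disagreement between the
    two files when socket activation is in use."""
    cfg = sshd_listen_ports(config_text)
    sock = socket_listen_ports(unit_text)
    if not socket_active:
        return ["sshd.service: listening on %s from sshd_config" % cfg]
    out = ["sshd.socket: listening on %s from ListenStream=, sshd_config Port ignored" % sock]
    if set(cfg) != set(sock):
        out.append("mismatch: sshd_config says %s, sshd.socket says %s; "
                   "either override ListenStream (systemctl edit sshd.socket) "
                   "or disable sshd.socket and enable sshd.service" % (cfg, sock))
    return out
```

The check is also a useful hardening audit: a port moved in `sshd_config` but not in the socket unit gives a false sense of having moved the service, while the daemon is still reachable on 22.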

  • Configuration of sshd to allow port forwarding (tunneling)?

    I'm having a tough time setting up my sshd daemon to allow me to tunnel.  I use the following to connect and get these bind errors as shown below:
    $ ssh bigbox -D 7000
    bind: Address already in use
    channel_setup_fwd_listener: cannot listen to port: 7000
    Could not request local forwarding.
    Can someone advise me what I need to enable to allow tunneling/forwarding?  Here is my server's /etc/ssh/sshd_config
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    ListenAddress 0.0.0.0
    Protocol 2
    ChallengeResponseAuthentication no
    UsePAM yes
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    #GatewayPorts yes
    #X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    PrintMotd yes
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    PermitTunnel yes
    #ChrootDirectory none
    # override default of no subsystems
    Subsystem sftp /usr/lib/ssh/sftp-server
    DenyUsers root
    Last edited by graysky (2010-01-23 19:48:20)

    Here my functional sshd_config that I use as a socks proxy -- keep in mind this is using key authentication, so don't lock yourself out by accident! Notice you have to define the port you are using -- make sure first it's not being used by another application, which could also result in the error message you saw.
    I setup the socks proxy on the client machine by: ssh -fND <localport> -l <login> -p <server port> <location>
    so if you have sshd running on port 7000 on your server: ssh -fND 7000 -l graysky -p 7000 bigbox.
    (although without the -l and -p if bigbox is defined in .ssh/config)
    # Package generated configuration file
    # See the sshd(8) manpage for details
    # What ports, IPs and protocols we listen for
    Port 7000
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    #MaxStartups 10:30:60
    Banner /etc/issue.net
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    UsePAM yes
    Good luck!
    Scott

  • Mountain Lion can't authenticate against OpenLDAP/Kerberos KDC

    Please help this joint venture customer Apple—
    I have been unable to successfully log in with network accounts since upgrading to Mountain Lion.
    However, I can log in via ssh and am issued Kerberos tickets, and all autofs-mounted directories mount as expected.
    I have modified the following files:
    /etc/pam.d/authorization
    # authorization: auth account
    auth       sufficient     pam_krb5.so use_first_pass default_principal
    auth       optional       pam_ntlm.so use_first_pass
    auth       required       pam_opendirectory.so use_first_pass
    account    required       pam_opendirectory.so
    /etc/pam.d/screensaver
    auth       sufficient     pam_krb5.so use_first_pass default_principal
    auth       required       pam_opendirectory.so use_first_pass
    account    required       pam_opendirectory.so
    account    sufficient     pam_self.so
    account    required       pam_group.so no_warn group=admin,wheel fail_safe
    account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
    /etc/pam.d/sshd
    auth       sufficient     pam_krb5.so default_principal
    auth       optional       pam_ntlm.so try_first_pass
    auth       optional       pam_mount.so try_first_pass
    auth       required       pam_opendirectory.so try_first_pass
    account    required       pam_nologin.so
    account    required       pam_sacl.so sacl_service=ssh
    account    required       pam_opendirectory.so
    password   required       pam_opendirectory.so
    session    required       pam_launchd.so
    session    optional       pam_mount.so
    /etc/openldap/ldap.conf
    # LDAP Defaults
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    BASE dc=foo,dc=bar
    URI ldap://dummy.foo.bar
    TLS_CACERT  /etc/openldap/dummy.ldap.pem
    TLS_REQCERT allow
    TIMELIMIT   20
    TIMEOUT     30
    TLS_CACERTDIR /etc/openldap/cacerts
    /etc/krb5.conf
    [libdefaults]
    default_realm = FOO.BAR
    noaddresses = TRUE
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true
    allow_weak_crypto = true
    [realms]
    FOO.BAR = {
      kdc = dummy.foo.bar.:88
      admin_server = dummy.foo.bar.:88
      default_domain = foo.bar
    }
    [domain_realm]
    .foo.bar = FOO.BAR
    foo.bar = FOO.BAR
    [appdefaults]
    pam = {
      debug = true
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
    }
    I've edited my OD config template as documented online... (my EL6 OpenLDAP server advertises GSSAPI)
    <key>Denied SASL Methods</key>
                                  <array>
                                            <string>CRAM-MD5</string>
                                            <string>DIGEST-MD5</string>
                                            <string>NTLM</string>
                                            <string>GSSAPI</string>
                                  </array>
    In my troubleshooting I have found the following links:
    http://www.fh-trier.de/index.php?id=12207
    http://itsabicycle.com/2011/10/14/ldap-authentication-simple-binds-os-x-lion-107 2/
    http://blog.smalleycreative.com/administration/fixing-openldap-authentication-on -os-x-lion/
    http://derflounder.wordpress.com/2012/03/02/
    https://discussions.apple.com/thread/3832156?start=0&tstart=0
    http://www.diastelo.org/blog/mac-os-x-10-7-kerberos-is-back/
    http://iwatts.blogspot.ca/2012/01/osx-1072-openldap-authentication.html
    Please help!
    Rob

    I've found that also adding the /etc/auth changes that have been used in the past OS versions can help with auth at the loginwindow:
    /bin/cp /etc/authorization /etc/authorization.save
    /usr/libexec/PlistBuddy /etc/authorization -c "set rights:system.login.console:mechanisms:4 builtin:krb5authnoverify,privileged"
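
The PAM files in this post all follow the same pattern: `pam_krb5.so` marked `sufficient` first, `pam_opendirectory.so` marked `required` last. What that does on a login is determined entirely by the control flags, and it is easy to misjudge (for instance, a `sufficient` module succeeding stops the stack, so the `required` module after it never runs for a user with a valid Kerberos password). The following is an added example, not OpenPAM or Linux-PAM code: it parses the `auth` lines of the `/etc/pam.d/sshd` shown above and walks them with a simplified model of the four classic control flags as documented in pam.conf(5). Module results are supplied as a dictionary; which module succeeds for which user is an input, not something the example decides.

```python
# The /etc/pam.d/sshd file from the post above, used as the input.
SSHD_PAM = """\
auth       sufficient     pam_krb5.so default_principal
auth       optional       pam_ntlm.so try_first_pass
auth       optional       pam_mount.so try_first_pass
auth       required       pam_opendirectory.so try_first_pass
account    required       pam_nologin.so
account    required       pam_sacl.so sacl_service=ssh
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_launchd.so
session    optional       pam_mount.so
"""


def parse_stack(pam_text, module_type="auth"):
    """Return [(control, module), ...] for one module type, in file order."""
    stack = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == module_type:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate_stack(stack, results):
    """Walk a stack with a simplified model of the classic control flags.

    `results` maps module name -> True (PAM_SUCCESS) or False; a module
    absent from it is treated as failing.  Returns (outcome, trace) where
    trace lists (module, result) for every module that actually ran.
    """
    trace, required_failed, decided = [], False, False
    for control, module in stack:
        ok = results.get(module, False)
        trace.append((module, ok))
        if control == "requisite":
            if not ok:
                return ("fail", trace)        # stop immediately
            decided = True
        elif control == "required":
            if not ok:
                required_failed = True        # remember, but keep walking
            decided = True
        elif control == "sufficient":
            if ok and not required_failed:
                return ("success", trace)     # short-circuit: rest never runs
            # a failing sufficient module is simply ignored
        elif control == "optional":
            pass                              # only matters if nothing else decides
        else:
            raise ValueError("unknown control flag %r" % control)
    if required_failed:
        return ("fail", trace)
    if decided:
        return ("success", trace)
    # nothing but optional modules: fall back to the last result seen
    return ("success" if trace and trace[-1][1] else "fail", trace)


SSHD_AUTH_STACK = parse_stack(SSHD_PAM)
```

Two consequences follow directly from the walk. A user whose Kerberos authentication succeeds is accepted after the first module, so nothing in the rest of the `auth` stack can veto them at that phase; the `account` lines (`pam_nologin`, `pam_sacl`, `pam_opendirectory`) are where such a veto has to live, and they are not modelled here. And if `pam_opendirectory.so` were moved above `pam_krb5.so`, a failed Open Directory bind would poison the stack so that a later successful `sufficient` module could no longer short-circuit to success.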

  • Sshd for gssapi authentication

    Hi, I want to configure sshd in Solaris 8 for GSSAPI authentication. I have uncommented GSSAPIAuthentication yes and GSSAPICleanupCredentials yes in the sshd_config file.
    After that, when I try to restart sshd using /etc/init.d/sshd start, I get the message that GSSAPIAuthentication and GSSAPICleanupCredentials are unsupported options.
    Where can I enable GSSAPI authentication for Kerberos?

    Where did you get this version of ssh? If it's built from source, you probably need to compile/install MIT or Heimdal krb5 before trying to get GSSAPI auth to work. The stock krb5 with Solaris 8 (SEAM) is not very good compared to what comes with 9+.

  • SSO using Kerberos with SAP Logon Tickets

    Hi,
    I am creating a Repository Manager for the Portal Knowledge Management System and I want to use SSO to a backend IIS application and I have a few questions here. 
    I have a three tiered architecture. 
    A.  The presentation tier (SAP Portal which has my Repository Manager implementation)
    B.  ASP.NET web service data layer.
    C.  Backend document management system which runs on IIS. 
    I have installed the ISAPI filter on my ASP.NET application server and have enabled this HOST account for delegation in MSAD 2003.   Server B will use Kerberos constrained delegation to access Server C, which is an IIS backend server. 
    My question is how do I pass an SAP Logon Ticket to an ASP.NET web service request from my Repository Manager implementation?  Basically how do I just make an HTTP request to an ASP.NET application from some portal iView or WebDynPro code and pass along the SAP Logon Ticket in the request so it can be interpreted by the ISAPI filter on the IIS server.  Does anyone have any sample code or an application here that does this?
    Thanks,
    Scott

    Hi Scott
    Did you manage to find out anything about how to pass the SAP Logon Ticket to an ASP.NET web service? Can you share it with me?
    regards
    ram

  • Error Kerberos

    Post Author: hqcire
    CA Forum: Authentication
    I'm running Windows Server 2003 + IIS 6.0 + Windows AD + SSO and I try to use the Kerberos token. But I have this error. I did these SETSPN commands:
    SETSPN -A BOBJCentralMS/aaaa.dev.bbbb.qc.ca dev\user123
    SETSPN -A BOBJCentralMS/ aaaa dev\user123
    SETSPN -A HTTP/aaaa.dev.bbbb.qc.ca dev\user123
    ERROR 1
    A Kerberos Error Message was received: on logon session
    Client Time:
    Server Time: 15:23:8.0000 2/26/2008 Z
    Error Code: 0xd KDC_ERR_BADOPTION
    Extended Error: 0xc00000bb KLIN(0)
    Client Realm:
    Client Name:
    Server Realm: DEV.bbbb.QC.CA
    Server Name: host/aaaa.dev.bbbb.qc.ca
    Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
    Error Text:
    File: 9
    Line: ae0
    Error Data is in record data.
    ERROR 2
    A Kerberos Error Message was received: on logon session
    Client Time:
    Server Time: 15:22:32.0000 2/26/2008 Z
    Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: DEV.bbbb.QC.CA
    Server Name: cccc.dev.bbbb.qc.ca
    Target Name: cccc.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
    Error Text:
    File: 9
    Line: ae0
    Error Data is in record data.
    ERROR 3
    A Kerberos Error Message was received: on logon session
    Client Time:
    Server Time: 15:22:30.0000 2/26/2008 Z
    Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG
    Extended Error:
    Client Realm:
    Client Name:
    Server Realm: DEV.bbbb.QC.CA
    Server Name: host/aaaa.dev.bbbb.qc.ca
    Target Name: host/aaaa.dev.bbbb.qc.ca @DEV.bbbb.QC.CA
    Error Text:
    File: 9
    Line: ae0
    Error Data is in record data.
    What is my problem?

    Post Author: hqcire
    CA Forum: Authentication
    I used WFETCH to get more information. Here's what I have:
    started....WWWConnect::Connect("placebo","443")
    source port: 3055
    ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set
    SEC_I_CONTINUE_NEEDED
    REQUEST: **************
    GET D:\SystProd\BOE\BusinessObjects Enterprise 11.5\Web Content HTTP/1.1
    Host: placebo
    Accept: /
    Connection: Keep-Alive
    Authorization: Kerberos [...]

    RESPONSE: **************
    HTTP/1.1 400 Bad Request
    Content-Type: text/html
    Date: Thu, 28 Feb 2008 14:45:39 GMT
    Connection: close
    Content-Length: 20

    <h1>Bad Request</h1>
    WWWConnect::Close("placebo","443")
    closed source port: 3055
    finished.

  • Configuring Windows XP to use IIS w/ Kerberos

    I need to build a Windows XP SSO solution using IIS 5.1 with Integrated Windows Authentication using Kerberos protocol. IIS will then pass the request over to another application which will need to use a Kerberos JAAS module to authenticate the respective users to the application.
    Does anyone have any instructions or tips on accomplishing these set of tasks? I have very limited experience with Kerberos. Any help would be much appreciated.
    Note: I've gotten this to work using NTLM, so I would like to know the level of difficulty in making the switch over to Kerberos.
    Thanks a lot in advance!
    Message was edited by:
    YvesG

    Because in SAP Help on topics <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm">Single Sign-On with Microsoft Kerberos SSP</a> and
    <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/44/0ebf6c9b2b0d1ae10000000a114a6b/content.htm">Configuring the Application Server</a>, tell to copyt the gsskrb5.dll file(see SAP Note 595341), to the following directory on the central instance: Drive:\%windir%\system32.
    This text let me think that central instance is installed on a Windows Server, but on SAP Help docs I didn't found the specific information that the central instance must be installed on a Windows Server.

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in Windows Explorer format, we are using Portal Drive, but Portal Drive still asks for authentication, i.e. SSO is not working for Portal Drive. I have understood from the forums and the SAP help site that SSO from Portal Drive will work only for NTLM authentication and client certificates. Can you please help with the questions below.
    1. Can Kerberos and NTLM authentication be configured together.
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
    3. Any other approach to make Portal Drive SSO work.
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
    second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest version.
    Hope this helps
    Marcel

  • Kerberos Single Sign On and Query Designer for BI forcing user to log in

    Hello experts,
    Our company just implemented SSO using Kerberos for Portal and BI.  However when a user trying to open a query using the Query Designer to connect to the portal, they have to log in again.  Anyone know why?

    Is this for every user or only to certain user?
    also check the browser authentication.  --> Tools --> Internet Options --> Advanced --> Under Security --> Enable Integrated windows authentication.
    /padmanaban

  • BO XI Release 2 - NTLM versus Kerberos Authentication

    Hello,
    I have some problems with authentication. At first I set up only Kerberos authentication in the CMS, but now I would like to change it to NTLM; but if I clear "Use Kerberos authentication", mark "Use NTLM authentication" and click Update, it doesn't work.
    Authentication Options
    Use NTLM authentication 
    Use Kerberos authentication
             Cache security context (required for SSO to database) 
           Service principal name:  
    Thank you very much for your answer,
    unhappy:( Marika

    You can set up Kerberos for both; it's required for Java. .NET will support both Kerberos and NTLM, although unless you are trying to delegate credentials all the way to your DB, it usually isn't desired in .NET because the configuration is far more complex.
    You can simply look at your logon URL to figure out if you are hitting IIS (URLs end in .aspx and no port #) or Tomcat (URLs end in .do and port 8080).
    Regards,
    Tim
