Preauthentication failed with GSSAPI Kerberos authentication

Hello,
I am trying to authenticate with Kerberos, but I keep running into the same problem.
kinit and the other Kerberos utilities work. But when I try to authenticate with my own Java code I get a preauthentication error:
***Trace:
[java] default etypes for default_tkt_enctypes: 16 1.
[java] default etypes for default_tkt_enctypes: 16 1.
[java] >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
[java] >>> KrbAsReq calling createMessage
[java] >>> KrbAsReq in createMessage
[java] >>> KrbKdcReq send: kdc=tower.mivz.spugium.net UDP:88, timeout=30000, number ofretries =3, #bytes=230
[java] >>> KDCCommunication: kdc=tower.mivz.spugium.net UDP:88, timeout=30000,Attempt =1, #bytes=230
[java] >>> KrbKdcReq send: #bytes read=193
[java] >>> KrbKdcReq send: #bytes read=193
[java] >>> KDCRep: init() encoding tag is 126 req type is 11
[java] >>>KRBError:
[java] cTime is Sat Nov 20 02:23:05 CET 2004 1100913785000
[java] sTime is Fri Nov 19 03:32:50 CET 2004 1100831570000
[java] suSec is 750731
[java] error code is 24
[java] error Message is Pre-authentication information was invalid
[java] crealm is MIVZ.SPUGIUM.NET
[java] cname is root
[java] realm is MIVZ.SPUGIUM.NET
[java] sname is krbtgt/MIVZ.SPUGIUM.NET
[java] etext is Preauthentication failed
[java] Kerberos password for [email protected]: Unexpected Exception - unable to continue
[java] javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - Preauthentication failed
[java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
[java] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[java] at java.lang.reflect.Method.invoke(Method.java:585)
[java] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
[java] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
[java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
[java] at java.security.AccessController.doPrivileged(Native Method)
[java] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
[java] at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
[java] at org.spugium.spine.plug.webadmin.Login.main(Login.java:166)
[java] Caused by: KrbException: Pre-authentication information was invalid (24) - Preauthentication failed
[java] at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
[java] at sun.security.krb5.KrbAsReq.getReply(DashoA12275:345)
[java] at sun.security.krb5.Credentials.acquireTGT(DashoA12275:370)
[java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
[java] ... 12 more
[java] Caused by: KrbException: Identifier doesn't match expected value (906)
[java] at sun.security.krb5.internal.ah.a(DashoA12275:133)
[java] at sun.security.krb5.internal.av.a(DashoA12275:58)
[java] at sun.security.krb5.internal.av.<init>(DashoA12275:53)
[java] at sun.security.krb5.KrbAsRep.<init>(DashoA12275:50)
[java] ... 15 more
[java] Java Result: 255
***krb5.conf
[libdefaults]
ticket_lifetime = 600
default_realm = MIVZ.SPUGIUM.NET
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
MIVZ.SPUGIUM.NET = {
kdc = tower.mivz.spugium.net:88
admin_server = tower.mivz.spugium.net:749
}
[domain_realm]
.mivz.spugium.net = MIVZ.SPUGIUM.NET
mivz.spugium.net = MIVZ.SPUGIUM.NET
***csLogin.conf
org.spugium.spine.plug.webadmin.Webadmin {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true principal="[email protected]";
};
***System properties:
System.setProperty("java.security.krb5.conf","/etc/krb5.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("javax.security.auth.useTicketCache", "true");
System.setProperty("java.security.auth.login.config", "csLogin.conf");
System.setProperty("sun.security.krb5.debug", "true");
Could someone help me with a hint?
Thank you,
Harrie Hoogeveen

Hi All,
We are also facing the same issue, but in a different way.
Our Java application accepts the first 100 (around) krb auth requests and the rest of the requests are dropped; while dropping them it simply shows a message like "pre-authentication failed".
My doubt is: do we have any constraint on the number of concurrent accesses in krb?
I'm using Tomcat and CASified Sakai with Apache2.

Similar Messages

  • Error=49 from the LDAP server for GSSAPI Kerberos authentication

    I am trying to find a solution for an ldapsearch failure with GSSAPI Kerberos authentication. I am running Sun Directory Server 5.2 P4 on a Solaris 9 SPARC machine.
    Steps :
    bash-2.05# kinit tester1
    Password for [email protected]:
    bash-2.05#
    When I do ldapsearch, I am getting the following logs on the server:
    tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
    [22/Feb/2007:01:45:50 -0700] conn=33 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [22/Feb/2007:01:45:50 -0700] conn=33 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=4 - UNBIND
    [22/Feb/2007:01:45:50 -0700] conn=33 op=3 msgId=-1 - closing - U1
    [22/Feb/2007:01:45:51 -0700] conn=33 op=-1 msgId=-1 - closed.
    I am using the default Identity Mapping and the ldif file looks like this:
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMatching-regexp: uid=(.*)
    dsSearchBaseDN: ou=people,dc=test1,dc=com
    dsMappedDN: uid=${Principal},ou=people,dc=test1,dc=com
    modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
    modifyTimestamp: 20070221082740Z
    Following is the snoop for LDAP on the server :
    bash-2.05# !snoop
    snoop -v port 389 | grep LDAP
    Please help me on how to fix this issue.
    Thanks,
    Radhakrishnan
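As an added example (not code from the original post), a Python parser for the Directory Server access-log format shown above: it groups the SASL bind legs of each connection and reports at which leg a GSSAPI bind ended and with what result, so the pattern in the post (two err=14 "in progress" rounds, then err=49 on the third leg) can be checked across many connections rather than by eye. The sample log is constructed from the lines in the post; the result-code names are the standard LDAP result codes.

```python
import re

# Constructed sample in the Sun Directory Server 5.2 access-log format quoted above:
# one connection, three GSSAPI bind legs, the last one failing.
SAMPLE_ACCESS_LOG = """\
[22/Feb/2007:01:44:16 -0700] conn=32 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=0 msgId=1 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=1 msgId=2 - RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
[22/Feb/2007:01:44:16 -0700] conn=32 op=2 msgId=3 - RESULT err=49 tag=97 nentries=0 etime=0
[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=4 - UNBIND
[22/Feb/2007:01:44:16 -0700] conn=32 op=3 msgId=-1 - closing - U1
[22/Feb/2007:01:44:17 -0700] conn=32 op=-1 msgId=-1 - closed.
"""

# Standard LDAP result codes relevant to a SASL bind.
LDAP_RESULT_NAMES = {0: "success", 14: "saslBindInProgress", 49: "invalidCredentials"}

_CONN_RE = re.compile(r"conn=(\d+) op=(-?\d+) msgId=(-?\d+) - (.*)$")
_FROM_RE = re.compile(r"LDAP connection from (\S+) to (\S+)")
_BIND_RE = re.compile(r'BIND dn="([^"]*)" method=sasl version=\d+ mech=(\S+)')
_RESULT_RE = re.compile(r"RESULT err=(\d+)")


def summarise_sasl_binds(log: str) -> dict:
    """Group the SASL bind legs of each connection and record how the exchange ended."""
    conns = {}
    for line in log.splitlines():
        m = _CONN_RE.search(line)
        if not m:
            continue
        conn, op, rest = m.group(1), int(m.group(2)), m.group(4)
        entry = conns.setdefault(
            conn, {"client": None, "dn": None, "mech": None, "legs": [], "final_err": None}
        )
        fm = _FROM_RE.search(rest)
        if fm:
            entry["client"] = fm.group(1)
            continue
        bm = _BIND_RE.search(rest)
        if bm:
            entry["dn"], entry["mech"] = bm.group(1), bm.group(2)
            entry["legs"].append({"op": op, "err": None})
            continue
        rm = _RESULT_RE.search(rest)
        if rm and entry["legs"] and entry["legs"][-1]["op"] == op:
            err = int(rm.group(1))
            entry["legs"][-1]["err"] = err
            # err=14 means another SASL leg follows; any other code ends the exchange.
            if err != 14:
                entry["final_err"] = err
    return conns


def failed_gssapi_binds(log: str) -> list:
    """Return (conn, client, dn, legs, result_name) for every GSSAPI bind that did not end in success."""
    failures = []
    for conn, e in summarise_sasl_binds(log).items():
        if e["mech"] != "GSSAPI" or e["final_err"] in (None, 0):
            continue
        name = LDAP_RESULT_NAMES.get(e["final_err"], str(e["final_err"]))
        failures.append((conn, e["client"], e["dn"], len(e["legs"]), name))
    return failures


if __name__ == "__main__":
    for conn, client, dn, legs, name in failed_gssapi_binds(SAMPLE_ACCESS_LOG):
        print(f"conn={conn} from {client}: GSSAPI bind as {dn} ended after leg {legs} with {name}")
```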

    I did reply on the other thread of yours...
    Ludovic

  • GSSAPI Kerberos authentication and WS-Security

    Hi,
    We have a requirement to perform Kerberos authentication to a web service.
    The client is to be written in C# using Microsoft's Web Services
    Enhancements (WSE 3.0). WSE (which uses SSPI) has support for
    Kerberos authentication. The application server does not support Kerberos.
    The intention is to use the Java GSSAPI on the web service side to process
    a limited part of the WS-Security header.
    I've successfully processed the <wsse:BinarySecurityToken> to perform
    the actual authentication; I'm now left with checking the signatures.
    The values of the <DigestValue> and <SignatureValue> appear to always be
    20 bytes long (when decoded from Base64) which suggests they're the
    output from SHA1.
    The outputs from GSSContext.getMIC and GSSContext.wrap always start
    with the ASN.1 value 0x60. The <SignatureValue> doesn't, therefore
    attempting to use verifyMIC or unwrap fails with:
    "GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)"
    It appears that the digest algorithm is SHA1 and the signature algorithm is
    HMAC-SHA1. So the <DigestValue> is probably just the SHA1 of the
    Canonical XML of the SOAP:Body. The HMAC algorithm requires access to
    the Kerberos private session key, which doesn't appear to be made
    available through the GSSAPI interface, so implementing our own functions
    doesn't seem to be an option.
    I've included the portion of the SOAP header I'm looking at below, apologies
    if the format's messed up.
    So what I'm looking for is:
         1) A way of canonicalising the SOAP:Body so I can feed it into SHA1
            (java.security.MessageDigest).
         2) A way of getting at the Kerberos session key through the GSSAPI so I
            can produce the <SignatureValue> from the <DigestValue> for
            verification (javax.crypto.Mac).
    Any ideas?
    Cheers
    Phil
    <wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp-343caad4-454a-4dcd-b206-3e6bf4ad0116">
    <wsu:Created>2006-04-27T13:00:48Z</wsu:Created>
    <wsu:Expires>2006-04-27T13:05:48Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422">YIIB1AYJKoZIh<snip>==</wsse:BinarySecurityToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
    <Reference URI="#Id-73b189ca-2ddd-4fcb-a60e-025e71857802">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>BRyjTgrnalo2YXtWUi80pzgoVso=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>ddTO413OprTwFPWj3NDx94PidZc=</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-2c5a4b4a-4408-4ee8-8e32-9378c063d422" ValueType="http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </wsse:Security>

    Hi Osman,
    Hope this blog will answer your Query: /people/rahul.nawale2/blog/2006/05/31/how-to-use-client-authentication-with-soap-adapter
    Documentation SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/69/a6fb3fea9df028e10000000a1550b0/content.htm
    Security settings for SOAP adapter - http://help.sap.com/saphelp_nw04/helpdata/en/56/992d4142badb2be10000000a1550b0/content.htm
    Regards
    Pothana

  • GSSAPI Kerberos Authentication

    I have installed Directory Server 5.2 patch 3 on an x86 system. I cannot authenticate with a Kerberos principal. It gives me the error shown below:
    ldapsearch -h ldap-server.ga.bcrlscsu.net -p 389 -o mech=GSSAPI -o authzid="user1" -b "" -s base "(objectclass=*)"
    ldap_sasl_interactive_bind_s: Invalid credentials
    ldap_sasl_interactive_bind_s: additional info: SASL(-1): generic failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No error)
    Could anyone please help me out, here!

    There's a viable Directory Server discussion forum over at the Java ES tab of the front page of this forum site:
    http://forum.java.sun.com/index.jspa?tab=es
    You might consider placing your question there so that those with DS skills would see it.

  • Kerberos Authentication: "Integrity check on decrypted field failed"

    Hi,
    I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).
    Any ideas? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"
    The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is that the one that doesn't has an extra SPN "HTTP/" - would that cause this error?
    Has anyone else had this error, and what causes it?
    Many thanks in advance.
    Regards
    Jane
    Full error text:
    JGSS_DBG_CTX Creating context, initiator = no, input cred = not null
    JGSS_DBG_CRED getCred: only one cred, returning it
    JGSS_DBG_CRED getName found name: host/[email protected], mech=1.2.840.113554.1.2.2
    JGSS_DBG_CRED Krb5 name type = 0
    JGSS_DBG_CTX Creating context, cred usage = 2
    GSS Context created
    JGSS_DBG_UNMARSH Real token len 1641
    JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2
    JGSS_DBG_UNMARSH inner token len 1630
    JGSS_DBG_PROV getFactory: index = 0 found factory
    JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider
    JGSS_DBG_PROV 1.2.840.113554.1.2.2
    JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found
    JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2
    JGSS_DBG_CTX Default list of negotiable mechs:
    1.2.840.113554.1.2.2
    JGSS_DBG_CTX ticket enc type = des-cbc-md5
    com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)
    at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)
    at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)
    at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)
    at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)
    at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)
    at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
    at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
    at java.lang.reflect.Method.invoke(Method.java:391)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
    at java.security.AccessController.doPrivileged(AccessController.java:242)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(AccessController.java:215)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    JGSS_DBG_CTX Error authenticating request. Reporting to client
    Major code = 11, Minor code = 31
    org.ietf.jgss.GSSException, major code: 11, minor code: 31
    major string: General failure, unspecified at GSSAPI level
    minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31
    message: Integrity check on decrypted field failed

    Hi Désirée,
    Yes the service user has "Use DES encryption" set.
    In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.
    Regards
    Jane

  • Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

    I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
    Given below are the steps of installation and configuration.
    Installation till basic authentication:
    The installation has been done in a single server.
      1. Installed SQL Server 2012 (Developer version). Selected only the following features:
         - Database Engine Services
         - Analysis Services
         - Reporting Services – SharePoint
         - Reporting Services Add-in for SharePoint Products
         - Management Tools – Basic
         - Management Tools – Complete
      2. Installed SQL Server 2012 SP1.
      3. Installed SQL Server 2012 SP2.
      4. Installed SharePoint Foundation 2013.
      5. Created web application (without Kerberos; we did not even create the SPNs).
         The application pool has been configured to use the Reporting Services account since it is a single server installation. This account has been registered as a managed account.
      6. Created Site Collection.
      7. Verified that Reporting Services is not installed.
      8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
      9. Verified that Reporting Services is installed.
     10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL Server Reporting Services Service Application.
     11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
     12. Created a Site.
     13. Created a Data Connection library with “Report Data Source” content type.
     14. Created a Report Model library with “Report Builder Model” content type.
     15. Created a Report library with “Report Builder Report” content type.
     16. Uploaded an SMDL to the Report Model library.
     17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
     18. Able to create and save a report using Report Builder.
    Hence, basic authentication is working and SSRS is able to connect to the Oracle database.
    Next we have to configure Kerberos settings between SharePoint and SQL Server.
    Implementation of Kerberos authentication
      1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
      2. Set up the following SPNs.
         a) SQL Server Database Engine service (sqlDbSrv2):
            setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
            setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
         b) Account: SharePoint Setup Admin account (spAdmin2)
            setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
            setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
         c) Account: SQL Server Reporting Service account (sqlRepSrv2)
            setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
            setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
            In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
      3. Configured the Web Application to use “Negotiate (Kerberos)”.
      4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser. The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
      5. Implemented Kerberos for Oracle database and client. Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
      6. Turned on Windows Firewall.
      7. While testing the site's data connection using Kerberos settings, got the error “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
         Note: The Data Connection for basic authentication still worked.
      8. Created a Claims to Windows Token Service account (spC2WTS2).
      9. Started the Claims to Windows Token Service.
     10. Registered the Claims to Windows Token Service account as a Managed Account.
     11. Changed the Claims To Windows Token Service to use the above managed account.
     12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
         Note: The Reporting Services service account is also a part of the WSS_WPG local group.
     13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
     14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
     15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured. When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in the c2wtshost.exe.config file.
     16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
     17. Earlier the Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account. Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
     18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token). For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
         Note: The Reporting Service account already had an HTTP SPN.
     19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account. For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing. The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
     20. Restarted the SharePoint server.
     21. Tested the data connection with the Kerberos settings again. Got the error “ORA-12638: Credential retrieval failed”.
    Can anyone tell me what is wrong with this setup?

    http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
    Problem4: ORA-12638: Credential retrieval failed
    Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
    Do check 
    http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
    If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

  • Updating hybrid configuration failed - Kerberos authentication: The network path was not found

    I'm configuring Exchange 2010 SP3 as a Hybrid server with Exchange Online. This is a single server running Exchange roles Mailbox, Client Access, Unified Messaging and Hub Transport.
    When I run the Manage Hybrid Configuration, I receive the following error:
    Updating hybrid configuration failed with error
     'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occurred while using Kerberos authentication: The network path was not found.
    The full text from the Hybrid Configuration log file (C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration)
    [1/5/2014 21:21:1] INFO:Opening runspace to
    http://[servername]/powershell?serializationLevel=Full
    [1/5/2014 21:21:1] INFO:Disconnected from On-Premises session
    [1/5/2014 21:21:1] ERROR:Updating hybrid configuration failed with error 'System.Management.Automation.Remoting.PSRemotingTransportException: Connecting to remote server failed with the following error message : WinRM cannot process the request. The following
    error occured while using Kerberos authentication: The network path was not found. 
     Possible causes are:
      -The user name or password specified are invalid.
      -Kerberos is used when no authentication method and no user name are specified.
      -Kerberos accepts domain user names, but not local user names.
      -The Service Principal Name (SPN) for the remote computer name and port does not exist.
      -The client and remote computers are in different domains and there is no trust between the two domains.
     After checking for the above issues, try the following:
      -Check the Event Viewer for events related to authentication.
      -Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
     Note that computers in the TrustedHosts list might not be authenticated.
       -For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
       at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
       at System.Management.Automation.Runspaces.Internal.RunspacePoolInternal.EndOpen(IAsyncResult asyncResult)
       at System.Management.Automation.Runspaces.RunspacePool.Open()
       at System.Management.Automation.RemoteRunspace.Open()
       at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.Connect(PSCredential credentials, CultureInfo sessionUiCulture)
       at Microsoft.Exchange.Management.Hybrid.Engine.Execute(ILogger logger, String onPremPowershellHost, PSCredential onPremCredentials, PSCredential tenantCredentials, HybridConfiguration hybridConfiguration)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.UpdateHybridConfiguration.InternalProcessRecord()'.
    I have sought help, posting on the forum at community.office365.com -
    http://community.office365.com/en-us/forums/158/t/212265.aspx. But I've got to a point where I believe the problem is more to do with how PowerShell is operating on the on-prem Exchange server.
    Has anyone else come across this problem running the Hybrid Configuration Wizard?

    Hello Darrell,
     Have you verified the settings of the PowerShell virtual directories for the on-premises Exchange Servers? The following article has a list of some common issues with that virtual directory and how to correct them:
     http://technet.microsoft.com/en-us/library/ff607221(v=exchg.80).aspx
     I would take a look at the one titled "Configure Kerberos Authentication" specifically to ensure everything looks good.
     As the article states, you can run the Exchange BPA and it will check if any of these exist as well.

  • Exchange 2010 sp2 emc initialization error using "kerberos" authentication failed

     We use Exchange 2010 SP2.
     We have 2 management stations, both W2K8 R2 SP1.
     I have one management station on which the EMC and EMS work OK.
     On the other management station (which is also in another AD site) the EMC and EMS don't work.
     I get the following error message: The attempt to connect to http://fqdnCasServer/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
     I have checked the time on the management station and on the Exchange server and this is OK.
     It is not a permissions issue because the user functions OK on the other management station.
     On the bad management station I can open the EMC once, and after a minute I get an error message saying access denied. From then on I can't connect any more.
    What am I doing wrong?
    Anyone any tips?
    Thanks,
    JB 

    This is what I get in the eventlog of the bad management station.
    Log Name:      MSExchange Management
    Source:        MSExchange CmdletLogs
    Date:          1/10/2012 11:39:27
    Event ID:      6
    Task Category: (1)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Server.domain.com
    Description:
    The description for Event ID 6 from source MSExchange CmdletLogs cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event:
    Get-ExchangeServer
    {Identity=Servername}
    Domain/ou/ou/ou/ou/username
    Exchange Management Console-Local
    3080
    22
    00:00:00.3593888
    View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DN }'
    Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMTSTATION' couldn't be found on 'FQDN DC'.
    Context
    the message resource is present but the message is not found in the string/message table
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSExchange CmdletLogs" />
        <EventID Qualifiers="49152">6</EventID>
        <Level>2</Level>
        <Task>1</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-01T09:39:27.000000000Z" />
        <EventRecordID>11</EventRecordID>
        <Channel>MSExchange Management</Channel>
        <Computer>FQDN MGMT STATION</Computer>
        <Security />
      </System>
      <EventData>
        <Data>Get-ExchangeServer</Data>
        <Data>{Identity=MGMT STATION}</Data>
        <Data>domain/ou/ou/ou/ou/username</Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>Exchange Management Console-Local</Data>
        <Data>3080</Data>
        <Data>
        </Data>
        <Data>22</Data>
        <Data>00:00:00.3593888</Data>
        <Data>View Entire Forest: 'True', Configuration Domain Controller: 'FQDN DC', Preferred Global Catalog: 'FQDN DC', Preferred Domain Controllers: '{ FQDN DC }'</Data>
        <Data>Microsoft.Exchange.Configuration.Tasks.ManagementObjectNotFoundException: The operation couldn't be performed because object 'FQDN MGMT STATION' couldn't be found on 'FQDN DC'.</Data>
        <Data>Context</Data>
        <Data>
        </Data>
      </EventData>
    </Event>

  • Kerberos authentication fail on ASA 5505 -Decrypt integrity-

    Hi,
    I'm trying to configure Kerberos authentication on ipsec-l2tp vpn tunnel. However, when I use my domain user to establish a connection I get this error:
    ASA-Oslo# kerberos mkreq: 0x176
    kip_lookup_by_sessID: kip with id 374 not found
    alloc_kip 0xd9b9bdf0
        new request 0x176 --> 11 (0xd9b9bdf0)
    add_req 0xd9b9bdf0 session 0x176 id 11
    In kerberos_build_request
    In kerberos_open_connection
    In kerberos_send_request
    ********** START: KERBEROS PACKET DECODE ************
    Kerberos: Message type KRB_AS_REQ
    Kerberos: Option forwardable
    Kerberos: Option renewable
    Kerberos: Option renewable accepted
    Kerberos: Client Name antonio.torres
    Kerberos: Client Realm IBISTIC.LOCAL
    Kerberos: Server Name krbtgt
    Kerberos: Start time 0
    Kerberos: End time -643858960
    Kerberos: Renew until time -653409600
    Kerberos: Nonce 0x5242a360
    Kerberos: Encryption type rc4-hmac-md5
    Kerberos: Encryption type des-cbc-md5
    Kerberos: Encryption type des-cbc-crc
    Kerberos: Encryption type des-cbc-md4
    Kerberos: Encryption type des3-cbc-sha1
    Kerberos: Address 10.40.49.1
    ********** END: KERBEROS PACKET DECODE ************
    In kerberos_recv_msg
    In kerberos_process_response
    ********** START: KERBEROS PACKET DECODE ************
    Kerberos: Message type KRB_AS_REP
    Kerberos: Client Name antonio.torres
    Kerberos: Client Realm IBISTIC.LOCAL
    ********** END: KERBEROS PACKET DECODE ************
    Kerberos library reports: "Decrypt integrity check failed"
    In kerberos_close_connection
    remove_req 0xd9b9bdf0 session 0x176 id 11
    free_kip 0xd9b9bdf0
    kerberos: work queue empty
     I've been looking for documentation about this error but I was not able to figure out what's wrong. I've also already turned off 'Do not require pre-authentication' in the account options.
     Does anyone else get this error?
    Any help will be more than welcome,
    Thanks in advance,
    Antonio

  • Remote PowerShell Connection to Lync Server With Kerberos authentication Fails

     Hi everyone,
     Remote PowerShell to Lync Server with Kerberos authentication fails. Is there any reason for not being able to connect when authentication is specified as Kerberos? Exactly the same code works when Authentication is specified as "Negotiate".
     E.g.:
     Error -
     $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
     [serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify that the client computer and the destination computer are joined to a domain. To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by server:   Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
         + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
         + FullyQualifiedErrorId : PSSessionOpenFailed
     Works -
    $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate

    Hi,
    Please double check if Windows Update is the latest version, if not, please update and then test again.
    Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
    Best Regards,
     Eason Huang
    TechNet Community Support

  • Server log having multiple Kerberos Authentication failed events

     In my Windows server log I can see many Kerberos authentication failure events. Could you please explain why this is happening and how to resolve it?

    Hello Friend,
     Here is the log:
     Time of Day    | Name                                                       | Source Country | Destination IP | Destination Country | Destination Port | Event Count
     ---------------|------------------------------------------------------------|----------------|----------------|---------------------|------------------|------------
     2014-12-10 09  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 2
     2014-12-10 08  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 6
     2014-12-10 08  | 4768: A Kerberos Authentication Ticket (tgt) Was Requested | N/A            | Not Reported   | N/A                 | Not Reported     | 2
     2014-12-10 08  | 4771: Kerberos Pre-authentication Failed                   | N/A            | Not Reported   | N/A                 | Not Reported     | 2
     2014-12-10 07  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 14
     2014-12-10 07  | 4768: A Kerberos Authentication Ticket (tgt) Was Requested | N/A            | Not Reported   | N/A                 | Not Reported     | 1
     2014-12-10 06  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 12
     2014-12-10 06  | 4768: A Kerberos Authentication Ticket (tgt) Was Requested | N/A            | Not Reported   | N/A                 | Not Reported     | 2
     2014-12-10 05  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 16
     2014-12-10 05  | 4768: A Kerberos Authentication Ticket (tgt) Was Requested | N/A            | Not Reported   | N/A                 | Not Reported     | 1
     2014-12-10 04  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 22
     2014-12-10 03  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 8
     2014-12-10 03  | 4768: A Kerberos Authentication Ticket (tgt) Was Requested | N/A            | Not Reported   | N/A                 | Not Reported     | 1
     2014-12-10 02  | 4624: An Account Was Successfully Logged On                | N/A            | 0.0.0.0        | N/A                 | Not Reported     | 11
     2014-12-10 02  | 4768: A Kerberos Authentication Ticket (tgt) Was Requested | N/A            | Not Reported   | N/A                 | Not Reported     | 4
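As an added example (not part of the thread), this is how a defender could read an hourly export in the shape pasted above and pick out the hours that contain 4771 pre-authentication failures next to the 4768 TGT requests they belong with. The one-cell-per-line layout is assumed from the post, and the sample rows are constructed to mirror it.

```python
"""Parse an hourly Security-event export laid out one cell per line (the shape
pasted in the post above) and pick out hours with Kerberos pre-auth failures:
4768 = TGT requested, 4771 = pre-authentication failed, 4624 = logon."""
import re
from collections import defaultdict

COLUMNS = ["Time of Day", "Name", "Source Country", "Destination IP",
           "Destination Country", "Destination Port", "Event Count"]

# Constructed sample mirroring the post: header cells first, then each
# row's seven cells on consecutive lines.
SAMPLE_EXPORT = """\
Time of Day
Name
Source Country
Destination IP
Destination Country
Destination Port
Event Count
2014-12-10 09
4624: An Account Was Successfully Logged On
N/A
0.0.0.0
N/A
Not Reported
2
2014-12-10 08
4768: A Kerberos Authentication Ticket (tgt) Was Requested
N/A
Not Reported
N/A
Not Reported
2
2014-12-10 08
4771: Kerberos Pre-authentication Failed
N/A
Not Reported
N/A
Not Reported
2
"""

EVENT_ID_RE = re.compile(r"^(\d{4}):\s*(.*)$")


def parse_export(text):
    """Turn the one-cell-per-line export into a list of row dicts.

    The header must equal COLUMNS; every following group of len(COLUMNS)
    lines is one row, and a trailing partial row is rejected rather than
    silently mis-aligning every later column.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    width = len(COLUMNS)
    if lines[:width] != COLUMNS:
        raise ValueError("unexpected header: %r" % lines[:width])
    cells = lines[width:]
    if len(cells) % width:
        raise ValueError("partial row: %d stray cells" % (len(cells) % width))
    rows = []
    for i in range(0, len(cells), width):
        row = dict(zip(COLUMNS, cells[i:i + width]))
        m = EVENT_ID_RE.match(row["Name"])
        if not m:
            raise ValueError("no event id in %r" % row["Name"])
        row["event_id"] = int(m.group(1))
        row["count"] = int(row["Event Count"])
        rows.append(row)
    return rows


def counts_by_hour(rows):
    """{hour: {event_id: total count}}, hour being e.g. '2014-12-10 08'."""
    out = defaultdict(lambda: defaultdict(int))
    for row in rows:
        out[row["Time of Day"]][row["event_id"]] += row["count"]
    return {hour: dict(ids) for hour, ids in out.items()}


def preauth_failure_hours(by_hour, min_failures=1):
    """Hours with at least min_failures 4771 events, paired with that hour's
    4768 count so the failed-to-requested ratio is visible at a glance."""
    flagged = []
    for hour in sorted(by_hour):
        ids = by_hour[hour]
        failures = ids.get(4771, 0)
        if failures >= min_failures:
            flagged.append((hour, failures, ids.get(4768, 0)))
    return flagged


if __name__ == "__main__":
    summary = counts_by_hour(parse_export(SAMPLE_EXPORT))
    for hour, failed, requested in preauth_failure_hours(summary):
        print("%s: %d pre-auth failures (4771) vs %d TGT requests (4768)"
              % (hour, failed, requested))
```

Raising min_failures turns the same summary into a threshold alert; the full 4771 events (with their Failure Code and client address fields) are what you would pull next for the flagged hour.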

  • Exchange Management Console couldn't start with Kerberos authentication failed

     I was making changes to the Client Access\owa settings, changing from Basic authentication to Form authentication (UPN name) and then back to Basic again. It was OK after changing to Form authentication, but a moment after changing back to Basic I could no longer access OWA (blank page with one vertical line), and in Exchange Management Console I got "Initialization failed" - The following error occurred while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
     The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
     I tried the troubleshooting tool from the Exchange team blog:
     http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It gives 3 possible causes for this error: 1. The WSMan module entry is missing from the global modules section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. The Kerbauth module shows up as a Managed module or has been loaded at the Default Web Site level; 3. The path of the PowerShell virtual directory has been modified.
     I checked carefully; none of the 3 causes apply to my situation, as the WSMan entry is in order, Kerbauth is native and local, and the path of the PowerShell virtual directory is correct.
     I find that in the Application log there are Events 2297 and 2307 dumped at the time of failure:
     The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config', line number '2'. The data field contains the error code.
    Help is very much appreciated.
    Valuable skills are not learned, learned skills aren't valuable.

     Unfortunately, all the links you provided didn't help.
     The first link contains 3 methods: 1. Removing the WinRM feature and reinstalling. 2. Rename the web.config file in location C:\inetpub\wwwroot. 3. Have you installed Microsoft Dynamics CRM 4?
     As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config, however, is found many times in the .NET Framework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
     The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when I open Exchange Management Shell I get this error: [sgp.ex1.mydomain.com] Connecting to remote server failed with the following error message: The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
     I do not think the problem is that the user is not remote PowerShell enabled, because the problem happened suddenly while I was making changes to the authentication settings of OWA (default) in Client Access in Exchange Management Console. If the user account were not remote PowerShell enabled, then I couldn't even have connected to EMC in the first place.
     The last link didn't help because I could open up modules under the PowerShell virtual directory in IIS.
     I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config are not well-formed XML, that might be a clue.
     In event ID 2307 this is the message:
     The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'.  The data field contains the error code.
    Valuable skills are not learned, learned skills aren't valuable.

  • GSSAPI SASL Kerberos authentication

     I have Sun ONE Directory Server 5.2 P4 installed on a Solaris SPARC system.
     For GSSAPI SASL Kerberos authentication to work, do I need to install a third-party GSSAPI plugin (like PADL's) or is it enough to use the GSSAPI plugin that comes with the Sun ONE bundle?
     I got this doubt after going through the following link:
     http://lists.fini.net/pipermail/ldap-interop/2005-March/000342.html. Please clarify.

    Hi Ludovic,
     I have fixed the Kerberos issue. I am getting the following messages from the access logs on the server while doing an ldapsearch:
     tail -f /var/Sun/mps/slapd-bf1r-dsun-1/logs/access
    [20/Feb/2007:05:53:35 -0700] conn=21 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
    [20/Feb/2007:05:53:35 -0700] conn=21 op=1 msgId=2 - UNBIND
    [20/Feb/2007:05:53:35 -0700] conn=21 op=1 msgId=-1 - closing - U1
    [20/Feb/2007:05:53:36 -0700] conn=21 op=-1 msgId=-1 - closed.
    [20/Feb/2007:05:56:18 -0700] conn=22 op=-1 msgId=-1 - fd=26 slot=26 LDAP connection from 10.7.30.185 to 10.7.30.16
    [20/Feb/2007:05:56:18 -0700] conn=22 op=0 msgId=1 - BIND dn="uid=tester1,ou=people,dc=test1,dc=com" method=sasl version=3 mech=GSSAPI
    [20/Feb/2007:05:56:18 -0700] conn=22 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
     From Ethereal I am getting the following message:
     ----- Lightweight Directory Access Protocol Header -----
     LDAP: SASL(-13): authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No error)
     My rootdse looks like this for GSSAPI:
    dn: cn=default,cn=GSSAPI,cn=identity mapping,cn=config
    objectClass: dsIdentityMapping
    objectClass: nsContainer
    objectClass: dsPatternMatching
    objectClass: top
    cn: default
    dsMatching-pattern: ${Principal}
    dsSearchBaseDN: ou=people,dc=cisco,dc=com
    creatorsName: cn=directory manager
    createTimestamp: 20070220045812Z
    dsMappedDN: uid=$1,ou=people,dc=test1,dc=com
    dsMatching-regexp: (.*)@(.*)
     modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
    modifyTimestamp: 20070220102553Z
    Please help on this.
    Thanks,
    Radhakrishnan

  • "Kerberos" authentication failed while trying to access EMC or EMS

    Salam,
     I have successfully installed Exchange 2010 SP1 in a transitional environment; the installation went smoothly without any problem and I've done most of the transitioning configuration from Exchange Server 2003 to Exchange Server 2010.
     Currently we're in the process of moving the mailboxes, but I've recently come across a problem which stopped all my work, and I can no longer continue with this transition unless it's solved.
     Sometimes when I try to access EMC or EMS I get the error below:
     The following error occurred while attempting to connect to the specified Exchange server 'afhmail.arabfinancehouse.com.lb':
     The attempt to connect to http://afhmail.arabfinancehouse.com.lb/PowerShell using "Kerberos" authentication failed: Connecting to remote server failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
     I've read most of the articles found on the internet, including
     http://msexchangeteam.com/archive/2010/02/04/453946.aspx, to try to troubleshoot this problem, but nothing has worked so far. I tried removing the WinRM IIS extensions as well, then adding them again with a restart, and nothing. I tried the Kerbauth dll removal; also nothing, and the problem keeps occurring and the situation is not stable.
     Also, I read in a KB article somewhere that if we have multiple domain controllers a single domain controller should be assigned on the Exchange Server (Organization Configuration, Server Configuration, Recipient Configuration), so I assigned the PDC to be selected by those configurations at startup, yet I am still facing the same problem.
     Again I emphasize that the problem comes and goes; at one time I can access EMS and at another it just gives me the Kerberos error.
    Thank you very much in advance,
    Kindest Regards.
    Abdullah Abdullah

    Hi Abdullah,
    Can you open the EMS?
    If yes, please run the WinRM QC and post the results here.
    If possible, please use another admin's account to log on to Exchange to try to open EMC.
    Frank Wang
    TechNet Subscriber Support
    in forum
    If you have any feedback on our support, please contact
    [email protected]
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • JNDI,AD,Kerberos Authentication, Windows

    Hi all,
    OS:
    Server: LDAP Server AD running on win2k server with KDC on the same machine
    Client: Sun's JNDI application on WinXP
     Scenario:
     I managed to make the well-known tutorial example (list 1) work well on both jdk1.4.2_05 and jdk1.5.1_02. The main steps can be summarized as
     step 1: Kerberos authentication with lc.login() based on JAAS
     step 2: Assume the identity of the authenticated subject
     step 3: Run the JNDI client application under this identity with Subject.doAs()
     Problem:
     It's very hard to force users to run their JNDI applications UNDER steps 1 & 2. As you know, step 3 is run by a spawned child thread, and for this reason it's very hard to convince users, including myself, to do SSO in this way. There should be a better way. Actually, the KDC's realm is built in such a way that all applications and computers under the same realm should be SSO Kerberos aware -- that is -- once the initial authentication is done, the assumed identity should be valid for the entire login session (usually 8~10 hours).
     Solution:
     Step 0: Create the client's user account 'testuser' on AD
     Step 1: Initially log in using the kinit command
     C:\> kinit test
     Password for testuser@REALM: mypassword
     New ticket is stored in cache file C:\Documents and Settings\abc\kerb5cc_abc
     Step 2: Run the JNDI client application (list 2)
    Error:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at JndiClientAction.main(JndiClientAction.java:61)
    javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]]
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.InitialContext.<init>(InitialContext.java:197)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at JndiClientAction.main(JndiClientAction.java:61)
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided]
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:174)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         ... 13 more
    Caused by: GSSException: No valid credentials provided
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:69)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:155)
         ... 14 more
    SOS:
     Can anyone pinpoint what's going wrong?
    Thanks in advance
    Spencer
    ------------------- LIST 1 -------------------
    import javax.naming.*;
    import javax.naming.directory.*;
    import javax.security.auth.login.*;
    import javax.security.auth.Subject;
    import com.sun.security.auth.callback.TextCallbackHandler;
    import java.util.Hashtable;

    /**
     * Demonstrates how to create an initial context to an LDAP server
     * using "GSSAPI" SASL authentication (Kerberos v5).
     * Requires J2SE 1.4, or JNDI 1.2 with ldapbp.jar, JAAS, JCE, an RFC 2853
     * compliant implementation of J-GSS and a Kerberos v5 implementation.
     *
     * Jaas.conf (the entry name must match the name passed to LoginContext below):
     *   racfldap.GssExample { com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true; };
     *
     * 'qop' is a comma separated list of tokens, each of which is one of
     * auth, auth-int, or auth-conf. If none is supplied, the default is 'auth'.
     */
    class KerberosExample {
        public static void main(String[] args) {
            java.util.Properties p = new java.util.Properties(System.getProperties());
            p.setProperty("java.security.krb5.realm", "MYCOMPANY.ORG");
            p.setProperty("java.security.krb5.kdc", "mydomaincontroller.mycompany.org");
            p.setProperty("java.security.auth.login.config", "C:\\WINNT\\jaas.conf");
            System.setProperties(p);

            // 1. Log in (to Kerberos) through the JAAS entry named in jaas.conf
            LoginContext lc = null;
            try {
                lc = new LoginContext("racfldap.GssExample", new TextCallbackHandler());
                // Attempt authentication
                lc.login();
            } catch (LoginException le) {
                System.err.println("Authentication attempt failed: " + le);
                System.exit(-1);
            }

            // 2. Perform JNDI work as the logged-in subject; the GSSAPI SASL
            //    mechanism takes its Kerberos credentials from this Subject
            Subject.doAs(lc.getSubject(), new LDAPAction(args));
        }
    }

    /**
     * 3. Perform LDAP Action.
     * The application must supply a PrivilegedAction that is to be run
     * inside a Subject.doAs() or Subject.doAsPrivileged().
     */
    class LDAPAction implements java.security.PrivilegedAction {
        private String[] args;
        private static String[] sAttrIDs;
        private static String sUserAccount = "testuser";

        public LDAPAction(String[] origArgs) {
            this.args = (String[]) origArgs.clone();
        }

        public Object run() {
            performLDAPOperation(args);
            return null;
        }

        private static void performLDAPOperation(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname (it becomes the ldap/<host> service principal name)
            env.put(Context.PROVIDER_URL, "ldap://mydomaincontroller.mycompany.org:389/DC=mycompany,DC=org");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            // Require mutual authentication, so the server proves its identity as well
            env.put("javax.security.sasl.server.authentication", "true");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",OU=mydivision,OU=Departments");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
    ------------------- LIST 2 ------------------------------
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.Hashtable;

    /**
     * Same LDAP lookup, but with no JAAS login and no Subject.doAs(), so the
     * GSSAPI SASL mechanism has no Subject to take Kerberos credentials from.
     * With Sun's JGSS this path only finds credentials when
     * -Djavax.security.auth.useSubjectCredsOnly=false is set and the JAAS
     * configuration has a "com.sun.security.jgss.initiate" entry; otherwise
     * GSSContext.initSecContext fails with "No valid credentials provided".
     */
    class JNDIClientAction {
        private static String[] sAttrIDs;
        private static String sUserAccount = "testuser";

        public static void main(String[] args) {
            // Set up environment for creating initial context
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Must use fully qualified hostname (it becomes the ldap/<host> service principal name)
            env.put(Context.PROVIDER_URL, "ldap://mydomaincontroller.mycompany.org:389/DC=mycompany,DC=org");
            // Request the use of the "GSSAPI" SASL mechanism
            // Authenticate by using already established Kerberos credentials
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                /* Create initial context */
                DirContext ctx = new InitialDirContext(env);
                /* Get the attributes requested */
                Attributes aAnswer = ctx.getAttributes("CN=" + sUserAccount + ",OU=mydivision,OU=Departments");
                NamingEnumeration enumUserInfo = aAnswer.getAll();
                while (enumUserInfo.hasMoreElements()) {
                    System.out.println(enumUserInfo.nextElement().toString());
                }
                // Close the context when we're done
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }
    }
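
    The "No valid credentials provided" failure in LIST 2 comes down to where the GSSAPI SASL mechanism gets its Kerberos credentials. The program below is an added example, not code from the original post or from Sun's JNDI tutorial. On a Sun/Oracle JDK it shows both wirings: an explicit JAAS login whose Subject is checked for a current TGT before Subject.doAs(), and the Subject-less path that only works with -Djavax.security.auth.useSubjectCredsOnly=false plus a com.sun.security.jgss.initiate JAAS entry. It also turns on mutual authentication and an auth-conf quality of protection. The JAAS entry names, the LDAP URL and the entry DN are assumptions; a reachable KDC (configured in krb5.conf or via -Djava.security.krb5.realm/-Djava.security.krb5.kdc) and an LDAP server with an ldap/<fqdn> service principal are required to run it.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

/*
 * Assumed jaas.conf, passed with -Djava.security.auth.login.config=jaas.conf
 * (entry names are this example's own choice, not from the original post):
 *
 *   LdapGssapiExample {                 // used explicitly via LoginContext below
 *     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
 *   };
 *   com.sun.security.jgss.initiate {    // run by Sun JGSS itself when no Subject is on the
 *     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;
 *   };                                  // thread and useSubjectCredsOnly=false is set
 */
public class LdapGssapiExample {
    // Placeholders (assumptions). Use the server's FQDN: the client turns it
    // into the ldap/<fqdn>@REALM service principal it asks the KDC for.
    private static final String LDAP_URL = "ldap://ldap.example.org:389";
    private static final String ENTRY_DN = "CN=testuser,OU=mydivision,DC=example,DC=org";

    /** Fail early, with a clear message, if the login left no usable TGT in the Subject. */
    static KerberosTicket requireTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.getServer().getName().startsWith("krbtgt/") && t.isCurrent()) {
                return t;
            }
        }
        throw new IllegalStateException("Subject holds no current krbtgt ticket; "
                + "the GSSAPI bind would fail with 'No valid credentials provided'");
    }

    static Hashtable<String, String> gssapiEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Mutual authentication: the server must prove it holds the ldap/<fqdn> key.
        env.put("javax.security.sasl.server.authentication", "true");
        // SASL security layer: integrity and confidentiality for the LDAP session.
        env.put("javax.security.sasl.qop", "auth-conf");
        return env;
    }

    static void readEntry(Hashtable<String, String> env) throws Exception {
        DirContext ctx = new InitialDirContext(env);   // the SASL GSSAPI bind happens here
        try {
            Attributes attrs = ctx.getAttributes(ENTRY_DN, new String[] {"cn", "objectClass"});
            NamingEnumeration<? extends Attribute> e = attrs.getAll();
            while (e.hasMore()) {
                System.out.println(e.next());
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        boolean noSubject = args.length > 0 && "nosubject".equals(args[0]);
        if (!noSubject) {
            // Mode 1: log in ourselves and run the JNDI work inside Subject.doAs().
            LoginContext lc = new LoginContext("LdapGssapiExample", new TextCallbackHandler());
            try {
                lc.login();
            } catch (LoginException le) {
                System.err.println("Kerberos login failed: " + le.getMessage());
                System.exit(1);
            }
            KerberosTicket tgt = requireTgt(lc.getSubject());
            System.out.println("TGT for " + tgt.getClient().getName() + " valid until " + tgt.getEndTime());
            try {
                Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
                    readEntry(gssapiEnv());
                    return null;
                });
            } catch (PrivilegedActionException pae) {
                throw pae.getException();
            }
        } else {
            // Mode 2: no Subject on the thread. Sun JGSS only finds credentials if
            // useSubjectCredsOnly is false, which lets it run the com.sun.security.jgss.initiate
            // entry itself; otherwise initSecContext fails exactly as in the posted trace.
            if (!"false".equals(System.getProperty("javax.security.auth.useSubjectCredsOnly"))) {
                throw new IllegalStateException(
                        "run with -Djavax.security.auth.useSubjectCredsOnly=false for nosubject mode");
            }
            readEntry(gssapiEnv());
        }
    }
}
```

    Run it as `java -Djava.security.auth.login.config=jaas.conf -Dsun.security.krb5.debug=true LdapGssapiExample` for mode 1 (the TGT is read from the ticket cache that kinit populated), or add `-Djavax.security.auth.useSubjectCredsOnly=false` and the argument `nosubject` for mode 2. The requireTgt() check separates "the JAAS login did not yield a TGT" from "the SASL bind failed", which the two stack traces in the post otherwise blur; if the server does not support a SASL security layer, drop the qop entry back to the default of auth but keep server.authentication=true.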

    Hi,
    these Notes will help you:
    Note 352295 - Microsoft Windows Single Sign-On options
    Note 595341 - Installation issues with Single Sign-On and SNC
    Note 1580808 - SAP Logon 7.20: "SNC logon w/o SSO" for connection entry
    http://help.sap.com/saphelp_nwes72/helpdata/en/44/0ea40dc6970d1ce10000000a114a6b/frameset.htm
    For Windows SAP servers please download the libs from note 352295.
    For Linux use the one on OS level (/usr/lib64/libgssapi_krb5.so).
    For Linux make sure that the krb5 rpm packages are installed:
    krb5-32bit.......
    krb5-...............
    krb5-client.......
    I hope this helps
    greetings
    oliver
