Regarding Kerberos authentication for webservices.

Similar Messages

• Configuring Kerberos authentication for SSRS in native mode - SSRS 2008 R2-2012

  Hi,
  I've a SSRS native mode installation on a server and a SSAS installation on another server.
  In order to configure the Kerberos authentication for SSRS native mode, I need to register one SPN for the report server service, one SPN for SSAS service and to configure SSRS to use the negotiate authentication type, isn't it?
  Thanks

  Hi pscorca,
  If we have applications that only use Kerberos authentication and we are using RSWindowsNegotiate AuthenticationType, we must create a Service Principal Name (SPN) for the Report Server service if we configure it to run as a domain user account.
  Before setting up constrained delegation, we must register a
  Service Principle Name (SPN) for the Analysis Services instance. We will need the Analysis Services SPN when configuring Kerberos constrained delegation for middle tier services.
  There is a document about Enabling Kerberos Authentication for Reporting Services, you can refer to it.
  http://blogs.technet.com/b/rob/archive/2011/11/23/enabling-kerberos-authentication-for-reporting-services.aspx
  Hoe this helps.
  Regards,
  Alisa Tang
  Alisa Tang
  TechNet Community Support

• OSB: HTTP digest authentication for WebServices

  Hi,
  How do I configure HTTP digest authentication for WebServices offered by the OSB (Proxy Services with WS as transport)?
  Best regards
  Dimo

  Did you figure out how to do it.?

• Enable Kerberos Authentication for OWA only

  Hi guys,
  Having a customer that asked me if we can enable Kerberos Authentication for OWA only?
  When reading various blogposts (official and unofficial sources) it seems that this is done for the whole CASArray which means every vdir right? Is this so and shall we instead aim for using kerberos for both MAPI/Outlook Anywhere and OWA?
  Found this for MAPI clients: http://blogs.technet.com/b/exchange/archive/2011/04/15/recommendation-enabling-kerberos-authentication-for-mapi-clients.aspx
  This seems to be more complicated?

  Hi Fredrik,
  Base on my search , I found an article which may give you some hints:
  OWA publishing using Kerberos Constrained Delegation method for authentication delegation
  This article is to show case how you would configure kerberos constrained delegation method for authentication delegation .We would use the OWA publishing post as reference.
  Best regards,
  Niko Cheng
  TechNet Community Support

• Authentication for Webservice

  Hi All,
  I have exposed my outbound interface as a webservice sucessfully
  But the problem is I need to provide a User Id  to contact XI SOAP adapter. I dont require any authentication for this webservice client. How can I disable the authentication check for this particular webservice.
  I have seen some forum posts, which suggested me to make some modification in web.xml which will disable auth for all webservices. Is it possible for me to disable the authentication check only for this particular webservice?
  Regards,
  Jai Shankar

  Jai,
  ><i>How can I disable the authentication check for this particular webservice.</i>
  Check this thread. But this will turn of Authentication for all SOAP Sender Adapters.
  User Names and Passwords in SOAP adapter
  ><i>I have seen some forum posts, which suggested me to make some modification in web.xml which will disable auth for all webservices. Is it possible for me to disable the authentication check only for this particular webservice?</i>
  Its either for all SOAP adapters or for none . there is no middle ground.
  Better way is to use Access Control List.
  Regards
  Bhavesh

• Kerberos Authentication for EP 7.0 Portal

  We are implementing Kerberos Authentication on our EP7 Portal. In our landscape we have
  2 main domains (US & INTL). In each of the domain we have several domain controllers (more than 10 each). We had the following queries:
  1) We have a mix of domain controllers running on win 2000 and win 2003. Will this cause any issue with the SPNego configuration?
  2) Since we have more than 10 DCs in each domain do we need to add all the DCs as KDCs in the step 2 of SPNego wizard?
  System Details
  1) Portal Version à EP7 SP13
  2) Operating System à SunOS (sparcv9) 5.9
  3) LDAP à MS ADS
  4) DB à Oracle 10.2.0.2.0 - 64bit
  Thanks.

  Hi Lisandro,
  For Q1:  I don't think there should be a problem with the mixture of DCs types.
  For Q2: You only need to configure one DC in the wizard (a W2003 server may be the best choice). This is just the DC that the wizard talks to during configuration.
  Hope this helps,
  Darren

• Kerberos Authentication for Oracle 9i ODBC

  Hi,
  I want to connect to Oracle 9i database through ODBC with Kerberos Authentication. Can any one able to provide some document/Sample Code/Web Resource ???
  Thanks,
  Zahir

  Hi,
  I want to connect to Oracle 9i database through ODBC with Kerberos Authentication. Can any one able to provide some document/Sample Code/Web Resource ???
  Thanks,
  Zahir

• User authentication for webservices

  Hi,
  I am using Oracle R12.
  I want to know how oracle handles user authentication when calling custom APIs through Integrated SOA Gateway.
  I know that we are using security headers to do this.  The header part is given below.
     <soapenv:Header>
       <xx:SOAHeader>
          <xx:Responsibility>INVENTORY_VISION_OPERATIONS</xx:Responsibility>
          <xx:RespApplication>INV</xx:RespApplication>
          <xx:SecurityGroup>STANDARD</xx:SecurityGroup>
          <xx:NLSLanguage>AMERICAN</xx:NLSLanguage>
          <xx:Org_Id>204</xx:Org_Id>
       </xx:SOAHeader>
       <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:UsernameToken wsu:Id="UsernameToken-1">
             <wsse:Username>uname</wsse:Username>
             <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</wsse:Password>
             <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">rerr6et6eHFV</wsse:Nonce>
             <wsu:Created>2013-02-13T08:58:50.649Z</wsu:Created>
          </wsse:UsernameToken>
       </wsse:Security>
    </soapenv:Header>
  But when a person is simply logging in to the application how can we choose a responsibility without know what responsibilities a person has?
  The  <xx:SOAHeader></xx:SOAHeader> is not mandatory. So can i simply not pass this header? Or is there a default responsibility that can be specified for all users?
  Also in what scenarios is the <wsse:Security> header not required? I recently checked and found that even without providing the Security header, it is possible to execute service in ISG. Hence the question.
  Thanks,
  Anoop

  Hi,
  Ok, so you want to know for an user , what responsibility you should use in order to be able to perform the invocation?
  Here is an example for Sysadmin user
  Select usr.user_name,usr.user_id, resp.RESPONSIBILITY_NAME ,
  resp.RESPONSIBILITY_KEY, grp.SECURITY_GROUP_KEY, grp.SECURITY_GROUP_ID,
  APP.APPLICATION_SHORT_NAME ,APP.APPLICATION_ID
  From FND_USER_RESP_GROUPS furg, FND_USER usr, fnd_responsibility_vl
  resp,FND_SECURITY_GROUPS grp,FND_APPLICATION APP
  where furg.user_id=usr.user_id
  and furg.RESPONSIBILITY_ID=resp.RESPONSIBILITY_ID
  and furg.SECURITY_GROUP_ID=grp.SECURITY_GROUP_ID
  and furg.RESPONSIBILITY_APPLICATION_ID=APP.APPLICATION_ID
  and usr.user_name='SYSADMIN'
  regards
  Mihai

• Kerberos authentication for Excel Services

  Hi,
  I am configuring Keberos for Excel Service Application and facing some issue. Things i have done so far:
  Configured web application to use Kerberos: Verified it from server authentication logs, klist and net mon that web application is using kerberos.
  Excel service Account: domain\ExcelSVA
  SQL server service account: domain\SQLSERV
  C2WTS account : domain\C2wts
   set spn on in using setspn - s sp/excelservices domain\ExcelSVA and delegated constarined authentication to domain\SQLSERV
  then setspn - s sp/c2wts domain\C2wts and delegated constrained authentication to domain\SQLSERV.
  C2WS account has impersonate identity ,logon as service and act as part of OS rights in app servers where excel and c2wt are running 
  Now when i try to refresh data i get error :The data connection uses Windows Authentication and user credentials could not be delegated.
  The following connections failed to refresh: SQLServername port, databasename
  http://technet.microsoft.com/en-us/library/ff487975.aspx
  First 3 errors don't apply to me since i cant see these errors in SP log files and my sharepoint and database servers are in same domain.
  For UPN, there is a email id assoisated with account that i am using and i have been using that email id to logon to other services in my company so UPN should be done too.
  The Excel Services service account must have Active Directory permissions to query the object. Now this got me confusing. Where do i actually
  give this? In sql server or AD? Which object does it need to query? The excel database in sql server. If it is so, then the permission needs to be granted on sql .
  Also this link http://social.msdn.microsoft.com/Forums/en-US/99a3cf4f-dabc-4ac9-9ea8-afa677199ffa/kerberos-and-excel-services?forum=sharepointgeneralprevious
  Microsoft solution described here is weired. I don't think sql server has c2wts or excel service application started on it. And from drop down list that is i don't know what is the solution talking of.
  Does any one have any idea if i am missing any delegation or any step?
  sachin

  Any idea??
  sachin

• Digest authentication for webservices

  Hi,
  Does WLS9.2 support digest authentication?
  protocol described in RFC 2617 (http://www.ietf.org/rfc/rfc2617.txt)
  Thanks

  Did you figure out how to do it.?

• Kerberos Authentication Failure for POP3 After Upgrading to 10.6.5

  So I just upgraded from 10.6.4 to 10.6.5 and now Kerberos authentication for POP3 from Mail fails. Kerberos authentication for SMTP outgoing mail is just fine, it's only POP3 incoming mail that fails to authenticate. POP3 Kerberos authentication still works fine for the same account from another machine running 10.5.8. The mailaccess.log file contains the following:
  Nov 23 15:36:59 server master[423]: about to exec /usr/bin/cyrus/bin/pop3d
  Nov 23 15:36:59 server pop3[423]: executed
  Nov 23 15:37:00 server pop3[423]: accepted connection
  Nov 23 15:37:00 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Major Error (1): A token was invalid (gssaccept_seccontext)
  Nov 23 15:37:01 server pop3[423]: Minor Error (1): Token header is malformed or corrupt (gssaccept_seccontext)
  Nov 23 15:37:04 server pop3[423]: badlogin: FQDN [192.168.0.4] GSSAPI
  Nov 23 15:37:04 server master[52]: process 423 exited, status 0
  The server is running Mac OS X Server 10.4.11 and cannot be upgraded any further than as it is ancient hardware.
  Any thoughts?
  Cheers,
  Derek

  Makes perfect sense to me that ending one session by logging out enables him to begin a new session by logging back in. I give the young man credit for figuring out how to get around this deficiency in Parental Controls, as, deep down, I'm sure you do, too.
  If you can't trust him to stick to his agreed upon half an hour a day, you can always (threaten to) lock him out of the computer for 23.5 hrs/day using the Bedtime settings. ; )

• Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

  I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
  Given below are the steps of installation and configuration.
  Installation till basic authentication:
  The installation has been done in a
  single server.
  Installed SQL Server 2012 (Developer version).
  Selected only the following features:
  Database Engine Services
  Analysis Services
  Reporting Services – SharePoint
  Reporting Services Add-in for SharePoint Products
  Management Tools – Basic
  - Management Tools - Complete
    2. Installed SQL Server 2012 SP1.
    3. Installed SQL Server 2012 SP2.
    4. Installed SharePoint Foundation 2013.
    5. Created web application (without Kerberos; we did not even create the SPNs).
        The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
  account.
    6. Created Site Collection.
    7. Verified that Reporting Services is not installed.
    8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
    9. Verified that Reporting Services is installed.
   10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
    11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
    12. Created a Site.
    13. Created a Data Connection library with “Report Data Source” content type.
    14. Created a Report Model library with “Report Builder Model” content type.
    15. Created a Report library with “Report Builder Report” content type.
    16. Uploaded an SMDL to the Report Model library.
    17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
    18. Able to create and save a report using Report Builder.
  Hence, basic authentication is working and SSRS is able to connect to Oracle database.
  Next we have to configure Kerberos settings between SharePoint and SQL Server.
  Implementation of Kerberos authentication
  In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
  and RSWindowsKerberos.
   2.  Set up the following SPNs.
                 a) SQL Server Database Engine service (sqlDbSrv2):
                  setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                  setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
               In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
  b) Account: SharePoint Setup Admin account (spAdmin2)
       setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                  setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                  In the Delegation tab of the account, selected "Trust this user for delegation to any  service
  (Kerberos only)".
  c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                     setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                     setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                     In the Delegation tab of the account, selected "Trust this user for delegation to any service
  (Kerberos only)".
    3. Configure the Web Application to use “Negotiate (Kerberos)”.
    4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
       The Event Viewer logged the login process for the SharePoint Administration account as
  Negotiate and not Kerberos.
    5. Implemented Kerberos for Oracle database and client.
       Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
    6. Turn on Windows Firewall.
    7. While testing the site's data connection using Kerberos settings, got the error
  “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
        Note: The Data Connection for basic authentication still worked.
    8. Created a Claims to Windows Token Service account (spC2WTS2).
    9. Started the Claims to Windows Token Service.
   10. Registered the Claims to Windows Token Service account as a Managed Account.
   11. Changed the Claims To Windows Token Service to use the above managed account.
   12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
        Note: The Reporting Services service account is also a part of the WSS_WPG local group.
   13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
   14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
   15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
        When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
  added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
   16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
   17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
        Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
   18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
        For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
  any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
        Note: The Reporting Service account already had an HTTP SPN.
   19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
  authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
   20. Restarted the SharePoint server.
   21. Tested the data connection with the Kerberos settings again.
         Got the error
  “ORA-12638: Credential retrieval failed”.
  Can anyone tell me what is wrong with this setup?

  http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
  Problem4: ORA-12638: Credential retrieval failed
  Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
  Do check 
  http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
  If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

• Issue in confuguration of Kerberos authentication

  Hi all
  We are trying to configure Kerberos authentication for single sign-on on a SAP WAS 6.40 Java System. We configured the Kerberos using SPNEGO wizard. After configuring when we tried to login to UME, but it prompted for Username and Password which confirms that single sign on is not working.
  In default trace file we got the following info
  i. Key for the principal [email protected] not available in default key     tab
  ii. [Krb5LoginModule] authentication failed
       Unable to obtain password from user
  iii. Login module com.sun.security.auth.module.Krb5LoginModule from authentication stack com.sun.security.jgss.accept does not authenticate the caller.
  iv. LOGIN.FAILED
      Unable to obtain password from user
  1. Why password cannot be obtained from user?
  2. Is there a default keytab other than the one created by the spnego wizard?
  3. If there is one, then can we add the key for [email protected]  in         that file and how?
  4. How can this be resolved?
  Regards
  Deepu

  Your log files are recording an authentication error, so that usually means your login information is incorrect, or just corrupted. Try reseting your Kerberos password, and if that doesn't work, double-check your Kerberos connectivity and configuration settings.

• Real time collaboration issue after Kerberos authentication setup

  Hi,
  We are using SPNego (kerberos) authentication for our portal (EP 7.0 SP10). When user clicks on log off link, he comes back to the portal home page again so there is no way for the user to log off from the portal. I don't see this as a problem for the users who are not having access to collaboration. But for the users having access to collaboration, when they login to the portal second time (before expiry of the first login session which they couldn't close as log off is not working), they get warning stating
  "You are logged to the same portal already. Real-time collaboration capabilities will not be available in the current portal session until you terminate the other session and then restart this one by refreshing the browser or logging on again."
  How to resolve this?
  Helpful answers will be rewarded
  Regards,
  Chandra

  Most people set the logoff link to a URL which contains soem javascript which closes the browser.
  Paul

• Using Kerberos authentication on Forms and Reports version 11.1.2

  Hi
  I have configured Kerberos authentication for Forms on the server and it works fine, but I cannot get it to work for Reports.
  When I access the database for Forms I use a connect string that looks like this: /@tns_name The Forms server is running using a domain user and the database user is externally identified. It just works.
  I have tried the same for Reports but it is not accepted. In the URL I have written userid=/@tns_name and the Reports server then asks for user id and password with a pre filled tns_name. I have tried to put the userid parameter in cgicmd.dat but the result is the same. Even enabled SSO in rwservlet.properties using singlesignon>yes</singlesignon> but it just do not work.
  I have bounced the server every time I have made a change to be absolutely that the changes had taken effect.
  The question is: How do I tell the Reports server that I do not want to apply user id and password but just the tns_name, like /@tns_name
  I know Kerberos authentication is not an area that is well known and I have spent hours over the years to find out how to make the configuration work.

  Questions regarding version compabilities come up quite often, yet the answer is still the same: have a look at the certification matrix http://www.oracle.com/technetwork/developer-tools/forms/oracle-forms-11gr2certmatrix-519680.xls
  for installation instructions on your chosen platform have a look at the installation manual: http://docs.oracle.com/cd/E24269_01/doc.11120/e23960/toc.htm
  What do you plan to do with SOA suite? This isn't needed for forms&reports.
  cheers