Sharing application security context

Similar Messages

• What is the security context when deploying application using SCCM 2012?

  As far as i know when using Group Policy the software is always installed under SYSTEM security context. However i cannot find any information related to SCCM 2012 (and deploying applications) security context.
  Also is there a difference in doing "Install for User" or "Install for Device/System"?
  Thanks

  Thanks. Just to confirm that if you use Group Policy and you Publish the msi for user when the user install it from Add/Remove Programs it is still going to be executed in SYSTEM security context?
  And while we are on this topic - is the above (about the security context in SCCM 2012) written anywhere in some official MS web page?
  Not sure about the context for Intellimirror, but for ConfigMgr it's as Ronnie and Torsten stated. This may be documented somewhere, not sure. Not everything is documented though -- in fact, I'd say less than 25% (probably less than 10%) of everything
  to be known about ConfigMgr is officially documented. Note that this is the same for any product -- there simply are far too many permutations and possibilities to document them all. 
  Jason | http://blog.configmgrftw.com

• Setting security context in sql*plus session

  Hi,
  For a SQL*Plus session under an account that doesn't have execute privileges on fnd_global, is there any way to set the application security context similar to the way fnd_global.apps_initialize does?
  For example, as APPS one can do this:
  <br>
  sqlplus apps/...
  SQL>  select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
  FND_USER_ID
  1 row selected.
  SQL> execute fnd_global.apps_initialize( ... );
  SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
  FND_USER_ID
  123456
  1 row selected.What I'd like to do is something like this ...
  <br>
  sqlplus scott/...
  SQL> ... call some EBizSuite procedure where I can supply or
  be prompted for an EBizSuite user name, password, and responsibility ...
  SQL> select SYS_CONTEXT('FND','USER_ID' ) as fnd_user_id from dual;
  FND_USER_ID
  123456
  1 row selected.

  Hi
  Is there any method to initialize the environment using Java API.
  how to call the function fnd_global.apps_initialize
  Can you explain the required parameters.
  Asheesh

• How to share security context between different application ?

  Hi all,
  I have two applications(ADF faces + BC, JDev 10.1.3.1) deployed into OAS 10.1.3.1.
  The two applications are :
  1) SalesApp -> main menu page = SalesMenu.jspx
  2) ReportApp -> main menu page = ReportMenu.jspx
  I want implement security using CustomLogin.
  The question is :
  How can I share security context between the applications ?
  What I mean is, from SalesMenu.jspx there is one menu item to jump into ReportMenu.jspx, and I want user no need to Login again, Login is once and the user is recognized in the two apps. How to achieve that ?
  Thank you for your help,
  xtanto

  Xtanto,
  actually you can't if these are separate J2EE application deployments. The session is not shared and thus the authentication is lost. I heard that OracleAs is planning to implement a feature that allows you to share the session and thus a context between two J2EE deployments. I am not 100 % sure this is the case and will check with OC4J Product Management
  Frank

• Cannot start my application in a secure context

  Hi
  I have a problem starting my client in a secure context when I use a library that uses commons-logging. (And that are quite a lot)
  Exception in thread "AWT-EventQueue-0" java.lang.ExceptionInInitializerError
  at org.springframework.util.ClassUtils.<clinit>(Class Utils.java:73)
  at org.springframework.core.io.DefaultResourceLoader. <init>(DefaultResourceLoader.java:52)
  at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
  at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
  at java.awt.EventDispatchThread.run(Unknown Source)
  Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission org.apache.commons.logging.LogFactory.HashtableImp l read)
  at java.security.AccessControlContext.checkPermission (Unknown Source)
  at java.security.AccessController.checkPermission(Unk nown Source)
  at java.lang.SecurityManager.checkPermission(Unknown Source)
  at java.lang.SecurityManager.checkPropertyAccess(Unkn own Source)
  at java.lang.System.getProperty(Unknown Source)
  at org.apache.commons.logging.LogFactory.createFactor yStore(LogFactory.java:320)
  at org.apache.commons.logging.LogFactory.<clinit>(Log Factory.java:1725)
  ... 34 more
  private static final Hashtable createFactoryStore() {
  Hashtable result = null;
  -- > Line 320 String storeImplementationClass
  = System.getProperty(HASHTABLE_IMPLEMENTATION_PROPER TY);
  if (storeImplementationClass == null) {
  storeImplementationClass = WEAK_HASHTABLE_CLASSNAME;
  I do not get the Problem If I sign the jars and use the 'permision-all' tag in my jnlp, but that is not what I want.
  The problem seems to be that I cannot read SystemProperties.
  Can that be configured somehow?
  Does anyone have an idea how to overcome that problem ???

  Hi
  For me it smells like hardware fault.
  I can imagine that some part like CPU or maybe the GPU died.
  Why? I dont think that someone would be able to provide you an proper explanation
  However, since your notebook is really new, the unit should be fixed free of charge.
  Get in contact with an local Toshiba authorized service provider and ask for assistance.
  Other option might be the notebook dealer who sells this unit.
  Maybe you could replace it with another new one.

• Shared Application File System.

  After moving to shared application tier in production
  In $IAS_ORACLE_HOME/Apache/Apache/conf I see the security.conf file has version security_ux_ias1022.conf 115.25 2009/04/23 10:04:40 mmanku ship $
  but in $CONFIG_TOP/Apache/Apache/conf the sercurity.conf file has the following version security_ux_ias1022.conf 115.29 2009/12/21 05:56:02 sbandla ship $
  Which top does oracle use ?
  why is the shared IAS Home have a lower version of than the CONFIG_TOP
  why does not the one which is not used gets deleted?

  Hi;
  Please check below notes which could be helpful for your issue:
  Explanation of Context Variables for Shared Application File System in R12 and 11i [ID 1070152.1]
  Sharing the Application Tier File System in Oracle Applications Release 11i [ID 233428.1]
  If its not help i suggest rise SR while you are waiting other forum users response here
  Regard
  Helios

• The server principal "XYuser" is not able to access the database "Ydb" under the current security context

  SQL2005 on winserver 2003. I have a view in Xdb that accesses tables in 2 different databases (Xdb and Ydb) on the same server. I have mixed mode security. I have a SQL user (XYuser) that has read access to all tables and views on both databases, yet when I try to access the view using a C# windows application I get the following error:
  The server principal "XYuser" is not able to access the database "Ydb" under the current security context
  This same scenario works under SQL 2000. I looked through the postings and tried to set TRUSTWORTHY ON on both databases but that didn't help. I can access any other views or tables on the SQL 2005 server, just not the one that joins the tables cross databases. Any help is much appreciated... john

  This appears to be a Login/Database Mapping issue.  I was having this problem, but was able to resolve it as follows:
  Using the SQL Server management Studio:
  In the Object explorer, under the SERVER security folder (not the database security folder), expand Logins. 
  That is: ServerName -> Security -> Logins
  NOT: ServerName -> Databases -> DatabaseName -> Security -> Users
  Select the Login that is having the troubles.  Right click on the Login and select ‘Properties.’
  The ‘User Mapping’ page should list all databases on the server with a check mark on the databases that the Login has been mapped to.  When I was getting the error, the database in question was not checked (even though the Login was assigned as a User on the database itself).  Map the Login by checking the box next to the database name.  Set the default schema.  Then select the roles for the Login in the Database role membership list box.  I selected db_datareader and public.  After clicking OK to save the changes, the problem was resolved.
  In order to ‘Map’ the Login, the Login must not already be as User on the database, so you may have to go to the database security (ServerName -> Databases -> DatabaseName -> Security -> Users) and delete the Login from the list of database Users before mapping the Login to the database.

• Current Security Context Not Trusted When Using Linked Server From ABAP

  Hello,
  I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
  The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
  Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
  That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
  EXEC SQL.
     SET XACT_ABORT ON
     DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
  ENDEXEC.
  The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
  The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
  I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
  What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
  Any insight someone could offer on this thorny problem would be most appreciated.
  Best regards,
  Matt

  Good news! We have got it to work. However, we did it in something of
  a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
  At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we
  reference the tables in SAP via the Linked Server defined on the remote
  server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
  So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
  Then, in our ABAP code, we simply do something along the lines of
  exec sql.
     set connection 'REMOTE'
  endexec.
  exec sql.
     connect to 'REMOTE'
  endexec.
  exec sql.
     insert into REMOTE_TABLE
        select * from SAPSERV.SID.sid.SAP_TABLE
  endexec.
  exec sql.
     commit
  endexec.
  exec sql.
     disconnect 'REMOTE'
  endexec.
  This is, of course, a test program, but it demonstrated that it worked,
  and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
  I don't know if this solution will have applicability to any other customers, but it works for us, for now.
  SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
  Best regards,
  Matt

• How can Manage Permissions for DB in Shared Services Security Mode

  In shared services security mode, after provisioning users for Essbase applications, only can assign database calculation and filter access. How can I grant permissions "Access Databases" like in native mode?

  Essbase will be default be in shared services security mode in 11.1.2, the wizard will not migrate security when in this mode.
  It is possible to revert it back but if you don't know the process then it is worth looking at alternatives first.
  You could use LCM to export the provisioning and then import into your target environment.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• How to pass the security context between different OC4J servers

  My problem is the following: it seems that there is no standard J2EE solution in a production environment with more than one J2EE application server products to pass the security context between different J2EE application servers.
  I have a distributed application on two different OC4J servers, let's say that we have the web layer (with servlets) deployed on a server instance Server1 and the EJBs deployed on a second OC4J server Server2. If an user is authenticated at the web tier (in Server1) it gets a Principal object. It seems that the same Principal object cannot be used for authorization in the second application server, Server2. This means that in the server Server2 the authentication should be done again. It means that it should be duplicated the mechanism for authentication on Server2 (together with the passwords, users, and so on), thing that is a clear disadvantage of this approach.
  Do you know if there is a specific OC4J solution for this approach?
  Thank you,
  Marinel

  I have a simmilar issue? Did you succeeded to find a solution?

• Shared Services Security Migration

  Hi All,
  I need to migrate Shared Services Security from one server to another server(applications already migrated).
  Can you please let me know if we copy essbase.sec file will it work, or any other process we need to follow.
  Thanks,
  Pinky

  Dear Pinky,
  As John just mentioned - it depends a bit on the version that you use as well (11.1.2 is different from 11.1.1.3.x is different from 9.x)
  but you may find useful information in these guides:
  http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_security.pdf
  http://download.oracle.com/docs/cd/E12825_01/epm.111/epm_backup_recovery.pdf
  The CSSImportExport utiity is documented within its own zip folder on your installation of HSS (if you are using version 11.1.1.x)
  Basically you can think of the process as a backup and restore on a different machine.
  The complete list of steps is way too detailed and complex and touches too many sensitive areas to handle it in a thread here.
  (especially as I do not know the versions of HSS/Essbase, the OS or the scope of this migration)
  best regards
  Torben

• Cisco asa security context active/active failover

  Hi,                  
  I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
  Each ASA appliance will have two security context named "ctx1" & "ctx2".
  I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
  I am a reading a book on failover configuration in active/active in that below note is mentioned.
  If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
  What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
  Regards,
  Nick

  Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

• Security context issue when executing a SQL command in SQLCMD

  Simplified core issue below:
  I have myscript.sql that has:
  SELECT name FROM Sys.Databases
  GO
  USE mydatabase
  GO
  EXEC mystoredprocedure 'myparameter'
  GO
  When I open cmd.exe and use:
  SQLCMD -S localhost\myinstance -i script.sql
  It executes fine.
  When I open cmd.exe in C# using the Process class and execute the same command I get the following error:
  name
  master
  tempdb
  model
  msdb
  mydatabase
  (5 rows affected)
  Msg 916, Level 14, State 1, Server localhost\myinstance, Line 1
  The server principal "NT AUTHORITY\SYSTEM" is not able to access the database "mydatabase" under the current security context.
  Msg 2812, Level 16, State 62, Server localhost\myinstance, Line 1
  Could not find stored procedure 'mystoredprocedure'.
  And now the detailed explaination:
  I created an MSI which installs my custom application.
  During the bootstrap process, SQL Server 2012 Express is installed using the following parameters:
  /INSTANCEID="SQLEXPRESS"
  /ACTION="Install"
  /FEATURES=SQLEngine,Replication
  /HELP="False"
  /INDICATEPROGRESS="False"
  /Q="True"
  /QS="False"
  /ROLE="AllFeatures_WithDefaults"
  /ENU="True"
  /ERRORREPORTING="False"
  /SQMREPORTING=0
  /INSTANCENAME="SQLEXPRESS"
  /AGTSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
  /AGTSVCSTARTUPTYPE="Disabled"
  /ISSVCSTARTUPTYPE="Automatic"
  /ISSVCACCOUNT="NT AUTHORITY\NetworkService"
  /ASSVCSTARTUPTYPE="Automatic"
  /ASCOLLATION="Latin1_General_CI_AS"
  /ASDATADIR="Data"
  /ASBACKUPDIR="Backup"
  /ASTEMPDIR="Temp"
  /ASCONFIGDIR="Config"
  /ASPROVIDERMSOLAP="1"
  /SQLSVCSTARTUPTYPE="Automatic"
  /FILESTREAMLEVEL="0"
  /ENABLERANU="True"
  /SQLCOLLATION="SQL_Latin1_General_CP1_CI_AS"
  /SQLSVCACCOUNT="NT Authority\Network Service"
  /SECURITYMODE="SQL"
  /ADDCURRENTUSERASSQLADMIN="True"
  /RSSVCACCOUNT="NT AUTHORITY\NETWORK SERVICE"
  /RSSVCSTARTUPTYPE="Automatic"
  /RSINSTALLMODE="FilesOnlyMode"
  /HIDECONSOLE
  /IACCEPTSQLSERVERLICENSETERMS
  /SAPWD="***************"
  The MSI then executes an Installer class DLL written in C# which restores a database to the SqlExpress instance.
  When the restore is completed, the Installer class then uses the Process class to launch CMD.exe and execute the SQL script using SQLCMD.
  Process vProcess = new Process();
  ProcessStartInfo vStartInfo = new ProcessStartInfo("cmd.exe");
  vStartInfo.Arguments = "/c set path=%path%;" + Context.Parameters["TargetDir"] + "\\; && sqlcmd -S LocalHost\\myinstance -i myscript.sql";
  vProcess.StartInfo = vStartInfo;
  vProcess.Start();
  vProcess.WaitForExit(30000);
  This is where I get the error mentioned above.
  However if I execute the same command manually by opening CMD.exe from the RUN command, it executes perfectly.
  I can not use -U or -P to supply a user / password, I MUST use integrated security.
  Additional info:
  Previously SQL Server 2008 Express has been in use for the bootstrapper, and this issue did not occur.
  The database the MSI restores is also built from SQL Server 2008. (Will be built from 2012 in the future.)
  Installation is performed on an account with administrative rights.
  Running the installer AS Administrator does not fix the issue.
  Any help would be greatly appreciated, as well please let me know if additional info is required.
  Thank you

  I'm having a similar issue where I'm using a batch file to execute commands to a group of servers. I can use the batch commands when updating MyDatabase but get the security context error when I try to update MyDatabase with a join to TheirDatabase except
  on servers where I am sysadmin.   Like I said, I can update MyDatabase as long as I don't join to TheirDatabase.
  Update A
  Set A.CCMCoderStaffSID = IsNull(B.StaffSID, -1)
  From MyDatabase.[R_Encounter].[VejdPfcsLinkageDataF19610x5] A
  Left Join ThierDatabase.Staff.Staff B on
  A.Sta3n = B.Sta3n and A.[CCMCoderF200IEN]= B.StaffIEN
  Error:
  Msg 916, Level 14, State 1, Server R04PHIDWH58, Line 1
  The server principal "MyDomain\ME" is not able to access the database "TheirDatabase" under the current security context.
  Line from batch:
  sqlcmd -S Server54 -d MyDatabase -i D:\ETLDevelopment\R04\Me\querytools\%RAWTablesScript%  -o D:\ETLDevelopment\R04\Me\UpdateSIDV1.txt

• Shared applications among user profiles?

  My wife and I have separate user profiles for our home computer. When I upload photos she can not access them from iPhoto unless she is logged in to my profile. The same is true for me if she uploads photos.
  Is there a way for us to have a universal or shared applications (at this time, specifically iPhoto) across multiple profiles?

  What you mean by 'share'.
  If you want the other user to be able to see the pics, but not add to, change or alter your library, then enable Sharing in your iPhoto (Preferences -> Sharing), leave iPhoto running and use Fast User Switching to open the other account. In that account, enable 'Look For Shared Libraries'. Your Library will appear in the other source pane.
  Any user can drag a pic from the Shared Library to their own in the iPhoto Window.
  Remember iPhoto must be running in both accounts for this to work.
  If you want the other user to have the same access to the library as you: to be able to add, edit, organise, keyword etc. The problem here is that OS X works very hard to keep your data safe and secure from the other users. You're trying to beat what's built in to the system. So, to beat the system
  Quit iPhoto in both accounts
  Move the iPhoto Library Folder to an external HD set to ignore permissions. You could also use a Disk Image or even partition your Hard Disk.
  In each account in turn: Hold down the option (or alt) key and launch iPhoto. From the resulting dialogue, select 'Choose Library' and navigate to the new library location. From that point on, this will be the default library location. Both accounts will have full access to the library, in fact, both accounts will 'own' it.
  However, there is a catch with this system and it is a significant one. iPhoto is not a multi-user app., it does not have the code to negotiate two users simultaneously writing to the database, and trying will cause db corruption. So only one user at a time, and back up, back up back up.
  Lastly: This method seems a little clunky at first, but works very well. Most importantly, it uses the System to do the job for you.
  Create a new Account on your Mac, call it Media. Create an iPhoto Library there. (BTW: This will work for iTunes too.)
  Enable Sharing on the Library:(Preferences -> Sharing), leave iPhoto running and use Fast User Switching to open the other accounts. In those accounts, enable 'Look For Shared Libraries'. The Library will appear in the other source pane.
  This means that both users will be able to see the pics. If you want to use a pic then simply drag it from the shared Library to your own in the iPhoto Window. This means that each user can have their own edits.
  If you want to add photos to the Library: Log into the Media account for that purpose.
  To make it all seamless: Set your Mac to log into the Media Account automatically. Set iPhoto to launch on log-in. Then switch to your own account using Fast User Switching.
  Net result: a Library that's permanently available to all users but also protected. Each user can have their own versions of the pics if they want.
  No partitioning, no permissions issues. Uses no extra disk space. What's not to like?
  Regards
  TD

• Using NT Security Context with JNDI to talk to AD

  Hello all,
  Is there a way in JNDI to connect to Active Directory using the current NT Security Context like ADSI does?
  I want to run a Java program as a service under Win2k.
  I want to assign a user for it to run as (on service start).
  When the program is executing, I need to access AD (wish it wasn't so, but out of my hands), preferrably with JNDI, to read/write data.
  I would like to be able to connect without having to set SECURITY_AUTHENTICATION to "simple" and providing a username and password since as a service, I don't want to interract with the desktop.
  In ADSI, I could set the ADS_SECURE_AUTHENTICATION flag and it would use the NTLM to access AD.
  Is there something similar in JNDI? I've searched the forums, but have only found examples of people using JAAS and GSSAPI (which requires entering a username/password and authenticating against a Kerberos realm) or simple authentication (which requires entering a username/password).
  Any help would be appreciated.
  Regards,
  plb

  Thanks schmid03,
  FYI, I am on Win2K Advanced Server running J2SDK 1.4.0_01.
  Tried changing the conf file, but still a no go. Here's what's happening now...
  Get a pop-up window titled "16 bit MS-DOS Subsystem"
  Message: c:\WINNT\system32\ntvdm.exe Error while setting up environment for the application. Choose 'Close' to terminate the application.
  Buttons: Close, Ignore
  after calling "lc.login ();"
  but then I can get the Subject and print out Principal (name) and it is correct.
  However, in JNDI call "new InitialDirContext ();" I receive:
  GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
  at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:142)
  at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
  at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
  at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
  at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:59)
  at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:36)
  at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
  at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
  at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
  at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:160)
  at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:324)
  at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:374)
  at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:190)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2516)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:263)
  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:76)
  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
  at javax.naming.InitialContext.init(InitialContext.java:219)
  at javax.naming.InitialContext.<init>(InitialContext.java:195)
  at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
  at Test$MyAction.run(Test.java:196)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Subject.java:319)
  at Test.go(Test.java:132)
  at Test.main(Test.java:73)
  I'll check these new messages against other posts in the forum to see if there are similar problems...
  If anyone already knows this problem and a fix, please enlighten.
  Regards,
  plb