Smartcard auth errors

Similar Messages

• Auth Error in BW while executing a query with Company hierarchy

  Hi All,
  I have an issue in BW Reporting auth objects.. Hope to get resolved here.
  We are using BI 7.0. However We  are still using the Reporting auth objects for fiield level security. We are having a problem while executing a query with company code hierarchy ,which is built on a multiprovider.
  The Background is as below
  Multiprovider: ZM_CD01 with 5 infocubes
  Query: Has 0COMP_CODE as free characteristics with display hierarchy for Japan (Node APSC_012 is fixed value)
  Node APSC_012 has 4070,4076,407A,408A,9830 company code values under it.
  Reporting Auth Objects:
  Z0COMPCODE: (for flat values)
  4070,4076,407A,408A,407M,407P,8236, :
  ZHCOMPCODE: (For tree structure)
  4070,4076,407A,408A,407M,407P,8080, :
  APSC_MGMT_HIER (Nodes: APSC_012,APSC019)
  Both the reporting authorization objects are checked for multi provider ZM_CD01 in RSSM
  While executing the query the following Auth error is received.
  You do not have authorization to read object  "Z0COMPCODE" authorization on '0COMP_CODE'
  When I change the values for Z0COMPCODE to * it works fine. No Auth error.
  Please help me resolve this issue. It is very critical now as the user needs to execute some important reports.
  Thanks in Advance.
  Ramkumar C

  Hi Chandra,
  Try the following:
  1. Go to tcode RSSM
  2. Enter the cube ZM_CD01 (all the other cubes) then click change.
  3. Afterwards, u201Cunchecku201D ALL Authorization Objects under this cube. (Repeate the same for all the cubes)
  4. Click Save.
  This will resolve the issue.
  Rgds,
  Raghu

• Improper message coming on console  " ftpd[16809]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1"

  Hi All,
  I am using solaris 10u10 on Sun Fire platform. I am getting below message on cosole.
  ftpd[16809]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
  ftpd[16809]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
  ftpd[16810]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
  ftpd[16810]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
  ftpd[16815]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
  ftpd[16815]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
  ftpd[16816]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
  ftpd[16816]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
  ftpd[16817]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
  ftpd[16817]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
  Also the file is present on the server 
  root@atrcx1454/var/adm> ls -lrt /usr/lib/security/pam_unix_session.so.1
  -rwxr-xr-x   1 root     bin        20652 Mar 19  2008 /usr/lib/security/pam_unix_session.so.1
  Can anyone help why above message is coming on console

  Is the ftp daemon that you use provided by the Solaris media ? If this is not the case, then would recommend to contact the software maintainer for more help.
  And regarding chroot, please check this URL to know what it is : Sandbox (computer security) - Wikipedia, the free encyclopedia
  Depending how this environment is configured, the library is maybe not present in this one.

• I keep getting error 3322 suberror 1000136 DRM auth. error using Firefox

  I keep getting error 3322 suberror 1000136 DRM auth. error using Firefox but have no problem playing same content in Chrome. I uninstalled and reinstalled Firefox but kept personal settings, which did not fix the problem. Can you help?

  You may have had a change in hardware since the last time you accessed protected content with Firefox. To reset the protected content licenses, go to the settings manager, and click on Reset Content Licenses. Here is a link to the settings manager: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager08.htm l
  See also this forum post: http://forums.adobe.com/message/3051713
  We are working on automatic recovery from this error condition.

• Mail Server Error - 21055: auth: Error: od?

  Hi,
  Just upgraded to OSX 10.8 Mountain Lion, now my email services have gone AWOL.
  The server logs are telling me  [DateTime domain.com] log[21055]:auth: Error: od (username, ip address): authentication failed for user=me, method=DIGEST-MD5
  From a client (MS offlook) point of view I'm getting :
  Your message did not reach some or all of the intended recipients.
  Subject:    test
        Sent: 06/08/2012 19:09
  The following recipient(s) cannot be reached:
        '[email protected]' on 06/08/2012 19:10
              451 4.3.5 <unknown[ip address]>: Client host rejected: Server configuration error
  This used to work quite well with Lion and the Server Admin Tools.
  Is there anything I can try?
  Thanks in advance,
  Jeff.

  Thanks for getting back to me red shift, everything is now up and working again. 
  I think it was somthing to do with some folder permissions and some mail settings.  The mail server GUI supplied with Mountain Lion is all but useless and didn't help in any way in tracking down or resolving the problem. So, I've taken the plunge and set up MailServ for Mountain lion, its a much better mail server GUI client, and seemed to correct some of my postfix settings.
  I've tinkered a bit with command line mail stuff, but not quite at a level where I can fully administer it.
  Are there any good command line resources out there?  This is somthing I need to improve on.
  Cheers.

• Client auth error

  I am using iPlanet Web Server 6.0 SP4 on Solaris 2.8 that is enabled for SSL and Client-auth.
  In order to validate the client certificate, I configured this server to use my own Plug-in by adding authTrans line in "obj.conf":
  <Object name=default>
  AuthTrans fn="vsCheckClientCert"
  </Object>
  During startup, web server fails with following error.
  Thanks in advance!!!
  [20/Sep/2002:11:50:58] info ( 1984): successful server startup
  [20/Sep/2002:11:50:58] info ( 1984): iPlanet-WebServer-Enterprise/6.0SP4 B07/17/2002 14:04
  [20/Sep/2002:11:51:00] info ( 1985): Installing a new configuration
  [20/Sep/2002:11:51:00] info ( 1985): [LS ls1] https://xx-sun.yy.com, port 444 ready to accept requests
  [20/Sep/2002:11:51:00] info ( 1985): A new configuration was successfully installed
  [20/Sep/2002:11:51:01] info ( 1985): Using the Solaris VM v1.2.2 from Sun Microsystems Inc.
  [20/Sep/2002:11:51:01] info ( 1985): Java VM classpath: /usr/netscape/servers/plugins/servlets/examples/legacy/beans.10/SDKBeans10.jar:/usr/n
  etscape/servers/bin/https/jar/NSServletLayer.jar:/usr/netscape/servers/bin/https/jar/NSJavaUtil.jar:/usr/netscape/servers/bin/https/jar/Admin
  NativeUtil.jar:/usr/netscape/servers/bin/https/jar/NSJavaMiscUtil.jar:/usr/netscape/servers/bin/https/jar/servlet.jar:/usr/netscape/servers/b
  in/https/jar/servlet-2.3-filters-api.jar:/usr/netscape/servers/bin/https/jar/jsp092.jar:/usr/netscape/servers/bin/https/jar/jaxp.jar:/usr/net
  scape/servers/bin/https/jar/crimson.jar:/usr/netscape/servers/bin/https/jar/xalan.jar:/usr/netscape/servers/bin/https/jar/jspengine.jar:
  [20/Sep/2002:11:51:01] info ( 1985): Loading IWSSessionManager by default.
  [20/Sep/2002:11:51:01] info ( 1985): IWSSessionManager: Maximum number of sessions is 1000
  [20/Sep/2002:11:51:01] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
  be enabled.
  [20/Sep/2002:11:51:01] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
  tificate
  [20/Sep/2002:11:51:02] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3
  be enabled.
  [20/Sep/2002:11:51:02] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication cer
  tificate
  [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Error getting document-root for this virtual server; please check your server c
  onfiguration.
  [20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Cannot create web applications virtual server environment.
  [20/Sep/2002:11:51:02] failure ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (h
  ttps-cvm-test-444)
  [20/Sep/2002:11:51:02] info ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (http
  s-cvm-test-444)
  [20/Sep/2002:11:51:02] failure ( 1985): The new configuration was rejected, rolling back

  Thanks for the reply!!
  My SAF (vsCheckClientCert) works fine if I disable the servlets. It also works by disabling the Web Application State in server.xml
  <VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
  <VS id="https-cvm-test-444" state="on" urlhosts="psingal-sun.verisign.com" mime="mime1" aclids="acl1" connections="group1">
  ===> <VARS webapps_file="web-apps.xml" webapps_enable="off"/>
  </VS>
  </VSCLASS>
  I am facing the problem only with iPlanet 6.0, the SAF worked fine with "Servlet Enabled" in the previous releases of iPlanet 4.x. Is there any way by which my SAF works with default server settings i.e. Servlet Enabled and Web Application State On?

• SSRS 2008 R2 auth error

  Hi Everyone,
  I'm migrating from one server to another. SSRS works on the old setup just fine, and I've managed to get it working for me (as admin) on the new server just fine (both by browsing locally and from my laptop remotely). FYI, the new Sql Server is on a hosted
  server which is not part of our domain - but the same users are created on both. 
  However, a user I'm testing the new server with (who isn't an admin) cannot get SSRS to work. I've added her in SSRS under Site Settings as a user, and also given access in the root folder settings.
  RDPing on the new server and running  IE (http://localhost/Reports), she gets the error: "User <domain\username> does not have the required permissions. Verify that sufficient permissions have been granted and Windows User Account Control
  (UAC) restrictions have been addressed). This doesn't happen in Chrome locally - that's a whole other set of errors!
  Trying remotely (from her laptop on our LAN), she gets the main Report Manager page, with the list of all reports on it. However, when she selects a report, she gets:
  -And error has occurred during report processing. (rsProcessingAborted)
   - Cannot create a connection to data source 'DataSource1'. (rsErrorOpeningConnection)
    - Login failed for user '<DB machine/username>'
  "DataSource1" is the default data connection within the report definition and is just setup for Windows Auth. Looking on the existing setup, I cannot see her with a username on sql server, and yet it still works!
  As you can see, very different behaviours. Ideally, I'm after getting the remote connection from the laptop working - but I would like to understand both issues ideally.
  I've got the old infrastructure and compared permissions for various things but I cannot see any differences. Any help would be appreciated!

  Hi Tifosi256,
  According to your description, you have issue when migrating your SQL server to another server. A user with granted permission can’t access Report Manager on IE/Firefox locally. And when connecting server remotely, this user can’t open a connection to data
  source. Right?
  In Reporting Service, we can use Windows User Account to access Report in browser. In different browsers, they have different security level for different system roles. In this scenario, the user is not system admin, when she access the Report Manager, the
  site of Report Manager might be denied by IE/Firefox. And when the user back to her laptop, I think she might be system admin in her own system. So the Report Manager site can be accepted by browser. For this reason, we can go to IE/Firefox, add the Report
  Manager URL as Trusted site. 
  For the data source connecting issue, the reason why the user can’t open a connection to data source because when we connect to data source, we act as a Windows User. If this user has no authority to access database, it will be unable to open a connection
  to data source. However, we have two options to solve this problem. One is go to Database Engine in SQL Server Management Studio. Add the user in Security. 
  The other is go to the Report properties in Report Manager. In Data Sources, Select Credentials stored securely in the report server. Put in a Window User Account which has authority to access the database. Select Use as Windows credentials when connecting
  to the data source. So we can act as the user with granted authority when connecting data source.
  If you have any question, please feel free to ask.
  Best Regards,
  Simon Hou
    

• 802.1x Auth Error After Installing AirPort Update 2007-002 and 10.4.9

  After installing the AirPort Extreme Update 2007-002 (and 10.4.9, but I doubt that update did it), I am unable to log into my campus's wireless network. I get the message "802.1x Authentication has failed. (Error: 1001 on port en1)"
  I've double-checked the settings, and all looks good. Other Macs are able to log in fine but they do not have this update applied.
  Other wireless connections from this computer work fine, including using another SSID on this wireless network using WPA/TKIP. Only the 802.1x auth is failing.
  I'm a systems admin for the college, and I can see in the radius logs that an error is generated:
  "Unexpected error. Possible error in server or client configuration."
  I'm the only one getting this error. Anyone have any ideas about this?
  Thanks in advance.
  truk

  I finally discovered what was going on. When doing either the 10.4.9 update or the Airport update, my /System/Library/Keychains/X509Anchors file was either corrupted or completely emptied. The file did remain with 0K size.
  I started noticing that all SSL connections from the computer were failing (Safari, iChat, whatever) that depended on the Mac OS X components to do the SSL validation. (Firefox continued to work fine, as it has its own SSL stack.) I then ran the Keychain file check in Keychain, which alerted me to the exact file problem.
  My wife also has a MacBook with the same version of Mac OS X, so I was able to copy her X509Anchors file to my computer and everything worked perfectly after that. SSL came back, iChat works, Safari works with SSL, and 802.1x works again.
  Hope that helps someone else...

• Password file auth - error ORA-01990: error opening password file '/p00/ora

  Hi, Im setting up password file auth on our existing database.
  Ive run this
  orapwd file=orapwdt04.pwd password=secret entries=5
  then set this in the .ora file
  remote_login_passwordfile=exclusive
  But when I restart the dabase im getting this error
  ORA-01990: error opening password file '/p00/oraprod/9.2.0/dbs/orapw'
  How / where do I tell the database to look for the password file.
  Im running on AIX and Oracle 9.2.0.6
  thanks for looking.

  password filename must be in the format of orapw<sid> and location of the file $ORACLE_HOME/dbs

• Client-Auth errors

  Hi all,
  I have a SOWS 6.1 and I am getting the following error eache time a user try to get the page:
  Client-Auth reports: Unexpected error receiving data: -5938
  Do you know what it should be?
  Thanks in advance

  Can you tell us the exact configuration you have.
  Send a request to the server to capture the details of initial handshake which performs the client authentication through ssltap. Save the output. Also, when the
  certificates are exchanged ssltap will save them to a file (see the output of
  ssltap for the filenames it used). Get those cert files as well.

• LDAP Auth Error ccmuser web access

  Hi,
  I have a CUCM v9.1 with an issue for access to the ccmuser web page using the AD Credentials, I've configured the LDAP Auth in the CUCM with no error messages and also the web access for my users like this:
  When I access the site http://cucm_ip_add/ccmuser first I get this message:
  After that I try to log into to the web page but I get this error:
  I have no issues importing the users, the problem is with the authentication.
  I've checked the ldap port and I'm not using global catalog so the correct one is 389 (tried 3268 and I got an error message from the cucm ldap authentication config page).
  Any ideas guys??
  Thanks in advance.

  One commone one is that CUCM treats the username field as case sensitive. Does it have any upper case characters? You can see this within /ccmadmin under End User Configuration.
  If that's not it, either a Wireshark of the LDAP bind or a stare/compare between your sync agreement and the auth config to see why one can get the user object but the other cannot bind as that person.
  Please remember to rate helpful responses and identify helpful or correct answers.

• Wireless Auth errors

  I am trying to setup leap authentication on a 1100 AP, with local radius.
  Getting the following debug errors:
  *Mar  2 10:23:05.311: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0023.6c85.32cd
  *Mar  2 10:23:05.311: dot11_auth_dot1x_send_client_fail: Authentication failed for 0023.6c85.32cd
  *Mar  2 10:23:05.311: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authentication failed
  *Mar  2 10:23:10.592: AAA/BIND(00000070): Bind i/f 
  *Mar  2 10:23:10.592: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  *Mar  2 10:23:10.592: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0023.6c85.32cd
  *Mar  2 10:23:10.592: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.32cd timer started for 30 se
  Any ideas what could be wrong with my config:
  aaa new-model
  aaa group server radius rad_eap
  server 172.16.1.35 auth-port 1812 acct-port 1813
  aaa authentication login eap_methods group rad_eap
  aaa session-id common
  dot11 syslog
  dot11 ssid XXX
     authentication open eap eap_methods
     authentication network-eap eap_methods
     guest-mode
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption key 1 size 40bit 7 873B0AA56FCA transmit-key
  encryption mode wep mandatory
  broadcast-key change 300
  ssid XXX
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  channel 2437
  station-role root
  rts threshold 2312
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 172.16.1.35 255.255.255.0
  no ip route-cache
  radius-server local
    nas 172.16.1.35 key 7 14001305020B297D727E
    user xxxx nthash 7 0027435225792D535F796A6B2A3852444A59285D78097D7B6A177B325144545374
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 120E04191C040F527C7D
  radius-server vsa send accounting
  bridge 1 route ip

  If you are not using any EAP authentication, then remove the below commands..
  authentication open eap eap_methods
     authentication network-eap  eap_methods
  and issue just "authentication open"
  then try connecting the wireless using the WEP key that you have configured.
  Regards
  Surendra

• Auth error while post good receipt thru vl02n

  Hi,
  During Post good receipt thru t-code vl02n i am facing error as - "You have no authorization for this transaction with movement type 653"
  In the role i have given auth for vl01n,vl02n and vrre
  So pl guide to resolve this issue

  Hi
  please perform the transaction again. On error type /osu53 in transaction window. System will open new session and you will get details of Missing Authorizations. Give it to your Basis person to grant those missing objects.
  enjoy
  Atul

• CAS + SPNEGO + Auth error

  Hello experts,
  I have the followin platform:
  Tomcat 6.0.18
  CAS Server 3.2.1
  cas-server-support-spnego-3.2.1.jar
  jcifs-1.3.8.jar
  jcifs-ext-1.2.3.jar
  I followed this guide to install CAS SPNEGO:
  http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
  I was succesfuly able to generate ticket with Java:
  C:\Program Files\Java\jre6\bin>klist -k
  Key tab: C:\Tomcat\webapps\cas\spnaccount.keytab, 1 entry found.
  [1] Service principal: HTTP/[email protected]
           KVNO: 3
  C:\Program Files\Java\jre6\bin>kinit [email protected]
  Password for [email protected]:
  New ticket is stored in cache file C:\Documents and Settings\idm\krb5cc_idm
  C:\Program Files\Java\jre6\bin>klist
  Credentials cache: C:\Documents and Settings\idm\krb5cc_idm
  Default principal: [email protected], 1 entry found.
  [1]  Service Principal:  krbtgt/[email protected]
       Valid starting:  May 10, 2009 15:14
       Expires:         May 11, 2009 01:14
  C:\Program Files\Java\jre6\bin>
  But when I try to authenticate using CAS this is what I get an error.
  Any ideas what's wrong?
  R

  There's a new error now:
  C:\Documents and Settings\idm>cd %java_home%\bin
  C:\Program Files\Java\jre6\bin>ktpass.exe /out C:\Tomcat\webapps\cas\spnaccount.keytab /princ HTTP/lab-adm-01.labtst.net
  [email protected] /pass mypassword123 /mapuser [email protected] /ptype krb5_nt_principal /crypto DES-CBC-MD5
  Targeting domain controller: Labtst-dc-02.labtst.net.il
  Successfully mapped HTTP/lab-adm-01.labtst.net.il to spnaccount.
  Key created.
  Output keytab to C:\Tomcat\webapps\cas\spnaccount.keytab:
  Keytab version: 0x502
  keysize 70 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keyleng
  th 8 (0xe31f437cf18c0e91)
  C:\Program Files\Java\jre6\bin>kinit -J-Dsun.security.krb5.debug=true -k HTTP/lab-adm-01.labtst.net.il
  Config name: C:\WINDOWS\krb5.ini
  KinitOptions cache name is C:\Documents and Settings\idm\krb5cc_idmPrincipal is HTTP/[email protected]
  Kinit using keytab
  KeyTabInputStream, readName(): LABTST.NET.IL
  KeyTabInputStream, readName(): HTTP
  KeyTabInputStream, readName(): lab-adm-01.labtst.net.il
  KeyTab: load() entry length: 70; type: 3Added key: 3version: 3
  Ordering keys wrt default_tkt_enctypes list
  default etypes for default_tkt_enctypes: 3.
  0: EncryptionKey: keyType=3 kvno=3 keyValue (hex dump)=
  0000: E3 1F 43 7C F1 8C 0E 91
  Kinit realm name is LABTST.NET.IL
  Creating KrbAsReq
  KrbKdcReq local addresses for lab-adm-01 are:
          lab-adm-01/8.205.130.125
  IPv4 address
  default etypes for default_tkt_enctypes: 3.
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  Kinit: sending as_req to realm LABTST.NET.IL
  KrbKdcReq send: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000, number of retries =3, #bytes=182
  KDCCommunication: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000,Attempt =1, #bytes=182
  KrbKdcReq send: #bytes read=175
  KrbKdcReq send: #bytes read=175
  reading response from kdc
  KDCRep: init() encoding tag is 126 req type is 11
  KRBError:         sTime is Wed May 13 10:02:09 IDT 2009 1242198129000
           suSec is 246135
           error code is 25
           error Message is Additional pre-authentication required
           realm is LABTST.NET.IL
           sname is krbtgt/LABTST.NET.IL
           eData provided.
           msgType is 30
  Pre-Authentication Data:         PA-DATA type = 11
           PA-ETYPE-INFO etype = 3
  Pre-Authentication Data:         PA-DATA type = 2
           PA-ENC-TIMESTAMP
  Pre-Authentication Data:         PA-DATA type = 15
  Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
  Updated salt from pre-auth = LABTST.NET.ILspnaccount
  KrbAsReq salt is LABTST.NET.ILspnaccountPre-Authenticaton: find key for etype = 3
  AS-REQ: Add PA_ENC_TIMESTAMP now
  EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  Kinit: sending as_req to realm LABTST.NET.IL
  KrbKdcReq send: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000, number of retries =3, #bytes=271
  KDCCommunication: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000,Attempt =1, #bytes=271
  KrbKdcReq send: #bytes read=153
  KrbKdcReq send: #bytes read=153
  reading response from kdc
  KDCRep: init() encoding tag is 126 req type is 11
  KRBError:         sTime is Wed May 13 10:02:10 IDT 2009 1242198130000
           suSec is 540470
           error code is 24
           error Message is Pre-authentication information was invalid
           realm is LABTST.NET.IL
           sname is krbtgt/LABTST.NET.IL
           eData provided.
           msgType is 30
  Pre-Authentication Data:         PA-DATA type = 11
           PA-ETYPE-INFO etype = 3
  Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
  KrbException: Pre-authentication information was invalid (24)
          at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
          at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
          at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
          at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
          at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
  Caused by: KrbException: Identifier doesn't match expected value (906)
          at sun.security.krb5.internal.KDCRep.init(Unknown Source)
          at sun.security.krb5.internal.ASRep.init(Unknown Source)
          at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
          ... 5 moreP.S
  Thanks for bringing me this far wangwj, your help is much appreciated.

• SMTP auth error, but Cyrus OK

  We're using WGM for email setup and admin. We have around 1,000 users, 700 of which are on our network and don't use SMTP auth, and 300 who are off our network and do use SMTP auth. All is well, except for one account. This account was set up to forward mail, and several months later they asked us to make it a login account. They can log in and get mail, but when they try to send, SMTP authentication fails. The line in the SMTP log is:
  Aug 30 10:39:43 mailx postfix/smtpd[5919]: warning: AOD: Authentication failed for user user@domain. (Open Directroy error: -14090)
  I've tried all the usual stuff (re-entering the password in Mail.app, etc), and went so far as to delete and re-create the account in WGM, but it still fails in the same way. Any ideas as to how to fix this, or how to further troubleshoot it? Thanks.

  Which Auth types do you have enabled in Server
  Admin?
  SMTP: CRAM-MD5 + Login
  IMAP & POP: everything but Kerberos
  If you could, please paste unmodified output of
  "postconf -n".
  mailx:~ admin$ postconf -n
  alias_maps = hash:/etc/aliases
  command_directory = /usr/sbin
  config_directory = /etc/postfix
  daemon_directory = /usr/libexec/postfix
  debugpeerlevel = 2
  enableserveroptions = yes
  html_directory = no
  inet_interfaces = all
  mail_owner = postfix
  mailboxsizelimit = 0
  mailbox_transport = cyrus
  mailq_path = /usr/bin/mailq
  manpage_directory = /usr/share/man
  messagesizelimit = 26214400
  mydestination = $myhostname,localhost.$mydomain,localhost,opendoor.com
  mydomain = opendoor.com
  mydomain_fallback = localhost
  myhostname = mailx.opendoor.com
  mynetworks = 127.0.0.1/32,66.241.64.0/19,207.55.236.0/22
  mynetworks_style = host
  newaliases_path = /usr/bin/newaliases
  ownerrequestspecial = no
  queue_directory = /private/var/spool/postfix
  readme_directory = /usr/share/doc/postfix
  recipient_delimiter = +
  sample_directory = /usr/share/doc/postfix/examples
  sendmail_path = /usr/sbin/sendmail
  setgid_group = postdrop
  smtpdclientrestrictions = hash:/etc/postfix/smtpdreject
  smtpdpw_server_securityoptions = login,cram-md5
  smtpdrecipientrestrictions = permitsasl_authenticated,permit_mynetworks,reject_unauthdestination,permit
  smtpdsasl_authenable = yes
  smtpdtls_keyfile =
  smtpduse_pwserver = yes
  unknownlocal_recipient_rejectcode = 550
  virtualmailboxdomains = hash:/etc/postfix/virtual_domains
  virtual_transport = lmtp:unix:/etc/mail/db/socket/lmtp
  mailx:~ admin$