Smartcard auth errors
Hi all!
I've tried to set up smart card logon on Mac OS X Mavericks. My SC is a RuToken ECP 64Kb. My steps:
1. Installed opensc-0.13.0
2. Installed the RuToken support package (includes librtpkcs11ecp.so and a tokend for RuToken)
3. Generated RSA/2048 keys on token
4. Created local openssl CA, created CSR signed with token key
5. Created certificate with local CA for token, put it in token.
6. In Keychain Access, added the CA certificate to the System keychain and made it trusted
7. In Keychain Access validated both CA and token certificate, no problems found.
8. Added certificate hash to my user via sc_auth
Login after restart works fine: I insert the token, the password prompt changes to a PIN prompt, and after typing the PIN I successfully enter my system.
But if I lock the screen or try to unlock something in System Prefs, there's no password/PIN prompt and auth fails. In /var/log/system.log the following messages are logged:
Mar 26 14:13:52 localhost authorizationhost[634]: ignorableRevocationStatusCode entered.
Mar 26 14:13:52 --- last message repeated 1 time ---
Mar 26 14:13:52 localhost authorizationhost[634]: _CanIgnoreLeafStatusCodes return: true
Mar 26 14:13:52 localhost authorizationhost[634]: -[__NSArrayM length]: unrecognized selector sent to instance 0x7fc0e2600080
Mar 26 14:13:52 localhost authorizationhost[634]: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSArrayM length]: unrecognized selector sent to instance 0x7fc0e2600080'
*** First throw call stack:
0 CoreFoundation 0x00007fff8d1d625c __exceptionPreprocess + 172
1 libobjc.A.dylib 0x00007fff9030fe75 objc_exception_throw + 43
2 CoreFoundation 0x00007fff8d1d912d -[NSObject(NSObject) doesNotRecognizeSelector:] + 205
3 CoreFoundation 0x00007fff8d1343f2 ___forwarding___ + 1010
4 CoreFoundation 0x00007fff8d133f78 _CF_forwarding_prep_0 + 120
5 CoreFoundation 0x00007fff8d0a9d48 CFStringCompareWithOptionsAndLocale + 72
6 authorizationhost 0x000000010fea53d9 SFBuiltinSmartCardSniffer_hint_user + 253
7 CoreFoundation 0x00007fff8d0cab76 __CFDictionaryApplyFunction_block_invoke + 22
8 CoreFoundation 0x00007fff8d0cab3c CFBasicHashApply + 124
9 CoreFoundation 0x00007fff8d0caa8d CFDictionaryApplyFunction + 173
10 authorizationhost 0x000000010fea57a7 SFBuiltinSmartCardSniffer_hint_user + 1227
11 authorizationhost 0x000000010fea227c nullPluginCreate + 1345
12 libdispatch.dylib 0x00007fff94f492ad _dispatch_client_callout + 8
13 libdispatch.dylib 0x00007fff94f51b76 _dispatch_barrier_sync_f_slow_invoke + 46
14 libdispatch.dylib 0x00007fff94f492ad _dispatch_client_callout + 8
15 libdispatch.dylib 0x00007fff94f50f03 _dispatch_main_queue_callback_4CF + 333
16 CoreFoundation 0x00007fff8d13d679 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9
17 CoreFoundation 0x00007fff8d0f8954 __CFRunLoopRun + 1636
18 CoreFoundation 0x00007fff8d0f80b5 CFRunLoopRunSpecific + 309
19 Foundation 0x00007fff920e2adc -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 253
20 Foundation 0x00007fff921cb4aa -[NSRunLoop(NSRunLoop) run] + 74
21 authorizationhost 0x000000010fea844b main + 284
22 libdyld.dylib 0x00007fff8d44c5fd start + 1
Mar 26 14:13:52 localhost ReportCrash[635]: Metadata.framework [Error]: couldn't get the client port
Mar 26 14:13:52 localhost ReportCrash[635]: DebugSymbols was unable to start a spotlight query: spotlight is not responding or disabled.
Mar 26 14:13:53 localhost com.apple.authd[36]: engine[632]: evaluate returned -60008 returning errAuthorizationInternal
Mar 26 14:13:53 localhost com.apple.launchd[1] (com.apple.security.authhost.00000000-0000-0000-0000-0000000186A8[634]): Job appears to have crashed: Abort trap: 6
Mar 26 14:13:53 localhost ReportCrash[635]: Saved crash report for authorizationhost[634] version 1.0 (55194.4) to /Library/Logs/DiagnosticReports/authorizationhost_2014-03-26-141353_localhost.crash
Mar 26 14:13:53 localhost ReportCrash[635]: Removing excessive log: file:///Library/Logs/DiagnosticReports/authorizationhost_2014-03-26-124352_localhost.crash
Are there any possible solutions to that?
Hi,
I had the same problem and after much digging (including disassembling the authorizationhost binary) I noticed that this is because the authorizationhost process assumes that the "RecordName" for a user in the Users directory is a string, and if you have associated your Mac account with an Apple ID, it will be an array, causing that crash (it attempts to send a "length" message to an array object).
In practice, at least for me, I could solve this problem by going to System Preferences -> Users & Groups, selecting the user for which I have associated the smart card, clicking the "Change…" button next to "Apple ID:", and removing all Apple IDs from the list.
Note: I have tested this on two of my computers, but I don't yet know what effects this may have on services that rely on an Apple ID to operate; at least basic iCloud and Home Sharing services seem to work fine.
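As an added diagnostic (not code from this thread or from Apple), a Python script that parses the text output of `dscl . -read /Users/<name> RecordName` and flags a user record whose RecordName carries more than one value, the condition the reply above identifies as the crash trigger. The sample outputs are constructed, and dscl itself is only invoked when the script runs on a Mac.

```python
"""Check whether a macOS user record has more than one RecordName value.

Added diagnostic, not code from the thread above. The reply above attributes
the Mavericks authorizationhost crash to RecordName being an array (several
values) instead of a single string once an Apple ID is linked to the account.
This script parses the text output of `dscl . -read /Users/<name> RecordName`
and reports that condition.
"""
import subprocess
import sys
from typing import List, Optional


def parse_dscl_attribute(output: str, attribute: str) -> List[str]:
    """Return the values of `attribute` from `dscl -read` text output.

    dscl prints a single value as "Key: value". A multi-valued attribute is
    printed either as "Key: v1 v2 ..." when no value contains a space, or as
    "Key:" followed by one indented line per value when some value does.
    """
    lines = output.splitlines()
    values: List[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(attribute + ":"):
            rest = line[len(attribute) + 1:].strip()
            if rest:
                # Inline form: values are whitespace-separated on one line.
                values.extend(rest.split())
                i += 1
            else:
                # Block form: one value per line, each indented by a space.
                i += 1
                while i < len(lines) and lines[i].startswith(" "):
                    values.append(lines[i].strip())
                    i += 1
        else:
            i += 1
    return values


def has_multiple_record_names(output: str) -> bool:
    """True when the record carries several RecordName values (the crash trigger)."""
    return len(parse_dscl_attribute(output, "RecordName")) > 1


def read_user_record(user: str) -> Optional[str]:
    """Run dscl against the local node; returns None off macOS or on failure."""
    try:
        result = subprocess.run(
            ["dscl", ".", "-read", f"/Users/{user}", "RecordName"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout


# Constructed sample outputs (not captured from a real machine).
SAMPLE_SINGLE = "RecordName: alice\n"
SAMPLE_MULTI_INLINE = (
    "AppleMetaNodeLocation: /Local/Default\n"
    "RecordName: alice alice@example.com\n"
    "UniqueID: 501\n"
)
SAMPLE_MULTI_BLOCK = (
    "RecordName:\n"
    " alice\n"
    " Alice Example\n"
    "UniqueID: 501\n"
)


def report(output: str) -> str:
    """One-line verdict for a dscl record dump."""
    names = parse_dscl_attribute(output, "RecordName")
    if len(names) > 1:
        return ("RecordName has %d values %r: authorizationhost on Mavericks "
                "treats this as an array and crashes; unlink the Apple ID"
                % (len(names), names))
    return "RecordName is single-valued %r: not affected" % names


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "alice"
    output = read_user_record(user)
    if output is None:
        # Not on macOS (or dscl failed): demonstrate on the constructed sample.
        output = SAMPLE_MULTI_INLINE
    print(report(output))
```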
Similar Messages
-
Auth Error in BW while executing a query with Company hierarchy
Hi All,
I have an issue with BW Reporting auth objects. I hope to get it resolved here.
We are using BI 7.0. However, we are still using the Reporting auth objects for field level security. We are having a problem while executing a query with company code hierarchy, which is built on a multiprovider.
The Background is as below
Multiprovider: ZM_CD01 with 5 infocubes
Query: Has 0COMP_CODE as free characteristics with display hierarchy for Japan (Node APSC_012 is fixed value)
Node APSC_012 has 4070,4076,407A,408A,9830 company code values under it.
Reporting Auth Objects:
Z0COMPCODE: (for flat values)
4070,4076,407A,408A,407M,407P,8236, :
ZHCOMPCODE: (For tree structure)
4070,4076,407A,408A,407M,407P,8080, :
APSC_MGMT_HIER (Nodes: APSC_012,APSC019)
Both the reporting authorization objects are checked for multi provider ZM_CD01 in RSSM
While executing the query the following Auth error is received.
You do not have authorization to read object "Z0COMPCODE" authorization on '0COMP_CODE'
When I change the values for Z0COMPCODE to * it works fine. No Auth error.
Please help me resolve this issue. It is very critical now as the user needs to execute some important reports.
Thanks in Advance.
Ramkumar C
Hi Chandra,
Try the following:
1. Go to tcode RSSM
2. Enter the cube ZM_CD01 (all the other cubes) then click change.
3. Afterwards, “uncheck” ALL Authorization Objects under this cube. (Repeat the same for all the cubes)
4. Click Save.
This will resolve the issue.
Rgds,
Raghu -
Hi All,
I am using Solaris 10u10 on a Sun Fire platform. I am getting the below message on the console.
ftpd[16809]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
ftpd[16809]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
ftpd[16810]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
ftpd[16810]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
ftpd[16815]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
ftpd[16815]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
ftpd[16816]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
ftpd[16816]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
ftpd[16817]: [ID 776383 auth.error] open_module: stat(/usr/lib/security/pam_unix_session.so.1) failed: No such file or directory
ftpd[16817]: [ID 487707 auth.error] load_modules: can not open module /usr/lib/security/pam_unix_session.so.1
Also the file is present on the server
root@atrcx1454/var/adm> ls -lrt /usr/lib/security/pam_unix_session.so.1
-rwxr-xr-x 1 root bin 20652 Mar 19 2008 /usr/lib/security/pam_unix_session.so.1
Can anyone help with why the above message is coming on the console?
Is the ftp daemon that you use provided by the Solaris media? If this is not the case, then I would recommend contacting the software maintainer for more help.
And regarding chroot, please check this URL to know what it is : Sandbox (computer security) - Wikipedia, the free encyclopedia
Depending how this environment is configured, the library is maybe not present in this one. -
I keep getting error 3322 suberror 1000136 DRM auth. error using Firefox
I keep getting error 3322 suberror 1000136 DRM auth. error using Firefox but have no problem playing same content in Chrome. I uninstalled and reinstalled Firefox but kept personal settings, which did not fix the problem. Can you help?
You may have had a change in hardware since the last time you accessed protected content with Firefox. To reset the protected content licenses, go to the settings manager, and click on Reset Content Licenses. Here is a link to the settings manager: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager08.html
See also this forum post: http://forums.adobe.com/message/3051713
We are working on automatic recovery from this error condition. -
Mail Server Error - 21055: auth: Error: od?
Hi,
Just upgraded to OSX 10.8 Mountain Lion, now my email services have gone AWOL.
The server logs are telling me [DateTime domain.com] log[21055]:auth: Error: od (username, ip address): authentication failed for user=me, method=DIGEST-MD5
From a client (MS Outlook) point of view I'm getting:
Your message did not reach some or all of the intended recipients.
Subject: test
Sent: 06/08/2012 19:09
The following recipient(s) cannot be reached:
'[email protected]' on 06/08/2012 19:10
451 4.3.5 <unknown[ip address]>: Client host rejected: Server configuration error
This used to work quite well with Lion and the Server Admin Tools.
Is there anything I can try?
Thanks in advance,
Jeff.
Thanks for getting back to me, red shift; everything is now up and working again.
I think it was something to do with some folder permissions and some mail settings. The mail server GUI supplied with Mountain Lion is all but useless and didn't help in any way in tracking down or resolving the problem. So, I've taken the plunge and set up MailServ for Mountain Lion; it's a much better mail server GUI client, and seemed to correct some of my postfix settings.
I've tinkered a bit with command line mail stuff, but not quite at a level where I can fully administer it.
Are there any good command line resources out there? This is something I need to improve on.
Cheers. -
I am using iPlanet Web Server 6.0 SP4 on Solaris 2.8 that is enabled for SSL and Client-auth.
In order to validate the client certificate, I configured this server to use my own Plug-in by adding authTrans line in "obj.conf":
<Object name=default>
AuthTrans fn="vsCheckClientCert"
</Object>
During startup, the web server fails with the following error.
Thanks in advance!!!
[20/Sep/2002:11:50:58] info ( 1984): successful server startup
[20/Sep/2002:11:50:58] info ( 1984): iPlanet-WebServer-Enterprise/6.0SP4 B07/17/2002 14:04
[20/Sep/2002:11:51:00] info ( 1985): Installing a new configuration
[20/Sep/2002:11:51:00] info ( 1985): [LS ls1] https://xx-sun.yy.com, port 444 ready to accept requests
[20/Sep/2002:11:51:00] info ( 1985): A new configuration was successfully installed
[20/Sep/2002:11:51:01] info ( 1985): Using the Solaris VM v1.2.2 from Sun Microsystems Inc.
[20/Sep/2002:11:51:01] info ( 1985): Java VM classpath: /usr/netscape/servers/plugins/servlets/examples/legacy/beans.10/SDKBeans10.jar:/usr/netscape/servers/bin/https/jar/NSServletLayer.jar:/usr/netscape/servers/bin/https/jar/NSJavaUtil.jar:/usr/netscape/servers/bin/https/jar/AdminNativeUtil.jar:/usr/netscape/servers/bin/https/jar/NSJavaMiscUtil.jar:/usr/netscape/servers/bin/https/jar/servlet.jar:/usr/netscape/servers/bin/https/jar/servlet-2.3-filters-api.jar:/usr/netscape/servers/bin/https/jar/jsp092.jar:/usr/netscape/servers/bin/https/jar/jaxp.jar:/usr/netscape/servers/bin/https/jar/crimson.jar:/usr/netscape/servers/bin/https/jar/xalan.jar:/usr/netscape/servers/bin/https/jar/jspengine.jar:
[20/Sep/2002:11:51:01] info ( 1985): Loading IWSSessionManager by default.
[20/Sep/2002:11:51:01] info ( 1985): IWSSessionManager: Maximum number of sessions is 1000
[20/Sep/2002:11:51:01] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3 be enabled.
[20/Sep/2002:11:51:01] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication certificate
[20/Sep/2002:11:51:02] config ( 1985): for host 0.0.0.0 trying to GET /, Client-Auth reports: get-client-cert requires that security and SSL3 be enabled.
[20/Sep/2002:11:51:02] failure ( 1985): for host 0.0.0.0 trying to GET /, vsCheckClientCert reports: Couldn't get a client authentication certificate
[20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Error getting document-root for this virtual server; please check your server configuration.
[20/Sep/2002:11:51:02] failure ( 1985): vs(https-cvm-test-444)Cannot create web applications virtual server environment.
[20/Sep/2002:11:51:02] failure ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (https-cvm-test-444)
[20/Sep/2002:11:51:02] info ( 1985): Internal Error: Failed to initialize web application environment (web-apps.xml) for virtual server (https-cvm-test-444)
[20/Sep/2002:11:51:02] failure ( 1985): The new configuration was rejected, rolling back
Thanks for the reply!!
My SAF (vsCheckClientCert) works fine if I disable the servlets. It also works by disabling the Web Application State in server.xml:
<VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default" acceptlanguage="off">
<VS id="https-cvm-test-444" state="on" urlhosts="psingal-sun.verisign.com" mime="mime1" aclids="acl1" connections="group1">
===> <VARS webapps_file="web-apps.xml" webapps_enable="off"/>
</VS>
</VSCLASS>
I am facing the problem only with iPlanet 6.0, the SAF worked fine with "Servlet Enabled" in the previous releases of iPlanet 4.x. Is there any way by which my SAF works with default server settings i.e. Servlet Enabled and Web Application State On? -
Hi Everyone,
I'm migrating from one server to another. SSRS works on the old setup just fine, and I've managed to get it working for me (as admin) on the new server just fine (both by browsing locally and from my laptop remotely). FYI, the new SQL Server is on a hosted server which is not part of our domain, but the same users are created on both.
However, a user I'm testing the new server with (who isn't an admin) cannot get SSRS to work. I've added her in SSRS under Site Settings as a user, and also given access in the root folder settings.
RDPing on the new server and running IE (http://localhost/Reports), she gets the error: "User <domain\username> does not have the required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed." This doesn't happen in Chrome locally; that's a whole other set of errors!
Trying remotely (from her laptop on our LAN), she gets the main Report Manager page, with the list of all reports on it. However, when she selects a report, she gets:
- An error has occurred during report processing. (rsProcessingAborted)
- Cannot create a connection to data source 'DataSource1'. (rsErrorOpeningConnection)
- Login failed for user '<DB machine/username>'
"DataSource1" is the default data connection within the report definition and is just set up for Windows Auth. Looking on the existing setup, I cannot see her with a username on SQL Server, and yet it still works!
As you can see, very different behaviours. Ideally, I'm after getting the remote connection from the laptop working, but I would like to understand both issues.
I've got the old infrastructure and compared permissions for various things but I cannot see any differences. Any help would be appreciated!
Hi Tifosi256,
According to your description, you have an issue when migrating your SQL Server to another server. A user with granted permission can't access Report Manager on IE/Firefox locally. And when connecting to the server remotely, this user can't open a connection to the data source. Right?
In Reporting Services, we can use a Windows User Account to access a Report in the browser. Different browsers have different security levels for different system roles. In this scenario, the user is not a system admin, so when she accesses the Report Manager, the Report Manager site might be denied by IE/Firefox. And when the user goes back to her laptop, I think she might be a system admin on her own system, so the Report Manager site can be accepted by the browser. For this reason, we can go to IE/Firefox and add the Report Manager URL as a Trusted site.
For the data source connection issue, the reason the user can't open a connection to the data source is that when we connect to a data source, we act as a Windows User. If this user has no authority to access the database, it will be unable to open a connection to the data source. However, we have two options to solve this problem. One is to go to the Database Engine in SQL Server Management Studio and add the user under Security.
The other is to go to the Report properties in Report Manager. In Data Sources, select "Credentials stored securely in the report server". Put in a Windows User Account which has authority to access the database. Select "Use as Windows credentials when connecting to the data source". So we can act as the user with granted authority when connecting to the data source.
If you have any question, please feel free to ask.
Best Regards,
Simon Hou
-
802.1x Auth Error After Installing AirPort Update 2007-002 and 10.4.9
After installing the AirPort Extreme Update 2007-002 (and 10.4.9, but I doubt that update did it), I am unable to log into my campus's wireless network. I get the message "802.1x Authentication has failed. (Error: 1001 on port en1)"
I've double-checked the settings, and all looks good. Other Macs are able to log in fine but they do not have this update applied.
Other wireless connections from this computer work fine, including using another SSID on this wireless network using WPA/TKIP. Only the 802.1x auth is failing.
I'm a systems admin for the college, and I can see in the radius logs that an error is generated:
"Unexpected error. Possible error in server or client configuration."
I'm the only one getting this error. Anyone have any ideas about this?
Thanks in advance.
truk
I finally discovered what was going on. When doing either the 10.4.9 update or the AirPort update, my /System/Library/Keychains/X509Anchors file was either corrupted or completely emptied. The file did remain with 0K size.
I started noticing that all SSL connections from the computer were failing (Safari, iChat, whatever) that depended on the Mac OS X components to do the SSL validation. (Firefox continued to work fine, as it has its own SSL stack.) I then ran the Keychain file check in Keychain, which alerted me to the exact file problem.
My wife also has a MacBook with the same version of Mac OS X, so I was able to copy her X509Anchors file to my computer and everything worked perfectly after that. SSL came back, iChat works, Safari works with SSL, and 802.1x works again.
Hope that helps someone else... -
Password file auth - error ORA-01990: error opening password file '/p00/ora
Hi, I'm setting up password file auth on our existing database.
I've run this
orapwd file=orapwdt04.pwd password=secret entries=5
then set this in the .ora file
remote_login_passwordfile=exclusive
But when I restart the database I'm getting this error
ORA-01990: error opening password file '/p00/oraprod/9.2.0/dbs/orapw'
How / where do I tell the database to look for the password file?
I'm running on AIX and Oracle 9.2.0.6
thanks for looking.
The password file name must be in the format orapw<sid>, and the location of the file is $ORACLE_HOME/dbs
-
Hi all,
I have a SOWS 6.1 and I am getting the following error each time a user tries to get the page:
Client-Auth reports: Unexpected error receiving data: -5938
Do you know what it should be?
Thanks in advance
Can you tell us the exact configuration you have.
Send a request to the server to capture the details of the initial handshake which performs the client authentication through ssltap. Save the output. Also, when the certificates are exchanged ssltap will save them to a file (see the output of ssltap for the filenames it used). Get those cert files as well. -
LDAP Auth Error ccmuser web access
Hi,
I have a CUCM v9.1 with an issue for access to the ccmuser web page using the AD Credentials, I've configured the LDAP Auth in the CUCM with no error messages and also the web access for my users like this:
When I access the site http://cucm_ip_add/ccmuser first I get this message:
After that I try to log into to the web page but I get this error:
I have no issues importing the users, the problem is with the authentication.
I've checked the ldap port and I'm not using global catalog so the correct one is 389 (tried 3268 and I got an error message from the cucm ldap authentication config page).
Any ideas guys??
Thanks in advance.
One common one is that CUCM treats the username field as case sensitive. Does it have any upper case characters? You can see this within /ccmadmin under End User Configuration.
If that's not it, either a Wireshark of the LDAP bind or a stare/compare between your sync agreement and the auth config to see why one can get the user object but the other cannot bind as that person.
Please remember to rate helpful responses and identify helpful or correct answers. -
I am trying to setup leap authentication on a 1100 AP, with local radius.
Getting the following debug errors:
*Mar 2 10:23:05.311: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0023.6c85.32cd
*Mar 2 10:23:05.311: dot11_auth_dot1x_send_client_fail: Authentication failed for 0023.6c85.32cd
*Mar 2 10:23:05.311: %DOT11-7-AUTH_FAILED: Station 0023.6c85.32cd Authentication failed
*Mar 2 10:23:10.592: AAA/BIND(00000070): Bind i/f
*Mar 2 10:23:10.592: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 2 10:23:10.592: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 0023.6c85.32cd
*Mar 2 10:23:10.592: dot11_auth_dot1x_send_id_req_to_client: Client 0023.6c85.32cd timer started for 30 se
Any ideas what could be wrong with my config:
aaa new-model
aaa group server radius rad_eap
server 172.16.1.35 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa session-id common
dot11 syslog
dot11 ssid XXX
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 40bit 7 873B0AA56FCA transmit-key
encryption mode wep mandatory
broadcast-key change 300
ssid XXX
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
rts threshold 2312
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.1.35 255.255.255.0
no ip route-cache
radius-server local
nas 172.16.1.35 key 7 14001305020B297D727E
user xxxx nthash 7 0027435225792D535F796A6B2A3852444A59285D78097D7B6A177B325144545374
radius-server attribute 32 include-in-access-req format %h
radius-server host 172.16.1.35 auth-port 1812 acct-port 1813 key 7 120E04191C040F527C7D
radius-server vsa send accounting
bridge 1 route ip
If you are not using any EAP authentication, then remove the below commands:
authentication open eap eap_methods
authentication network-eap eap_methods
and issue just "authentication open"
then try connecting the wireless using the WEP key that you have configured.
Regards
Surendra -
Auth error while post good receipt thru vl02n
Hi,
During Post Goods Receipt thru t-code vl02n I am facing the error "You have no authorization for this transaction with movement type 653".
In the role I have given auth for vl01n, vl02n and vrre.
So please guide me to resolve this issue.
Hi
Please perform the transaction again. On error, type /osu53 in the transaction window. The system will open a new session and you will get details of the missing authorizations. Give it to your Basis person to grant those missing objects.
enjoy
Atul -
CAS + SPNEGO + Auth error
Hello experts,
I have the followin platform:
Tomcat 6.0.18
CAS Server 3.2.1
cas-server-support-spnego-3.2.1.jar
jcifs-1.3.8.jar
jcifs-ext-1.2.3.jar
I followed this guide to install CAS SPNEGO:
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
I was successfully able to generate a ticket with Java:
C:\Program Files\Java\jre6\bin>klist -k
Key tab: C:\Tomcat\webapps\cas\spnaccount.keytab, 1 entry found.
[1] Service principal: HTTP/[email protected]
KVNO: 3
C:\Program Files\Java\jre6\bin>kinit [email protected]
Password for [email protected]:
New ticket is stored in cache file C:\Documents and Settings\idm\krb5cc_idm
C:\Program Files\Java\jre6\bin>klist
Credentials cache: C:\Documents and Settings\idm\krb5cc_idm
Default principal: [email protected], 1 entry found.
[1] Service Principal: krbtgt/[email protected]
Valid starting: May 10, 2009 15:14
Expires: May 11, 2009 01:14
C:\Program Files\Java\jre6\bin>
But when I try to authenticate using CAS, this is the error I get:
Any ideas what's wrong?
R
There's a new error now:
C:\Documents and Settings\idm>cd %java_home%\bin
C:\Program Files\Java\jre6\bin>ktpass.exe /out C:\Tomcat\webapps\cas\spnaccount.keytab /princ HTTP/[email protected] /pass mypassword123 /mapuser [email protected] /ptype krb5_nt_principal /crypto DES-CBC-MD5
Targeting domain controller: Labtst-dc-02.labtst.net.il
Successfully mapped HTTP/lab-adm-01.labtst.net.il to spnaccount.
Key created.
Output keytab to C:\Tomcat\webapps\cas\spnaccount.keytab:
Keytab version: 0x502
keysize 70 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xe31f437cf18c0e91)
C:\Program Files\Java\jre6\bin>kinit -J-Dsun.security.krb5.debug=true -k HTTP/lab-adm-01.labtst.net.il
Config name: C:\WINDOWS\krb5.ini
KinitOptions cache name is C:\Documents and Settings\idm\krb5cc_idm
Principal is HTTP/[email protected]
Kinit using keytab
KeyTabInputStream, readName(): LABTST.NET.IL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): lab-adm-01.labtst.net.il
KeyTab: load() entry length: 70; type: 3Added key: 3version: 3
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 3.
0: EncryptionKey: keyType=3 kvno=3 keyValue (hex dump)=
0000: E3 1F 43 7C F1 8C 0E 91
Kinit realm name is LABTST.NET.IL
Creating KrbAsReq
KrbKdcReq local addresses for lab-adm-01 are:
lab-adm-01/8.205.130.125
IPv4 address
default etypes for default_tkt_enctypes: 3.
KrbAsReq calling createMessage
KrbAsReq in createMessage
Kinit: sending as_req to realm LABTST.NET.IL
KrbKdcReq send: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000, number of retries =3, #bytes=182
KDCCommunication: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000,Attempt =1, #bytes=182
KrbKdcReq send: #bytes read=175
KrbKdcReq send: #bytes read=175
reading response from kdc
KDCRep: init() encoding tag is 126 req type is 11
KRBError: sTime is Wed May 13 10:02:09 IDT 2009 1242198129000
suSec is 246135
error code is 25
error Message is Additional pre-authentication required
realm is LABTST.NET.IL
sname is krbtgt/LABTST.NET.IL
eData provided.
msgType is 30
Pre-Authentication Data: PA-DATA type = 11
PA-ETYPE-INFO etype = 3
Pre-Authentication Data: PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 15
Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
Updated salt from pre-auth = LABTST.NET.ILspnaccount
KrbAsReq salt is LABTST.NET.ILspnaccount
Pre-Authenticaton: find key for etype = 3
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
Kinit: sending as_req to realm LABTST.NET.IL
KrbKdcReq send: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000, number of retries =3, #bytes=271
KDCCommunication: kdc=labtst-dc-02.labtst.net.il UDP:88, timeout=30000,Attempt =1, #bytes=271
KrbKdcReq send: #bytes read=153
KrbKdcReq send: #bytes read=153
reading response from kdc
KDCRep: init() encoding tag is 126 req type is 11
KRBError: sTime is Wed May 13 10:02:10 IDT 2009 1242198130000
suSec is 540470
error code is 24
error Message is Pre-authentication information was invalid
realm is LABTST.NET.IL
sname is krbtgt/LABTST.NET.IL
eData provided.
msgType is 30
Pre-Authentication Data: PA-DATA type = 11
PA-ETYPE-INFO etype = 3
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more
P.S
Thanks for bringing me this far wangwj, your help is much appreciated. -
SMTP auth error, but Cyrus OK
We're using WGM for email setup and admin. We have around 1,000 users, 700 of which are on our network and don't use SMTP auth, and 300 who are off our network and do use SMTP auth. All is well, except for one account. This account was set up to forward mail, and several months later they asked us to make it a login account. They can log in and get mail, but when they try to send, SMTP authentication fails. The line in the SMTP log is:
Aug 30 10:39:43 mailx postfix/smtpd[5919]: warning: AOD: Authentication failed for user user@domain. (Open Directroy error: -14090)
I've tried all the usual stuff (re-entering the password in Mail.app, etc.), and went so far as to delete and re-create the account in WGM, but it still fails in the same way. Any ideas as to how to fix this, or how to further troubleshoot it? Thanks.
Which Auth types do you have enabled in Server Admin?
SMTP: CRAM-MD5 + Login
IMAP & POP: everything but Kerberos
If you could, please paste unmodified output of "postconf -n".
mailx:~ admin$ postconf -n
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 26214400
mydestination = $myhostname,localhost.$mydomain,localhost,opendoor.com
mydomain = opendoor.com
mydomain_fallback = localhost
myhostname = mailx.opendoor.com
mynetworks = 127.0.0.1/32,66.241.64.0/19,207.55.236.0/22
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = hash:/etc/postfix/smtpdreject
smtpd_pw_server_security_options = login,cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_use_pw_server = yes
unknown_local_recipient_reject_code = 550
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_transport = lmtp:unix:/etc/mail/db/socket/lmtp
mailx:~ admin$