SPNEGO Problem

Hello,
We have recently migrated out netweaver portal to a new hardware but spnego configuration is not working as before the migration process. We have followed many guides and check forums but we can't make it work.
please help.
Jonah

hi,
i would suggest to use webdiagtool to check the error when you open the website. Then post the error logs to check the problem, i had a similar issue but the netweaver version was 6.40? which version are you using?
can you check this doc.
SPNEGO Problem in Netweaver old releases 6.40
Let me know how it goes.
Regards,
Michael

Similar Messages

SPNEGO Problem HP-UX Java 1.4.2.18

Hello,
I have strange Problem with Spnego. I have updated the java and the portal. And now the spnego don't work.
The diagtool says :
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials fai
Any Ideas ??

Hi,
Using j2se 1.4.2_18, sapinst does not work correctly, neither.
1.4.2_17 was ok.
We should not use j2se1.4.2_18 now.
Regards,
TK

Risk Terminator ECC 6 - CC 5.2 - RFC Test: Program not registered

Dear board,
I am configuring the risk terminator functionality and stumble accross problems with the setup of the RFC destination from ECC to the CC. The connection test fails with "ERROR: program GRCRTTOCC5X not registered".
The RFC connection is of type TCP/IP, Registered Server Program, Default Gateway Value and Gateway host/service information I took from another working rfc connection.
The RFC connection is equal to the one set up in the RT configuration transaction, I have set up a dedicated connector on the CC with direction outound and GRCRTTOCC5X as report.
I have furthermore noticed that I am not able to active the SAP Adapter in the CC yet, a JCO error appears.
Any ideas?
Kind regards and many thanks,
Richard

Hi Richard,
I am sorry to bother you and distract with this query, but couldn't find your email in your profile.
Could you please contact me regarding your SPNego problem discussed in
SPNego - Windows integrated Single-Sign On not working - How to debug?
We are facing the same issue and I was curious whether you had a solution?
<b>Thanks so much</b>, Emir
My email is emirce at gmail dotcom.

Problem loggin in SPNego

Hi gurus,
i am getting the below error when i am trying to log in to url
http://<localhost>:<port>/spnego
Acquiring credentials for ream SASOL.COM failed
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:242)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:31)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:350)
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.accept
     at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
     at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)
     at sun.security.jgss.LoginUtility.run(LoginUtility.java:56)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
     ... 9 more
please help me on this
thanks
kishore

Hi Kishore,
It seems that you have missed to configure the com.sun.security.jgss.accept policy configuration. As the manual configuration is not officially supported anymore please use the SPNEGO Wizard from SAP Note 994791 to setup SPNEGO. It will resolve this problem.
Regards,
Dimitar

Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server

First of all, a quick description of our issue. We’ve tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to debug, here’s the one we see most:
KDC has no support for encryption type (14)
But we doubt it has anything to do with the encryption type, as these are set correctly everywhere.
We’ve tried following some of the instructions on the BEA website (which contain several errors).
One of them was also adding a host/ SPN (in krb5login.conf) but then, when using HTTP/ SPN we get the following error (it seems with multiple SPN’s it only takes the first or last SPN that was set):
Client not found in Kerberos database (6)
Next try was using the host/ SPN but that results in the following error:
Integrity check on decrypted field failed (31)
We’ve tried changing the default_enctypes in KRB5.INI (We’ve removed the entries, and also tried only DESCBC_MD5 and DES_CBC_CRC) but that did not change the behaviour.
We’ve tried adding the AllowTGTSessionKey registry key on client and server, but that didn’t change it either.
We are not sure what details you need for this to debug, so here’s what we’ve done to install the environment (please note that ip-addresses, domain, client and server names are made up and are different in real-life),
We have two domains:
Domain1 (DOMAIN1.COM) contains:
Domain Controller      “AD1”      with IP 192.168.0.1
Domain Controller      “AD2”      with IP 192.168.1.1
Client           “Client1”      with IP 192.168.2.1
Domain2 (DOMAIN2.COM) contains:
Domain Controller      “AD3”      with IP 10.0.0.1
Server (WebLogic)     “Server1”      with IP 10.0.1.2
Between Domain1 and Domain2 a firewall exists in which we’ve opened the relevant ports like LDAP (TCP 389), Kerberos (UDP 88), WebLogic (7001/7002).We do not see any firewall blocks on other ports…
We’ve configured AD1 (Microsoft AD with KDC) as follows:
1. Account “SSOAccountAD” created
2. Password never expires
3. DES encryption on
4. Do not require Kerberos preauthentication off
5. Password “Password” was reset several times
6. ServicePrincipalName was set using this
    setspn -A HTTP/Server1.DOMAIN1.COM SSOAccountAD7. ServicePrincipalName on AD1 was checked (and found to be ok) using this command:
    setspn -L SSOAccountAD8. KTPass was executed:
ktpass -princ HTTP/[email protected] -mapuser SSOAccountAD -pass Password9. User Logon name was checked, it's set to "HTTP/Server1"
10. ServicePrincipalName on AD2 was checked (and found to be ok) using this command:
setspn -L SSOAccountADWe’ve configured the WebLogic Server (Server1) as follows:
1. LDAP authentication was activated and test ok
2. Single Pass Negotiate Identity Asserter was created with Chosen Type “Authorization”
3. KRB5.INI file was created and added to %windir% (and C:\WINNT folder to be able to test with Java ktab and kinit which do not look in the %windir% folder):
[libdefaults]
default_realm = DOMAIN1.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes=DES-CBC-CRC
default_tgs_enctypes=DES-CBC-CRC
[realms]
DOMAIN1.COM = {
kdc = 192.168.0.1
admin_server = 192.168.0.1
default_domain = DOMAIN1.COM
[domain_realm]
.domain1.com = DOMAIN1.COM
domain1.com = DOMAIN1.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true4. We’ve installed JDK 1.5.0.12: jdk-1_5_0_12-windows-i586-p.exe
5. Keytab File was created (with password “Password”):
ktab -k SSOKeyTabFile -a HTTP/[email protected]. Keytab File and Kerberos communication was tested using:
kinit -k -t SSOKeyTabFile HTTP/[email protected]. Keytab File and Kerberos communication was tested using Java (incl. Debugging):
java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t SSOKeyTabFile HTTP/[email protected]. Keytab was listed:
java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Klist9. SSOKeyTabFile was copied to the WebLogic ProductionDomain folder
10. The krb5login.conf file was created and copied to the WebLogic ProductionDomain folder:
com.sun.security.jgss.initiate {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/[email protected]" useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal=" HTTP/[email protected] " useKeyTab=true
     keyTab=SSOKeyTabFile storeKey=true debug=true;
};11. WebLogic service and startWeblogic.cmd were modified with the following parameters:
-Djava.security.krb5.realm=DOMAIN1.COM
-Djava.security.krb5.kdc=192.168.0.1
-Djava.security.auth.login.config=<ProductionFolder>\krb5login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dweblogic.security.enableNegotiate=true
-DDebugSecurityAdjudicator=true
-Dweblogic.debug.DebugSecurityAtn=true
-Dweblogic.debug.DebugSecurityAtz=true
-Dweblogic.Debug.DebugSecurityATN=true
-Dweblogic.StdoutSeverityLevel=64
-Dweblogic.StdoutDebugEnabled=true
For the client pc (Client1) we’ve checked the browser settings:
     Automatic Logon only in Intranet Zone
     Enable Integrated Windows Authentication
On the client we’ve used “kerbtray.exe” to see whether a kerberos token is created, and it is (although with the full domain name, HTTP/Server1.domain1.com).
We’ve checked for Kerberos communication with Wireshark and see that the client does communicate, and passes the SPNEGO token to the WebLogic server, but we do not see any Kerberos communication on the WebLogic server. The server simply requests Authorisation again…
If required we have the full wireshark traces of the WebLogic Server and the Client. We also have very detailed WebLogic tracing which I can provide.
Any thoughts?
Kind Regards,
Nika.

It turned out to be solved by removing the SSOAccount in AD and recreating it (including re-setting the password, which had already been done several times).
Regards,
Nika.

V8 SP4 SPNEGO Identity Asserter problem

I configured my domain to authenticate against AD using the SPNEGO Identity Asserter.
Two questions.
1) How do I do authorization ? Do I enter the name of an AD group in the webapps weblogic.xml under Principal-Name? Or use weblogic groups (if so, how do the userids get matched) ?
2) It doesn't work - I get challenged for userid/pwd/domain.
In debug, I get:
"Found NTLM token when expecting SPNEGO"
What can I do about this ?
Some lines from debug...
<PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found NTLM token when expecting SPNEGO>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <RoleManager.getRoles subject: Subject: 0
Resource: type=<url>, application=earspnegodemo, contextPath=/earspnegodemo, uri=/index.jsp, httpMethod=GET>
####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default RoleMapper getRoles(): input arguments:
Subject: 0
Thanks,
Mike

The documentation on dev2dev appears to change all the time and without notice. I run Google beta which caches all visited web pages and one of the documents for WL enterprise security has three different versions in my cache each with slightly different implementation instructions.
Anyway, I have implemented SSO using WL and AD using a third party Spnego identity asserter in the past and I presume the asserter which is now built in to sp4 works in the same way. You need to set up an active directory authenticator to enable weblogic to 'see' the users and roles in the AD domain.
When you access the protected web application from the client pc (the one in the AD domain) the url used has to contain the SPN name
eg http://domainname.project.net/test where domainname is the SPN.
and not http://192.168.7.2:7001/test
I think this is what triggers IE to send the kerberos ticket during the negotiate step.
The order of the identity asserters (in the WL console) is important the SPNEGO one should be first and the AD one should be second and have a value of SUFFICIENT for the control flag.
I have done all of the above and it still doesn't work but I think that there should be a servlet to handle the kerberos negotiation. A previous version of the WLES documentation does mention a negotiate servlet but has since been removed. I have sent an email to one of the security gurus at BEA, but as I am out of the office all week I don't know if I have a reply.
I don't know if the above is of any use but I will post more info as I get it.
Stephen

Problem in SPNego???

Hi all,
i am trying to implement SPNego on my server,
the steps i have done are
1)Deployed EARs
&#56256;&#56452; sap.comtcsecauthjmx~ear.ear
&#56256;&#56452; sap.comtcsecauthspnego~wizard.ear
&#56256;&#56452; security_example.ear
2)Created a service user as j2ee-E60(i.e. SID)
next step i have to do is set the service principal name(SPN)
i ran following command in command prompt
c:/> setspn -A HTTP/<j2ee host name> <service user>
but on this i am getting error that setspn is not an internal or external command..
Please Note: I am using windows server 2003 EE.
the doc i am using is for windows 2000 ADS environment,not for 2003 ADS,
can anyone guide me through??its very urgent
regards,
Ameya

Hi,
It appears the setspn.exe is not installed on your ADS. Try using this and then run the command.
http://www.microsoft.com/downloads/details.aspx?familyid=5fd831fd-ab77-46a3-9cfe-ff01d29e5c46&displaylang=en
Cheers!!

SPNEGO vs NTLM issue

Hi,
I'm trying to configure SSO for my web application using IIS as webserver
and the IIS-Weblogic proxy plugin provided by bea. I use Weblogic 8.1 SP4.
I followed the procedure described in the dev2dev documentation and now I am
stuck with a ntlm vs spnego issue.
Here is what I get from a full security debug in my Weblogic log:
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
<PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000> <Found NTLM token
when expecting SPNEGO>
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
<PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
My iis plugin log shows that everything seems to be ok, the client first
receives a 401 response and then sends a [WWW-Authenticate] Negociate
header, including a Kerberos token in base 64. The only problem is that it
seems that this token is ntlm instead of spnego:
Thu Jun 09 13:50:07 2005 WLS info in sendRequest: myweblogicserver.com
recycled? 0
Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
Unauthorized xxx
Thu Jun 09 13:50:07 2005 Hdrs from client:[Authorization]=[Negotiate
TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
Thu Jun 09 13:50:07 2005 Hdrs to WLS:[Authorization]=[Negotiate
TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
Unauthorized xxx
as a result of all this, I get a basic authentication prompt when I try to
access my web application.
any help would be greatly appreciated.
Thanks!

Hi,
Thanks for your information. I finally managed to solve my ntlm/spnego
issue. In fact, it seems that I had no problem other than trying to test it
from the same computer on which my WLS is installed. When I invoke my web
application from another computer on the network, I dont get this
ntlm/spnego issue.
But now I have another problem. First, when I try to access my web
application, WLS prompts me (in the server window) for the password of the
SPN account for my server. I though it was supposed to use the keytab file
for it, but anyway, this is maybe a part of my problem.
If I type the correct password, it continues, but I get this chained
exception:
>
GSSException: No valid credentials provided (Mechanism level: Attempt to
obtain new ACCEPT credentials failed!)
Caused by: javax.security.auth.login.LoginException: Pre-authentication
information was invalid (24)
Caused by: KrbException: Pre-authentication information was invalid (24)
Caused by: KrbException: Identifier doesn't match expected value (906)The root cause seems to be "Identifier doesnt match expected value".. I
really dont know what it means. I am still trying to solve this so any help
would be appreciated and I will also post any other information I get on the
subject.
Thanks
<regis piccand> a ?crit dans le message de news:
[email protected]..
Hi,
I am currently trying to achieve the same configuration, and I noticed
that this happens when, in the setup of the Single Passe Negotiate
Identity Asserter, you choose the SPNEGO.AtnAssertion type (which seems to
be here only for compatibility reason - see
http://e-docs.bea.com/wles/docs42/adminguide/providers.html#1150785).
Removing this type helped in my case. However, I am now stuck with a GSS
exception No Valid Credentials provided (see my post at
http://forums.bea.com/bea/thread.jspa?threadID=600004578&tstart=0)
Hope this helps,
Kind regards,
Regis

Could not validate SPNEGO token.java.lang.Exception: Checksum error.

Hello consultant:
We are trying configurated SSO usind SPNEGO module
We have a portal 7.0 ehp1 and Active Directory Microsoft versión 2003 native
we have followed the steps described in note Sap 1457499"Note 1457499 - SPNego add-on"
When we have logged with user Active Directory and we try access to portal we obtain following error:
Authorization check user error
We have Deploy the Web diagtool from SAP Note 1045019 on the J2EE server, run it and perform the
following steps:
1. Select "Component" = "security" and "Activity" = "all"
2. Click the "Go" button, followed by the "Add All" button
3. Select "Component" = "All" and in the "Search pattern" field write "com.sap.security.spnego"
4. Click the "Go" button, followed by the "Add All" button
5. Start the tool
Then we have reproduce the problem and stop the tool. The generated zip file will contain following error:
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~p.security.spnego.krb5.crypto.DesCrypto Checksum error! checksum: 0xc46bfed8d0dbc54221ee75405c8cd5ac; calculated checksum: 0x6ead7e801608b729a6957597327f2ba5
15:45:20:078 Error J2EE_GST_PRD SAPEngine_Application_Thread[impl:3]_15 ~m.sap.security.spnego.SPNEGOLoginModule Could not validate SPNEGO token.
java.lang.Exception: Checksum error.
at com.sap.security.spnego.krb5.crypto.DesCrypto.decrypt(DesCrypto.java:43)
at com.sap.security.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:81)
at com.sap.security.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:67)
at com.sap.security.spnego.SPNEGOLoginModule.parseAndValidateSPNEGOToken(SPNEGOLoginModule.java:234)
at com.sap.security.spnego.SPNEGOLoginModule.processAuthorizationHeader(SPNEGOLoginModule.java:385)
at com.sap.security.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:102)
at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)
at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:61)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)
at java.lang.reflect.Method.invoke(Method.java:391)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:912)
at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:367)
at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:181)
at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:541)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:430)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
at com.sap.portal.navigation.Gateway.service(Gateway.java:126)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(AccessController.java:219)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
Could you help us?
Many thanks for your collaboration

<< Do not post the same question across a number of forums >>

Help-kerberos works with spnego keytab file but not in netbeans and Metro

Hi,
Appreciate if someone can shed some light on this problem and guide on what else am I missing.
I'm trying to call .NET based WCF webservice (MS Dynamics CRM - OrganizationSvc) from a java client. Started looking at Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke web service. However the challenge was using Kerberos based authentication and related setup.
I primarily followed the link below which was very helpful but had to dig more to get more specific details.
http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services
Tried to follow netbeans route and hit some roadblocks in verifying the setup (krb5.conf & login.conf & wsit-client.xml). So, came across SPNEGO and used their examples, made changes accordingly and after experimenting with various configuration settings(krb5.conf and login.conf), finallyI was able to run HelloKDC & HelloKeytab files successfully.
krb5.conf_
[libdefaults]
default_realm = NA.CONVERGYS.COM
[realms]
NA.CONVERGYS.COM = {
kdc = CDCWW13.na.convergys.com
admin_server = CDCWW13.na.convergys.com
[domain_realm]
.na.convergys.com = NA.CONVERGYS.COM
login.conf_
spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
doNotPrompt=false
storeKey=true
principal="HOST/ORLDWV705.na.convergys.com"
debug=true;
C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab
Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.
[1] Service principal: HOST/[email protected]
KVNO: 7
With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.
http://spnego.sourceforge.net/index.html
http://spnego.sourceforge.net/client_keytab.html
http://spnego.sourceforge.net/troubleshoot_hellokeytab.html
However, when I run the example in Netbeans with the setup mentioned in the link below, I run into following exception...
http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html
1) noticed that sc:KerberosConfig element in wsit-client.xml does not get updated automatically in netbeans ide, so manually edited to put the entries.
2) also followed the setup required in glassfish domain.xml & login.conf xml.
3) also noticed that netbeans setup requires us to use C:\Windows\krb5.ini file which is nothing but krb5.conf file referred elsewhere.)
wsit-client.xml_
<wsp:Policy wsu:Id="ClientKerberosPolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sc:KerberosConfig wspp:visibility="private"
loginModule="KerberosClient"
servicePrincipal="HOST/ORLDWV705.na.convergys.com"
credentialDelegation="true" />
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
ERROR
INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
SEVERE: WSITPVD0050: Error while Securing Request Message.
com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (i tried to search open source code, but this line did'nt match exactly)
at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
SEVERE: SEC2004: Container-auth: wss: Error securing request
javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more
WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
... 40 more
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more
Edited by: user6748004 on Feb 3, 2011 5:36 PM
Edited by: user6748004 on Feb 3, 2011 5:38 PM

Hi Gasha,
The only change I did after this, was to try and use 'KerberosServer' configuration from the wsit-client.xml. Atleast, this enabled the glassfish application to load the configuration related to keytab etc, and use it to communicate with the WCF service for negotiation.
<sc:KerberosConfig wspp:visibility="private"
loginModule="KerberosServer"
servicePrincipal="HOST/ORLDWV705.na.convergys.com"
credentialDelegation="true" />
login.conf has
KerberosServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
doNotPrompt=false
storeKey=true
principal="HOST/ORLDWV705.na.convergys.com"
debug=true;
fyi.. Used the following way to create the keytab
Keytab was created using below instructions
ktpass -princ HOST/[email protected]
-mapUser [email protected]
-mapOp set
-pass *
-crypto DES-CBC-MD5
-pType KRB5_NT_PRINCIPAL
-out orldwv705.keytab
Targeting domain controller: CDCWW13.na.convergys.com
Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
Key created.
Output keytab to orldwv705.keytab:
Keytab version: 0x502
keysize 75 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using set SPN commands on the AD of the server where CRM is installed.
With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I did'nt get any success.
This is where I'm struck now. What I don't know is if there is another setup from which we can try a similar interoperability example for ex.. weblogic 10.1 & eclipse which is more close to our real environment.
SEVERE: SEC2004: Container-auth: wss: Error securing request
java.lang.IllegalArgumentException: Missing argument
at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)
Edited by: user6748004 on Apr 8, 2011 10:39 AM

HTTP/SPNEGO for "SSO" on MS Windows

HTTP/SPNEGO for "SSO" on MS Windows
Hi all of you !
The scene is simple : I got a software (All in plain java ) and some simple web access to this system. ( it's not a real web server wich will be in need for Apache or some big container it's just a few access to some informations of the software )
The client company is all MS Windows, and it's used to some SSO approach,
they got a AD server on Win2003, all laptops are under winXP Pro and got IE at least version 6
Now The question is this ;
I got
-a guy (properly authentified) who is
- using IE (properly setted)
- on a computer (properly attached to AD)
to access a ressource URL of my app
It's quite simple to send him a http 401 or 407 so IE go back to the AD server and get its token
BUT how can I manage in java to extract the account used by the client
from the SPENEGO token ? this is all I need
I cant find any help on this, So please if someone can help me in this...
I'm lost ... Thanks in adavnce for a simple hint or a url linking me on the good path

I forget :
Ok for the configuration, thanks to some of your posts (thanks all)
I know all the importants steps to be followed
For exemple I quote danielshrem last post on the thread http://forum.java.sun.com/thread.jspa?forumID=545&threadID=760214
<quote>
Hey Seema,
Indeed my server's principal was not the correct one, now everything is cool with rc4 encryption.
for all u dudes out there in need of Java HTTP kerberos auth here's a few simple configuration procedures:
1. on the Domain Controller add an HTTP SPN to the account running the web service (use setspn.exe). the SPN has to be in format HTTP/host@Realm or HTTP/host (this SPN worked for me). if u dont know exactly which SPN u need u can sniff an HTTP session on ethereal look for Kerberos AP Req-->ticket-->Server Name. from what i gather this is the principal the clients use.
2. on the DC add a mapping to the newly created SPN (use ktpass.exe)
3. on the host running the service create a keytab file containing the newly created HTTP principal (use java's ktab.exe)
4. make sure the SPN is set up OK by running kinit and pass the newly created keytab file and the newly created SPN.
once u recieve an ok result you are good to go (login and authenticate users)
hope this helps
Daniel.
</quote>
My problem (I know it must sounds stupid) : how do I extract the login account from this ?

Please help. Negotiate field in http header - Kerberos, SPNEGO, Base64... ?

Hello to you all.
I'm trying to implement a Kerberized SSO solution in Win2000
environment. The web servers are apaches, the clients are IE5.5+
But I had encountered the following problem:
I wrote a servlet in java on the web server that sends 401 http error
+ "Negotiate" in the www-authenticate field. Then the client sends me
back in the same field "Negotiate " and a long string that ends with
'==' and it's somehow encoded...
That's the problematic point. I saw it's encoded in base64, but
decoding it didn't brought me to anything. Furthermore, I read that
it's a spnego protocol. What am I doing with that? Does JDK1.4 gives
enough to work with that?
All I know that in that string is the TGS sent to me... and that's all
I need to authenticate my client, don't I?!
Do you know what should I do with that string? Can you tell me what am
I missing? Should I decode it with the '==' or without? What does it
mean anyway?
I'd really appriciate if you help me.
Thanks very much in advance,
Danik.

Close... SPNEGO is a GSSAPI mechanism for negotiating another mechanism. JDK 1.4 comes with a Kerberos mechanism provider out of the box, but not SPNEGO. Even though Microsoft's "Negotiate" auth method ends up negotiating Kerberos, you need to have a SPNEGO provider installed to effectively tell it to use Kerberos.
The '==' is Base64 padding (the Base64-encoded string will end in '=' or '==' if the input content length is not divisible by 3). You would include it when decoding. The byte array you get from decoding is fed to the acceptSecContext method in org.ietf.jgss.GSSContext -- but you will get an "unknown mechanism" error if you don't have a SPNEGO mechanism provider.
If you don't have the inclination to write a provider yourself (I know I wouldn't), and you have some cash to spend (I know I don't), you can get a SPNEGO provider from:
http://www.wedgetail.com/jcsi/sso/FAQ.html
They actually provide a complete solution for doing exactly what you are attempting.
If you are just looking to provide single sign-on to a web application for Windows clients, and you don't necessarily need to do it via Kerberos, jCIFS provides a solution for performing NTLM authentication (the precursor to Negotiate, which authenticates against NT/Samba domains). You can get jCIFS from
http://jcifs.samba.org
The site is temporarily transitioning to a new ISP, so the latest version (0.7.5) can actually be found at:
http://users.erols.com/mballen/jcifs
The client side of NTLM is also supported in JDK 1.4.2, which would allow single sign-on for applets or Java applications.

Direct links to the KM doesn't work under Kerberos (SPNego)

Hello,
We are running NW04 SP16 and successfully implemented Kerberos
authentication using the SPNego module.
The problem we are facing is this: If we put a URL to a certain KM file
at the browser, like this:
http://<host>:50000/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/....
The user is being prompted for User name and password and even after
entering the correct ones it doesn't work. If the same user is opening
this link from inside the portal (from an iView for example) the link
is working. When we used NTLM this option used to work.
I have implemented SAP Note 993579 yet it didn't solve the problem.
I also tried changing the Authentication Schema property of the com.sap.km.document template iView to "default" yet this as well didn't help.
Any suggestions?
Regards,
Roy

Hey Detlev,
Yes I am referring to the same oject.
The thing is that Brad says that the changing of the authentication schema needs to be done together with the note. I first tried the note and in order to track changes I reverted the note and tried the authentication schema change separately. I didn't try to implement both of them together. I will try it and let you know...
Regards,
Roy

SPNego not working for EP UME DB

Hi,
We have try to implement SPNego in EP 7.0 EHP2 SP9, We follow all steps maintain as per document attached to SAP Note 1488409.
But User is still prompted for logon screen.
Below is Hardware detail: (all are in same domain)
Active directory : Windows 2008 Enterprise Server R2
Portal Server: Windows 2008 Server Standard
Client : Windows Vista Ultimate SP2
Below is the steps which I performed to configure :
KDC Configuration:
Windows Domain: windomain.corp
FQDN Portal: ephost.windomain.corp
SID Portal: p11
- Create a service user j2ee-p11-ephost with password never expired
- Disable Data Encryption Standard (DES) support for this account
- Register SPN as below
setspn u2013a HTTP/ephost.windomain.corp j2ee-p11-ephost
UME Configuration :
Mapping Mode: Principal only
mapped to: logon ID
Configure Encryption Key:
-Using JDK1.6 we generated keytab file.
ktab u2013a j2ee-p11-ephost @ windomain.corp u2013k keytab
-Finally we add the generated keytab in Created Realm
-Enable the Realm
Adjust The Authentication Stack:
- In visual Administrator ServerXX -> Services -> Security Provider Service -> ticket
We add SPNegoLoginModule with OPTIONAL flag
-> Restart the Portal server.
Please help me.
Thanks & Regards,
Kaushal

Hi,
I think there was a problem on configuration with SPNego module configure in Visual Admin tool.
(Visual admin -> SID -> ServerXX -> Services -> Security provider -> ticket)
Below is how my login modules look like
com.sap.security.core.server.jaas.EvaluateTicketLoginModule : SUFFICIENT: ume.configuration.active = tue
SPNegoLoginModule : OPTIONAL : No Options define !!
BasicpasswordLoginModule: REQUISITE
com.sap.security.core.server.jaas.CreateTicketLoginModule: OPTIONAL : ume.configuration.active = tue
Am i forgort something to put in options for SPNegoLoginModule ?
Thanks & Regards,
Kaushal

Mega problem with OSX - XP - VISTA sharing

hello.
first of all i want to say that i am not network-guru (so you could see some silly stuff here =) but also i am not /basic/ user (i know how to plug a cable properly =) and i was trying to google my problem for a few days and finally i will try to find help here...
i have few machines with various operating systems;
osx 10.5.4
windows vista home premium
windows vista ultimate
windows xp sp2
there are 10 machines and all of them share at least 1 directory or disk over the network. all windows are set up to map network drives (also one disk from osx) and osx is connecting to windows drives through standard smb:// protocol.
now... i am aware of all the problems with sharing stuff between osx and win, especially in my case, so my first question would be:
is there any GOOD tutorial how to set up such network properly??
i have seen few of them but seems that there are problems occurring again (i guess mostly because of vistas :P)
for example;
i want one of my osx to share TWO DISKS and TWO FOLDERS.
in osx preferences i set up everything correctly in sharing and users (btw, guest account is disabled on ALL machines!) but when i log in (from any machine) i can see ALL DISKS plus TWO SHARED FOLDERS plus MY USER'S FOLDER and everything is accessible and writable etc... after few restarts and trying to disable/enable file sharing, clearing caches and such stuff on osx, i tried to edit smb.conf from /etc and also from /var/db and by default option in [homes] part which says 'browseable' is set to NO... i tried to change 'read only = no' to YES and changed 'com.apple: show admin all volumes = yes' to NO and after that some strange happened... (i will not emphasize reboot points of ALL computers but it was done after each step =)
xp machines could see TWO DISKS, ONE FOLDER, MY USER'S DIR
vista machines could see TWO DISKS, ONE FOLDER (different than xp), MY USER'S DIR
osx could see ALL DISKS, TWO FOLDERS, MY USER'S DIR
EVERYTHING was writable.
if i would click to browse one of those disks on osx i could see everything inside but if i go back to the root of that computer, disk would instantly DISAPPEAR and become unaccessible from that pc. same on others.
now i left smb.conf files in default setting so everybody can see everything and everything is writable. =( after googling 'smb.conf' combinations i have seen that some people have completely different setups... how could i know which one is right for my osx?
generally my second question is: WHAT SHOULD I DO TO MAKE EVERYTHING WORKS FINE?
i hope you understood my problem because i am little bit lost in all this...
in addition there are my smb.conf files
/etc/smb.conf
; Configuration file for the Samba software suite.
; ============================================================================
; For the format of this file and comprehensive descriptions of all the
; configuration option, please refer to the man page for smb.conf(5).
; The following configuration should suit most systems for basic usage and
; initial testing. It gives all clients access to their home directories and
; allows access to all printers specified in /etc/printcap.
; BEGIN required configuration
; Parameters inside the required configuration block should not be altered.
; They may be changed at any time by upgrades or other automated processes.
; Site-specific customizations will only be preserved if they are done
; outside this block. If you choose to make customizations, it is your
; own responsibility to verify that they work correctly with the supported
; configuration tools.
[global]
debug pid = yes
log level = 1
server string = Mac OS X
printcap name = cups
printing = cups
encrypt passwords = yes
use spnego = yes
passdb backend = odsam
idmap domains = default
idmap config default: default = yes
idmap config default: backend = odsam
idmap alloc backend = odsam
idmap negative cache time = 5
map to guest = Bad User
guest account = nobody
unix charset = UTF-8-MAC
display charset = UTF-8-MAC
dos charset = 437
vfs objects = darwinacl,darwin_streams
; Don't become a master browser unless absolutely necessary.
os level = 2
domain master = no
; For performance reasons, set the transmit buffer size
; to the maximum and enable sendfile support.
max xmit = 131072
use sendfile = yes
; The darwin_streams module gives us named streams support.
stream support = yes
ea support = yes
; Enable locking coherency with AFP.
darwin_streams:brlm = yes
; Core files are invariably disabled system-wide, but attempting to
; dump core will trigger a crash report, so we still want to try.
enable core files = yes
; Configure usershares for use by the synchronize-shares tool.
usershare max shares = 1000
usershare path = /var/samba/shares
usershare owner only = no
usershare allow guests = yes
usershare allow full config = yes
; Filter inaccessible shares from the browse list.
com.apple:filter shares by access = yes
; Check in with PAM to enforce SACL access policy.
obey pam restrictions = yes
; Make sure that we resolve unqualified names as NetBIOS before DNS.
name resolve order = lmhosts wins bcast host
; Pull in system-wide preference settings. These are managed by
; synchronize-preferences tool.
include = /var/db/smb.conf
[printers]
comment = All Printers
path = /tmp
printable = yes
guest ok = no
create mode = 0700
writeable = no
browseable = no
; Site-specific parameters can be added below this comment.
; END required configuration.
/var/db/smb.conf
# Configuration options for smbd(8), nmbd(8) and winbindd(8).
# This file is automatically generated, DO NOT EDIT!
# Defaults signature: a13310200e774008e7f854700000293c480000
# Preferences signature: 200e4bd28a0b1e026490000552000000
# Configuration rules: $Id: rules.cpp 32909 2007-08-17 23:07:40Z jpeach $
# Server role: Standalone
# Guest access: never
# NetBIOS browsing: not a master browser
# Services required: org.samba.smbd org.samba.nmbd
[global]
security = USER
auth methods = odsam
netbios name = Azriel
workgroup = group
dos charset = 437
server string = Azriel
ntlm auth = yes
lanman auth = no
max smbd processes = 10
log level = 1
use kerberos keytab = yes
com.apple: lkdc realm = LKDC:SHA1.5587265F45481D473800CE75CE481F5A07475F59
realm = LKDC:SHA1.5587265F45481D473800CE75CE481F5A07475F59
map to guest = Never
domain master = no
preferred master = no
enable disk services = yes
enable print services = no
wins support = no
[homes]
comment = User Home Directories
browseable = no
read only = no
create mode = 0750
guest ok = no
com.apple: show admin all volumes = yes
[global]
thanks for ANY help!

somebody? something? anyhing? please! =)

SPNEGO Problem

Similar Messages

Maybe you are looking for