SPNEGO vs NTLM issue

Hi,
I'm trying to configure SSO for my web application using IIS as webserver
and the IIS-Weblogic proxy plugin provided by bea. I use Weblogic 8.1 SP4.
I followed the procedure described in the dev2dev documentation and now I am
stuck with a ntlm vs spnego issue.
Here is what I get from a full security debug in my Weblogic log:
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
<PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000> <Found NTLM token
when expecting SPNEGO>
<2005-06-09 13 h 50 EDT> <Debug> <SecurityDebug> <000000>
<PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
My iis plugin log shows that everything seems to be ok, the client first
receives a 401 response and then sends a [WWW-Authenticate] Negotiate
header, including a Kerberos token in base 64. The only problem is that it
seems that this token is ntlm instead of spnego:
Thu Jun 09 13:50:07 2005 WLS info in sendRequest: myweblogicserver.com
recycled? 0
Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
Unauthorized xxx
Thu Jun 09 13:50:07 2005 Hdrs from client:[Authorization]=[Negotiate
TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
Thu Jun 09 13:50:07 2005 Hdrs to WLS:[Authorization]=[Negotiate
TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgKAAAAD1NTUU5UMTY1NlNTUVZJRQ==]
Thu Jun 09 13:50:07 2005 Hdrs from WLS:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Hdrs to client:[WWW-Authenticate]=[Negotiate]
Thu Jun 09 13:50:07 2005 Going to send headers to the client. Status :401
Unauthorized xxx
As a result of all this, I get a basic authentication prompt when I try to
access my web application.
Any help would be greatly appreciated.
Thanks!

Hi,
Thanks for your information. I finally managed to solve my ntlm/spnego
issue. In fact, it seems that I had no problem other than trying to test it
from the same computer on which my WLS is installed. When I invoke my web
application from another computer on the network, I don't get this
ntlm/spnego issue.
But now I have another problem. First, when I try to access my web
application, WLS prompts me (in the server window) for the password of the
SPN account for my server. I thought it was supposed to use the keytab file
for it, but anyway, this is maybe a part of my problem.
If I type the correct password, it continues, but I get this chained
exception:
GSSException: No valid credentials provided (Mechanism level: Attempt to
obtain new ACCEPT credentials failed!)
Caused by: javax.security.auth.login.LoginException: Pre-authentication
information was invalid (24)
Caused by: KrbException: Pre-authentication information was invalid (24)
Caused by: KrbException: Identifier doesn't match expected value (906)
The root cause seems to be "Identifier doesn't match expected value". I
really don't know what it means. I am still trying to solve this so any help
would be appreciated and I will also post any other information I get on the
subject.
Thanks
<regis piccand> wrote in message news:
[email protected]..
Hi,
I am currently trying to achieve the same configuration, and I noticed
that this happens when, in the setup of the Single Pass Negotiate
Identity Asserter, you choose the SPNEGO.AtnAssertion type (which seems to
be here only for compatibility reasons - see
http://e-docs.bea.com/wles/docs42/adminguide/providers.html#1150785).
Removing this type helped in my case. However, I am now stuck with a GSS
exception No Valid Credentials provided (see my post at
http://forums.bea.com/bea/thread.jspa?threadID=600004578&tstart=0)
Hope this helps,
Kind regards,
Regis
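
The "Found NTLM token when expecting SPNEGO" message in the first post can be confirmed from the plugin log itself, because the leading bytes of the base64 blob after "Negotiate" identify the mechanism. The script below is an added example, not part of the original thread or of BEA's code; classify_negotiate and SAMPLE_SPNEGO are names and data constructed for illustration, while PAGE_HEADER is the header value from the log above.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# Header value copied from the IIS plugin log in the first post.
PAGE_HEADER = ("Negotiate TlRMTVNTUAABAAAAB7IIogYABgAxAAAACQAJACgAAAAFASgK"
               "AAAAD1NTUU5UMTY1NlNTUVZJRQ==")
# Constructed sample: a GSS-API wrapper that carries only the SPNEGO OID.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    bytes.fromhex("6008" "0606" "2b0601050502")).decode()


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _ntlm_field(raw, pos):
    """Read an NTLM (len, maxlen, offset) security buffer; '' if out of range."""
    length, _, offset = struct.unpack_from("<HHI", raw, pos)
    if length == 0 or offset + length > len(raw):
        return ""
    return raw[offset:offset + length].decode("ascii", "replace")


def _parse_ntlm(raw):
    """Summarise a raw NTLMSSP message: its type and, for type 1, its names."""
    info = {"kind": "ntlm", "message": "truncated"}
    if len(raw) < 12:
        return info
    mtype = struct.unpack_from("<I", raw, 8)[0]
    info["message"] = NTLM_TYPES.get(mtype, "unknown")
    # A type 1 message may name the sending domain and workstation (OEM charset).
    if mtype == 1 and len(raw) >= 32:
        info["domain"] = _ntlm_field(raw, 16)
        info["workstation"] = _ntlm_field(raw, 24)
    return info


def classify_negotiate(header_value):
    """Classify the token of an HTTP 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"kind": "not-negotiate"}
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"kind": "invalid-base64"}
    if raw.startswith(NTLMSSP_SIG):
        # Raw NTLMSSP sent under the Negotiate scheme: no SPNEGO wrapper at all.
        return _parse_ntlm(raw)
    if raw[:1] == b"\xa1":
        # Follow-up SPNEGO messages are not wrapped in the GSS-API header.
        return {"kind": "spnego", "message": "negTokenResp"}
    if raw[:1] != b"\x60":
        return {"kind": "unknown"}
    try:
        # GSS-API InitialContextToken: [APPLICATION 0] { mechanism OID, ... }
        _, pos = _der_len(raw, 1)
        if raw[pos] != 0x06:
            raise ValueError("mechanism OID missing")
        oid_len, pos = _der_len(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
    except (ValueError, IndexError):
        return {"kind": "malformed-gss"}
    if oid == SPNEGO_OID:
        return {"kind": "spnego", "message": "negTokenInit"}
    if oid == KRB5_OID:
        return {"kind": "kerberos-without-spnego"}
    return {"kind": "other-gss-mechanism"}


if __name__ == "__main__":
    for label, value in (("page log", PAGE_HEADER), ("constructed", SAMPLE_SPNEGO)):
        print(label, classify_negotiate(value))
```

A "spnego" result only shows that the wrapper is present; the SPNEGO exchange can still settle on NTLM as the inner mechanism, so it does not by itself prove Kerberos was used.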

Similar Messages

  • Using Basic or NTLM for PSC to PO communication

    Basic authentication is the easiest to get working, so we generally recommend that users start there, especially when setting up your first IAC environment.  Consider NTLM as a more secure advanced option.
    It can be difficult to troubleshoot the NTLM issues described below, which is why we recommend basic for beginning users.
    Now the NTLM option is more secure than basic authentication, which sends the password in clear text over the wire. This may not be as much of an issue if you use SSL, but it is certainly best practice to use both NTLM and SSL. So in a customer environment, it is best to work through these concerns to establish security. We are seeing more and more customers doing security audits, so we will want to make customer environments use NTLM.
    A challenge with NTLM authentication is that the list of supported authentication schemes in the 2 products do not match.
    PO uses whatever version of NTLM the domain is using. You can’t actually select v1 or v2. In the future we will make a UI change to indicate that this is vulnerable to the domain of the account you specify and what version of NTLM it is configured for, but for now you need to understand that. At the end of the day, it’s in PSC where you specify the account which will determine which domain is used. If you’re using anything newer than W2K8R2, you’re probably running v2, unless you’ve manually set the domain to downlevel (e.g. for legacy application compatibility). PO is at the whim of your authenticating domain as to which version of NTLM will be required.
    In PSC, one specifies exactly which NTLM version is to be used in the authentication.
    Also, when specifying the connection in IAC of PSC, NTLM is actually NTLM v1, while NTLM is v2. 
    So in the IAC configuration wizard, if you are going to use NTLM, you need to specify the NTLM version to match the domain of the user credential you use to connect to PO, specifying NTLM if it is v1 and NTLMv2 if it is v2.

  • Java SE Ver 7 Uxx locking out domain user account failing Kerberos PreAuth

    Java SE Ver 7 all updates are failing Kerberos Pre_Auth and locking domain user accounts because of truncated UDP packets.
    When a user opens a page that uses JavaScript their domain account gets a bad password, subsequent openings in the lockout threshold window (5 in 30 minutes for us) results in a domain account lockout.
    I have done extensive troubleshooting of this issue and have root caused and been able to prevent it with a less desirable solution. Oracle fixes for the bug below (basically same issue) do not work for me or I'm implementing them incorrectly.
    This affects XP\Win7 (32Bit browsers with IE 8 and 9).
    Java SE Ver 7 U21 and lesser updates are failing Kerberos Pre_Auth (KRB5KDC_ERR_PREAUTH_FAILED) due to the use of UDP instead of TCP. Starting with the SRV request, UDP exceeds MTU and gets truncated en route to the KDC. This results in the eventual response from the KDC as bad credential and eventual account lockout if user repeats call for Java.
    We have been able to force TCP by blocking UDP 88 on a test station's windows firewall. This prevents the bad password, but injects a delay while kerberos times out UDP and fails to TCP.
    Java BUG 8009875 lists the "udp_preference_limit=1" value that forces Java to use TCP, but I can't get this working with a KRB5.config or KRB5.ini file in the c:\windows directory. Even utilizing an environment variable KRB5_CONFIG does not work.
    Our expected result is to force Java 7 to use TCP for Kerberos transactions and not UDP. This will be a stop gap until the release of Version 8 next year, which BUG 8009875 says corrects the default UDP call to TCP.

    I had this same issue. My fix was to create a custom JAAS config file that specifies not to use the local TGT cache.
    If you would like I could provide you with this setup.  1.7 uses GSS/SPNEGO as the first method of auth, this will essentially disable this method of single-sign on.
    Http Authentication
    GSS/SPNEGO -> Digest -> NTLM -> Basic
    It looks like you got a fix so this post could be worthless

  • Non-safari browsers on osx access to XI

    We have large number of researchers on Macs needing access to BO XI Rel 3 ( 12.1.0 ) with Tomcat as the server.
    We need them to be able to get via SSO however any browser used (Firefox, Opera, Safari) gets a 401 (authorization error).  This did not happen when we were using IIS as the server.  We upgraded in order to take advantage of certain features but got bit by this.
    We've altered Firefox's parameters
      network.automatic-ntlm-auth.trusted-uris
      network.negotiate-auth.delegation-uris
      network.negotiate-auth.trusted-uris
    which didn't do anything.
    An official support ticket yielded "We don't support non-IE browsers".
    This is probably an OS X setup and postings in other areas suggest this can be done but there are no directions.
    Given SAP / Bus Obj push into healthcare / biotech it seems that this has to have happened and been dealt with.
    Anyone have any ideas ?
    danke

    We do certainly support firefox and usually setting up SSO with the parameters you specified will work. The other browsers I'm not so sure. BO has absolutely no control here. Maybe understanding what SSO actually is will help....
    So when SSO is configured on BO(I'm assuming true SSO such as kerberos or NTLM). The website (virtual directory) will no longer allow anonymous access and will present a 401 (challenge to the browser). The trick you have to find out is if your browser supports spnego/NTLM and how to configure it. Typically on a windows server with IE the AD user logs in with their credentials. The browser hits the site and receives the 401 (like your error). The browser then checks its rules to see if it is allowed to send the user logged in credentials. If the rules permit (a common reason would be for intranet sites where IE SSO is enabled by default) then the browser will negotiate either NTLMSSP or spnego and the AD user will be authorized to access BO based on their mapped AD account permissions.
    Now I'm not sure your OS is supported, do you login to it with AD? Have you found steps for setting up spnego or NTLM SSP? As all of these components AD, the browsers, the OS are outside of our products there is very little our support engineers can do when it doesn't work other than googling possible solutions. We do have documented solutions for IE and firefox on windows (which I have heard will work for firefox on Mac as well).
    Regards,
    Tim

  • Need Help with Authentication after password change.

    Hi
    I always have to check the user and his password against AD. The user would be using his email to log in to the application, hence I need to get his principalName and then reauthenticate him. I am using a default user and password to search and get the principalName.
    This small piece of code achieves it.
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.Control;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public class LdapLookUp {
        public static void main(String[] args) {
            // Identify service provider to use
            Control[] connCtls = null;
            Hashtable<String, Object> env = new Hashtable<String, Object>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://192.168.0.18/dc=mydomain,dc=com");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
            env.put(Context.SECURITY_CREDENTIALS, "p@ssw0rd");
            try {
                // Create the initial directory context (binds as the default search account)
                LdapContext ctx = new InitialLdapContext(env, connCtls);
                SearchControls constraints = new SearchControls();
                constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
                NamingEnumeration<SearchResult> e2 = ctx.search("", "[email protected]", constraints);
                while (e2.hasMoreElements()) {
                    System.out.println("LdapLookUp.main()-searched");
                    SearchResult nc = e2.nextElement();
                    Attributes atrr = nc.getAttributes();
                    String userPrincipalName = (String) atrr.get("userPrincipalName").get();
                    System.out.println("main()-Atrr-" + userPrincipalName);
                    // Re-bind on the same connection as the user that was found
                    ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userPrincipalName);
                    ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, "testp@ssw0rd");
                    ctx.reconnect(null);
                    System.out.println("main()-Reconnected");
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    I run this class successfully. Now if the administrator resets the user password on AD and if I still run the same class using the old password it works fine... :(
    I have tried closing the context and then opening a new context also. Any suggestions regarding this would be very helpful.

    Thanks very much for the info... I used the registry fix method suggested and it worked successfully.
    But what I did not understand is the kb info is for change of password using NTLM but here the Administrator used the AD UI itself, and the program uses LdapContext (JNDI)... so it should have worked, right?
    Oh, one more thing: how did you figure out the problem was an NTLM issue? :)

  • SPNEGO Login module Stack issue: Could not validate SPNEGO token

    Hello to all,
    We are deploying a SAP NetWeaver 7.3 Enterprise Portal with SPNego login module activated.
    We are performing some tests (performances and concurrent accesses).
    During the tests we have found several times the following issue linked to the spnego.
    Could not validate SPNEGO token.
    [EXCEPTION]
    java.lang.NumberFormatException: multiple points
    at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1082)
    at java.lang.Double.parseDouble(Double.java:510)
    at java.text.DigitList.getDouble(DigitList.java:151)
    at java.text.DecimalFormat.parse(DecimalFormat.java:1303)
    at java.text.SimpleDateFormat.subParse(SimpleDateFormat.java:1934)
    at java.text.SimpleDateFormat.parse(SimpleDateFormat.java:1312)
    at java.text.DateFormat.parse(DateFormat.java:335)
    at com.sap.security.core.server.jaas.spnego.util.Utils.generalizedTimeStringToData(Utils.java:167)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbTicketEncryptedData.parseDecryptedData(KrbTicketEncryptedData.java:67)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbEncryptedData.decrypt(KrbEncryptedData.java:94)
    at com.sap.security.core.server.jaas.spnego.krb5.KrbApReq.decrypt(KrbApReq.java:68)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.parseAndValidateSPNEGOToken(SPNegoLoginModule.java:315)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.processAuthorizationHeader(SPNegoLoginModule.java:474)
    at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:160)
    at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:254)
    at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:65)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:254)
    at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:352)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.loginWithRequestCredentials(AuthenticationService.java:337)
    at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:321)
    at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:60)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:163)
    at com.sap.portal.prt.dispatcher.DispatcherServlet.service(DispatcherServlet.java:132)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.Invokable.invoke(Invokable.java:152)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doCached(RequestDispatcherImpl.java:655)
    at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:488)
    at com.sap.portal.navigation.Gateway.service(Gateway.java:147)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.runServlet(FilterChainImpl.java:202)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:103)
    at com.sap.portal.http.EnrichNavRequestFilter.doFilter(EnrichNavRequestFilter.java:49)
    at com.sap.engine.services.servlets_jsp.server.runtime.FilterChainImpl.doFilter(FilterChainImpl.java:79)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:432)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:210)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:441)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:430)
    at com.sap.engine.services.servlets_jsp.filters.DSRWebContainerFilter.process(DSRWebContainerFilter.java:38)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ServletSelector.process(ServletSelector.java:81)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.servlets_jsp.filters.ApplicationSelector.process(ApplicationSelector.java:276)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.WebContainerInvoker.process(WebContainerInvoker.java:81)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.ResponseLogWriter.process(ResponseLogWriter.java:60)
    at com.sap.engine.services.httpserver.chain.HostFilter.process(HostFilter.java:9)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DefineHostFilter.process(DefineHostFilter.java:27)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MonitoringFilter.process(MonitoringFilter.java:29)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.SessionSizeFilter.process(SessionSizeFilter.java:26)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.MemoryStatisticFilter.process(MemoryStatisticFilter.java:57)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.filters.DSRHttpFilter.process(DSRHttpFilter.java:43)
    at com.sap.engine.services.httpserver.chain.ServerFilter.process(ServerFilter.java:12)
    at com.sap.engine.services.httpserver.chain.AbstractChain.process(AbstractChain.java:78)
    at com.sap.engine.services.httpserver.server.Processor.chainedRequest(Processor.java:475)
    at com.sap.engine.services.httpserver.server.Processor$FCAProcessorThread.process(Processor.java:269)
    at com.sap.engine.services.httpserver.server.rcm.RequestProcessorThread.run(RequestProcessorThread.java:56)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:122)
    at com.sap.engine.core.thread.execution.Executable.run(Executable.java:101)
    at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:328)
    The user linked to this user is Guest.
    Could you please advise us how to solve this recurring issue?
    Kind regards
    Julien LEFEVRE

    Hello Cathal,
    Thank you for your answer.
    In fact the new spnego wizard of the SAP Enterprise Portal 7.3 is used to get the two keys files. The SAP Jvm is used in fact with the 1.6.1.
    And in fact, it functions perfectly sometimes, but during the test of massive access (more than 30 concurrent users), I have this error that comes frequently.
    Best regards
    Julien LEFEVRE

  • 4265 Audit Failure: NTLM Authentication Issue from constant Outlook Login Prompts

    Hello Technet!
    Last week I started running into a domain-wide issue where users could authenticate while connected to the domain, but would receive prompts to log in to our external host. The first prompt is for mail.domain.local, which works fine inside the office, and the second is owa.domain.com, which continually fails.
    On the second prompt, the Exchange 2007 server (on Server 2008 R2) reports the following error:
    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 3/19/2015 9:10:19 AM
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: mail.domain.local
    Description:
    An account failed to log on.
    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user
    Account Domain: domain
    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: DOMAIN-PC
    Source Network Address: 12.345.67.89
    Source Port: 56984
    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    I've gone through quite a few attempted fixes already, all to no effect:
    1. I've both added BackChannelHostName to the server's registry, as well as described here: https://support.microsoft.com/en-us/kb/896861
    2. Verified SSL Cert status
    3. Internal and External OWA URI is set to owa.domain.com in EWC
    4. Set up the IIS7 authentication and SSL settings to their defaults, as described here: http://msexchangeguru.com/2010/10/05/autodiscover/
    5. I added a SRV record for autodiscover on our DC to correct an EXPR auth issue: https://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/
    Despite all these things, I haven't yet seemed to scratch whatever itch Exchange is having. All of the client Outlooks will get the prompt for owa.domain.com, even though their mail is working because they're in the office or on VPN. For whatever reason, the Mac Outlook 2011 users cannot authenticate to the mail server at all, so they are the ones hit the hardest by this issue.
    Any insight everyone here at TechNet can offer would be appreciated. Every fix and workaround I've looked at has either changed nothing, or pointed to something that was already configured properly. If there are details missing that I could offer to provide a better idea of the problem, please let me know. Thank you.
    -- Brian Q.

    Hi,
    Yes, it may be caused by the security updates on March 10, 2015. Please refer to the known issue in the following KB:
    http://support.microsoft.com/en-us/kb/3002657
    Please remove the security patch on the DC and restart server to have a try. Additionally, here is a similar thread for your reference:
    https://social.technet.microsoft.com/Forums/exchange/en-US/1b2a24d9-3d77-49f6-9d0f-63c71da64827/password-prompt-after-exchange-server-windows-updates?forum=exchangesvrclientslegacy
    Regards, 
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Winnie Liang
    TechNet Community Support

  • Anonymous and SPNego issue

    Hi ,
    We are using EP 7.0 EHP 1 portal for couple of purpose.
    1) Anonymous Webpage composer site for intranet information portal purpose
    2) SPNego SSO configured portal for ESS/MSS access.
    Now the problem is when the users are accessing the anonymous portal url (http:hostname:port/irj/portal/anonymous), it actually does SPNego for the user and they get logged on to portal to see ESS/MSS roles.
    I am not sure why launching the anonymous url does SPNego SSO. any clue on this?
    Thanks,
    Siva

    Hi Simon,
    Yes we have the default anonymous portal url as http://<portal_hostname>/irj/portal/anonymous.
    The KDC is configured to issue a token for <portal_hostname>. So you mean to say because of this, the user gets the token when they logon to network and even if they access the anonymous url, they would be logged on to portal automatically?
    Should I change the hostname for anonymous url like http://anonymous_hostname/irj/portal/anonymous? Would it solve the problem?
    Thanks,
    Siva

  • Changing Outlook Anywhere from NTLM to Basic Auth (remote users having issues)

    Hello All:
    We have a terrible vendor that is implementing our transition to Office 365. They told us we had to change the Client Auth method on the CAS to Basic (from NTLM) and all that might occur is for users to enter their creds and click "Remember my credentials".
    Not the case.
    We tested internally & on cell phones - everything went unnoticed. Then peeps from the outside started getting prompted for their UN/PW. Even when they put in their valid creds & check the box, no dice. Reboots, checking Outlook client for the proxy settings (which are now set to Basic) sometimes does, sometimes doesn't work. We are baffled as to where we force the setting (which they've received in Outlook), so the road warriors start working.
    Any feedback would be greatly appreciated.
    Thanks.

    Hi,
    Please confirm whether the issue only happens to your external Outlook Anywhere users in Exchange 2010.
    Please run the following command to check your Outlook Anywhere configuration:
    Get-OutlookAnywhere | fl
    Confirm that the ClientAuthenticationMethod parameter and IISAuthenticationMethod are both set to Basic. If this is any changes, please run:
    Set-OutlookAnywhere -Identity "E14-01\Rpc (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName mail.domain.com -IISAuthenticationMethods Basic
    Then restart IIS service by running IISReset from a command prompt window.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Issue using Flash IDE with Mac OS and Windows Web Service using NTLM authentication?

    I have an existing application that I developed on a Windows machine using CS5.  It uses a local intranet web service written in .NET using NTLM authentication.  The web service does multiple things such as read data from an SQL database, provide the user's username, and test for write/read access to a local company fileshare.  When my company upgraded, I went to a Mac with Flash CC which is great.  However, Macs don't handle HTTP Authorization Challenge Blocks like Windows machines.  In Safari, Chrome, etc. it will pop up a little username and password box and proceed on without issue.  The issue is in Flash development.  When running the exact same application in Flash testing all script access fails with HTTP Status 401 errors.  I have searched the AS3 documentation, but the only thing built in to handle http challenge requests is in AIR not Flash.  The server admins and I have tried all methods of cross domain policy files and access changes with no luck at all.  Does anyone have a solution to this issue?

    Did you check Apple Support Boot Camp article?
    iMac displays a black screen during installation of Windows 7
    http://www.apple.com/support/bootcamp/
    Installation Guide
    Instructions for all features and settings.
    Boot Camp FAQ: Get answers to commonly asked Boot Camp questions.
    Windows 7 FAQ: Answers to commonly asked Windows 7 questions.

  • Installation issue: Authentication: AWS for Windows NTLM returns error

    We are rebuilding our STG with Plumtree 5.0.4. After I installed Optional Enterprise Web Components, the Authentication: AWS for Windows NTLM returns error. I am wondering if anyone has the similar experience and could help to fix the issue. I have located error with the virtual directory but unable to fix it.
    Symptoms:
    When trying to access
    http://servername/ntaws/RemoteSynchService.asp, got 404 page/folder not found error.
    Log Error:
    The message returned from the IIS creation of virtual directory ntaws on the Default Web Site
    web site for D:\Program Files\plumtree\ptntaws\5.0\webapp\ntaws\www is:
    <message>
    Error
    Error
    </message>
    Solution Tried:
    1. Manually created the virtual directory - didn't work.
    2. Reinstalled the Optional web service AWS portal, and re-migrated the ntaws.pte - didn't work.
    I appreciate your help.
    Hao Pan

    from bi_server.out:
    default etypes for default_tkt_enctypes: 17 23 3 1 23.
    Pre-Authenticaton: find key for etype = 3
    AS-REQ: Add PA_ENC_TIMESTAMP now
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbKdcReq send: xxxx  timeout=30000, number of retries =3, #bytes=270
    >>> KDCCommunication: kdc=xxxx #bytes=270
    >>>DEBUG: TCPClient reading 106 bytes
    >>> KrbKdcReq send: #bytes read=106
    >>> KrbKdcReq send: #bytes read=106
    >>> KdcAccessibility: remove xxxxx
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
             sTime is Wed Apr 15 13:32:41 EDT 2015 1429119161000
             suSec is 553936
             error code is 14
             error Message is KDC has no support for encryption type
             realm is xxxx
             sname is krbtgt/xxxxx
             msgType is 30
                    [Krb5LoginModule] authentication failed
    KDC has no support for encryption type (14)
    Any insight???

  • Adobe Flash NTLM Authentication Issue

    This problem is having a major impact for many users in my account.
    The users are testing streaming course ware delivery over the Internet and also hitting the proxy re-login prompt.
    The problem with them is that after re-logging in the course restarts at the beginning.
    So it is not a fit for purpose environment for this application currently.
    The same problem occurs for companies webcast through Internet.
    Recent tests with the users have confirmed the issue occurs using the following versions of Flash:
    Adobe Flash Player ActiveX 11.1.102.55
    Adobe Flash Player ActiveX 11.1.102.62
    The Shockwave Flash NTLM authentication issue is characterised by the following packet sequence: WS sends Request to Server. Server closes the TCP connection without a response to the request. The WS establishes a new TCP connection and resends the request with previous NTLM Authentication details (i.e. does not go through the correct NTLM handshake for proxy authentication failure and the browser to pop for user credentials).
    When the above occurs:
    - The NTLM authentication screen pops up, and entering credentials again didn't resume the video. I had to reload the page to resume video from the beginning.
    - No popup, but the video resumes from the beginning when there was a prolonged delay.
    The problem occurs on Windows XP SP3 with IE7 or IE8 with Flash Player 11.1.102.62
    Is the problem a known issue with Adobe Flash Player ?

    Hello,
    The bug report states can not reproduce. I understand the problem and am happy to help Adobe understand if they want to email me and organise a webex.
    The problem is associated with the way IE handles NTLM on a new connection. When performing a POST request, it will make two requests: the first contains a type1 NTLM token and no body, and the second will contain the type 3 token and the body. It does this because it expects to perform NTLM authentication as NTLM is connection not session based, and hence for efficiency, it doesn't send the POST body on the first request (knowing a second request will be required).
    The POST request initiated by the Flash application is only made once, so it presents a POST request and no body with the type 1 token to the web server (ie IIS, or some Java implementation such as SSO Plugin), and does not make a second request with a type 3 token and the body. It gives up and automatically prompts the user for a username/password, which is the wrong behaviour when the browser is in the Local Intranet zone and the web server responded with a type 2 token.
    I can reproduce this easily and it is a serious bug: it means that any Flash application that is accessed via Integrated Windows Authentication and IE will fail when trying to make a POST request, such as uploading a file from the user.
    John
    SSO Plugin for BMC, HP and more.
    http://www.javasystemsolutions.com/jss/ssoplugin

  • HTTP/SPNEGO Authentication

    Hi,
    Having read in posting http://forums.sun.com/thread.jspa?threadID=5362388&tstart=15 that "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens" I'm still wondering why the getPasswordAuthentication() in class MyAuthenticator of Sun's HTTP/SPNEGO example (2nd case) (http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part6.html#Example) is not called upon starting the client without giving any arguments, i.e.
    java RunHttpSpnego http://www.ad.local/hello/hello.html
    From the server the client receives a
    WWW-Authenticate: Negotiate
    response, and the client should enter the HTTP/SPNEGO challenge/response protocol.
    To summarize, class MyAuthenticator looks like:
    class MyAuthenticator extends Authenticator {
        public PasswordAuthentication getPasswordAuthentication() {
            // I haven't checked getRequestingScheme() here, since for NTLM
            // and Negotiate, the usrname and password are all the same.
            System.err.println("Feeding username and password for "
               + getRequestingScheme());
            return (new PasswordAuthentication(kuser, kpass.toCharArray()));
        }
    }
    It should be called as a side effect of openConnection() upon executing the following code:
    Authenticator.setDefault(new MyAuthenticator());
    URL url = new URL(args[0]);
    InputStream ins = url.openConnection().getInputStream();
    ...
    My client environment is Windows Vista, Java 1.6.0_16, and the client is not a member of an Active Directory.

    Perhaps the issue is with this quote:
    "Sun's GSSAPI implementation (a.k.a. JGSS) can only generate and consume raw Kerberos tokens and SPNEGO tokens containing Kerberos tokens"
    I believe the HttpURLConnection class in JDK 1.6 can handle NTLM.
    Meaning, if you logon to your workstation as a domain user and run the java code, it is probably using NTLM.
    I recall noticing this when I put TCPMon between the workstation and the server.
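
Added example, not code from any poster or from Sun's lab: a Python classifier for the token carried in a `Negotiate` header, which is the check the proxy capture in the reply above amounts to. It separates raw NTLMSSP (reporting the type 1/2/3 message number that the Flash thread above refers to) from a SPNEGO token and lists the mechanisms SPNEGO offers. The function names and the sample header values are constructed for illustration.

```python
import base64
import struct

# DER content bytes of the mechanism OIDs seen in HTTP Negotiate tokens
SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos V5 (legacy Microsoft OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",  # 1.3.6.1.4.1.311.2.2.10
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def classify(header_value):
    """Return (mechanism, detail) for an Authorization/WWW-Authenticate value."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    if not b64.strip():
        return ("bare challenge", None)
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
        if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
            # Little-endian message type: 1 negotiate, 2 challenge, 3 authenticate
            return ("raw NTLMSSP", struct.unpack_from("<I", raw, 8)[0])
        tag, body, _ = read_tlv(raw, 0)
        if tag == 0xA1:  # NegTokenResp: a later leg of an SPNEGO exchange
            return ("SPNEGO", [])
        if tag != 0x60:  # not a GSS-API InitialContextToken
            return ("unknown", None)
        _, oid, pos = read_tlv(body, 0)
        if oid != SPNEGO_OID:  # e.g. a Kerberos token sent without SPNEGO
            return (MECHS.get(oid, oid.hex()), None)
        _, init, _ = read_tlv(body, pos)        # [0] NegTokenInit
        _, seq, _ = read_tlv(init, 0)           # SEQUENCE
        field_tag, field, _ = read_tlv(seq, 0)  # [0] mechTypes when present
        offered, p = [], 0
        if field_tag == 0xA0:
            _, oids, _ = read_tlv(field, 0)     # SEQUENCE OF OID
            while p < len(oids):
                _, value, p = read_tlv(oids, p)
                offered.append(MECHS.get(value, value.hex()))
        return ("SPNEGO", offered)
    except (IndexError, ValueError):  # bad base64 or truncated ASN.1
        return ("malformed", None)


def constructed_samples():
    """Constructed header values for illustration, not captured traffic."""
    def tlv(tag, content):
        return bytes([tag, len(content)]) + content  # short-form length only

    oid = {name: tlv(0x06, der) for der, name in MECHS.items()}
    mech_types = tlv(0xA0, tlv(0x30, oid["Kerberos V5"] + oid["NTLMSSP"]))
    init = tlv(0xA0, tlv(0x30, mech_types))  # mechToken omitted in this sample
    spnego = tlv(0x60, tlv(0x06, SPNEGO_OID) + init)
    ntlm1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA2088207)
    ntlm3 = b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(52)
    samples = {"spnego": spnego, "ntlm_type1": ntlm1, "ntlm_type3": ntlm3}
    headers = {k: "Negotiate " + base64.b64encode(v).decode()
               for k, v in samples.items()}
    headers["challenge"] = "Negotiate"
    return headers
```

A `("raw NTLMSSP", 1)` result under the `Negotiate` scheme means the client did not attempt Kerberos at all; a `("SPNEGO", [...])` result shows which mechanisms it was willing to use.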

  • Having issues with getting SQL Server Express to start services and run.

    Good afternoon everyone,
    I have been working on a 2012 R2 server getting ready to move databases to new hardware. I had SQL Server Express 2008 R2 running on this server with no issues. I was handed another software package that ran SQL Express 2012 and had to for compatibility reasons. I have had multiple versions run on Server 2012 before with no issues. This time, not so lucky. When the installer from the updated package put on SQL Express 2012 it completed with errors (error log posted at the end of post) and would not allow me to run software. I then tried the db that I had installed on 2008 R2 and it also gave the same error as the 2012 version. In basic terms the required services attempted to start and shut back down again. I have received Error 1068 about database handles and error %%945. I know this db has plenty of space and the permissions were added for the Admin account to access both db's. I then uninstalled both versions and tried again, with the same errors listed when I tried to start the services. I am thinking that a clean install would fix the issue however I am not certain what files/folders/reg entries need to be deleted or modified. I have researched all the errors I can find, however I am very new with SQL anything so I know I am missing something. I also do not have an "E:" drive on this server (not sure why it is going there). Input would be very welcome as I am not certain where to go from here.
    Thanks,
    Matt
    Error Log follows, server and domain names have been blacked out with ****.
    2015-04-15 11:57:55.16 Server      Microsoft SQL Server 2012 (SP1) - 11.0.3128.0 (X64) 
    Dec 28 2012 20:23:12 
    Copyright (c) Microsoft Corporation
    Express Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: ) (Hypervisor)
    2015-04-15 11:57:55.16 Server      (c) Microsoft Corporation.
    2015-04-15 11:57:55.16 Server      All rights reserved.
    2015-04-15 11:57:55.16 Server      Server process ID is 4104.
    2015-04-15 11:57:55.16 Server      System Manufacturer: 'HP', System Model: 'ProLiant ML350p Gen8'.
    2015-04-15 11:57:55.16 Server      Authentication mode is WINDOWS-ONLY.
    2015-04-15 11:57:55.16 Server      Logging SQL Server messages in file 'C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Log\ERRORLOG'.
    2015-04-15 11:57:55.17 Server      The service account is 'NT AUTHORITY\LOCAL SERVICE'. This is an informational message; no user action is required.
    2015-04-15 11:57:55.17 Server      Registry startup parameters: 
    -d C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\DATA\master.mdf
    -e C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Log\ERRORLOG
    -l C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\DATA\mastlog.ldf
    2015-04-15 11:57:55.17 Server      Command Line Startup Parameters:
    -s "SQLEXPRESS"
    2015-04-15 11:57:55.48 Server      SQL Server detected 1 sockets with 6 cores per socket and 12 logical processors per socket, 12 total logical processors; using 8 logical processors based on SQL Server licensing. This is an informational message;
    no user action is required.
    2015-04-15 11:57:55.48 Server      SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.
    2015-04-15 11:57:55.48 Server      Detected 8157 MB of RAM. This is an informational message; no user action is required.
    2015-04-15 11:57:55.48 Server      Using conventional memory in the memory manager.
    2015-04-15 11:57:55.68 Server      This instance of SQL Server last reported using a process ID of 7840 at 4/15/2015 11:57:47 AM (local) 4/15/2015 3:57:47 PM (UTC). This is an informational message only; no user action is required.
    2015-04-15 11:57:55.68 Server      Node configuration: node 0: CPU mask: 0x00000000000000ff:0 Active CPU mask: 0x00000000000000ff:0. This message provides a description of the NUMA configuration for this computer. This is an informational message
    only. No user action is required.
    2015-04-15 11:57:55.69 Server      Using dynamic lock allocation.  Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node.  This is an informational message only.  No user action is required.
    2015-04-15 11:57:55.72 Server      Software Usage Metrics is disabled.
    2015-04-15 11:57:55.73 spid5s      Starting up database 'master'.
    2015-04-15 11:57:55.79 spid5s      20 transactions rolled forward in database 'master' (1:0). This is an informational message only. No user action is required.
    2015-04-15 11:57:55.79 spid5s      0 transactions rolled back in database 'master' (1:0). This is an informational message only. No user action is required.
    2015-04-15 11:57:55.80 Server      CLR version v4.0.30319 loaded.
    2015-04-15 11:57:55.86 spid5s      Service Master Key could not be decrypted using one of its encryptions. See sys.key_encryptions for details.
    2015-04-15 11:57:55.89 Server      Common language runtime (CLR) functionality initialized using CLR version v4.0.30319 from C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.
    2015-04-15 11:57:55.91 spid5s      SQL Server Audit is starting the audits. This is an informational message. No user action is required.
    2015-04-15 11:57:55.91 spid5s      SQL Server Audit has started the audits. This is an informational message. No user action is required.
    2015-04-15 11:57:55.94 spid5s      SQL Trace ID 1 was started by login "sa".
    2015-04-15 11:57:55.94 spid5s      Server name is '********\SQLEXPRESS'. This is an informational message only. No user action is required.
    2015-04-15 11:57:55.96 spid5s      Failed to verify Authenticode signature on DLL 'C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\ftimport.dll'.
    2015-04-15 11:57:55.96 spid5s      Starting up database 'msdb'.
    2015-04-15 11:57:55.96 spid9s      Starting up database 'mssqlsystemresource'.
    2015-04-15 11:57:55.96 spid5s      Error: 17204, Severity: 16, State: 1.
    2015-04-15 11:57:55.96 spid5s      FCB::Open failed: Could not open file e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\MSDBData.mdf for file number 1.  OS error: 3(The system cannot find the path specified.).
    2015-04-15 11:57:55.96 spid5s      Error: 5120, Severity: 16, State: 101.
    2015-04-15 11:57:55.96 spid5s      Unable to open the physical file "e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\MSDBData.mdf". Operating system error 3: "3(The system cannot find the path specified.)".
    2015-04-15 11:57:55.96 spid5s      Error: 17207, Severity: 16, State: 1.
    2015-04-15 11:57:55.96 spid5s      FileMgr::StartLogFiles: Operating system error 2(The system cannot find the file specified.) occurred while creating or opening file 'e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\MSDBLog.ldf'.
    Diagnose and correct the operating system error, and retry the operation.
    2015-04-15 11:57:55.96 spid5s      File activation failure. The physical file name "e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\MSDBLog.ldf" may be incorrect.
    2015-04-15 11:57:55.99 spid9s      The resource database build version is 11.00.3000. This is an informational message only. No user action is required.
    2015-04-15 11:57:56.02 spid12s     A self-generated certificate was successfully loaded for encryption.
    2015-04-15 11:57:56.03 spid12s     Server is listening on [ 'any' <ipv6> 53345].
    2015-04-15 11:57:56.03 spid12s     Server is listening on [ 'any' <ipv4> 53345].
    2015-04-15 11:57:56.03 spid12s     Server local connection provider is ready to accept connection on [ \\.\pipe\SQLLocal\SQLEXPRESS ].
    2015-04-15 11:57:56.03 spid12s     Server named pipe provider is ready to accept connection on [ \\.\pipe\MSSQL$SQLEXPRESS\sql\query ].
    2015-04-15 11:57:56.04 spid12s     Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag 7806.
    This is an informational message only. No user action is required.
    2015-04-15 11:57:56.04 Server      SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service. This is an informational
    message. No user action is required.
    2015-04-15 11:57:56.04 Server      The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/********.****.local:SQLEXPRESS ] for the SQL Server service. Windows return code: 0xffffffff, state: 53.
    Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been
    manually registered.
    2015-04-15 11:57:56.04 Server      The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/********.****.local:53345 ] for the SQL Server service. Windows return code: 0xffffffff, state: 53. Failure
    to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually
    registered.
    2015-04-15 11:57:56.09 spid9s      Starting up database 'model'.
    2015-04-15 11:57:56.10 spid9s      Error: 17204, Severity: 16, State: 1.
    2015-04-15 11:57:56.10 spid9s      FCB::Open failed: Could not open file e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\model.mdf for file number 1.  OS error: 3(The system cannot find the path specified.).
    2015-04-15 11:57:56.10 spid9s      Error: 5120, Severity: 16, State: 101.
    2015-04-15 11:57:56.10 spid9s      Unable to open the physical file "e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\model.mdf". Operating system error 3: "3(The system cannot find the path specified.)".
    2015-04-15 11:57:56.10 spid9s      Error: 17207, Severity: 16, State: 1.
    2015-04-15 11:57:56.10 spid9s      FileMgr::StartLogFiles: Operating system error 2(The system cannot find the file specified.) occurred while creating or opening file 'e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\modellog.ldf'.
    Diagnose and correct the operating system error, and retry the operation.
    2015-04-15 11:57:56.10 spid9s      File activation failure. The physical file name "e:\sql11_main_t.obj.x86release\sql\mkmastr\databases\objfre\i386\modellog.ldf" may be incorrect.
    2015-04-15 11:57:56.10 spid9s      Error: 945, Severity: 14, State: 2.
    2015-04-15 11:57:56.10 spid9s      Database 'model' cannot be opened due to inaccessible files or insufficient memory or disk space.  See the SQL Server errorlog for details.
    2015-04-15 11:57:56.10 spid9s      SQL Trace was stopped due to server shutdown. Trace ID = '1'. This is an informational message only; no user action is required.
    

    Hi HMLunger,
    Did you install the SQL Server instance successfully? If not, please help to post the summary and detail logs for analysis. By default, the logs can be found in: C:\Program Files\Microsoft SQL Server\110\Setup Bootstrap\Log.
    However, if you fail to start SQL Server Express service after successfully installing SQL Server, you might have to change the paths of the files by running the following scripts from the command prompt. For more details, please review this similar thread.
    NET START MSSQL$SQLEXPRESS /f /T3608
    SQLCMD -S .\SQLEXPRESS
    ALTER DATABASE model MODIFY FILE (NAME = logical_name , FILENAME = 'new_path\os_file_name');
    ALTER DATABASE model MODIFY FILE (NAME = logical_name , FILENAME = 'new_path\os_file_name');
    ALTER DATABASE msdb MODIFY FILE (NAME = logical_name , FILENAME = 'new_path\os_file_name');
    ALTER DATABASE msdb MODIFY FILE (NAME = logical_name , FILENAME = 'new_path\os_file_name');
    go
    exit
    NET STOP MSSQL$SQLEXPRESS
    In addition, you can follow the steps in this KB article to uninstall SQL Server.
    Thanks,
    Lydia Zhang
    TechNet Community Support

  • NTLM SSO is not working using IIS

    Hi,
    We are unable to login to the infoview using SSO, getting a "page can't found" error.
    1. We can login to the infoview using AD authentication when tomcat as the application server but we are unable to login to the infoview using SSO when IIS as the application server.
    2. If we select the option called "integrated windows Authentication" under internet options then the SSO is not working and if we uncheck the "integrated windows Authentication" in the internet options then we are able to login to the infoview using SSO. We are able to login to the infoview using SSO on another environments and the working and problematic environments we Configured IIS6, XI2 SP4.
    4.We tried to login to the infoview using http://servername instead of entire URL however we are getting error.
    5.We restarted IIS but no use.
    6.Our admin follow the below options-
    Open a registry editor, such as Regedit.exe or Regedt32.exe.
    Navigate to:
    HKLM\System\CurrentControlSet\Services\HTTP\Parameters
    Right-click Parameters, select New | DWORD value, and then name the value MaxFieldLength.
    Right-click Parameters, select New | DWORD value, and then name the value MaxRequestBytes.
    In the right pane, double-click MaxFieldLength, and then set its value to 32768 (decimal).
    In the right pane, double-click MaxRequestBytes, and then set its value to 32768 (decimal).
    Close the registry editor and restart the IIS Admin service for the change to take effect.
    But we are getting same problem.
    7.We  tried  to login to the infoview using http://localhost but issue still persists.
    8.We installed jakarta redirector.Is this root cause of this issue?
    9.We selected integrated windows authentication under default websites and I am sure I gave all the options under internet information manager.
    Anyone please help on this.
    My environment is-
    BOXIR2 SP4,
    NTLM SSO,
    Windows 2003,
    IIS6.

    "We tried to login to the infoview using http://servername instead of entire URL however we are getting error"
    What's the error using the hostname for SSO with integrated windows authentication enabled on only the infoview virtual directory?
    Regards,
    Tim
