Ticket vs Domain

Hi,
I need to clarify an issue.
In help.sap.com, most of the documentation about Using Logon Tickets mentions that "Any Web servers or SAP Web AS servers that are to accept the logon ticket as the authentication mechanism must be placed in the same DNS domain as the issuing server. The logon ticket cannot be used for authentication to servers outside of this domain.".
The question is: does this only apply to HTTP(S) communication, or also when using the RFC protocol between the portal and SAP?
If the portal and SAP must be in the same DNS domain to communicate using the RFC protocol, does this mean the same physical machine domain, or at least DNS resolution?
Thanks and Regards,
Paul Croft

user user wrote:
> Hi, what is the unique identifier of a domain? The domain name?
> Machine 1 , server 1 in domain A // cluster Z
> Machine 2 , server 2 in domain B // cluster Z
> From the previous post, I understand that this is illegal.
Yes, it is illegal. Domain is the element which includes clusters and/or
independent managed servers. Yes, domain name is a unique identifier of
a domain.
> If I want to achieve the following configuration
> Machine 1 , server 1(aaa.aaa.aaa.aaa:7001) in domain A // cluster Z
> Machine 2 , server 2(bbb.bbb.bbb.bbb:7001) in domain A // cluster Z
> assuming machine 1, server 1 in domain A and cluster Z already created.
> in machine 2, I will create a domain A and add server 2, and add it to a cluster Z.
> will server 2 know it's in domain A? Or more specifically, will servers on DIFFERENT machines know that they are part of a domain?
> when I define the clustering address for cluster Z for eg:
> aaa.aaa.aaa.aaa:7001,bbb.bbb.bbb.bbb:7001, does
> weblogic actually poll all the ip address:port to ensure that the
> server's domain name is the same?
Your configuration should look for example like this:
Machine 1, Admin server (aaa.aaa.aaa.aaa:7101) domain A
Machine 1, Managed server1 (aaa.aaa.aaa.aaa:7001) domain A // clusterZ
Machine 2, Managed server2 (bbb.bbb.bbb.bbb:7001) domain A // clusterZ
You have to add an administration server to your configuration:
http://e-docs.bea.com/wls/docs100/cluster/config.html#wp1023838
http://e-docs.bea.com/common/docs100/confgwiz/intro.html
You have to define the cluster in the domain, and configure the servers
which are in this cluster. Setting a cluster address is not enough.
All Managed servers, when starting, connect to the Admin server, which
verifies domain membership.
To set up a cluster just go step by step through this list:
http://e-docs.bea.com/wls/docs100/ConsoleHelp/taskhelp/clusters/ClusterRoadmap.html
Best Regards,
Karol Muszynski

Similar Messages

  • Business Objects Enterprise - domain user

    As mentioned in blog at /people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2 the SNC interface can be used to provide SSO with Business Objects Enterprise.
    The SSO works if the Windows services are started using a domain account, because the SNC session between the BO server and the SAP server is initiated using these domain credentials. We have found, though, that after 1 week the users' credentials expire (due to ticket lifetime configuration in Active Directory), so the BO server needs to be restarted every week. To solve this we are aware that the SAP RFC library requires an SNC_MYNAME parameter, and we have put domain credentials on the BO server in a key table file. I am wondering if you know how we can configure the SNC_MYNAME parameter in the RFC connection string used by the BO software?

    Ingo,
    I am referring to client side SNC, as described in part 1 of your blog. As you know, a domain account is needed and the Windows services need to be changed to start as this domain account, instead of as system. When this change is made, and the Windows services are started, they will request a Kerberos TGT from the domain, which has a lifetime associated with it - all domain users' tickets have a lifetime, determined by a domain policy. The lifetime of a TGT is normally about 8 hours.
    When an RFC request is made by one of the Windows services, and the SNC library is invoked, it will get a service ticket from the domain and store it in the same credentials cache that holds the TGT (inside LSA on Windows). This service ticket will expire at the same time as the TGT used to request it.
    If the SNC library gets a Kerberos service ticket, and the TGT has expired, but is still within the Renew Until period (normally 1 week after the TGT was issued because of policy configuration) then a new TGT is issued, and the service ticket will be issued with the new TGT.
    So, from the above you can see that using SNC with Kerberos means that the tickets only last for 1 week because of the domain policy configuration of Kerberos ticket lifetime and because of the renew period for tickets issued by AD. The only way that the Kerberos tickets could be used for longer is if:
    a) The service is restarted, thereby causing it to get a new TGT, and the renew until date/time for this new TGT will be 1 week after the TGT was issued.
    b) The TGT could be issued when an RFC call is made, and this TGT cached in a separate memory cache, instead of in the MS LSA cache normally used by Windows.
    Our product supports option b) but to make it work we need to understand how the BO software constructs the RFC connection string, and we need to add the SNC_MYNAME parameter to this string. I can explain how this works in more detail if you like, but all I need is to know where the RFC parameters are stored. For example, is there an saprfc.ini file which we can edit and add the SNC_MYNAME parameter to?
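The ticket-lifetime behaviour described in the reply above (a service ticket cannot outlive the TGT it was obtained with; renewal extends the TGT's end time but never its renew-until limit; after that only a fresh TGT helps) is easy to get wrong when sizing restart schedules. The following is an added example, not code from the thread or from any SAP or BusinessObjects product. It models a TGT with the two limits, simulates a long-running service making RFC calls, and reports at which calls the SNC layer could still obtain a service ticket. The 8-hour and 1-week durations are the policy values quoted in the post, passed in as parameters rather than assumed constants.

```python
# Added example (not from the thread or any SAP/BO product): a minimal model
# of Kerberos TGT lifetime versus the renew-until limit, showing why a
# long-running service's service tickets stop after the renewable period
# unless it obtains a fresh TGT (service restart, or option b) in the post).

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class Tgt:
    issued: datetime
    endtime: datetime     # end of the current ticket life (renewal moves this)
    renew_till: datetime  # absolute limit; renewal never moves this


def obtain_tgt(now: datetime, lifetime: timedelta, renewable_life: timedelta) -> Tgt:
    """A fresh AS exchange (what a service restart triggers): both limits restart."""
    return Tgt(issued=now, endtime=now + lifetime, renew_till=now + renewable_life)


def tgt_state(tgt: Tgt, now: datetime) -> str:
    if now < tgt.endtime:
        return "valid"
    if now < tgt.renew_till:
        return "renewable"
    return "expired"


def renew_tgt(tgt: Tgt, now: datetime, lifetime: timedelta) -> Tgt:
    """TGS renewal: a new endtime, capped by the unchanged renew_till."""
    if tgt_state(tgt, now) == "expired":
        raise ValueError("TGT past renew-until; only a new AS exchange can help")
    return Tgt(issued=tgt.issued,
               endtime=min(now + lifetime, tgt.renew_till),
               renew_till=tgt.renew_till)


def simulate_rfc_calls(start: datetime, lifetime: timedelta,
                       renewable_life: timedelta,
                       call_times: List[datetime]) -> List[Tuple[datetime, str]]:
    """For each RFC call the service makes, report whether a service ticket
    could be obtained: "ok" (TGT valid), "renewed" (TGT renewed first) or
    "no-ticket" (renew-until passed; fails until the TGT cache is refreshed)."""
    tgt = obtain_tgt(start, lifetime, renewable_life)
    out: List[Tuple[datetime, str]] = []
    for t in sorted(call_times):
        state = tgt_state(tgt, t)
        if state == "valid":
            out.append((t, "ok"))
        elif state == "renewable":
            tgt = renew_tgt(tgt, t, lifetime)
            out.append((t, "renewed"))
        else:
            out.append((t, "no-ticket"))
    return out


def simulate_hours(lifetime_h: float, renewable_h: float,
                   call_hours: List[float]) -> List[str]:
    """Convenience wrapper: call offsets in hours from service start."""
    start = datetime(2009, 1, 1)  # arbitrary constructed epoch
    calls = [start + timedelta(hours=h) for h in call_hours]
    return [label for _, label in simulate_rfc_calls(
        start, timedelta(hours=lifetime_h), timedelta(hours=renewable_h), calls)]


if __name__ == "__main__":
    # 8 h ticket life, 168 h (1 week) renewable life, calls over nine days.
    for h, label in zip([1, 10, 100, 167, 170, 200],
                        simulate_hours(8, 168, [1, 10, 100, 167, 170, 200])):
        print(f"call at +{h:>4}h: {label}")
```

Reading the simulation: the call at hour 167 renews the TGT to exactly the renew-until limit, so the next call at hour 170 gets no ticket at all, which matches the weekly restart the original poster observed. A fresh TGT per call held in a separate cache (option b) simply restarts the clock on every call.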

  • Reading Kerberos5 ticket on JAAS

    Hi,
    I am developing a JAAS Login module and am stuck on a problem. I want to read the Kerberos ticket and domain user sent by Microsoft Internet Explorer or Firefox. At the first attempt, I generate a 304 error and reply to the browser. Then the browser is sending some cookies to me, but I cannot read the domain user. How can I read it?
    Thank you

    hi
    this will give some idea
    http://help.sap.com/saphelp_nw2004s/helpdata/en/2b/23e4407211732ae10000000a155106/content.htm
    http://docs.sun.com/app/docs/doc/820-4801/gbyuw?a=view
    Re: Deploying a custom login module to the J2EE engine
    bvr
    Edited by: bvr on May 7, 2009 12:53 PM

  • Issuing Multiple MYSAPSSO2 tickets for Multiple Domains

    Hi,
    I am having a problem understanding the SAP documentation on how to go about issuing SAP login tickets in multiple domains. In the documentation it states that in order to do so, you require either an IRJ or the SAP ISAPI Web Filter installed on a server in the target domain. I have now set up the IIS_SSO.dll ISAPI filter in the domain I require the SSO ticket to be issued in; however, when I make a request to that web server I do not see the MYSAPSSO2 cookie being created in my browser. I do see in the ISAPI logs that the request has been filtered and the portal username extracted and set to the configured HTTP header, but no new cookie is created in the domain.
    Can anyone help? Has anyone done something like this before?
    Basically I have a portal in the domain <b>myportal.subdomain.domain.com</b> and an ITS in the domain <b>myits.domain.com</b>. With this configuration the MYSAPSSO2 cookie is not sent to the ITS server as it is in a super domain. So what I want is to configure the portal to issue a cookie in the super domain (domain.com) rather than subdomain.domain.com. I thought I could do this with the parameter login.ticket_recieving_hosts in the usermanagment.properties file (EP5) and the IIS ISAPI filter for SSO (IIS_SSO.dll) configured on a website in the super domain (domain.com).
    Any help would be greatly appreciated.
    Simon.

    I believe we had to set the domain relax level (ume.logon.security.relax_domain.level) but needed to make sure this was secure since it changes the domain scope of cookies that are valid for the system.
    See the following:
    http://scn.sap.com/thread/1534863
    http://help.sap.com/saphelp_nw70ehp3/helpdata/en/5e/473d4124b08739e10000000a1550b0/frameset.htm
    Hope this helps.

  • Configure portal to issue ticket (MYSAPPSSO2 cookie) for "higher" domain

    Hello all,
    we have an EP 7.00 (SP 22) which can be accessed using the following (faked) fully qualified URL:
    https://host.sd1.sd2.mycompany.de:[HTTPS-port]/irj/portal
    When logging on to the portal with username and password, the portal issues a logon ticket. In the browser, I can see the MYSAPSSO2 cookie and it is for the following domain:
    .sd1.sd2.mycompany.de
    From the portal, we call some BI report applications, which run on WebFocus. The WebFocus server is in the following domain:
    .sd3.sd4.mycompany.de
    Single sign-on does not work. It only works, if we modify the domain of the MYSAPSSO2 cookie (this we achieved with a firefox-addon) and "cut off" the two subdomains .sd3.sd4
    My question: is it possible, to configure the portal in such a way, that the MYSAPSSO2 cookie is issued for domain
    .mycompany.de ?
    I have read some hints on domain relaxing. But I am not sure, if setting the parameter ume.logon.security.relax_domain.level would help us. If I understood it correctly, we would need to set the value to 3.
    Best regards,
    Philipp Hinnah

    Hi Philipp,
    yes, relax_domain is the correct parameter. By the way - use the search function in SDN and you will find a lot of threads around this issue. And also you would have found the answer.
    Anja
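Both of the threads above (the ITS in myits.domain.com not receiving a ticket issued for subdomain.domain.com, and the WebFocus server in .sd3.sd4.mycompany.de not receiving one issued for .sd1.sd2.mycompany.de) and the help.sap.com rule quoted at the top of the page come down to the browser's cookie domain-matching rule. The following is an added example, not SAP code and not the original posters' configuration: it implements RFC 6265 domain matching, derives the cookie domain a ticket would carry after cutting a given number of leading labels off the issuing host, and lists which hosts would then receive the ticket. The `cut_subdomains` parameter is this example's own; how it maps onto the value of ume.logon.security.relax_domain.level is not asserted here, and all host names are constructed from the thread's placeholders.

```python
# Added example (not SAP's code): how a browser scopes a logon-ticket cookie by
# domain (RFC 6265 section 5.1.3 "domain-match") and what issuing the cookie for
# a "higher" parent domain changes. cut_subdomains and min_labels are this
# example's assumptions, not SAP parameters.

from typing import Iterable, List


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """A host domain-matches a cookie domain when the two are identical or the
    host ends with "." + cookie_domain. The dot makes label boundaries count:
    evilmycompany.de never matches a cookie scoped to mycompany.de."""
    host = request_host.lower().strip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


def cookie_domain_for(issuing_host: str, cut_subdomains: int = 0,
                      min_labels: int = 2) -> str:
    """Cookie domain for a ticket issued by issuing_host.

    The host label itself is always dropped (the ticket is for the issuing
    server's domain, not the single host); cut_subdomains further leading
    labels are removed to relax the scope to a parent domain. Going below
    min_labels labels is refused so a ticket is never issued for something
    like ".de" (assumption for this example; a real deployment should also
    consult a public-suffix list, since e.g. co.uk has two labels)."""
    labels = issuing_host.lower().strip(".").split(".")
    if cut_subdomains < 0:
        raise ValueError("cut_subdomains must be >= 0")
    remaining = labels[1 + cut_subdomains:]
    if len(remaining) < min_labels:
        raise ValueError(
            f"relaxing {issuing_host} by {cut_subdomains} would scope the "
            f"ticket to '{'.'.join(remaining)}', which is too broad")
    return "." + ".".join(remaining)


def ticket_recipients(issuing_host: str, cut_subdomains: int,
                      hosts: Iterable[str]) -> List[str]:
    """Every host in `hosts` the browser would send the ticket to. Each of
    them must be trusted with the ticket: relaxing the domain widens this
    list, which is the security cost the replies above warn about."""
    dom = cookie_domain_for(issuing_host, cut_subdomains)
    return [h for h in hosts if domain_match(h, dom)]


if __name__ == "__main__":
    # Constructed hosts modelled on the thread's (faked) names.
    portal = "host.sd1.sd2.mycompany.de"
    webfocus = "webfocus.sd3.sd4.mycompany.de"
    for cut in (0, 1, 2):
        dom = cookie_domain_for(portal, cut)
        print(f"cut {cut}: cookie domain {dom:<24} "
              f"sent to {webfocus}? {domain_match(webfocus, dom)}")
```

With cut 0 the WebFocus host never domain-matches; only at cut 2 (cookie domain .mycompany.de) does it receive the ticket, and so does every other host under mycompany.de, which is why the reply recommends checking the scope change is acceptable before relaxing.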

  • Submitting tickets with using a single domains user set.

    Hi,  
    We have service manager 2012 sp1 UR4.  We have connectors to 3 different active directory sets in 3 different domains.
    We would like to have all of our incident management tickets only use 1 of the domains' sets of users, but as it sits now, we might show the user in all 3 domains: domain1\lance_lyons, domain2\lance_lyons and domain3. We only want domain1's set of users to be selectable (reporter, assigned to, etc.).
    How do we do this in Service Manager? Do I have to shut down the 2 AD connectors that we don't want to use?
    Thanks
    Lance

    Hi,
    For any user picker targeted towards IT, you can scope those user pickers using the Global Operators Group. (This Group is pre-created by default and is located under Library -> Groups. You just need to configure it.) Using the Global Operators Group you can scope the User Pickers targeting IT to only show users from Domain1 (User Pickers targeting IT are, for example, Assigned To, Primary User).
    There is no easy way to scope any of the other User Pickers on the forms (those targeting the End Users). But here are a couple of workarounds:
    1. Remove the user CIs from the other domains (as you wrote)
    2. Create a new Group only containing users in Domain1, then make sure to only give your analysts access to that particular Group in your User Role.
    3. Create your own Custom Control using Visual Studio and replace the original User Picker on the forms with this custom made.
    Regards
    //Anders
    Anders Asp | Lumagate | www.lumagate.com | Sweden | My blog: www.scsm.se

  • Ktutil get vnc/host.local adds expired tickets to krb5.keytab.  kinit -k vnc/host.local - krb5_get_init_creds: Client (vnc/host.local@domain) expired.  Any ideas?

    After upgrading Server, the LocalKDC was gone.  I recreated with 'admin -l init LKDC:SHA1.HASH'.  However, the entries for vnc/host.local are missing from /etc/krb5.keytab.  I can use 'ktutil get vnc/host.local' to add the entries, but trying to use them says they are expired.
    kinit -k vnc/host.local
    kinit: krb5_get_init_creds: Client (vnc/host.local@REALM) expired
    bash-3.2# kadmin -l
    kadmin> get vnc/host.local
                Principal: vnc/host.local@REALM
        Principal expires: never
         Password expires: never
    Last password change: never
          Max ticket life: unlimited
       Max renewable life: unlimited
                     Kvno: 1
                    Mkvno: unknown
    Last successful login: never
        Last failed login: never
       Failed login count: 0
            Last modified: 2014-10-24 03:21:02 UTC
                 Modifier: hdb/od@WELL-KNOWN:OD-BACKEND
               Attributes:
                 Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], aes128-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1]
              PK-INIT ACL:
                  Aliases:
    The created principal looks ok.  The entries for vnc/realm@realm are ok.  But vnc/host.local are expired.  Any ideas how to get non-expired tickets?

  • Multiple (but separate) domain problem & Apple's slow and useless response

    I am having problem with multiple (but separate) domain. I opened a ticket.
    Here is Apple's slow and useless response and my follow up.
    This follow up is not going to resolve the issues I am having. The sites are not in one domain file. I have split them into separate domains. I found that the simplest change to any page made the publishing process extremely and reasonably slow. If I updated a single site, iWeb republishes the whole conglomeration; hardly the most efficient way.
    I have several directories under the ~/Library/Application Support/iWeb/ directory with separate Domain.sites2 files for each site:
    consultingAM.com
    DarkAssassinMovie.com
    Fuzzy Llama Junior Optimist Club
    GulfportOptimist.com
    OptimistView
    pAwesomeProductions.com
    www.nfdoi.com
    With the previous version of iWeb, I navigated to a specific ~/Library/Application Support/iWeb/ directory, selected the Domain.site file, and opened it. This would open iWeb with the selected domain. Several of the sites have their blog page with the RSS subscribe option.
    Once I made the update, all I usually had to do was publish site and all was well. Occasionally, I would have to do a publish all if I changed domains. All in all, I had no problems with publishing once I found the right steps to be able to maintain multiple domains.
    Now, using the default publish or publish all process, all I get is the last site I published. In order to get things semi-functional, I published a site, then I would go to iDisk/Web/Sites/ directory, select the folder name for the site I had just published, then copy it or move it to iDisk/Web/Sites/iWeb directory. This was rather slow and I suspect it is not an approved solution, but it semi-worked. My sites are back up, but they are not fully functional.
    Is there anyway to get back to using the ~/Library/Application Support/iWeb/ directory (separate Domain.sites file for each site) process to publish multiple sites? If not, is there any way to suck in the various domains back into one? If that is possible, will it take hours to publish the combined 2-3GB like it did with the previous version?
    How do I reverse the 'personal domain' process? I do not want to do this at this time. I just wanted to see what the steps were. I have done the first step, but not the second.
    I was glad to see some of the changes made in the upgrade (web widgets, maps, html snippets, theme switching), but I am too happy about the changes made by the upgrade process. In the past, I upgraded my Apple related stuff as soon as it came out. Based on this upgrade, that won't happen again.
    It took you guys 5 days to get back to me (during which time several of my sites were down) and I do not believe the information you provided is going to solve my specific problems. I am very disappointed with the results of this upgrade. Clearly there was inadequate testing of this product before it was released. I cannot recall seeing the Apple discussion forums with hundreds of topics and thousands of posts within a week or two of a new release. Apple had to upgrade iWeb in the first week, another poor sign.
    Apple is beginning to slip back to the pack; all vendors all below average. Apple is getting more like Microsoft everyday. First Apple delays the release of an OS upgrade so they can concentrate on a freaking phone, now you release software that is so buggy it should be classified as beta at best.
    Some of the changes/problem I am seeing since the upgrade (in addition to the problems mentioned previously) are:
    layout changes; some of my pages no longer look the same; some of the changes are so bad the pages are unreadable
    broken photo pages; some of my photo pages no longer work; some of them have no text or pictures
    file/page name changes; why would Apple change the location of the files; now my domains are not pointing right location; special characters (like spaces, ampersands, etc.) are handled differently in this version; specifically, I see that spaces are changed to underscores (_); iWeb used to use '%20' for spaces; what was Apple thinking?
    broken 3rd party themes; I know Apple is not responsible for 3rd party themes, but you should certainly be aware that they exist
    Based on what I am seeing online, most of the people who are complaining about major iWeb issues are not newbies; based on the technical details in the threads, there are clearly some experienced people who are trying to figure things out. I have lost many hours trying to figure this mess out. I now have to review hundreds of pages to try to get things to look and work the way they did before the upgrade. I have had to handle dozens of phone calls and emails from my viewers and subscribers trying to explain the situation.
    I googled 'iweb 08 *****' and got nearly 50,000 hits! I think Apple better get in front of this train before it gets run over.
    On Aug 19, 2007, at 11:09 AM, .Mac Support wrote:
    Dear David,
    I understand that you are experiencing an issue viewing some of your websites published in iWeb:
    I have examined all of the published pages and they appear to load and function as expected. If you published your website to .Mac, you can visit it either of these ways:
    - In iWeb, click the Visit button in the lower-left corner.
    - Enter the following URL into a web browser:
    http://web.mac.com/daviddawley/
    If you have published more than one website, the URL above will take you to the default website, which is the first website listed in iWeb. To visit another website you have created in iWeb, use the following URL format:
    http://web.mac.com/daviddawley/iWeb/YourSiteName
    Using this form, the web addresses for the two sites you mentioned would be:
    http://web.mac.com/daviddawley/iWeb/FuzzyLlamaJuniorOptimist.com
    http://web.mac.com/daviddawley/iWeb/pAwesomeProductions.com
    To change the default website, simply open iWeb, and in the Site Organizer, drag the desired default website to the top and republish to .Mac.
    NOTE: Be sure to give each website a unique name. This will help prevent one website from overwriting another. For further information, refer to the following article:
    iWeb: Do not use similar names for your sites
    http://www.info.apple.com/kbnum/n303042
    If you still experience issues with the website, try the following troubleshooting steps:
    WAIT SEVERAL MINUTES
    If your website has movies, you may need to wait several minutes after going to the website before the movies are ready to play. The QuickTime Player icon indicates that a movie is still loading.
    CLEAR YOUR BROWSER CACHE
    If you use Safari, you can clear your browser cache by choosing Empty Cache from the Safari menu. If you use another browser, consult that browser’s documentation if you need assistance in clearing your browser cache.
    UPDATE YOUR BROWSER
    Make sure you are using the latest available version of your web browser when viewing pages published in iWeb. If you use Safari, you can check for updates by choosing Software Update from the Apple menu. If there are any available Safari, Security, or Mac OS X updates, install those updates and try looking at your website again.
    If you use another browser, consult that browser’s documentation if you need assistance in updating the browser.
    TRY ANOTHER BROWSER
    If you use a Mac, try viewing your website with Safari or Firefox. If you use Windows, try Internet Explorer 6 or Firefox. Firefox is a free download available here: http://getfirefox.com
    TRY ANOTHER NETWORK
    If possible, try viewing your website from another network or Internet connection. If you can successfully view the website from another network, please consult your network administrator or Internet service provider (ISP) to resolve this issue.
    Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance, or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website.
    Sincerely,
    Mel
    .Mac Support
    http://www.apple.com/support/dotmac
    http://www.mac.com/learningcenter
    Support Subject : iWeb
    Sub Issue : I can't publish to .Mac from iWeb
    Comments : I was interested in forwarding one of several iWeb based sites to one of my domains. I wanted to see what the steps were. I believe I inadvertently started the process for moving the site to www.nfdoi.com site. I have several sub directories under the ~/Library/Application Support/iWeb directory with separate domain.sites files (now domain.sites2).
    I was going through all of my domain.sites files and opening them in iWeb08; then publishing them. Somewhere along the line everything blew up. Most of my iWeb sites no longer function, It appears that every other iweb site other www.nfdoi.com is down EXCEPT the last one I published. I have made a mess of things and would appreciate any help.
    Don't work:
    http://web.mac.com/daviddawley/FuzzyLlamaJuniorOptimist.com
    http://web.mac.com/daviddawley/pAwesomeProductions.com
    Works:
    http://web.mac.com/daviddawley/Optimist_View/OptimistView.com/OptimistView.com.html
    ========= PLEASE USE THE SPACE ABOVE TO DESCRIBE THE ISSUE BASED ON THE QUESTIONS BELOW =========
    1. What version of iWeb are you using to publish to .Mac? iLife 08
    2. When did you first notice this issue? After publishing a few sites.
    3. What happens, including any error messages, when you try to publish your site?
    --------------------- Additional Info -------------------------
    Alternate email address : [email protected]
    OS Version : Mac OS X 10.4.10
    Browser Type : Safari 2.x
    Category : I can't publish to .Mac from iWeb
    Connection Type :Other
    TrackID: 4154168

    Just got off the phone with Apple Support.  Their procedure was the following:
    1.  Go to the Apple TV, select settings, general and scroll down to reset.
    2.  Select reset and then select reset all
    Apple TV will go through a restart after the reset and you will have to select your network then log in with your network or Airport Express password.  You will then have to turn on home sharing and it will then ask you for your Apple ID for the iTunes store and then the password.  At this point you may not see your library, because the Apple TV wants you to turn on home sharing on your home computer that is hosting the movie library.  Turn off home sharing on that computer, restart iTunes and turn on home sharing again.  After this is done you should be able to see your library listed under the computer.
    After going through these steps, when I select an HD movie from my iTunes library the movie comes up after about a 5 second delay.
    Hope this helps!  I am back up for business.

  • SSO logon tickets not working in two different OS

    HI All,
    We have successfully implemented the SSO logon tickets concept to access a J2EE application through the portal on Windows OS.
    We were able to do the same thing on two J2EE instances installed on two different machines in the same domain. I mean, deploying our application in one J2EE instance and accessing the application through the portal of another J2EE instance via SSO logon ticket, by adding some configuration steps in Visual Administrator given in help.sap.com. This we also did on the same OS, Windows.
    But now the problem is, when we try to implement the above scenario on two different OSes, say the application is deployed on an HP-UX machine, and we access that application through the Portal from a Solaris machine, SSO logon tickets fail. That means we are not able to access the application. Both OSes are in the same domain.
    What extra configuration steps need to be done in VA to get this to work with two different OSes?
    Please share your ideas.
    Regards,
    Satish.

    Hi..
    I guess probably Internet Explorer does not accept the SSO ticket.
    What you can probably check is the compatibility of Explorer for the Solaris and HP-UX OS with Windows OS.
    Also, please check whether the SSO ticket is getting populated and what error you are getting exactly when the SSO fails; that will give some idea to proceed further.
    <u>deploying our application in one j2ee instance and accessing the application thru portal of another j2ee instance</u>
    What does the above mean? How are you deploying? What tool? Which J2EE instance out of the two?
    Thanks
    Gopal

  • SSO with Logon Ticket to non-SAP Unix based application

    Hi all,
    Anyone has implemented SSO with Logon Ticket to a Unix box ?
    We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
    We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
    From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
    -> Are there any Java libraries that are available to both:
    . verify the logon ticket with the deployed Portal public key
    . decrypt/extract the authenticated username from this ticket ??
    I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
    Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
    I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
    Any hint is very much appreciated.
    Thanks a lot
    Olivier

    Check these links for reference regarding AIX and Apache using X.509 certificates:
    http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
    And just using cookies -
    http://forums.devshed.com/archive/t-105611 (perl based)
    You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
    The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
    Nick

  • How to implement SSO to non-SAP systems using SAP logon ticket?

    Hello,
    We would like to implement Single Sign On between our SAP Netweaver system and a Siebel which is a non-SAP system using SAP logon tickets.
    Can anyone please give me some leads on this, in particular:
    1. Is there a JAVA API or an SAP plug-in that can be implemented on the Siebel machine to extract the SAP logon ticket?
    2. As the other machine might sit in a completely different domain, is it possible to implement the SAP logon ticket without using cookies (perhaps through an HTTP header)?
    3. In case you think using SAP logon tickets is not the best solution here I would be happy to hear any other suggestions you might have.
    Roy

    Hi,
    I'm currently using SAML as well. Unfortunately the SAP J2EE cannot work as authority (identity provider) but what you can do is use an open implementation of SAML such as opensso, which is an open version of Sun's Java System Access Manager.
    There are a couple of other projects such as opensaml, apache's wss4j or shibboleth that might be interesting in this context.
    I just installed opensso and got it working with SAP J2EE 7.0 using SAPs JAAS SAMLLoginModule to authenticate users within SAP J2EE.
    In this scenario opensso serves as identity provider, just as you need! There are a couple of Policy agents available on Sun's download site you can use with Apache, Tomcat, JBOSS, WebSphere, Bea Web Logic etc. in order to authenticate! Otherwise you just directly authenticate against opensso. When installing opensso you can configure the type of user store you want to use! By default it uses LDAP but you can also use different types of user store using JDBC or other mechanisms. Since you have a Directory Service you could easily connect it to your existing directory.
    There is also a way to map user ids directly in opensso by adding a uid mapping class. I created some documentation with lots of screenshots about using opensso with SAP J2EE. You can easily use opensso with any other system that supports SAML. In the case of SAP the usage is currently limited to SAML versions 1.0 and 1.1. Version 2.0 is not yet supported but should be in one of the following versions.
    Here are some links you might want to check:
    OpenSAML: https://spaces.internet2.edu/display/OpenSAML/Home
    wss4j: http://ws.apache.org/wss4j/
    shibboleth: http://shibboleth.internet2.edu/
    opensso: https://opensso.dev.java.net/
    On SDN you will find a documentation on how to connect SUN Java System Access Manager to SAP J2EE (see https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/906d9fc6-31b9-2910-1385-90edad7d7570). As I said opensso is based on the SUN Access Manager code and looks quite the same. So you can adapt this documentation in order to configure opensso or you can just ask me for the documentation.
    Hope this is helpful...
    Let me know if you need further assistance on this topic
    Cheers

  • SSO with SAP logon tickets to non-SAP web app

    I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work.  I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal.  Anyone tried similar?
    Cindy

    Hi Cindy,
    If it is EP6 SP2 probably you can checkout the following document.
    http://service.sap.com/ep60
    Go to Documentation Help>How-To-Guides>Current How To Guides section.
    checkout the following how to guide.
    Perform Cross Domain SSO with SAP Logon tickets zip file.
    If you want the zip file please send an e-mail to
    [email protected]
    Regards
    -Venkat Malempati

  • Cannot Login to Read Only Domain Controller

    One of my Read Only Domain Controller servers shut down unexpectedly due to a power outage and now I cannot log in to it anymore. When the server powered on again, it came up with an error regarding one of the hard drives failing (RAID1).
    I get a message "Access is Denied" when I try to log in with one of my domain admin accounts. As it is an RODC, there are no local accounts for me to use. The RODC is running on Windows Server 2008 R2. The server is also running as a DHCP/Print/File server for the office so these are not working as well.
    I checked my PDC and it is coming up with the following error in the event viewer
    Log Name: System
    Source: Security-Kerberos
    Event ID: 4
    Level: Error
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server rodc01$. The target name used was domain/rodc01.domain.local. This indicates that the target server failed to decrypt
    the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account
    used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the
    server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain.local) is different from the client domain (domain.local), check if there are identically named server accounts in these
    two domains, or use the fully-qualified name to identify the server.
I have tried to reset the computer password with netdom but I get the following error:
    netdom resetpwd /server:rodc01 /userd:administrator /passwordd:*
    The machine account password for the local machine could not be reset.
    Logon Failure: The target account name is incorrect.
    The command failed to complete successfully.
If I try to reset the password using the IP address instead, I get the following error:
    netdom resetpwd /server:192.168.10.1 /userd:administrator /passwordd:*
    The machine account password for the local machine could not be reset.
    Access is denied.
    The command failed to complete successfully.
I checked my AD and DNS and the rodc object is present.
If I run repadmin /replsum on the PDC I get the following message for the faulty RODC server:
Experienced the following operational errors trying to retrieve replication information:
        8341 – rodc01.domain.local
    Any advice is appreciated
    Thanks

Log on to the server in Directory Services Restore Mode (DSRM) using the password you supplied during DCPROMO and verify that the Active Directory database isn't corrupted on the RODC. You will most likely see indications of this in the Directory Services log.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog
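The Event ID 4 text above names two causes for KRB_AP_ERR_MODIFIED: the SPN is registered on a different account than the one the service runs as, or the service account's password on the server no longer matches what the KDC holds (exactly what a disk failure and a stale machine-account password can produce). Both come down to the same thing: the KDC seals the service ticket with one key and the target server tries to open it with another. The model below is an added illustration, not Windows code and not from either poster; the account table, SPN registry, passwords and the HMAC "ticket" are constructed stand-ins for the real Kerberos encryption, chosen so the key-mismatch behaviour can be seen offline.

```python
import hashlib
import hmac
import time

# Constructed, hypothetical directory: account name -> password the KDC holds.
KDC_ACCOUNTS = {"rodc01$": "pw-after-last-change", "fileserver$": "other-pw"}

# Constructed SPN registry: SPN -> account the KDC believes owns it.
SPN_REGISTRY = {"host/rodc01.domain.local": "rodc01$"}


def derive_key(password: str) -> bytes:
    # Stand-in for the real Kerberos string-to-key function.
    return hashlib.sha256(password.encode("utf-8")).digest()


def kdc_issue_ticket(spn: str, client: str, lifetime_s: int = 600 * 60) -> dict:
    """KDC side: find the account that owns the SPN and seal the ticket with the
    key derived from the password the KDC currently holds for that account.
    (Real tickets are encrypted; an HMAC tag is enough to model 'can the server open it'.)"""
    account = SPN_REGISTRY[spn]
    body = f"{client}|{spn}|{int(time.time()) + lifetime_s}".encode("utf-8")
    tag = hmac.new(derive_key(KDC_ACCOUNTS[account]), body, hashlib.sha256).digest()
    return {"body": body, "tag": tag, "spn": spn}


def server_accept(ticket: dict, service_password: str) -> str:
    """Target server side: try to open the ticket with its own current key.
    Returns 'OK' or the error name the client would log in Event ID 4."""
    expected = hmac.new(derive_key(service_password), ticket["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return "KRB_AP_ERR_MODIFIED"
    return "OK"


def diagnose(spn: str, running_as: str, local_password: str) -> str:
    """Map a failed accept back to the two causes the event text lists."""
    owner = SPN_REGISTRY.get(spn)
    if owner != running_as:
        return f"SPN {spn} is registered on {owner}, but the service runs as {running_as}"
    if derive_key(KDC_ACCOUNTS[owner]) != derive_key(local_password):
        return f"{owner} uses a different password than the KDC holds (out of sync)"
    return "no mismatch"


if __name__ == "__main__":
    t = kdc_issue_ticket("host/rodc01.domain.local", "administrator")
    # Healthy server: same password on both sides.
    print(server_accept(t, "pw-after-last-change"))
    # Server whose machine-account secret is stale after the outage.
    print(server_accept(t, "pw-from-before-outage"))
    print(diagnose("host/rodc01.domain.local", "rodc01$", "pw-from-before-outage"))
```

In the real environment the same check is `netdom resetpwd` (which the poster could not run because the broken secret also blocks the logon it needs) or a DSRM logon followed by a fresh password reset; the point of the model is that neither "wrong account for the SPN" nor "password out of sync" is distinguishable from the ticket itself, which is why the event lists both.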

  • Maintain access to network(shared folders) resources if the site loses access to a Domain Controller?

    Scenario
Windows 7 users log on to workstations at a site. A Domain Controller is up and does the domain authentication for those users across the WAN. Users then access a local (same building) shared directory on a Windows 2008 R2 server, in order to open, modify, save new files, etc.
    Then, the site loses access to the Domain Controller due to a WAN outage.
    Question
Will those users that have already logged on to their Windows 7 workstations continue to have access to the shared resources on the local Windows 2008 R2 server with their cached credentials (assuming they don't log off or restart their machines)? This has been the case in the past, but I am wondering if anything has changed with Windows 2008.
    Thanks

    Hi,
How long you can keep accessing the server depends on when the server requires re-authentication.
In the Windows implementation, SMB session expiration is enforced based on the client's support of the dynamic re-authentication capability [MS-SMB].
If the client sets the CAP_DYNAMIC_REAUTH capability bit, the server enforces session expiration. If a client does not set CAP_DYNAMIC_REAUTH, the Windows server does not return STATUS_NETWORK_SESSION_EXPIRED.
The SMB dynamic re-authentication feature was introduced in Windows XP. Since then, Windows-based clients set the CAP_DYNAMIC_REAUTH capability bit to indicate to the server that the client supports re-authentication when the Kerberos service ticket for the session expires.
Windows servers do check CAP_DYNAMIC_REAUTH:
If clientCapabilities sets CAP_DYNAMIC_REAUTH, the server sets Server.Session.AuthenticationExpirationTime to the expiry time returned by AcceptSecurityContext.
If clientCapabilities does not set CAP_DYNAMIC_REAUTH, the server does not set Server.Session.AuthenticationExpirationTime; in other words, a CAP_DYNAMIC_REAUTH capability bit not set by the client means the session will not expire on the server side.
To configure "Maximum lifetime for service ticket", you can use Group Policy. The default value of "Maximum lifetime for service ticket" in the Default Domain Policy is 600 minutes.
Note: this setting is applied to the DC, not to clients.
For detailed information, please see the links below:
    CIFS and SMB Timeouts in Windows
    http://blogs.msdn.com/b/openspecification/archive/2013/03/19/cifs-and-smb-timeouts-in-windows.aspx
    Maximum lifetime for service ticket
    http://technet.microsoft.com/en-us/library/jj852188.aspx
    Hope this helps.
    Steven Lee
    TechNet Community Support
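The decision the answer describes (CAP_DYNAMIC_REAUTH set, so the server records the ticket expiry and later returns STATUS_NETWORK_SESSION_EXPIRED; bit not set, so the session never expires on the server side) is small enough to model end to end, together with what happens to the poster's users when the WAN is down and the client cannot get a fresh service ticket to re-authenticate with. The following is an added example, not code from Microsoft, [MS-SMB] or the answer; the capability bit value is the one documented in [MS-SMB], the status names are the ones quoted above, AcceptSecurityContext is replaced by a stand-in that just returns the ticket expiry, and the "DC reachable" flag and the timeline are assumptions made for the simulation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

CAP_DYNAMIC_REAUTH = 0x20000000          # clientCapabilities bit from [MS-SMB]
STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_NETWORK_SESSION_EXPIRED = "STATUS_NETWORK_SESSION_EXPIRED"
DEFAULT_SERVICE_TICKET_LIFETIME_MIN = 600  # "Maximum lifetime for service ticket" default


@dataclass
class Session:
    client_capabilities: int
    # Models Server.Session.AuthenticationExpirationTime; None means "never expires".
    authentication_expiration_time: Optional[float] = None


def accept_security_context(now: float, ticket_lifetime_min: int) -> float:
    """Stand-in for AcceptSecurityContext: return the service ticket's expiry time.
    In the real call this comes from the Kerberos ticket the client presented."""
    return now + ticket_lifetime_min * 60.0


def session_setup(client_capabilities: int, now: float,
                  ticket_lifetime_min: int = DEFAULT_SERVICE_TICKET_LIFETIME_MIN) -> Session:
    """Server-side SMB session setup as described in the answer:
    only a client that set CAP_DYNAMIC_REAUTH gets an expiry recorded."""
    session = Session(client_capabilities)
    if client_capabilities & CAP_DYNAMIC_REAUTH:
        session.authentication_expiration_time = accept_security_context(now, ticket_lifetime_min)
    return session


def handle_request(session: Session, now: float) -> str:
    """Per-request check the server performs on an established session."""
    exp = session.authentication_expiration_time
    if exp is not None and now >= exp:
        return STATUS_NETWORK_SESSION_EXPIRED
    return STATUS_SUCCESS


def simulate(client_capabilities: int, ticket_lifetime_min: int, dc_reachable: bool,
             check_times_min: List[int]) -> List[Tuple[int, str]]:
    """Walk a constructed timeline (minutes since logon). When the server reports
    expiry, a CAP_DYNAMIC_REAUTH client re-runs session setup, which needs a fresh
    service ticket; with the DC unreachable across the WAN that re-authentication
    cannot complete, so the request stays failed (assumption for the WAN-outage case)."""
    session = session_setup(client_capabilities, 0.0, ticket_lifetime_min)
    results = []
    for t_min in check_times_min:
        now = t_min * 60.0
        status = handle_request(session, now)
        if status == STATUS_NETWORK_SESSION_EXPIRED and dc_reachable:
            session = session_setup(client_capabilities, now, ticket_lifetime_min)
            status = handle_request(session, now)
        results.append((t_min, status))
    return results


if __name__ == "__main__":
    # Modern Windows client, default 600-minute tickets, DC cut off by the WAN outage.
    for t, status in simulate(CAP_DYNAMIC_REAUTH, 600, False, [0, 599, 600, 700]):
        print(f"t={t:>4} min  {status}")
    # Client that never set the bit: the server never expires the session.
    print(simulate(0, 600, False, [0, 600, 100000]))
```

Under these assumptions the users in the scenario keep working until the service ticket obtained at logon reaches the configured lifetime; after that the server answers STATUS_NETWORK_SESSION_EXPIRED and the client's re-authentication only succeeds once the DC is reachable again. Lengthening "Maximum lifetime for service ticket" moves that point out, at the cost of tickets (and any revoked group membership) staying valid longer.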

  • Windows machines can't join domain after 10.5.4 upgrade

    Howdy folks,
    I have a ticket open with Apple on this but am posting here in hopes that someone might have an idea for me.
I upgraded our Mac OS X Server 10.5.3 to 10.5.4 on Sunday, and this morning several users reported that their PCs running Windows XP SP2 were unable to log in to the Windows domain hosted on this machine. It's the primary domain controller for the Windows users.
    One thing to note is that I had to reinstall the server completely because the 10.5.4 patcher crashed, creating all kinds of mayhem. I did a fresh install of OS X Server 10.5 and immediately applied the 10.5.4 combo updater to it. I had to restore the Open Directory from an archival copy, and the SMB was created fresh. Not sure why but the SMB services weren't preserved by the Server settings export command in Server Admin.
    I thought unbinding the PC from the Windows domain and then rebinding it with a new name would help, but I've been completely unable to add older computers to the domain, even after removing the old computer records first.
    I've got a reproducible failure mode for this problem on a Windows XP virtual machine running on VMware Fusion on my Mac. Here's the method I've been using to create the failure:
    1. Change Windows XP System name to something new that doesn't already have a computer record on the Mac OS X Server and reboot.
    2. After the reboot, run "NewSID" program on Windows to globally change my Windows machine's SID to a new, random value, and reboot again.
    3. Attempt to use the Network ID wizard in the Windows Control Panel to re-add the machine to the domain under a new name so there's no conflict with any old computer records floating around in Open Directory. After it prompts me to enter the username, password and domain name for a user who's authorized to add machines to the domain, I get a dialog box that displays this error:
    "Your computer could not be joined to the domain because the following error has occurred:
    An internal error occurred."
    Not too informative.
    Here are the error messages I see in /var/log/samba/log.smbd (searching for the new computer name in the search field):
    netbios connect: name1=BIGMAC name2=JEFFVM6
    netbios connect: local=bigmac remote=jeffvm6, name type = 0
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'JEFFVM6$'
    odssam_getgrnam gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Groups record for 'JEFFVM6$'!
    opendirectorysamsearchname gave -14136 [eDSRecordNotFound]: no dsRecTypeStandard:Computers record for account 'JEFFVM6$'
    kDSStdAuthNewUser was successful for account "jeffvm6$"
At that point it's impossible to join the computer to the domain no matter what. The most puzzling thing is that SOME of our users were able to log in without any problems whatsoever. The ones that were either physically off or somewhere else when the 10.5.4 upgrade was applied are the only PCs that seem to be having problems.
    Any help at all is appreciated. I suspect this is some kind of a SID conflict because the SMB server had to be recreated from scratch, but have no idea how to fix the client, the server, or both to make the computer account creation process work.

    The problem is fixed.
    The issue boils down to an argument between the Open Directory server on bigmac (the OS X Server machine) and the SMB server on bigmac. The crucial information I needed to solve this problem was located here: http://www.radiotope.com/node/61
The Open Directory database had to be restored from a backup following this weekend's problematic upgrade, and it had a different value for the SID for the Windows domain than the one used by the SMB server software itself. Even stranger was that the Open Directory database actually had the wrong domain name! It was listed as "BIGMAC" in Open Directory, even though it was set to the correct Windows domain name in the SMB server.
The solution was to demote the SMB server from a Primary Domain Controller to a Standalone Machine, and then repromote it. Although I changed no values in the settings, and did not modify the plist containing the SID in the Open Directory via the Inspector in Workgroup Admin, after the SMB PDC was repromoted, the SIDs and the domain names in Open Directory and the SMB config agreed with each other. Now new machines can join the domain and users can log in just as they did before. No client-side modifications are necessary.
    Hope this is helpful to someone else. It was quite the hair-pulling experience for a while there.
    Jeff Kirk
