Validating Kerberos Tickets

Hi,
My ultimate goal is to validate a kerberos ticket generated by user1 on a server side application which connects to the KDC with user2.
I have been following the examples at: http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/lab/part2.html.
I have changed the krb5.conf to suit our environment, and I have changed the jaas-krb5.conf to:
client {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="[email protected]";
};
server {
     com.sun.security.auth.module.Krb5LoginModule required
     useKeyTab=true
     storeKey=true
     isInitiator=false
     keyTab="file:///C:/user2.keytab"
     principal="[email protected]";
};
The principal of the server is getting validated by the keytab file and login is successful; however, on trying to validate the ticket, I am getting:
Entered Krb5Context.acceptSecContext with state=STATE_NEW
   EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
I am new to Kerberos authentication; please can someone guide me on how to do this type of validation?
Regards,
Sabyasachi.

http://www.afp548.com/article.php?story=20071109134320909&query=renew%2Btickets
"For the people that want auto-renew on Kerberos tickets you can continue to do the same thing that has worked since 10.2. Just open the Kerberos application and leave it running."

Similar Messages

  • No valid credentials provided: Failed to find any Kerberos Ticket

    I'm running a java routine on a Windows 2000 workstation and trying to use JAAS to authenticate against a RedHat based kerberos server. When I do a login I get the following debug information:
    Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
              [Krb5LoginModule] user entered username: drrobison/admin
    principal is drrobison/[email protected]
    Added server's keyKerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
    0000: 76 9B 32 9D 02 AB 23 4C
              [Krb5LoginModule] added Krb5Principal drrobison/[email protected] to Subject
    Commit Succeeded
    When I print out the returned subject I get
    Subject:
         Principal: drrobison/[email protected]
         Private Credential: Ticket (hex) =
    Client Principal = drrobison/[email protected]
    Server Principal = krbtgt/[email protected]
    Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
    0000: 4F A7 BA 6D B0 E5 E5 6D
    Forwardable Ticket true
    Forwarded Ticket false
    Proxiable Ticket true
    Proxy Ticket false
    Postdated Ticket false
    Renewable Ticket false
    Initial Ticket false
    Auth Time = Mon Nov 25 17:16:35 EST 2002
    Start Time = Mon Nov 25 17:16:35 EST 2002
    End Time = Tue Nov 26 03:16:35 EST 2002
    Renew Till = Null
    Client Addresses Null
         Private Credential: Kerberos Principal drrobison/[email protected] Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
    0000: 76 9B 32 9D 02 AB 23 4C
    Then when I try to use the GSSManager.createCredential I get the following error:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:142)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    GSSException No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket): No valid credentials provided: Failed to find any Kerberos Ticket
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.<init>(SimpleNTSCApp.java:115)
         at com.orci.OpenTMS.CctvGUI.SimpleNTSCApp.main(SimpleNTSCApp.java:227)
    Any ideas what the problem might be?
    Many thanks in advance...

    Hi ,
    I hope first that you solved your problem.
    In fact I'm using Tomcat on Windows 2000 and I try to get tickets for a Kerberos V installation on a Linux Box, using a Krb5LoginModule.
    To do so , I would like to know how do you tell your windows box where to find the destination realm (in your case OPENROADSCONSULTING.COM) .
    If it is in the jaas.config file , could you send yours to me please
    Thanx by advance
    Yann

  • Initial Kerberos ticket only 10 minutes- how to fix?

    I have a 10.5.8 server with OD and AFP set up.
    I have an OD user account. I have two client machines, both bound to the OD server with Directory Utility.
    On client A (10.5.8), I have a local user account that is "Managed, Mobile" with the same username/password as my OD account, but I'm using my local home directory as my default and not syncing to my server home directory.
    On client B (also 10.5.8), which is a shared machine, I do not have a local account matching my OD account.
    On every startup of client A, I automatically get a Kerberos ticket for the server, as I'd expect, but it has a life of only 10 minutes and does not auto-renew. As long as the ticket is valid, I can connect to and mount sharepoints on the server (without new authentication). Once the ticket expires, I can't connect to the AFP server without manually renewing the ticket (I use the Kerberos client) or re-booting. (Otherwise, I get a login prompt but credentials are not accepted.) If I renew the ticket, it renews for 10 hours and then I can connect to the AFP server, but I have to do this manually. It doesn't appear to matter whether I've set client A to trusted binding. I've set Kerberos preferences on A to a minimum and maximum ticket life of 10 hours, but this doesn't help.
    On client B (also 10.5.8), with a similar setup in Directory Utility, I get a 10 hour ticket. (If I login at startup with my OD account, I get the Kerberos ticket immediately. If I login in with a local account, I'm prompted to authenticate when I attempt to connect to the AFP server and then can use my OD account to connect.) I've not waited to see if this ticket will auto-renew, but my Kerberos preferences (on both A and B) are set to a renewable life range of 7 days and I'm guessing that it will auto-renew on B.
    Client B behavior is what I expect. Client A behavior I don't understand. Can anyone help me figure out what's happening (keeping in mind that I'm an OD novice!), so that I can stop client A from creating a ticket with such a short life?
    Thanks in advance for any help.

    I am not really following what you have and what you want here.
    Each Sequence is unique, and has a Duration that is equal (or should be) to the total Duration of the Assets on that Sequence.
    It is not until one defines the output and delivery of those Sequences, that any concern needs to be made for the Duration, and then the TimeCode for that delivery will incorporate the Durations from all Sequences used.
    Let's take a DVD as an example. One edits in Sequences. Their Durations will be determined by Clips on each Sequence. While there are different workflows here, I am going to keep it very simple. I am also going to save typing, and just list the minutes of Duration for each Sequence.
    I have 4 Sequences, #1 thru #4. I Export each Sequence as an AV file (DV-AVI on PC, or MOV on a Mac). Sequence #1 is 20 mins. long. Sequence #2 is 10 mins. Sequence #3 is 10 mins. Sequence #4 is 20 mins. This will be a total of 60 mins., when Imported into Encore for authoring the DVD. I assemble my 4 Sequences, in whatever order I wish, or use a Playlist to navigate to each/all in whatever order I wish. The TimeCode in the Sequences (back in PrPro) make no difference. Each starts at 00;00;00;00, and only the total Duration of each really counts for anything in my authoring. I can choose to play any/all, and in any order that I wish.
    Now, if one wishes to Export to some other delivery scheme, say a MOV filed combined into one, you can Nest (in the manual, or Help file) all Sequences into a single additional Sequence, and in any order that you wish, say Sequence 4, Sequence 1, Sequence 3 and Sequence 2. Then, just Export that new, Nested Sequence as a MOV file. That Nested Sequence does not care what the starting TimeCode of each of the contributing Sequences was. Only the total Duration of all Sequences matters.
    Does that make sense? If not, can you articulate exactly what the problem with your Sequences is?
    Good luck,
    Hunt

  • How do I create a kerberos ticket using coldfusion

    I have 3 apps on our intra net that require authentication and would like to use kerberos to accomplish this. This is my set up.
    users log in to the network and authenticate via active directory (all windows based) , Our web apps are on a box running solaris 10, weblogic app server, cf 9 and oracle 11g.  A group of our web apps on this sever require users to authenticate through oracle (not the web / app server).
    I can authenticate with kerberos via a putty session on the server with no problems.
    USING COLDFUSION, how do I request a Kerberos ticket and pass the necessary credentials to authenticate?
    Can this be done?
    I am looking for a CODE SAMPLE OF HOW TO DO THIS in a UNIX environment, NOT WINDOWS.
    I apologize for the frustrated tone of this post. However, after a week of reading documentation til my eyes bleed, to end up chasing my tail with no truly helpful info............
    TIA
    JB

    This is something your web server should do, not CF. Configure your web server to participate in the Kerberos realm. If WebLogic is the web server (and not just the application server) configure that:
    http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/sso.html
    If you have WebLogic configured to use Apache as a web server, configure that:
    http://modauthkerb.sourceforge.net/
    http://support.microsoft.com/kb/555092
    Dave Watts, CTO, Fig Leaf Software
    http://www.figleaf.com/
    http://training.figleaf.com/

  • Mobile accounts are not being issued kerberos tickets

    Hi
    If I set mobile accounts to expire as soon as they log out, as soon as the user logs back into the same mac with the same account, it does not get issued another kerberos ticket at login.
    If I turn mobile accounts off, it works every time.
    running 10.6, 10.6 open directory server and the user accounts are AD accounts server 2003.
    I am pulling my hair out here. Is this something that is intentional?

    Other observations:
    *1. from /Library/Logs/DirectoryService/DirectoryService.error.log*
    2010-06-18 14:04:11 CEST - T[0xB0185000] - Misconfiguration detected in hash 'Global UID':
    2010-06-18 14:04:11 CEST - T[0xB0185000] - User 'user1' (/LDAPv3/macsrv1.disney.ch) - ID 1035 - UUID 80699B6C-A90E-4D2F-9B07-FB78F72E9709 - SID S-1-5-21-4063190502-2217233148-2094676766-3070
    *2. user IS showing up in the login window.*
    If I configure the login window to show all users (including network users), then user1 does indeed show up.
    *3. Logging into user1 via ssh works.*
    *4. dscl on macsrv1*
    dscl /LDAPv3/127.0.0.1 -list /Users
    does indeed show user1 (and any other user I create)
    So why can't I login/create user1 on the client mac without toggling the FULL PATH to /Network/Servers/macsrv1.disney.ch/users/user1 first? arghh!

  • Can login, but can't get Kerberos ticket

    Hi,
    This is on OS X Server 10.5.8, all up to date, and an OS X Client 10.6.4, all up to date.
    One user in particular can login, however they can't get a kerberos ticket (iChat and other apps fail to login). They can use the Ticket Viewer app to see that there is no ticket, but then add an identity manually and it all works fine.
    If I change the password via Workgroup Manager they can login with that new password. I also ticked "change password at next login", however the client didn't pick that up (although they logged in with the new password).
    Also, when trying to change the password via System Prefs, it says the old (current) password is incorrect, even though it's the same as they logged on with.
    I'm pretty sure the problems are to do with the Kerberos login check failing (as seen in the log below) - but why would the user be able to login, yet fail the kerberos authentication check?
    Output from password server log:
    Nov 2 2010 10:24:52 RSAVALIDATE: success.
    Nov 2 2010 10:24:52 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DHX authentication succeeded.
    Nov 2 2010 10:24:52 KERBEROS-LOGIN-CHECK: user {0x46ac8ee739c0ff000000000e0000000e, nhankey} authentication failed.
    Nov 2 2010 10:24:52 GETPOLICY: user {0x46ac8ee739c0ff000000000e0000000e, nhankey}.
    Nov 2 2010 10:24:52 GETPOLICY: user {0x46ac8ee739c0ff000000000e0000000e, nhankey}.
    Nov 2 2010 10:24:55 RSAVALIDATE: success.
    Nov 2 2010 10:24:55 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DIGEST-MD5 authentication succeeded.
    Nov 2 2010 10:24:56 RSAVALIDATE: success.
    Nov 2 2010 10:24:56 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DHX authentication succeeded.
    Nov 2 2010 10:24:56 KERBEROS-LOGIN-CHECK: user {0x46ac8ee739c0ff000000000e0000000e, nhankey} authentication failed.
    Nov 2 2010 10:24:56 RSAVALIDATE: success.
    Nov 2 2010 10:24:56 AUTH2: {0x46ac8ee739c0ff000000000e0000000e, nhankey} DHX authentication succeeded.
    Nov 2 2010 10:24:56 KERBEROS-LOGIN-CHECK: user {0x46ac8ee739c0ff000000000e0000000e, nhankey} authentication failed.
    Is there a way to see which tickets have been issued on the server?
    Thanks for any help.
    Regards,
    Steve

    ... bump ...

  • Shouldn't I be getting a Kerberos ticket when logging in to my Lion Server?

    I have a very small OS X network setup: one server, one client.  OD, DNS, etc. all working well.  One thing I noticed though is when I log into the server directly, I never have a Kerberos ticket and have to use kinit; when I log into the client, I always get a ticket automatically. 
    After logging in to the server (directly via console, not ssh), I open a terminal and klist shows:
    klist: krb5_cc_get_principal: No credentials cache file found
    I can 'kinit' at this point, provide my password and I will get a working ticket, but isn't this supposed to happen at login time the way it does on my client?
    I've made no modifications to /etc/pam.d/authorization:
    # authorization: auth account
    auth       optional       pam_krb5.so use_first_pass use_kcminit
    auth       optional       pam_ntlm.so use_first_pass
    auth       required       pam_opendirectory.so use_first_pass nullok
    account    required       pam_opendirectory.so
    What am I missing here?  Why wouldn't I be getting tickets at login on this system?
    Many thanks,
    -O

    @Strontium, not sure what the basis for your opinion is; the server login process *is* a client of OpenDirectory and Kerberos and subject to the same PAM authorization process and thus the creation of a Kerberos ticket.
    After nearly two days of digging, I found the issue was caused by the existence of user records for some of my network users in the /Local/Default directory on the server which had an AuthenticationAuthority value pointing to an old, no longer used, Kerberos domain.  As these were OpenLDAP users, I hadn't even thought of examining the local directory until I noticed that the expected Kerberos ticket behavior was working properly for one of my accounts which was not a 'mobile' account.  I then realized only my 'mobile' accounts (which were nearly all of them) were the only accounts showing this problem.
    I believe what happened is when I changed server's kerberos name at some point in the past (by backing up the OpenLDAP records, demoting the master, re-creating the master with the new Kerberos name, importing the records, and resetting passwords); I never thought to clean up any locally cached user records for my 'mobile' users.
    To fix: I used the Directory Utility to delete the users from the local cache.  On next login by a mobile user, a correct local user record was created reflecting the proper Kerberos authority and now I'm getting Kerberos tickets on login again. 

  • Routing of emails with valid Service Ticket Tracking Text

    Hi Experts,
    System: SAP CRM 2007 (ERMS)
    If an email is sent to the ERMS system with a valid Service Ticket Tracking Text, based on the rule:
    If
    Service Ticket Responsible Is Not Equal To ""
    Then
    Route to Service Ticket Responsible ( Route To (On Exception) = "" )
    The email can be routed to the Service Ticket Responsible of the Service Ticket or a default org.
    My requirement is to route the email with a valid Service ticket tracking text to the Responsible Org (Service Employee Group) of the Service Ticket.
    How can this be made possible? Can anyone guide me with the steps?
    Regards,
    Namita
    Edited by: Namita Singh on Jul 10, 2009 8:42 AM

    Hi Namita,
    I was trying to simulate your condition and i thought the following could be useful to you.
    You validate your tickets based on "Text" for them to be put into the ERMS --(Is it true?)
    and then you want the service ticket responsible org to be intimated about the ticket
    while selecting the action/parameters --> You will need to add the entry Route E-mail , this will give you the organization unit object .
    At the back end in the service manager profile the service id for this is -->AH_ROUTE and the class is CL_CRM_ERMS_AH_ROUTE
    There should be an enhancement written in this class for the identification of the Responsible org unit partner function org so that it gets identified as the org to be intimated about the ticket.
    The other way is to add the service FG_SVCTKT to your service manager profile (guess it should be the default one) so that then you can check for the Actions/parameters to assign the partner function holding the responsible org data.
    Hope this helps
    Regards
    Raj

  • Mount CIFS / Windowsshare with Kerberos ticket

    Hi there!
    Uhm, I am trying to mount a Windows Share with
    mount -t cifs //SERVERNAME/SHARE /mnt -o krb5
    (Before that, I have requested a kerberos ticket with kinit username@DOMAIN which worked fine).
    I'm then asked to give a password, but I don't know which password it could be (tried my Domainuserpassword, also with "-o krb5,username=username", which didn't work).
    One of the other employees said that there's a package needed which is called key-request, so the kerberos ticket is forwarded to the server where it has to be compared.
    But I really didn't find the package.
    My questions are now:
    1. Do you know how to mount a Windows Share (Server 2008) with Kerberos tickets?
    2. Is the statement about the ticketforwarding true, and if yes, how can I do this on Arch?
    EDIT// The output I get after mount..
    1. "Password:
    Permission denied"
    2. "mount error(5): input/output error"
    3. Nothing happens
    Greetings
    Last edited by Kielo (2010-10-08 13:54:55)

    The Kerberos client code is unable to get a service ticket for your afp server & the afp client is trying to fall back and running out of options.
    You will need to check a couple of things on the afp server:
    1) check the principal name of the server: look in the file /Library/Preferences/com.apple.AppleFileServer.plist for the key "kerberosPrincipal"
    it should look like "afpserver/fqdn@REALM"
    2) run:
    klist -k
    and verify that the principal name of the afp server is in the list.
    On the OD Master:
    run (as root):
    kadmin.local -q "listprincs"
    and verify that the principal name of the afp server is in the list.
    Hope that gets you started
    - Leland

  • Is it possible to configure Safari to support Kerberos ticket forwarding?

    I work in an environment that authenticates with Kerberos.  I would like to be able to use Safari in this environment but I am forced to use other browsers that support ticket forwarding.  It seems that Safari does support Kerberos authentication according to this support article http://support.apple.com/kb/HT5385?viewlocale=en_US&locale=en_US.  However, it fails to explain how to enable ticket forwarding.

    rdar://6644527: Kerberos ticket forwarding doesn't work in Safari
    FirefoxAuth - User Guides Wiki

  • How to delete kerberos tickets from client machine?

    Although I'm not having problems anymore with portable home directories reconnecting after a server reinstall on a different domain name, I'd like to know where the client stores the Kerberos ticket so I can just delete it next time. Does anybody know?

    Kerberos.app. Available from Keychain Access's Keychain Access menu or in /System/Library/CoreServices.

  • Kerberos ticket not being created

    I have a user who authenticates to a 10.4.9 OpenDirectory server and is continually having his account access turned off. He can log in to his computer but cannot mount a volume from a fileserver. If access is re-enabled in Workgroup Manager for his account he is able to mount a fileserver volume. It also seems that when he logs out and logs back into his computer no Kerberos ticket is created (or at least none shows up in the Kerberos app).
    The following shows up in the kdc log for this OD server:
    Nov 12 10:09:00 xserveod.ACMECORP.ca krb5kdc[284](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.95: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Nov 12 10:09:00 xserveod.ACMECORP.ca krb5kdc[284](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.10.95: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Decrypt integrity check failed
    I've checked the time on his workstation and on the OD server and they are consistent, or at least within half a second of each other, so I'm not sure what the problem might be.
    Any ideas?

    Hi
    Presumably you enable the account, the user attempts to log in and when you go back to WGM the account is disabled again. Is that what happens? Does it also disable itself if you click Refresh after enabling the account? Does this happen even if you delete the user and recreate it again? Does it also happen if you change the User ID number to something else? For example change it from 1025 or whatever to 1125. Try forcing the user to change his/her password at next logon (Advanced > Options). Make sure the user uses a completely new one and does not use a password that they have used in the past.
    I would also make preparations to demote to Standalone just in case. Make sure you also have an effective and up-to-date backup. If you do have to demote I would hesitate in archiving the LDAP database as you may restore a corruption or deep-seated problem that has caused the issue in the first place. In which case you will soon be back to where you were. Export Users and Groups, prepare for the non transfer of passwords hit and unshare the folder being used for automounting Home Directories. Restart the server, repairs privs/perms. Create a new folder to be used for automounting Home Directories, check that DNS is configured correctly and repromote. Re-import Users and Groups. Re-share the folder to be used for automounting Home Directories, create new Home Folders for each User and copy over from previous home folders relevant files and data. Make sure you propagate permissions for each user in turn. Yes I know its a 'lowerbodypartsache' especially if you have lots of users, but if you do this now you should save yourself a lot of heartache later on.
    I’ve had to do this at several sites lately that had exactly the same problem you’ve described. At two of the sites it all started from the Self Signed Certificate expiring. This might be something you should look at also.
    Tony
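
The KDC log lines quoted in the question above can be triaged mechanically. This added example (not part of the original thread) parses krb5kdc AS_REQ lines of that shape, treats NEEDED_PREAUTH as the normal first leg of the exchange, and reports clients with repeated PREAUTH_FAILED and no issued ticket, together with the deprecated etypes they offered. The host name, principals, addresses and the ISSUE line in the sample log are constructed, and the ISSUE layout is assumed to follow MIT krb5's usual format.

```python
import re
from collections import Counter, defaultdict

# Kerberos encryption-type numbers as they appear in "etypes {...}".
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Single DES, 3DES and RC4 are deprecated for Kerberos.
WEAK_ETYPES = {1, 2, 3, 16, 23}

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"  # only present on ISSUE lines
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
    r"(?:, (?P<detail>.*))?"
)

def parse_as_req(line):
    """Return a dict for an AS_REQ log line, or None for any other line."""
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(n) for n in rec["etypes"].split()]
    return rec

def summarize(lines):
    """Count AS_REQ outcomes and weak etypes offered per (client, source IP)."""
    stats = defaultdict(lambda: {"counts": Counter(), "weak_offered": set()})
    for line in lines:
        rec = parse_as_req(line)
        if rec is None:
            continue
        entry = stats[(rec["client"], rec["ip"])]
        entry["counts"][rec["status"]] += 1
        entry["weak_offered"].update(e for e in rec["etypes"] if e in WEAK_ETYPES)
    return dict(stats)

def repeated_preauth_failures(stats, min_failures=2):
    """Clients that failed pre-authentication repeatedly and never got a TGT.

    NEEDED_PREAUTH alone is not counted: it is the KDC's normal reply to the
    first, unauthenticated AS_REQ. PREAUTH_FAILED means the pre-authentication
    data did not decrypt with the key the KDC holds for that principal.
    """
    return sorted(
        key for key, e in stats.items()
        if e["counts"]["PREAUTH_FAILED"] >= min_failures and e["counts"]["ISSUE"] == 0
    )

# Constructed sample log (placeholder host, realm, principals and addresses).
P = "kdc.example.test krb5kdc[284](info): "
TGS = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
SAMPLE_LOG = [
    "Nov 12 10:08:59 " + P + "commencing operation",
    "Nov 12 10:09:00 " + P + "AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.95: "
    "NEEDED_PREAUTH: jdoe@EXAMPLE.TEST for " + TGS + ", Additional pre-authentication required",
    "Nov 12 10:09:00 " + P + "AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.95: "
    "PREAUTH_FAILED: jdoe@EXAMPLE.TEST for " + TGS + ", Decrypt integrity check failed",
    "Nov 12 10:09:05 " + P + "AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.95: "
    "NEEDED_PREAUTH: jdoe@EXAMPLE.TEST for " + TGS + ", Additional pre-authentication required",
    "Nov 12 10:09:05 " + P + "AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.95: "
    "PREAUTH_FAILED: jdoe@EXAMPLE.TEST for " + TGS + ", Decrypt integrity check failed",
    "Nov 12 10:10:11 " + P + "AS_REQ (2 etypes {18 17}) 192.0.2.40: "
    "NEEDED_PREAUTH: asmith@EXAMPLE.TEST for " + TGS + ", Additional pre-authentication required",
    "Nov 12 10:10:11 " + P + "AS_REQ (2 etypes {18 17}) 192.0.2.40: "
    "ISSUE: authtime 1194883811, etypes {rep=18 tkt=18 ses=18}, asmith@EXAMPLE.TEST for " + TGS,
]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for client, ip in repeated_preauth_failures(stats):
        weak = sorted(stats[(client, ip)]["weak_offered"])
        names = ", ".join(ETYPE_NAMES[e] for e in weak)
        print(f"{client} from {ip}: repeated PREAUTH_FAILED, no ticket issued; "
              f"deprecated etypes offered: {names}")
```
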

  • Using SSH login to create Kerberos ticket?

    Hello everyone,
    Using a 10.5 server with Kerberos and GSSAPI, is it possible to get Leopard to take the passphrase used for a user to log in via SSH and have it use that to acquire a new Kerberos ticket?
    This would mean that you only have to type in your password once... and not twice (once for SSH and another for the kerberos ticket).
    I googled around a bit and I'm at a complete loss. Is this possible under Leopard?
    Thank you!

    If I understand correctly, you want your users to be able to login to ssh via Kerberos?
    Yes, but by default it is turned off in the client. You need to enable GSSAPIAuthentication with this configuration statement:
    GSSAPIAuthentication yes
    You can do it at a user level by entering this into ~/.ssh/config
    Or at a workstation level by entering it in /etc/ssh_config (NOT sshd_config)

  • Afpserver kerberos ticket

    10.6.8 server doesn't appear to give kerberos tickets for afp to clients that use 10.7.2.  Anyone else run into this problem or find a workaround?
    EDIT:  I want to add that SMB will give cifs tickets like it's supposed to.  So the kerberos seems to be working correctly with other services, just not AFP.

    From the 10.7 client, are you connecting with a fully qualified host name, such as afp://hostname.domain.tld?  Or are you referencing by the Bonjour name or just the hostname?  I've seen some situations in which the DHCP server does not hand out the proper search path, so even though a hostname alone will get you to the machine, kerb auth does not work because the fqdn and the kerb principals do not match.

  • Kerberos Ticket Generated at Logon Sent Twice

    We have a situation where users are getting locked out after 2 logon attempts with bad passwords. Our policy is three bad passwords produces a lockout, but we've confirmed that it locks after only 2. In troubleshooting this, we found that every time a user sends logon credentials, two kerberos tickets are generated. To AD, after the second attempt, four "bad" tickets have been sent. How in the world do we begin tracing this down?

    Or this : 
    http://www.microsoft.com/en-us/download/details.aspx?id=18465
    ALTools.exe includes:
    AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user's password on a domain controller in that user's site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).
    ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
    Caution: Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.
    ALoInfo.exe. Displays all user account names and the age of their passwords.
    EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.
    EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.
    LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.
    NLParse.exe. Used to extract and display desired entries from the Netlogon log files.
    Arnav Sharma | http://arnavsharma.net/
