Web Proxy Authentication using Kerberos or NTLM - ForeFront TMG

Similar Messages

• Mac Adobe Flash Player not supporting Web Proxy Authentication

  Anyone else got an enterprise network where you use web proxies with web authentication and no traffic allowed out except through the proxies?
  You may need to be in the UK for this, but try accessing BBC iPlayer content - http://www.bbc.co.uk/iplayer and you should discover that the content won't play. the error says "This content doesn't seem to be working. Try again later.". The content will never work as the Mac version of Flash (currently 10.1.53.64) is not able to respond to web proxy authentication requests. The BBC use various streaming server which are randomly selected when a user starts a stream and they have no DNS. Just IP addresses. They don't publish a list for security reasons. So it is almost impossible to exempt all their servers from authentication.
  I've logged a bug with Adobe. If you have this issue too, please add a comment and vote so that they can begin to grasp the impact of this problem:
  https://bugs.adobe.com/jira/browse/FP-5161

  I have the same issues in Australia trying to access flash content from the ABC website. The strange thing is the content will play if your leave the browser open for 5min.
  After several packet data captures we identified that it has to do with the amount of time it takes the Mac timeout from the proxy before it plays the video content.
  No solution yet.

• How to set proxy authentication using java properties at run time

  Hi All,
  How to set proxy authentication using java properties on the command line, or in Netbeans (Project => Properties
  => Run => Arguments). Below is a simple URL data extract program which works in absence of firewall:
  import java.io.*;
  import java.net.*;
  public class DnldURLWithoutUsingProxy {
     public static void main (String[] args) {
        URL u;
        InputStream is = null;
        DataInputStream dis;
        String s;
        try {
            u = new URL("http://www.yahoo.com.au/index.html");
           is = u.openStream();         // throws an IOException
           dis = new DataInputStream(new BufferedInputStream(is));
           BufferedReader br = new BufferedReader(new InputStreamReader(dis));
        String strLine;
        //Read File Line By Line
        while ((strLine = br.readLine()) != null)      {
        // Print the content on the console
            System.out.println (strLine);
        //Close the input stream
        dis.close();
        } catch (MalformedURLException mue) {
           System.out.println("Ouch - a MalformedURLException happened.");
           mue.printStackTrace();
           System.exit(1);
        } catch (IOException ioe) {
           System.out.println("Oops- an IOException happened.");
           ioe.printStackTrace();
           System.exit(1);
        } finally {
           try {
              is.close();
           } catch (IOException ioe) {
  }However, it generated the following message when run behind the firewall:
  cd C:\Documents and Settings\abc\DnldURL\build\classes
  java -cp . DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.net.ConnectException: Connection refused
  at java.net.PlainSocketImpl.socketConnect(Native Method)
  at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
  at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
  at java.net.Socket.connect(Socket.java:452)
  at java.net.Socket.connect(Socket.java:402)
  at sun.net.NetworkClient.doConnect(NetworkClient.java:139)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:402)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:618)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:306)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:267)
  at sun.net.www.http.HttpClient.New(HttpClient.java:339)
  at sun.net.www.http.HttpClient.New(HttpClient.java:320)
  at sun.net.www.http.HttpClient.New(HttpClient.java:315)
  at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:510)
  at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:487)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615) at java.net.URL.openStream(URL.java:913) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  I have also tried the command without much luck either:
  java -cp . -Dhttp.proxyHost=wwwproxy -Dhttp.proxyPort=80 DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.io.IOException: Server returned HTTP response code: 407 for URL: http://www.yahoo.com.au/index.html
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1245) at java.net.URL.openStream(URL.java:1009) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  All outgoing traffic needs to use the proxy wwwproxy (alias to http://proxypac/proxy.pac) on port 80, where it will prompt for valid authentication before allowing to get through.
  There is no problem pinging www.yahoo.com from this system.
  I am running jdk1.6.0_03, Netbeans 6.0 on Windows XP platform.
  I have tried Greg Sporar's Blog on setting the JVM option in Sun Java System Application Server (GlassFish) and
  Java Control Panel - Use browser settings without success.
  Thanks,
  George

  Hi All,
  How to set proxy authentication using java properties on the command line, or in Netbeans (Project => Properties
  => Run => Arguments). Below is a simple URL data extract program which works in absence of firewall:
  import java.io.*;
  import java.net.*;
  public class DnldURLWithoutUsingProxy {
     public static void main (String[] args) {
        URL u;
        InputStream is = null;
        DataInputStream dis;
        String s;
        try {
            u = new URL("http://www.yahoo.com.au/index.html");
           is = u.openStream();         // throws an IOException
           dis = new DataInputStream(new BufferedInputStream(is));
           BufferedReader br = new BufferedReader(new InputStreamReader(dis));
        String strLine;
        //Read File Line By Line
        while ((strLine = br.readLine()) != null)      {
        // Print the content on the console
            System.out.println (strLine);
        //Close the input stream
        dis.close();
        } catch (MalformedURLException mue) {
           System.out.println("Ouch - a MalformedURLException happened.");
           mue.printStackTrace();
           System.exit(1);
        } catch (IOException ioe) {
           System.out.println("Oops- an IOException happened.");
           ioe.printStackTrace();
           System.exit(1);
        } finally {
           try {
              is.close();
           } catch (IOException ioe) {
  }However, it generated the following message when run behind the firewall:
  cd C:\Documents and Settings\abc\DnldURL\build\classes
  java -cp . DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.net.ConnectException: Connection refused
  at java.net.PlainSocketImpl.socketConnect(Native Method)
  at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:305)
  at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:171)
  at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:158)
  at java.net.Socket.connect(Socket.java:452)
  at java.net.Socket.connect(Socket.java:402)
  at sun.net.NetworkClient.doConnect(NetworkClient.java:139)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:402)
  at sun.net.www.http.HttpClient.openServer(HttpClient.java:618)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:306)
  at sun.net.www.http.HttpClient.<init>(HttpClient.java:267)
  at sun.net.www.http.HttpClient.New(HttpClient.java:339)
  at sun.net.www.http.HttpClient.New(HttpClient.java:320)
  at sun.net.www.http.HttpClient.New(HttpClient.java:315)
  at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:510)
  at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:487)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:615) at java.net.URL.openStream(URL.java:913) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  I have also tried the command without much luck either:
  java -cp . -Dhttp.proxyHost=wwwproxy -Dhttp.proxyPort=80 DnldURLWithoutUsingProxy
  Oops- an IOException happened.
  java.io.IOException: Server returned HTTP response code: 407 for URL: http://www.yahoo.com.au/index.html
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1245) at java.net.URL.openStream(URL.java:1009) at DnldURLWithoutUsingProxy.main(DnldURLWithoutUsingProxy.java:17)
  All outgoing traffic needs to use the proxy wwwproxy (alias to http://proxypac/proxy.pac) on port 80, where it will prompt for valid authentication before allowing to get through.
  There is no problem pinging www.yahoo.com from this system.
  I am running jdk1.6.0_03, Netbeans 6.0 on Windows XP platform.
  I have tried Greg Sporar's Blog on setting the JVM option in Sun Java System Application Server (GlassFish) and
  Java Control Panel - Use browser settings without success.
  Thanks,
  George

• ForeFront TMG - Web Proxy Authentication

  Hi All! We have a Forefront TMG installed in single network adapter. We configure it as a WebProxy for the domain users. The proxy setting is distributed by GPO. So, we want to authenticate users to correctly set the web filtering (with websense ISA plugin).
  Well, the only way to have the correct authentication is to set "Require All user to Authenticate" (It's the correct behavior?). So, if we untick the switch all the users is recognized as "anonimous".  And if we have some user that
  it's not in our domain we want to permit the navigation with proxy. (for example with anonimous authentication..)
  Any help?

  On Wed, 9 Apr 2014 17:06:06 +0000, Michele Sandonini wrote:
  Hi All! We have a Forefront TMG installed in single network adapter
  TMG has a dedicated forum:
  https://social.technet.microsoft.com/Forums/forefront/en-US/home?forum=Forefrontedgegeneral
  Paul Adare - FIM CM MVP
  Lisp has all the visual appeal of oatmeal with fingernail clippings
  mixed in. -- Larry Wall

• Web Service Authentication using Microsoft Active Directory

  Hi
  Is there a way to create Oracle Java Web Services that requires authentication using Active Directory?
  Regards,
  Néstor Boscán

  If you use the SOA Suite the Oracle Web Service Manager is included in there. Using this you can add steps that will authenticate against an AD.
  cu
  Andreas

• Why doesn't Web Proxy Server use default route?

  After downloading Sun Java Web Proxy Server, I notice that the path to retrieve URLs from the internet does not go out the default route.
  However my pings, traceroutes, telnets, etc. to the same URLs do go out to the default route correctly.
  I have tried with both SP5 and SP6.
  Thanks

  I went to about:cache. It says 0 Kib offline cache.
  I went to the two links, but I can't understand what to do. I know I have to allow some storage in order for the Flash based cams to run. I have the one I use the most set to allow 100 KB but is says there is 0 being used.
  I'm attaching a few screen captures. There are many sites listed below where the last one is cut off. I don't even know what some of them are. I don't understand what to do. Sorry.
  EDIT. I may have found the area that is causing the problem. See last screenshot of Website Storage Settings panel. For some reason, that is now on 0. I don't remember changing it to that or ever seeing this section before. Should I move it to some other number?
  Another EDIT: I did move that slider over in the last screenshot, and I now have the cache and Clear works again. So you helped me solve this problem that was causing FF to crash all the time, I think. Thank you!
  But now that I've seen that list of places storing things, I'm worrried about the ones I've never heard of and don't remember visiting. Is it a good idea to click Delete all sites or am I over-reacting to all this malware scare? Maybe I picked them up from Pinterest. I do have Sophos Antivirus running, so I don't think I have a problem at this time.

• Proxy authentication using SAAJ

  Hi everybody,
  Is it possible do connect from a JAXM 1.1 (JWSDP 1.0, Java XML Pack Summer 02 Bundle) client that is behind a proxy/firewall that requires user authentication ?, should I use the Apache SOAP implementation ?, ideas ?, suggestions ?
  TIA,
  Pedro Mendoza

  hi ddossot,
  thanks for your prompt reply, i have tried http.proxyUserName and http.proxyPassword (both clear-text and BASE64 encoded) but unfortunately i still receiving "407 Proxy Authentication required" error message, i have tried to connect through the same proxy using the Apache SOAP (instead of Sun SAAJ RI) and everything was right
  perhaps i am missing something, i would apreciate further help on this issue since (if we need to migrate to Apache SOAP) it would mean a serious code rewrite
  if you prefer i could provide you the code-snippet so you could figure out what is happening
  TIA,
  Pedro

• Web proxy server using servlet

  Hello members,
  I want to develop a web proxy server like this [http://www.webproxyserver.net|http://www.webproxyserver.net] using servlet. anyone of you have any idea how to this, kindly suggest me. Thanks

  HttpProxyServlet's configuration properties are added as server init parameter in web.xml which one can configure at deployment time. Most of the properties have a default value which will take effect if it is not set in web.xml
  Refer to http://e-docs.bea.com/wls/docs100/plugins/http_proxy.html#wp115201 for more details.

• How to Identify the Network Topology being used for a running ForeFront TMG Stand Alone array?

  Hello Experts,
  My client has decided to move their datacenter  from one location to other including the ForeFront TMG servers which are being used as Reverse Proxy and TMG Gateway  in DMZ environment.
  I need to know the network topology used for this configuration so that I could chose the same topology when creating new TMG environment at new datacenter. Here are some details : 
  1. There are 2 TMG servers configured in a DMZ Workgroup in Stand Alone array.
  2. Both servers have 3 NIC attached to them. (one has all public IPs configured, another one has internal IP address and the third one has Management IP which is used to connect the server via RDP).
  3. There are more than 50 websites published via this standalone array.
  I am very new to Forefront TMG technology and need to know the Topology used to create such environment.
  Thanks 
  Lalit

  Hi,
  According to your description, you can use the 3-leg perimeter network template and choose which network adapter connects to the LAN, which network adapter connects to the external  network and which network adapter connects to the DMZ.
  Did you set up TCP/IP settings for the three NICs? If not, please refer to the link below:
  Recommended Network Adapter Configuration for Forefront TMG Enterprise Edition Servers
  More information:
  Microsoft Forefront TMG – How to use TMG network templates (Note:
  Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.)
  Best regards,
  Susie

• Error while creating a web proxy service using wsdl

  Hi folks,
  In my use case I should create a web service proxy using the wsdl. While I am creating the
  web service proxy I am getting some error like the binding method does not have the SOAP extension.
  I am giving the error below for more clarity
  Caused by: oracle.j2ee.ws.common.tools.api.WsdlValidationException: input message of binding operation "createReference" does not have a SOAP body extensionCaused by: oracle.j2ee.ws.common.tools.api.WsdlValidationException: input message of binding operation "createReference" does not have a SOAP body extension
  What could be the problem? Kindly help me on this.
  Thanks,
  Phani

  Hi,
  I guess wsdl URL for Data source is not working as expected
  See
  http://blogs.oracle.com/middleware/entry/calling_web_services_using_adf_11g
  http://st-curriculum.oracle.com/obe/jdev/obe11jdev/ps1/webservices/ws.html

• Calling web service -authentication using passwordtext

  Hi,
  My requirement is to call a web service . WS which I consume need password type as Passwordtext.
  I did following step
  1.From SE80 created Enterprise Services using WSDL file.
  2.In SOAMANAGER select my consumer proxy.
  3.Created Logical port ZXYZ by selecting WSDL based configuration and gave WSDL url.
  When I execute this proxy Iu2019m getting login error.
  I check the blog /people/wolfgang.bauer2/blog/2009/07/08/call-wcf-service-net-from-sap-with-usernametoken-and-ssl
  If use web.config file then I'm getting error in Method: IF_SIDL_DESERIALIZER~DESERIALIZE of program CL_SIDL_DESERIALIZER==========CP. Reason is this method check for url http://schemas.xmlsoap.org/wsdl/ in the file.
  When checked the soapui using the password type as passwordtext, Soap header is formed like below and it work fine without any issue.
  <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsse:Username>USERNAME</wsse:Username>
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD</wsse:Password>
  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">5oHK2KjEop8a6OPsl3pw6Q==</wsse:Nonce>
  <wsu:Created>2011-08-17T17:58:50.068Z</wsu:Created>
  </wsse:UsernameToken>
  </wsse:Security>
  </soapenv:Header>
  Can any one help me how to pass password type as passwordtext. And also can you help me on custom binding.
  Thanks in advance

  Hi Pradeep,
  My Abap skills are really limited but I can offer a suggestion to start with, you will need to explicitly add these WS-Security nodes to the SOAP header before the consumer proxy initiates the runtime call.
  You do this by using the IF_WSPROTOCOL_WS_HEADER interface. Follow this thread (as well as the referenced thread where Thomas Jung gives a code example) for more detail on how to implement this in the consumer proxy:
  [External Web Service Requires - WS-Security Header (calling from ABAP);
  Regards, Trevor

• Procurve 2910al Web interface authentication using Radius

  I have a Procurve 2910al switch and I'm trying to use our radius server to authenticate when we access the web interface. Currently, I have am able to authenticate from our radius server using ssh so I know our radius server works. However, when I log into the web interface, it logs me in as an operation and not an admin. I have the following commands enabled: radius-server host x.x.x.xradius-server timeout 2aaa authentication ssh login radius localaaa authentication ssh enable radius localaaa authentication web login radius localaaa authentication web enable radius localno web-managementweb-management ssl what am I missing?  I'm on W.15.14.0012 ROM 14.06 Thanks,Jasper 

  Using the Web Authentication feature on a Cisco wireless LAN controller, we can authenticate a guest user on the wireless LAN controller, on an external web server or on an external database on a RADIUS server. We can configure the wireless LAN used for guest traffic to authenticate the user from an external RADIUS server.
  To enable an external RADIUS server to authenticate traffic using the GUI, follow this link.
  http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001207

• Proxy authentication window

  I've installed Java Web Start and I'm experiencing the following behaviour.
  My web browser has a proxy configured and in the Java Web Start
  preferences it's specified to use the browser configuration (not
  manual).
  Now, sometimes the window asking for proxy authentication appears,
  even when I'm not launching a Java Web Start application.
  It seems to me that the proxy authentication window appears when a new Java Virtual Machine is invoked.
  Is it a known behaviour ? What's the reason for it ? How can we avoid
  it ?
  We think it would be very annoying for a user beeing asked repeatedly for proxy authentication, expecially when he/she doesn't understand the reason why it happens.
  My best regards
  Cristina Tomacelli
  Italy

  ... to tweak the config files ?
  If you are on Win32 and your proxy is using ? la NTLM authentication then the 1.4.2 should fix this...
  Tchao.
  Jean-Baptiste Bugeaud
  http://www.up2go.net - WebStart @ the MAX !

• Checksum failed while authenticating via Kerberos

  Hi All,
  I having a problem getting authentication using kerberos to work, I get the message checksum failed. The environment is Windows 2008 Server as DC and IE 8 as client and the application is running inside JBoss (in this case I am using the negotiation-toolkit) and the following trace is in the server.log. Can someone point me in the right direction for solving this problem, i've configured two local environments using w2k3 and w2k8 which are both working just fine but in the customers network it fails with the following trace:
  l
  2011-03-30 11:33:21,845 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:{}
  2011-03-30 11:33:21,846 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8888-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
  2011-03-30 11:33:21,846 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Authenticating user
  2011-03-30 11:33:21,846 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Header - Negotiate 2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (http-0.0.0.0-8888-1) 2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-0.0.0.0-8888-1)2011-03-30 11:33:21,848 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) associate 176127440
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Begin isValid, principal:FFE8282EB0A470619839BBD7EDF16A5E, cache info: null
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) defaultLogin, principal=FFE8282EB0A470619839BBD7EDF16A5E
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(SPNEGO), size=13
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
  ControlFlag: LoginModuleControlFlag: requisite
  Options:
  name=serverSecurityDomain, value=host
  name=password-stacking, value=useFirstPass
  [1]
  LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
  ControlFlag: LoginModuleControlFlag: required
  Options:
  name=usersProperties, value=props/spnego-users.properties
  name=rolesProperties, value=props/spnego-roles.properties
  name=password-stacking, value=useFirstPass
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) initialize
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
  2011-03-30 11:33:21,850 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) serverSecurityDomain=host
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) login
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(host), size=13
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: com.sun.security.auth.module.Krb5LoginModule
  ControlFlag: LoginModuleControlFlag: required
  Options:
  name=principal, value=host/[email protected]
  name=useKeyTab, value=true
  name=storeKey, value=true
  name=keyTab, value=/DATA/jbossserver.host.keytab
  name=debug, value=true
  name=doNotPrompt, value=true
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /DATA/jbossserver.host.keytab refreshKrb5Config is false principal is host/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) KeyTab instance already exists
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Added key: 23version: 4
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Ordering keys wrt default_tkt_enctypes list
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) principal's key obtained from the keytab
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Acquire TGT using AS Exchange
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq calling createMessage
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq in createMessage
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000, number of retries =3, #bytes=158
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KDCCommunication: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000,Attempt =1, #bytes=158
  2011-03-30 11:33:21,853 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsRep cons in KrbAsReq.getReply host/jbossserver
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) principal is host/[email protected]
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Added server's keyKerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule] added Krb5Principal host/[email protected] to Subject
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Commit Succeeded
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Subject = Subject:
       Principal: host/[email protected]
       Private Credential: Ticket (hex) =
  0000: 61 82 01 1F 30 82 01 1B A0 03 02 01 05 A1 13 1B a...0...........
  0120: 9E 96 D4 ...
  Client Principal = host/[email protected]
  Server Principal = krbtgt/[email protected]
  Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 81 5B 77 9E C3 74 46 AC 87 26 B0 00 5C B6 56 6E .[w..tF..&..\.Vn
  Forwardable Ticket false
  Forwarded Ticket false
  Proxiable Ticket false
  Proxy Ticket false
  Postdated Ticket false
  Renewable Ticket false
  Initial Ticket false
  Auth Time = Wed Mar 30 11:33:17 CEST 2011
  Start Time = Wed Mar 30 11:33:17 CEST 2011
  End Time = Wed Mar 30 21:33:17 CEST 2011
  Renew Till = null
  Client Addresses Null
       Private Credential: Kerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Logged in 'host' LoginContext
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Creating new GSSContext.
  2011-03-30 11:33:21,866 INFO [STDOUT] (http-0.0.0.0-8888-1) Found key for host/[email protected](23)
  2011-03-30 11:33:21,867 INFO [STDOUT] (http-0.0.0.0-8888-1) Entered Krb5Context.acceptSecContext with state=STATE_NEW
  2011-03-30 11:33:21,868 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  2011-03-30 11:33:21,869 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum failed !
  2011-03-30 11:33:21,870 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
  2011-03-30 11:33:21,870 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Unable to authenticate
  GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:337)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
  Caused by: KrbException: Checksum failed
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
       at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
       at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
       at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
       at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
       ... 35 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
       at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
       at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
       ... 41 more
  2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule]: Entering logout
  2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule]: logged out Subject
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) abort
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) initialize
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-users.properties, defaults=null
  2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[]
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-roles.properties, defaults=null
  2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[[email protected], [email protected]]
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) abort
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Login failure
  javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) End isValid, false
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) clear 176127440
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null

  Thanks! That did the trick.
  For those who aren't sure what we're talking about, here are the details. In the inspector tab of the user's record in Workgroup Manager, there's an item called AuthenticationAuthority. For servers that use Kerberos, it should have at least two attributes, one for ApplePasswordServer and one for Kerberos.
  The Kerberos entry should look something like this:
  ;Kerberosv5;0x4de7dafb19f92bf00000008b0000207c;[email protected];
  MYSERVER.MYDOMAIN.COM;1024 35 1501888096699469040706569854027123220425732604738787130135110270232071940183724 3
  78199029604219894640418726569868666187867257570714183982184166144733112632082318
  21356466533532379022305132046121848691642928615842396713606475071069113591094835
  025483043226511805720826544139932983788313141311383927555379596135211 [email protected]:123.45.67.89
  When you copy the attribute from a working user, there are two items that need to be changed (assuming you have only one kerberos realm). The first item is the long string of letters and numbers after ;Kerberosv5; in the first line. That's the user's UUID. The second is the user's short name ("fred" in the example above). The easiest way to make the changes is to paste the attribute into a text editor (TextEdit, or TextWrangler if you have it). Copy the user's UUID from the problematic account, and paste it over the one in the text you previously copied and pasted. Then change the short name to match the problematic user. Then copy the entire block from your text editor, select AuthenticationAuthority and click the New Value button. Click in the Text: field and paste. The Hex field will take care of itself. Click OK, then Save your changes.
  Of course before you start making changes like this to your directory, make sure you have a good back up to revert back to in case something gets messed up.

• Why doesn't Sun ONE Web Proxy Server support full replication?

  Sun believes caching on-demand is a much more appropriate model for either the World Wide Web or an intranet. Common indexes should be distributed, but data can (and should) be stored wherever is most appropriate on the network. If Proxy Servers are deployed, there will be a 50 percent to 75 percent chance that the document will be cached locally and no chance of getting stale data.
  Sun ONE Web Proxy Server uses sophisticated statistical analysis to store the documents most likely to be needed. It also manages document expiry and version control, and by default checks the home server every time a document is requested. Full replication like that performed by other softwares presumes that each document needs to be fully replicated on every server. (Imagine doing that on the Web!) This model limits the scalability of the infrastructure, and requires many more servers, more hardware, and more management complexity. More importantly, it increases the likelihood of getting stale data. A document checked in at one location may take a day or more to be fully replicated around the world.

  If you have a support contract, get in touch with a support engineer. We've run into a bug related to following referrals in the "off-the-shelf" version of the proxy server. I believe there is a hotfix that solves the issue.