Wildcards in principal names
I need to be able to use wildcards in some principal names in the policy file.
I tried to solve it with the equal() method in my Principal class, but it does not work. Where is the principal names (values) in the policy file compared to the names of the principals of the same type in the subject?
I see two possible solutions, but I would prefere another solution. What do you think? These are my solutions:
1) Let my principal class implement com.sun.security.auth.PrincipalComparator in addition to java.security.Principal.
2) Some how solve it with the implies() method in the Permission classes. (How?)
Pleas help!
The comparison is done inside the sun.security.provider.PolicyFile implementation (the default implementation of java.security.Policy).
PolicyFile calls Principal.getClass().getName() along with Principal.getName(), and then compares those values to the class name and principal name listed in the policy file. Note that these are simply String comparisons (they are not done using Principal.equals).
That means you are left with the following choices. You can implement PrincipalComparator, as you mentioned, or you can extend and replace the PolicyFile implementation.
Alternatively, there is one obscure feature in PolicyFile that is not well documented. It supports a minimal amount of wildcarding. Specifically:
grant Principal com.foo.Principal * {
grant Principal * * {
If the principal class is wildcarded, then the principal name must also be wildcarded (this is the second example above). Unfortunately this may not give you the level of wildcarding that you desire.
If the permissions you want to grant are all custom permissions (you have control over the implementation), then it may be possible to design them in a way to achieve what you want. Look at javax.security.auth.PrivateCredentialPermission. That permission encapsulates principals inside of its target name. You would have to design your custom permission class to have a similar syntax, and then the implies method could perform the correct logic for principal name wildcarding.
In this particular case, since the policy file grant statement does not contain principal information (see the example in the PrivateCredentialPermission javadocs), the String comparison that I described above does not occur. Instead, Permission.implies is called, and you have control over that behavior.
Hope that helps.
Similar Messages
-
Limitation on principal name length due to propagation?
Is there a limitation on the java.security.Principal name length due to the underlying
implementation of the security context propagation, even though it is a java.lang.String?
Thanks,
Guillaume BedardIs there a limitation on the java.security.Principal name length due to the underlying
implementation of the security context propagation, even though it is a java.lang.String?
Thanks,
Guillaume Bedard -
Hi Experts,
We had a task to migrate SQL Server all the components to another server, the migration went well and had no issues at all. but We can login to SSAS service locally wihtout any issues. when we are connecting the analysis services from the other machines(servers)
it is givng the below error.
Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
1) it is a stand alone server
2) it is connecting to default instance but not to a named instance
3) SPN's were set correctly. Double checked with the tool(MS Kerberos configuration Tool).
4) The SQL server analysis start account has domain admin privileges.
5) we can connect to Database services from the other machine remotely.
6) none of the analysis services are connecting.
Thank you in advance.Hi Ramu,
According to your description, you migrated SQL Server to another server, everything works fine except that cannot connect to SSAS remotely with the error, right?
Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
Based on my research, this issue is caused by that the SPN for account that run the Analysis Services is corrupt. You said that the SPN were set correctly, however the error message indicate that the problem is related to SPN. So in your scenario, you can
delete the SPN under the service account, and register SPN for Analysis Services instance. Please refer to the link below to see the details.
http://msdn.microsoft.com/en-IN/library/dn194200.aspx
Besides, here is a blog which describe the similar issue.
http://www.wolfsoftwaresystems.com/code/sql/the-target-principal-name-is-incorrect-microsoft-analysisservices-adomdclient/
Regards,
Charlie Liao
TechNet Community Support -
On all of my SQL Server instances, I can find SQL server error logs that have the same 3 entries below, so while I already know it can, I need a Microsoft document that says "sqlservr.exe" can so I can convince the network guys to grant the service
account for SQL "Write servicePrincipalName: Allow" in AD.
63 2014-06-26 20:24:02.980 Server The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:1433
] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication
is required by authentication policies and if the SPN has not been manually registered.
61 2014-06-26 20:24:02.970 Server The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:DW
] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication
is required by authentication policies and if the SPN has not been manually registered.
38 2014-06-26 20:24:02.840 Server SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not
be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
Duane LawrenceRefer the below article
http://blogs.msdn.com/b/psssql/archive/2010/03/09/what-spn-do-i-use-and-how-does-it-get-there.aspx
Automatic SPN Registration
When an instance of the SQL Server Database Engine starts, SQL Server tries to register the SPN for the SQL Server service. When the instance is stopped, SQL Server tries to unregister the SPN. For a TCP/IP connection the SPN is registered in the format MSSQLSvc/<FQDN>:<tcpport>.Both
named instances and the default instance are registered as MSSQLSvc, relying on the <tcpport> value to differentiate the instances.
--Prashanth -
Principal Name for Active Directory "Domain Users"
Hi,
I successufully integrated Weblogic & Active Directory Kerberos (SSO). I tested a web application and successifully logined it with authentication.
The system automatically recognized my Active Directory username. It worked.
For authentication in my weblogic.xml I used
<security-role-assignment>
<role-name>admin</role-name>
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
</security-role-assignment>
Now I'm trying to allow all domain members to authenticate my application. For my application I only need the actice directory usernames for them.
For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
I added
<principal-name>Domain Users</principal-name>
instead of writing all domain users.
However I couldn't authenticate. I got the "Error 403--Forbidden"
Is there anyone can help me?test by creating a groups under Domain Users and use it as your principal name in your weblogic.xml
-Faisal
http://www.weblogic-wonders.com -
InitialLdapContext can not be create with chinese principal name
We use JNDI to search Domino 7 directory. It works well when the principal name contains only ASCII characters, but failed when chinese charaters are used in the principal name.
This issue not occurrs when the same application is used to search Active Directory.
Can you please tell me what's wrong in my application?
Thanks for your help very much!Of course the problem does not arise with Active Directory :-) We're DBCS friendly !
Not wanting to help the opposition, I couldn't help but perform a search. Perhaps this is related to your problem: http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.support.was.doc/html/APARs/PQ61389.html -
Use principal name for email if blank in Active Directory
Hi all,
allthough I set "Use principal name for email if blank in Active Directory", Spiceworks asks me for an emailadress when i want to Login to the Portal with an AD user without emailadress.
This topic first appeared in the Spiceworks CommunityHi,
What if we change the user name of user account, will it have impact on roaming profiles.
Yes, it will affect roaming profiles. Please rename the roaming profile folder as the new user account name, in addition, change the profile path in ADUC.
Here is an related article below for you:
How to Rename a Windows 7 User Account and Related Profile Folder
http://social.technet.microsoft.com/wiki/contents/articles/19834.how-to-rename-a-windows-7-user-account-and-related-profile-folder.aspx
Best Regards,
Amy -
principal-name as a group or role
I can sucessfully restrict access to a servlet using declarative security
but is there any way to use a <principal-name> in weblogic.xml that is a
group or a role name?
Hard coding specific user names is hardly useful in a web application where
people can programmatically become new users
Thanks for your helpyes, you can use groups as principals in weblogic.xml. then permissions are
managed through the user-group relationship.
"Leonard Pham" <[email protected]> wrote in message
news:3b657f8a$[email protected]..
>
Let's say I define security constraints in the web.xml file for my webapplication
using the security-constraint,auth-constraint, and security-role tags.Does this
mean that in order to add a new user I must modify weblogic.xml andspecify a
new security-role-assignment? Can I specify a group name as a principal,or is
there a way to programatically add new users? Any help would be greatlyappreciated.
Thank you. -
We are getting this below alert message, while using SCOM 2012 R2. Anybody have any idea how to resolve this on the SQL box ?
Thx...
SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.
Service Account: NT Service\MSSQL$SQLEXPRESS
Missing SPNs:
Misplaced SPNs: MSSQLSvc/mysqlbox.com:SQLEXPRESS - sqldbadmin
Duplicate SPNs:To Fix this issue, You can check below links
http://support.microsoft.com/kb/2443457/EN-US
http://www.scomgod.com/?p=155
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"Mai Ali | My blog:
Technical | Twitter:
Mai Ali -
Hello,
I have DC1(fsmo role holder) and DC2 which were replicating. I ran windows update on DC1 and rebooted which it had not done in months. When it came back up I could run repadmin /showrepl successfully on DC1. However when running on
DC2 I get the "2146893022: target principal name is incorrect" message.
I understand you can run the "netdom resetpwd /s:server /ud:<var style="box-sizing:border-box;margin:0px;padding:0px;color:#333333;font-family:'Segoe
UI regular', 'Segoe UI', Arial, Tahoma, sans-serif;font-size:13px;font-weight:bold;line-height:16px;">mydomain</var>\administrator
/pd:*" command but I am unsure:
1. Where would I run this command
2. Which server goes in th"/s:server"? Would it be the DC1 or the DC2?How would this look with information below and what DC would I run it from?
netdom resetpwd /s:<var style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;font-weight:bold;line-height:normal;">server</var> /ud:<var
style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;font-weight:bold;line-height:normal;">domain</var>\<var
style="color:#333333;font-family:'Segoe UI', Arial, Verdana, Tahoma, sans-serif;font-size:13px;font-weight:bold;line-height:normal;">User </var>/pd:*
Source DC FF-INFRA1 was requested for a manual security error check.
Diagnosing...
Authoritative attribute pwdLastSet on FF-INFRA1 (writeable)
usnLocalChange = 5860902
LastOriginatingDsa = FF-INFRA1
usnOriginatingChange = 5860902
timeLastOriginatingChange = 2014-12-08 20:44:05
VersionLastOriginatingChange = 12
Out-of-date attribute pwdLastSet on SERVER2 (writeable)
usnLocalChange = 8992092
LastOriginatingDsa = FF-INFRA1
usnOriginatingChange = 5163496
timeLastOriginatingChange = 2014-11-08 15:43:39
VersionLastOriginatingChange = 11
Unable to verify the convergence of this machine account
(CN=FF-INFRA1,OU=Domain Controllers,DC=COPHT,DC=local) on these
DC's (DC=COPHT,DC=local,☺). Does the machine account password
need resetting? Are the SPN's in sync?
[FF-INFRA1] Unable to diagnose problem for this source. See any
errors reported in attempting tests.
Authoritative attribute pwdLastSet on FF-INFRA1 (writeable)
usnLocalChange = 5860902
LastOriginatingDsa = FF-INFRA1
usnOriginatingChange = 5860902
timeLastOriginatingChange = 2014-12-08 20:44:05
VersionLastOriginatingChange = 12
Out-of-date attribute pwdLastSet on SERVER2 (writeable)
usnLocalChange = 8992092
LastOriginatingDsa = FF-INFRA1
usnOriginatingChange = 5163496
timeLastOriginatingChange = 2014-11-08 15:43:39
VersionLastOriginatingChange = 11
Unable to verify the convergence of this machine account
(CN=FF-INFRA1,OU=Domain Controllers,DC=COPHT,DC=local) on these DC's
(DC=COPHT,DC=local,☺). Does the machine account password need
resetting?
......................... FF-INFRA1 failed test CheckSecurityError -
Service principal names of user are not unique; check the active directory
Hello Experts,
My company had set up this service principal account to use with Kerberos and I am trying to configure the authentication template using SPNEGO wizzard. The format of the service account is not the same as SAP recommened (J2EE-SID-DOMAIN) but something like abc_de_portal. After trying to use that account with the wizzard I am getting this error "Service principal names of user abc_de_portal are not unique; check the active directory configuration." I am not sure what else in the AD attributes is causing the problem. Please let me know if you have ran into similar issue and how did you corrected. Points will be rewarded of course.
Thank you so much for any help that I can get.Hello Duy,
SPN of the service user for kerberos has to be unique as you would have made out from the message . There seems to be
someother user having the SPN as yours.
You would have to find the other AD user with the same SPN as yours and then de register that with
setspn u2013d <SPN> Username
Then this error should not come up after that .
There was a tool called Ldifde which you can use for this. We have our AD team do this for us. Would be better if you ask them to carry this out.
Rgds -
Principal name character set restriction ?
In weblogic.xml, principal-name is of type PCDATA in Weblogic 8.x and ealier, but is of type NMTOKEN in Weblogic 9.0 and later.
So a principal-name value like "id=manager,dc=pg&e,dc=com" works in 8.x but doesn't work in 9.x due to the '=', ',' and '&'.
(when you deploy your application with the above in weblogic.xml, the Weblogic 9.x will complain the value is not conformant to NMTOKEN type)
How to deal with this ?
Should there be some kind of backward compatibility here ?
If not, what is the best way to convert the value to NMTOKEN type that'll be accepted by 9.x.
Thanks for any hints.I am facing a very similar problem too. I had the principal name as DEFAULT ADMIN in WLS 8.x and it worked and it complains about not conforming to the NMTOKENTYPE in WLS 9.1 . Looks like NMTOKEN does not support white spaces. I have to make DEAFULT ADMIN as a single word to get it working on WLS9.1. Do let me know if there is another alternative for this
-
Service principal names of user j2ee- SID are not unique
Hi everyone,
I am trying to configure the SPNego, following the guide below Configuring and troubleshooting SPNego -- Part 1
but I'm getting an error that I have not been solved
then pictures of the developments so far:
[step 1|http://imageshack.us/photo/my-images/807/59238690.jpg/]
[Step 2|http://imageshack.us/photo/my-images/804/55731867.jpg/]
[Step 3|http://imageshack.us/photo/my-images/27/73007146.jpg/]
Test following and has not worked
http://help.sap.com/saphelp_em70/helpdata/en/45/59b55b943909cae10000000a114a6b/content.htm
thanks
ManuelHi, Manuel!
Check these threads for solution:
Service principal names of user are not unique; check the active directory
Service Principal Names of Users j2ee-MDS-tcsm3 not in unique-Check ADC
Regards, Mikhail. -
Target principal name is incorrect - cannot generate SSPI context
First off, yes, I've looked at numerous articles on this subject and haven't yet found someone with a similar situation and none of the resolutions I've found seem applicable.
My situation: Server 2008R2 Enterprise with SQL 2012 Standard. I have two instances running on this server, DEV and TEST. I do not have a default (unnamed) instance. This is one of the differences between my situation and every other
article I've looked at. I AM able to connect remotely to the DEV instance, but the TEST instance give me the SSPI error. To take it a step further, the SQL services aren't running under domain credentials; they're running under local credentials.
These two issues don't match anything I've found on the subject so far.
I ran "setspn -L" against the server's machine account (since the SQL services are local, not domain) and here's what I got:
MSSQLSvc/[server FQDN]:49592
MSSQLSvc/[server FQDN]:TEST
MSSQLSvc/[server FQDN]:49487
MSSQLSvc/[server FQDN]:DEV
WSMAN/[server]
WSMAN/[server FQDN]
TERMSERV/[server FQDN]
TERMSERV/[server]
RestrictedKrbHost/[server]
HOST/[server]
RestrictedKrbHost/[server FQDN]
HOST/[server FQDN]
The server is of course a domain member, and we only have a single domain, so there's no cross-domain/forest stuff going on.
Remotely, SA authentication works against both instances. Locally, both SA and Windows authentication work against both instances. Remotely, Windows authentication works against the DEV instance, but not against the TEST instance, returning the
error "The target principal name is incorrect. Cannot generate SSPI context."
Both database have identical settings in the SQL Config Mgr (Shared Memory and TCP/IP enabled). Both instances are set to allow remote logon.
The security for the various services:
SQL Server (DEV) = NT Service\MSSQL$DEV
SQL Server (TEST) = NT Service\MSSQL$TEST
SQL Server Agent (DEV) = NT Service\SQLAgent$DEV
SQL Server Agent (TEST) = NT Service\SQLAgent$TEST
SQL Server Browser = Local Service
On both instances, the query "exec xp_readerrorlog 0,1,'could not register the Service Principal Name',Null" comes back with two entries from when the system was installed, saying it was unable to register the SPN. That makes sense, because
SQL isn't running with domain credentials, although the SPNs ARE apparently in AD (see above).
On both instances, the query "select net_transport, auth_scheme from sys.dm_exec_connections where session_id=@@spid" returns the same thing - "shared memory", "NTLM". Basically, I can find no configuration difference
between the two instances.
Anyone got any ideas?Hi Todd,
According to your description, we need to make sure the typed server name is right, and verify if your windows account is valid when you connect to the test instance remotely by using Windows authentication. You can refer to the following steps for checking
the login name.
1.Log in the test instance remotely by using sa authentication.
2. Enter the security and check if the windows account is valid.
In addition, there is more details about how to troubleshoot the "Cannot generate SSPI context" error message, you can review the article.
http://support.microsoft.com/kb/811889
Thanks,
Sofiya Li
If you have any feedback on our support, please click here.
Sofiya Li
TechNet Community Support -
Demote Server and Remove AD DS Role fails with "the target principal name is incorrect"
Hi all,
I am attempting to demote a domain controller so i can remove the AD DS role and have the server just its own workstation.
This domain controller has never replicated the domain and DS services were/are not working. We didnt discover this until the other domain controller died and has since been rebuilt with a brand new domain. The old domain no longer exists whatsoever.
So as said, I'm trying to demote this server, there is no domain to tidy up afterwards. However even with force removal option I'm getting the DFS Replication error: "the target principal name is incorrect". I do not exactly require
it do this myself, there is nothing to replicate anymore, i just need the DC demoted or role completely removed. There are no other DC's to transfer FSMO's or anything like that as its to be completely stand-alone.
Does anyone have any ideas how this role can be forcibly removed other than using the " force removal option " in ADDS config wizard?
Any help will be gratefully appreciated.
Thanks in advance
PhillHi Phill,
You can try to use Ntdsutil.exe to perform metadata cleanup.
If this doesn’t work, then I agree with Ed that you would need to reinstall the machine.
More information for you:
Clean Up Server Metadata
http://technet.microsoft.com/en-us/library/cc816907(v=WS.10).aspx#bkmk_commandline
Best Regards,
Amy
Maybe you are looking for
-
How to install previously purchased CS5 products on a MacBook Pro w/out a CD drive?
I recently purchased a MacBook Pro with retina display that does not have a CD drive. I own the Adobe Premiere Pro CS5 & Adobe Photoshop CS5 Extended in CD form. Since the new MacBook Pro does not have a CD drive how would I install my previously pur
-
Itunes wont even come up!!!!
i just downloaded the new itunes 7 but i wont work every time i click on it it says, 'Quicktime Version 7.0d0 is installed, Itunes requires Quicktime version 7.1.3 or later plaease reinstall intunes' but i already did several times and i restarted my
-
oracle rac 환경에서 hotbackup 시에 정보를 구하고 있습니다. 싱글 모드에서는 begin backup 하고 !cp 하고 end backup 진행하면 되는데 rac 환경에서는 어떤 방식인지(dd??사용법) 어떤 것을 백업을 받아야 되는지 알고 싶어요
-
CK727 -Lot size cannot be passed on in combination with mixed costing
I get below error. We have KMAT materials and scenario is Non Valuated Sales Order Stock. in our PPC4 - we have below settings. (Both are SAP recommended) Qty Structure tab we have Pass on Lot size "1" with individual requirements (must of Non Valua
-
Junk folder is stuck in the trash
Somehow I accidentally moved my junk folder to the trash, and for the life of me cannot get it out.