Windows 2000 Authentication

Hi. I've tested the sample JAAS authentication code below and it works. I have two questions: 1) How do I modify this to authenticate a Windows 2000 user and 2) how do I get it to run as a Java Servlet? Thanks for any suggestions.
Using:
java -Djava.security.auth.login.config==jaas.config JAASSampleApp testuser sasquatch
jaas.config:
Sample {
     PasswordLoginModule required;
};
JAASSampleApp.java:
import javax.security.auth.*;
import javax.security.auth.login.*;
import java.security.*;
public class JAASSampleApp extends Object {
     public static void main(String[] args)
     throws Exception {
          if (args.length != 2) {
               System.err.println
                    ("Usage: java JAASSampleApp username password");
               System.exit(1);
          }
          String username = args[0];
          char[] password = args[1].toCharArray();
          // "Sample" is the name of the entry in jaas.config
          LoginContext loginContext = new LoginContext(
               "Sample", new UsernamePasswordCallbackHandler
                    (username, password));
          loginContext.login();
          // Now we're logged in, so we can get the current subject.
          Subject subject = loginContext.getSubject();
          // Display the subject
          System.out.println(subject);
     }
}

User authentication in servlets has 2 purposes:
1) You want to be sure that the incoming user is a "true" one (user-password verification)
2) You want to use the user's object authorities inside of your servlet.
So, if you want to do the user-password verification, you have to do it yourself - you have to write some Java class with a native method (the DLL that was mentioned in the reply from nort_de). Inside of this DLL you have to do the user-password verification, for example, through the LogonUser function from the Windows SDK. You can do it without using JAAS at all.
If you want to use the user's object authorities inside of your Java code, you have to use JAAS.
Regards,
Oleg

Similar Messages

  • ACS External Windows Authentication: Pre-Windows 2000 name only works

    Hello. I have attempted to map ACS to Windows AD 2003 as an External Database. That works, but only if I authenticate using the Pre-Windows 2000 name (sometimes called the "down-level" name).
    If I use the Windows 2003 login name, I get a 529 error in the event viewer, stating the username/password is incorrect. This error appears on the Windows 2003 SP1 server running ACS.
    Curiously, if I authenticate using the down-level name, the successful event shows the same authentication package (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) and "Workstation" and "Login Process" name (CISCO).
    I cannot determine if this is an ACS or Windows problem. Anyone have a clue?

    Win2003 logon name: [email protected]
    A Pre-Windows2000 name: [email protected]
    Interestingly, the down-level name will authenticate, but the "up-level" name will not.
    Here are excerpts from AUTH.log:
    Failed up-level name:
    AUTH 01/19/2006 07:52:04 I 4817 3604 Attempting authentication for Unknown User '[email protected]'
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
    AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain COMPANY
    AUTH 01/19/2006 07:52:04 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bob.smith
    AUTH 01/19/2006 07:52:04 E 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 01/19/2006 07:52:04 I 2124 3604 Unknown User '[email protected]' was not authenticated
    Passed down-level name:
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Starting authentication for user [[email protected]]
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user bsmith
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by WINDC02)
    AUTH 01/19/2006 07:52:23 I 0365 3604 External DB [NTAuthenDLL.dll]: Obtaining RAS information for user bsmith from WINDC02

  • OS authentication w/ 10.2 database and Windows 2000

    Not a new issue - but still not too easy for me...
    Got a Windows 2000 domain, a 10g enterprise database server on Windows 2003 as part of this domain and a client machine running a 10.2 client on Windows 2000 in the same domain.
    remote_os_authent is FALSE.
    OS_AUTH_PREFIX_DOMAIN is not set.
    On both sides sqlnet.ora contains the line SQLNET.AUTHENTICATION_SERVICES= (NTS)
    A database account exists as <domainname>\<username> with create session privilege granted. <domainname> is the same as Windows' %USERDOMAIN%. <username> is the ID with which one logs into that domain on the client machine.
    But still "sqlplus /" raises exception 01017. Password authenticated connects do work. What am I missing?
    Thanks a lot..

    Assuming it still doesn't work: sorry no, as I recall this info from a Metalink note, and the Metalink note worked for me. The only thing I can remember right now is one needs to enclose the Oracle account in double quotes, or it wouldn't work, due to the \. If that also doesn't help, I'm stuck.
    Sybrand Bakker
    Senior Oracle DBA

  • Authentication EAS and PLanning/Windows 2000

    Hi,
    I'm trying to configure Business Rules. But, before this, it is necessary to configure External Authentication for Planning and EAS. I don't know how to do this because I'm installing all things on my machine (Windows 2000 Server), so I don't know what kind of authentication I have to use, or how to configure this on my machine.
    Anyone knows something about it, please?
    Thanks!

    What version of Planning and Essbase are you using? If you are using pre-System 9 then HBR comes along with Planning and you need to configure the repository for both HBR and GHBR (graphical). You need to give the EAS user id and password for the HBR setting and the Essbase user id and password for the GHBR setting.
    If you are using System 9 then HBR comes along with EAS. You need to register EAS to Shared Services before generating the properties file. So when you generate the properties file it would generate HBR.properties and send notification to the HBR server and you would be able to work on HBR.

  • SQL 2000 Authentication Error

    Post Author: triley142
    CA Forum: Authentication
    Relatively new at this... Using Crystal Report XI Client, I have developed several reports using dynamic parameters. I develop them logged in to a workstation running Windows XP as a domain admin on a closed network running Windows 2000 Server. The DB server uses the same logon credentials as the WS. I copy these reports to another WS on the network into the "My Documents" folder of a Windows username with fewer privileges than my admin account. So when he goes to run the report, a prompt with just the dynamic parameter's field name appears, but instead of prompting for values of that field, the prompt asks for Server Name, Database Name, User Name, and Password. The Server Name input box is already populated with an incorrect Server Name and is uneditable (grayed out). The Database Name is present, uneditable, but correct. Sometimes after putting in usernames and passwords I know won't work, I get this error: Prompting failed with the following error message: 'List of Values failure: fail to get values. [Cause of error: Failed to open the connection. UNKNOWN.RPT]'. Error source: prompt.dll Error code 0x8004380D.
    Anyone have any ideas on what could be the problem here? Keep in mind that the reports run fine when I am logged in as admin. Thanks in advance!

    Post Author: TAZ
    CA Forum: Authentication
    You may want to search KB's for that error code and post this in the Crystal Reports forum as well. Authentication is for 3rd party auth AD/LDAP and probably not a lot of expertise to help with your issue.
    Regards,
    Tim

  • Need to migrate oracle database 10.1.0.4.0(windows 2000 32bit) to 64bit

    Hi all,
    Could you please send me the steps for a 10g migration from 32-bit 2000 to 64-bit 2003? I have my prod server, which is in hazard because I have some operating-system-level problems.
    Source: OS Windows 2000 (32 bit), database 10.1.0.4.0
    Target: OS Windows 2003 (64 bit), database 10.1.0.4.0
    both the servers are on remote sites
    thanks and regards

    G.7 Database Migration from a 32-bit Windows Computer
    This section contains these topics:
    Backing Up a 32-Bit Oracle Database
    Migrating an Oracle Database 10g Release 1 (10.1) Database
    Migrating an Oracle9i or Older Database
    See Also:
    Oracle Database Upgrade Guide
    G.7.1 Backing Up a 32-Bit Oracle Database
    To back up a 32-bit Oracle home database:
    Start SQL*Plus:
    C:\> sqlplus /NOLOG
    Connect to the database instance as SYSDBA:
    SQL> CONNECT / AS SYSDBA;
    Create a .trc file to use as a template to re-create the control files on the 64-bit computer:
    SQL> ALTER DATABASE BACKUP CONTROLFILE TO TRACE;
    Shut down the database:
    SQL> SHUTDOWN IMMEDIATE;
    Perform a full offline backup of the database.
    See Also:
    Oracle Database Recovery Manager Quick Start Guide
    G.7.2 Migrating an Oracle Database 10g Release 1 (10.1) Database
    To migrate an Oracle Database 10g Release 1 (10.1) database for 32-bit Windows to an Oracle Database 10g Release 1 (10.1) database for 64-bit Windows:
    Install Oracle Database 10g Release 1 (10.1) for 64-bit Windows.
    See Also:
    Oracle Database Installation Guide for Windows
    Create the new Oracle Database 10g Release 1 (10.1) service at the command prompt:
    C:\> ORADIM -NEW -SID SID [-INTPWD PASSWORD ]-MAXUSERS USERS
    -STARTMODE AUTO -PFILE ORACLE_HOME\DATABASE\INITSID.ORA
    The following table provides more information on the values you must supply.
    Parameter      Description
    SID     SID of the database you are upgrading
    PASSWORD     Password for the new Oracle Database 10g Release 1 (10.1) for 64-bit Windows database. This is the password for the user connected with SYSDBA privileges. The -INTPWD option is not required. If you do not specify it, then operating system authentication is used, and no password is required.
    USERS     Maximum number of users who can be granted SYSDBA and SYSOPER privileges
    ORACLE_HOME     Oracle home directory. Ensure that you specify the full path name with the -PFILE option, including drive letter of the Oracle home directory.
    Copy the 32-bit datafiles to the new 64-bit Oracle home.
    Copy the 32-bit configuration files to the 64-bit Oracle home.
    If your 32-bit initialization parameter file has an IFILE (include file) entry, then copy the file specified by the IFILE entry to the 64-bit Oracle home and edit the IFILE entry in the initialization parameter file to point to its new location.
    If you have a password file that resides in the 32-bit Oracle home, then copy the password file to the 64-bit Oracle home. The default 32-bit password file is located in ORACLE_BASE\ORACLE_HOME\database\pwdSID.ora., where SID is your Oracle instance ID.
    In the 64-bit Oracle home, add the _SYSTEM_TRIG_ENABLED = false parameter to the ORACLE_HOME\database\ORACLE_SID \init.ora file before changing the word size.
    Remove this parameter from the initialization file after the word size change is complete.
    See Also:
    Oracle Database Upgrade Guide for more information on changing word size
    Go to the 64-bit ORACLE_HOME\rdbms\admin directory from the command prompt.
    Start SQL*Plus:
    C:\> sqlplus /NOLOG
    Connect to the database instance as SYSDBA:
    SQL> CONNECT / AS SYSDBA;
    Re-create the 64-bit control files using the CREATE CONTROLFILE command. Edit the trace file created in "Backing Up a 32-Bit Oracle Database" to change the paths to the datafiles, log files and control files to point to the Oracle home on the 64-bit computer. This creates the new control file in ORACLE_HOME\database.
    Here is an example of a database named "orcl32" on a 32-bit computer migrating to "orcl64" on a 64-bit computer:
    CREATE CONTROLFILE REUSE DATABASE "T1" NORESETLOGS NOARCHIVELOG
        MAXLOGFILES 32
        MAXLOGMEMBERS 2
        MAXDATAFILES 32
        MAXINSTANCES 16
        MAXLOGHISTORY 1815
    LOGFILE
        GROUP 1 'C:\oracle\product\10.1.0\oradata\orcl64\REDO03.LOG'  SIZE 1M,
        # was   'C:\oracle\product\10.1.0\oradata\orcl32\...LOG'
        # on the 32-bit computer
        GROUP 2 'C:\oracle\product\10.1.0\oradata\orcl64\REDO02.LOG'  SIZE 1M,
        GROUP 3 'C:\oracle\product\10.1.0\oradata\orcl64\REDO01.LOG'  SIZE 1M
    DATAFILE
       'C:\oracle\product\10.1.0\oradata\orcl64\SYSTEM01.DBF',
        # was 'C:\oracle\product\10.1.0\oradata\orcl32\...DBF'
        # on the 32-bit computer
       'C:\oracle\product\10.1.0\oradata\orcl64\RBS01.DBF',
       'C:\oracle\product\10.1.0\oradata\orcl64\USERS01.DBF',
       'C:\oracle\product\10.1.0\oradata\orcl64\TEMP01.DBF',
       'C:\oracle\product\10.1.0\oradata\orcl64\TOOLS01.DBF',
       'C:\oracle\product\10.1.0\oradata\orcl64\INDX01.DBF',
       'C:\oracle\product\10.1.0\oradata\orcl64\DR01.DBF'
    CHARACTER SET WE8ISO8859P1;
    Alter the init file from the 32-bit computer to include the new control file generated in the preceding step.
    Start the database in RESTRICT mode:
    SQL> STARTUP RESTRICT;
    You might need to use the PFILE option to specify the location of your initialization parameter file.
    Set the system to spool results to a log file for later verification of success. For example:
    SQL> SPOOL catoutw.log
    Enter the following command to view the output of the script on-screen:
    SQL> SET ECHO ON;
    Recompile existing PL/SQL modules in the format required by the 64-bit Oracle9i database:
    SQL> @utlirp.sql;
    Turn off the spooling of script results to the log file:
    SQL> SPOOL OFF;
    Check the spool file and verify that the packages and procedures compiled successfully. Correct any problems you find in this file.
    If you were viewing the output of catoutw.log on-screen, disable viewing now:
    SQL> SET ECHO OFF;
    Exit the RESTRICT database mode:
    SQL> ALTER SYSTEM DISABLE RESTRICTED SESSION;
    The word size of the 64-bit Oracle Database 10g Release 1 (10.1) database is changed. You can open the database for normal use.
    This is from the link

  • ISE with pre-Windows 2000 domain

    Hi
    I am experiencing a problem with AD authentication.
    I have joined the ISE appliance to the windows AD and I can browse the groups and attributes.
    But the problem I am experiencing is that the users log on to the domain using the pre-Windows 2000 domain name.
    FQDN format : ab.cdef.com       - ISE is joined to this
    pre-windows 2000 name : abcd  - Users logon with this
    So when the users authenticate I get the following error: 22056 Subject not found in the applicable identity store.
    Also tried to logon with [email protected] with no luck.
    Does someone have any suggestions?
    Thanks

    The 802.11 MAC layer is a bit longer than the Ethernet MAC layer. This sometimes causes problems with domain login because they are done using UDP by default. The frames are sometimes dropped. To test if this is your problem, I recommend changing the MTU on the 2000 server (DC) and the host to something less than the actual MTU on the interface (configure the DC and host @1300, leaving the network @1500).
    A Windows 2003 server has a default MTU of 13?? something to get around this problem. I usually tell my users to install the Cisco VPN client if they want to use the domain over wireless because the installation of this client lowers the MTU of every interface to 1300.
    Another path you can look into is forcing Kerberos to use TCP instead of UDP (look on MS TechNet for the method).

  • ACS and Windows 2000 user database communication port

    Can my Windows 2000 SP4 + ACS v3.23 install any new Windows 2000 service pack?
    I'm afraid of infecting the ACS service.
    So, I want to install a firewall on this server to block malicious traffic.
    However, my ACS uses the external user database Windows 2000 for authentication.
    Who can tell me what protocols or ports they use to communicate?
    I have to avoid this traffic on my firewall.

    Hi cheng
    I think you can install any service pack without problem, and SP4 is the latest one for WIN2000 and your server already has this SP.
    For your second question, you need to specify many protocols according to your Active Directory config. In this link you can find a list of these protocols, and the best way is to use debug or logging, or use a sniffer, to know the exact protocol flow between your ACS and AD server.
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
    Best Regards

  • LOGIN PROBLEM THROUGH APPS SERVICE 11.5.9 ON WINDOWS 2000

    HI
    I HAVE SUCCESSFULLY INSTALLED ORACLE APPS 11.5.9 ( ALL THE TESTS WERE PASSED SUCCESSFULLY) ON WINDOWS 2000 SERVER , NOW I AM ABLE TO LOGON TO THE APPLICATION USING FORMS , BUT WHEN I M TRYING TO CONNECT THROUGH APPLICATION SERVICE IT IS GIVING AN ERROR BUT IF YOU CHECKED THE DETAILS OF THE ERROR , THERE IS NOTHING . PLS ADVISE WHAT COULD BE THE REASON.
    THX/RDS
    DARA

    I have the same issue while installing 11.5.9 on my test machine.
    Installation is fine. No errors. But while trying to login to oracle e-business suite as abcd\pqr, it gives error saying Authentication failed. It is perfect because I have never created user abcd.
    But when trying to connect as sysadmin\syadmin it says
    "You have encountered an unexpected error. Please contact the System Adminstrator for assistance. Click here for exception details." When I click on the link nothing is listed in Exception Details.
    Your input will be highly appreciated...
    Thanks,

  • JAAS, JGSS Kerberos  and windows 2000 newbie question

    Hi
    I have set up a Kerberos server on Windows 2000, and now I want to write code in Java to authenticate and authorize users using Kerberos. I know I have to use JAAS, JGSS.
    Is there a how-to document for setting up a client machine, like setting up the krb4.ini file and other security files, so I can use Java to authorize and authenticate? I am using j2sdk1.4.2.
    I have the following code
    GSSManager manager = GSSManager.getInstance();
    Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
    Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
    // Identify who the client wishes to be
    GSSName userName = manager.createName("test02EIM", GSSName.NT_USER_NAME);
    // Identify the name of the server. This uses a Kerberos specific
    // name format.
    GSSName serverName = manager.createName("krbsvr400/[email protected]",
                                            krb5PrincipalNameType);
    System.out.println("server name " + serverName.getStringNameType());
    // Acquire credentials for the user
    GSSCredential userCreds = manager.createCredential(userName,
                                                       GSSCredential.DEFAULT_LIFETIME,
                                                       krb5Mechanism,
                                                       GSSCredential.INITIATE_ONLY);
    // Instantiate and initialize a security context that will be
    // established with the server
    GSSContext context = manager.createContext(serverName,
                                               krb5Mechanism,
                                               userCreds,
                                               GSSContext.DEFAULT_LIFETIME);
    and krb5.ini file looks like below
    [libdefaults]
    default_realm = GL1AMR.PFIZER1.TEST
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    forwardable = true
    proxiable = true
    [realms]
    GL1AMR.PFIZER1.TEST= {
    kdc = gl1mopsamrdc01.gl1amr.pfizer1.test:88
    admin_server = gl1mopsamrdc03.gl1amr.pfizer1.test
    default_domain = gl1amr.pfizer1.test
    }
    [domain_realm]
    .gl1amr.pfizer1.test = GL1AMR.PFIZER1.TEST
    gl1amr.pfizer1.testm = GL1AMR.PFIZER1.TEST
    [login]
    krb4_convert = true
    krb4_get_tickets = true
    I get the following error
    SSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:143)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:70)
         at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
         at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
         at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
         at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
         at com.pfizer.maps.sso.TestGSS.useGSS(TestGSS.java:41)
         at com.pfizer.maps.sso.TestGSS.main(TestGSS.java:59)
    What am I missing?

    My Java file has the code as follows. When I run this code I am getting the following error
    Error
    D:\Ramesh_Dump\KerbersTools>java GSSAPI
    GSSException: No valid credentials provided (Mechanism level: Failed to find any
    Kerberos Ticket)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredent
    ial.java:133)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechF
    actory.java:72)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.
    java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java
    :96)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:1
    78)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:1
    58)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5
    Client.java:155)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2637)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.ja
    va:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.jav
    a:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:6
    67)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:1
    34)
    at GSSAPI.main(GSSAPI.java:34)
    Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root
    exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by G
    SSException: No valid credentials provided]]
    JAVA CODE
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.*;
    import java.util.Calendar.*;
    import java.text.*;
    public class GSSAPI {
         /**
          * @param args
          */
         public static void main(String[] args) {
         Hashtable env = new Hashtable();
         String adminName = "[email protected]";//"[email protected]";
         String adminPassword = "Password12";
         String ldapURL = "ldap://172.20.55.97:389/";
         env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
         //use SASL GSSAPI (Kerberos) authentication rather than a simple cleartext bind
         env.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
         //env.put(Context.SECURITY_PRINCIPAL,adminName);
         //env.put(Context.SECURITY_CREDENTIALS,adminPassword);
         //env.put("javax.security.sasl.server.authentication","true");
         //connect to my domain controller
         env.put(Context.PROVIDER_URL,ldapURL);
         try {
              //Create the initial directory context
              LdapContext ctx = new InitialLdapContext(env,null);
              //lets get the domain lockout duration policy
              Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
              //System.out.println("test arttr"+attrs.get(""));
              System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
              System.out.println("Duration: " + attrs.get("lockoutDuration").get());
              System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
              long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
              //Create the search controls           
              SearchControls searchCtls = new SearchControls();
              //Specify the attributes to return
              String returnedAtts[]={"sn","givenName","mail","lockoutTime"};
              searchCtls.setReturningAttributes(returnedAtts);
              //Specify the search scope
              searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
              //Create the correct LDAP search filter
              //Win32 file time is based from 1/1/1601
              //Java date/time is based from 1/1/1970
              /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
              GregorianCalendar Today = new GregorianCalendar();
              long Win32Date = Win32Epoch.getTimeInMillis();
              long TodaysDate = Today.getTimeInMillis();
              long TimeSinceWin32Epoch = TodaysDate - Win32Date;
              long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
              System.out.println("Lockout (Long): " + lockoutDate);*/
              //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
              //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
              String searchFilter = "(objectclass=user)";
              //Specify the Base for the search
              String searchBase = "dc=globalv,dc=com";
              //initialize counter to total the results
              int totalResults = 0;
              //Search for objects using the filter
              NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
              //Loop through the search results
              while (answer.hasMoreElements()) {
                   SearchResult sr = (SearchResult)answer.next();
                   totalResults++;
                   System.out.println(">>>" + sr.getName());
                   // Print out some of the attributes, catch the exception if the attributes have no values
                   attrs = sr.getAttributes();
                   if (attrs != null) {
                        try {
                             System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                             System.out.println(" mail: " + attrs.get("mail").get());
                             System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                             //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                        catch (NullPointerException e)     {
                             System.err.println("Problem listing attributes: " + e);
    //          System.out.println("Total results: " + totalResults);
              ctx.close();
         catch (NamingException e) {
              System.err.println("Problem searching directory: " + e);
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.*;
    import java.util.Calendar.*;
    import java.text.*;
    public class GSSAPI {
         * @param args
         public static void main(String[] args) {
         Hashtable env = new Hashtable();
         String adminName = "[email protected]";//"[email protected]";
         String adminPassword = "Password12";
         String ldapURL = "ldap://172.20.55.97:389/";
         env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
         //set security credentials, note using simple cleartext authentication
         env.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
         //env.put(Context.SECURITY_PRINCIPAL,adminName);
         //env.put(Context.SECURITY_CREDENTIALS,adminPassword);
         //env.put("javax.security.sasl.server.authentication","true");
         //connect to my domain controller
         env.put(Context.PROVIDER_URL,ldapURL);
         try {
              //Create the initial directory context
              LdapContext ctx = new InitialLdapContext(env,null);
              //lets get the domain lockout duration policy
              Attributes attrs = ctx.getAttributes("dc=globalv,dc=com");
              //System.out.println("test arttr"+attrs.get(""));
              System.out.println("Lockout policy for " + attrs.get("distinguishedName").get());
              System.out.println("Duration: " + attrs.get("lockoutDuration").get());
              System.out.println("Threshold: " + attrs.get("lockoutThreshold").get());
              long lockoutDuration = Long.parseLong(attrs.get("lockoutDuration").get().toString());
              //Create the search controls           
              SearchControls searchCtls = new SearchControls();
              //Specify the attributes to return
              String returnedAtts[]={"sn","givenName","mail","lockoutTime"};
              searchCtls.setReturningAttributes(returnedAtts);
              //Specify the search scope
              searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
              //Create the correct LDAP search filter
              //Win32 file time is based from 1/1/1601
              //Java date/time is based from 1/1/1970
              /*GregorianCalendar Win32Epoch = new GregorianCalendar(1601,Calendar.JANUARY,1);
              GregorianCalendar Today = new GregorianCalendar();
              long Win32Date = Win32Epoch.getTimeInMillis();
              long TodaysDate = Today.getTimeInMillis();
              long TimeSinceWin32Epoch = TodaysDate - Win32Date;
              long lockoutDate = (TimeSinceWin32Epoch * 10000) + lockoutDuration;
              System.out.println("Lockout (Long): " + lockoutDate);*/
              //System.out.println("Lockout (Date): " + DisplayWin32Date(lockoutDate));
              //String searchFilter = "(&(objectClass=user)(lockoutTime>=" + lockoutDate + "))";
              String searchFilter = "(objectclass=user)";
              //Specify the Base for the search
              String searchBase = "dc=globalv,dc=com";
              //initialize counter to total the results
              int totalResults = 0;
              //Search for objects using the filter
              NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
              //Loop through the search results
              while (answer.hasMoreElements()) {
                   SearchResult sr = (SearchResult)answer.next();
                   totalResults++;
                   System.out.println(">>>" + sr.getName());
                   // Print out some of the attributes, catch the exception if the attributes have no values
                   attrs = sr.getAttributes();
                   if (attrs != null) {
                        try {
                             System.out.println(" name: " + attrs.get("givenName").get() + " " + attrs.get("sn").get());
                             System.out.println(" mail: " + attrs.get("mail").get());
                             System.out.println(" locked: " + attrs.get("lockoutTime").get().toString());
                             //System.out.println(" locked: " + DisplayWin32Date(attrs.get("lockoutTime").get().toString()));
                        }
                        catch (NullPointerException e)     {
                             System.err.println("Problem listing attributes: " + e);
                        }
                   }
              }
    //          System.out.println("Total results: " + totalResults);
              ctx.close();
         }
         catch (NamingException e) {
              System.err.println("Problem searching directory: " + e);
         }
    }
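
The commented-out filter in the listing above depends on converting Java time to Win32 FILETIME and on `lockoutDuration` being stored as a negative count of 100-nanosecond intervals. This is an added example of that arithmetic, not part of the original post; the class name, method names and sample values are constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;

public class AdLockoutWindow {
    // 100-ns intervals between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Java epoch), UTC
    static final long EPOCH_GAP = 116_444_736_000_000_000L;
    static final long TICKS_PER_SECOND = 10_000_000L;

    static long toFileTime(Instant t) {
        return EPOCH_GAP + t.getEpochSecond() * TICKS_PER_SECOND + t.getNano() / 100;
    }

    static Instant fromFileTime(long fileTime) {
        long ticks = fileTime - EPOCH_GAP;
        return Instant.ofEpochSecond(Math.floorDiv(ticks, TICKS_PER_SECOND),
                                     Math.floorMod(ticks, TICKS_PER_SECOND) * 100);
    }

    // Oldest lockoutTime that still falls inside the lockout window at 'now'.
    // lockoutDuration is the raw domain attribute: a negative count of 100-ns intervals.
    static long cutoff(long lockoutDuration, Instant now) {
        if (lockoutDuration >= 0) {
            throw new IllegalArgumentException("expected a negative interval: " + lockoutDuration);
        }
        // lockoutTime=0 means "not locked", so the cutoff never drops below 1
        return Math.max(1L, toFileTime(now) + lockoutDuration);
    }

    // Filter for accounts whose lockout has not yet expired; only numbers are concatenated
    static String lockedUsersFilter(long lockoutDuration, Instant now) {
        return "(&(objectClass=user)(lockoutTime>=" + cutoff(lockoutDuration, now) + "))";
    }

    static boolean isLocked(long lockoutTime, long lockoutDuration, Instant now) {
        return lockoutTime >= cutoff(lockoutDuration, now);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real directory
        Instant now = Instant.parse("2024-01-01T12:00:00Z");
        long duration = -Duration.ofMinutes(30).getSeconds() * TICKS_PER_SECOND;
        long recent = toFileTime(now.minus(Duration.ofMinutes(10)));
        long stale = toFileTime(now.minus(Duration.ofHours(2)));

        System.out.println(lockedUsersFilter(duration, now));
        System.out.println("recent: " + fromFileTime(recent) + " locked=" + isLocked(recent, duration, now));
        System.out.println("stale:  " + fromFileTime(stale) + " locked=" + isLocked(stale, duration, now));
        System.out.println("never:  locked=" + isLocked(0L, duration, now));
    }
}
```

A stale `lockoutTime` stays on the account after the window has passed, which is why the comparison against the cutoff is needed rather than a plain non-zero test.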

  • Migrating BO from Windows 2000 to 2003 Server

    Post Author: Eric Van Steenbergen
    CA Forum: Older Products
    Hello,
    We're planning migration of our Windows 2000 Server to a Windows 2003 Server. Can anyone advise how to proceed regarding the following issues:
    - repository is running on a different server than that on which BO is installed.
    - authentication is still running on the server where the repository was installed at first (later moved to current server).
    To make it clearer:
    Server1 = application
    Server2 = repository (authentication)
    Server3 = database (universe)
    With migration to the new server (server2 will be replaced) we'll have to change the authentication to point to the database server (universe). What do we have to change at the application level on server1?
    Any advice is greatly appreciated.
    Kind regards, Eric Van Steenbergen
    BTC [email protected]

    FRM-40039 is a Forms error, and Forms doesn't use ODBC. You'll probably get better help posting in the forum appropriate for that product. Unfortunately I'm not sure exactly what the forum is :(
    Greg

  • Windows NT Authentication

     

    Michael,
    I have 2 questions for you.
    #1 - Has NT Domain authentication been added as of yet (January 2001)?
    #2 - I am trying to connect to SQL Server 2000 with the MSSQLServer4 (version7) driver. Will this work using SQLServer Authentication or do I need the 2000 version driver (which I don't believe has been released yet)?
    TIA
    Jason
    "Michael Girdley" <[email protected]> wrote:
    Hi Brian,
    For now, you must use SQLServer authentication. We are planning to add NT
    Domain authentication, but have not scheduled a release date yet.
    Thanks!
    Michael
    Brian DeCamp <[email protected]> wrote in message
    news:7ml409$97p$[email protected]..
    Using the jdbcKona/MSSQLServer4 driver, can I connect to SQLServer 7.0 with
    my database setup for Windows NT Authentication, or must I connect using
    SQLServer authentication?
    -Brian

  • Windows 7 Client with Windows 2000 server

    Hi ,
    We are having an application developed in Delphi 6 and hosted on Windows 2000 Server (SP4). Recently we have migrated all our clients to Windows 7 from XP. Since then we are getting an Access Violation error whenever we use the application.
    We are accessing the application through RDP (Remote Desktop) from Win 7 clients to the Windows 2000 server.
    Could anybody help me resolve this issue, as this is stopping the business?
    Regds 
    Vignesh Krishnan B

    Hi,
    As Windows 7 uses NTLM2 by default, please try to set it to “Send LM & NTLM – Use NTLMv2 session security if negotiated”
    How to:
    Open secpol.msc -> local policies -> security options -> Network security: LAN Manager authentication level.
    Best Regards.
    Jeremy Wu
    TechNet Community Support

  • GSSAPI JNDI and Windows 2000

    Hello,
    I'm trying to use JNDI to access ActiveDirectory on Windows 2000. I am currently successful when providing a username and password using simple authentication, but I want to be able to use the Windows account information that the program is running under.
    I've tried to do this by creating a login conf file (using the NTLoginModule) and creating a LoginContext, logging in (I can then view the Principals associated with the Subject).
    try
    {
        LoginContext lc = new LoginContext (this.getClass ().getName ()); // no CallbackHandler: NTLoginModule uses the current Windows logon
        lc.login ();
        Subject.doAs (lc.getSubject (), new SimpleAction ());
        lc.logout ();
    }
    catch (LoginException e)
    {
        System.err.println (e.getMessage ());
    }
    public class SimpleAction implements java.security.PrivilegedAction
    {
        public java.lang.Object run ()
        {
            try
            {
                Hashtable h = new Hashtable ();
                h.put (Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                h.put (Context.PROVIDER_URL, "OU=foo,DC=b,DC=a,DC=r");
                h.put (Context.SECURITY_AUTHENTICATION, "GSSAPI");
                DirContext ctx = new InitialDirContext (h); // pass the table built above
                // do something interesting
                ctx.close ();
            }
            catch (NamingException e)
            {
                System.err.println (e.getMessage ());
            }
            return null;
        }
    }
    Then using JNDI in a Subject.doAs call I set the Context.SECURITY_AUTHENTICATION to "GSSAPI". This throws the following error:
    GSSAPI
    Error connecting to 'OU=foo,DC=b,DC=a,DC=r' on '<server>'. Please ensure that the LDAP Server is running and that the configuration parameters are correct.
    I followed (I thought) the examples based on http://java.sun.com/products/jndi/tutorial/ldap/security/src/GssExample.java
    and it works fine if I use "simple" authentication.
    Any ideas as to why AD throws it back?
    Regards

    I hope that this helps. Now I am on to seeing about GSS
    Yes, how did you go with the GSS? I cannot get it to work.
    I followed your suggestions as before and my authentication works, now I'm trying to use GSS authentication to my Active Directory through LDAP and I get errors. My JAAS Authentication works fine.
    I'm using the following example URL http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html
    My errors start as follows:
    ... [authentication info before this]
    Credentials acquireServiceCreds: same realm
    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    javax.naming.AuthenticationException: GSSAPI. Root exception is com.sun.security.sasl.preview.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: _kerberos._udp.OBJADS.OBJECTIVE: _kerberos._udp.OBJADS.OBJECTIVE)]
    at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:180)
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:399)
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2597)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:275)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:173)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:191)
    ... and so on
    Thanks, Philip

  • EAP with Windows 2000 client and IAS server

    Several messages on this site point to people using EAP on a Windows 2000 client and authenticating against an IAS server. I am running an Aironet 350 AP and trying to set up my Windows 2000 clients to use EAP only and authenticate against a Windows 2000 AD forest via IAS. The access point and client are on the latest firmware and drivers (12.0 for AP). I have two basic questions.
    1. It is my understanding that by enabling Network-EAP as the only authentication type that users will authenticate and then dynamic WEP keys will be used, greatly reducing the risks of compromised WEP keys while at the same time keeping the data encrypted.
    2. Does anyone have a quick HOW-TO or point-by-point list of how to configure the Windows 2000 client to authenticate using the Network-EAP method? I am currently running into a situation where no matter what I configure on the client, the IAS server reports an error with "Reason: The authentication type is not supported on this system." I also noticed that the "Authentication-Type" and "EAP-Type" fields shown in the IAS messages in the Windows 2000 Event Viewer log have the value "<undetermined>". Has anyone else run into this?

    I'm having a similar problem. I'm trying to do PEAP and it appears that IAS is not handling the request properly. It keeps trying to log the user PEAP-##### in instead of setting up the TLS and then asking for Username, Pass, Domain. The IAS error message I'm getting is:
    User PEAP-00097CFCD901 was denied access.
    Fully-Qualified-User-Name = APPLY\PEAP-00097CFCD901
    NAS-IP-Address = 172.16.200.31
    NAS-Identifier = AP1
    Called-Station-Identifier = 004096570d87
    Calling-Station-Identifier = 00097cfcd901
    Client-Friendly-Name = WirelessAP
    Client-IP-Address = 172.16.200.31
    NAS-Port-Type = 19
    NAS-Port = 37
    Policy-Name =
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 8
    Reason = The specified user does not exist.
    So if anybody has the needed settings for Win2k (SP3 and 802.1x patch) IAS it would be much appreciated.
    Ben
    Note: if I had PEAP-####### as a user in Win2k I get:
    User PEAP-00097CFCD901 was denied access.
    Fully-Qualified-User-Name = apply.org/Users/PEAP TEST
    NAS-IP-Address = 172.16.200.31
    NAS-Identifier = AP1
    Called-Station-Identifier = 004096570d87
    Calling-Station-Identifier = 00097cfcd901
    Client-Friendly-Name = WirelessAP
    Client-IP-Address = 172.16.200.31
    NAS-Port-Type = 19
    NAS-Port = 37
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 16
    Reason = There was an authentication failure because of an unknown user name or a bad password.
