Microsoft SSPI error
Hello,
I have a configuration of Active Directory 2003 R2 SP3 working with
Linux mod_auth_kerb.
I use SPNEGO for Subversion.
When using Linux, everything works great!
When using Windows XP (and Windows 7), the Firefox/IE/CIFS clients work great.
The problem is Subversion, which uses neon; it gets the following:
---
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
auth: SSPI challenge.
InitializeSecurityContext [fail] [80090304].
sspi: initializeSecurityContext [failed] [80090304].
---
In the Windows event log I see the following:
---
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40962
Date: 10/3/2011
Time: 3:55:38 PM
User: N/A
Computer: VALON
Description:
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
has not.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---
Has anyone seen this before?
I tried many configurations, but without success:
---
Gentoo
---
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-servers/apache-2.2.21
www-apache/mod_auth_kerb-5.4 -> also downgraded to m...
setup kerberos authentication for SQL Server 2000
Hi,
I need some help to set up Kerberos Authentication for SQL Server
2000. I believe by default Windows authentication in SQL Server is
Kerberos. But I don't know enough and have not come across any
documentation that confirms this. I believe if both the server and
client are on the same domain, when the client workstation connects to
the server using Windows security, this is considered Kerberos. Is this
true? Has anyone done this? Or is there a query that I can run to
confirm what authentication I am using, like Kerberos?
My workstation and server are both Windows 2000 and I believe by
...
Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to
use a windows 2003 server as our Kerberos server, along with our
openldap on solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The ldap tree is fully populated, and working properly. With our
current nsswitch.conf, logins work using the ldap directory (with
posixAccount & shadowAccount records), as does a getent passwd
<ldapusername>.
Also, we have our Windows 2003 server's directory setup with named
users, and with our current pam.conf, we can authenticate aga...
Once a week Kerberos failure between IIS6 web server and SQL Server 2000 db server
Hi,
Regularly once a week we get problems with a Kerberos failure on
our intranet application. Kerberos is set up with Constrained Delegation
and Protocol Transition.
Configuration:
S3
...
Kerberos v5 and Windows 2000 server
I have recently seen info on the latest advisories for MIT Kerberos v5
(8/31/04). I am new to Kerberos and know that windows uses it for its
authentication. How do these advisories affect Windows 2000 Server?
Thanks for any info!
Bill
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
BNail@doc.gov wrote:
>
>
>
> I have recently seen info on the latest advisories for MIT Kerberos v5
> (8/31/04). I am new to Kerberos and know that windows uses it for its
> authentication. How do these advisories affect Windows 2000 Server?
>
> Thanks for any info!
> Bill
It does not affect Microsoft's implementation. The advisories are
specific to the MIT implementation of Kerberos as specified in the
advisories. It is unfortunate that the IT press failed to make the
distinction between a weakness in one implementation vs a weakness in
the protocol.
Jeffrey Altman
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
...
authentication on windows xp thru kerberos
Hi, I have a problem: I can't authenticate myself on Windows XP through a
Kerberos database located on another PC running Linux.
what should i do?
thx in advance
On Wed, 06 Jun 2007 15:58:38 +0200
"Luca Lauretta" <patrickroy@hotmail.it> wrote:
> Hi, i have a problem , i can't get to authenticate myself on windows XP thru
> kerberos database, located on another pc using linux.
>
> what should i do?
Hi Luca,
What you should do is find a document that describes the scenario
you're interested in [1][2]. Then, when you find that the result is
not consistent with what the document says, you should look carefully
at the error message and do an analysis of the problem. If you cannot
decipher the error and the error is related to the Kerberos protocol,
then you might post the exact error text here.
Mike
[1] http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EVCAC
[2] http://www.h5l.se/manual/heimdal-0-7-branch/info/heimdal.html#Configuring-Windows-2000-to-use-a-Heimdal-KDC
--
Michael B Allen
PHP Active Directory Kerberos SSO
htt...
How to setup kerberos server on OS:windows 2000
I am new to Kerberos and do not have access to Unix boxes.
I would like to set up a Kerberos Server on my PC which is running
Windows 2000 Professional.
The MIT documentation is geared to Unix systems. I could not find the same
commands for windows that the documentation talks about for Unix.
Is there a good guide that explains how to set up the server on windows 2000?
Thanks in advance
Huatuo
Sincerely,
huatuo
2005-05-20
----------------------------
Hitron Technologies Wuhan R&D office
China
Tel:+86-27-85721301 ext 45
Fax:+86-27-85768332
mailto:huatuo@hitronwh.com
----------------------------
...
Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type
Colleagues,
What could be the reason that I cannot telnet from FreeBSD to Solaris 10
with the following error:
Connected to oracle.sibptus.tomsk.ru.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ]
[ Trying KERBEROS5 (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
[ Kerberos V5 refuses authentication because Kerberos checksum verification failed: Bad encryption type ]
Password:
Kerberized telnet and ssh work fine between FreeBSD systems, but
Solaris is a problem.
The kdc is Heimdal running on FreeBSD. The keytab for the host
principal was exported on FreeBSD and then transferred to Solaris and
imported there.
Thank you in advance for any input.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
I believe that Solaris (as of Solaris 9) only supports
des-cbc-crc encryption.
Hope that helps,
Steven
--- Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
wrote:
> Colleagues,
>
> What could be the reason that I cannot telnet from
> FreeBSD to Solaris 10
> with the following error:
>
> Connected to oracle.sibptus.tomsk.ru.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5
> (host/oracle.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU)... ]
> [ Kerberos V5 refuses authentication because
> Kerberos checksum verification failed: Ba...
Kerberos authentication against W2K server with native chars in password
I have a working JAAS Kerberos program that can authenticate against a
W2K Domain Controller, but W2K allows the user to have native chars in
the username and password (like the Danish letters æøå), and this does
not seem to work from Java!
I found out that W2K uses UTF-8 encoding while MIT and Heimdal use
8-bit ISO-Latin1.
Is there any way to get Java to use UTF-8, or is it something
different that is wrong?
Tested on SuSE Linux 9.0 (kernel 2.4.21) and Windows 2000 with Java
1.4.2_03
Program created from this example:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnO...
Exchange Server and Campus Kerberos server ?
Hi -
I hope this is the right place to post this query - if not, I apologize.
Does anyone have any experience with Exchange Server and Kerberos who might be
willing to talk to someone from another University. I have no experience with
either kerberos or exchange and would be unable to answer their questions. If
you are interested, please contact BK directly.
Thanks,
Kirky
--------- attached email ----------
Kirky -
I've been contacted by a Director of Network Security at a
Mid-Atlantic-based University who is looking to speak with a peer
that has experience syncing up an Exchange server to a campus-wide
Kerberos server.
Do you think the folks on IT Partners would know themselves or of
someone who might have such experience?
Feel free to have them contact me directly.
Best Regards,
B.K. DeLong
Dir. of Partner Member Services & Research
Institute for Applied Network Security
15 Court Square, Suite 1100
Boston, MA 02108
617.399.8100
617.399.8101 facsimile
www.ianetsec.com[1]
Links:
------
[1] http://www.ianetsec.com/
----- End forwarded message -----
...
MIT Kerberos or Heimdal Kerberos?
Hi,
How do I know whether the server installed in the system is MIT Kerberos or Heimdal?
I'm using FreeBSD 5.2.1
Thanks
sam
...
kerberos SERVER
Hello.
could you help me where i can find and download
a Kerberos SERVER please.
thanks a lot.
<ali.mohammadi62@gmail.com> wrote in message
news:1115458379.334742.266760@o13g2000cwo.googlegroups.com...
> Hello.
> could you help me where i can find and download
> a Kerberos SERVER please.
> thanks a lot.
>
ever heard of Google ?
...
Kerberos Web Server to file Server
Hello,
Is Kerberos delegation needed to write a file from a web app to a
file server within the same network? If so, I will be setting up
constrained delegation. The problem is what is the service on the file
server that I will let the web service be delegated for?
...
Changing master key (Kerberos authentication server+LDAP database)
Is it possible to change the master key of a realm when LDAP is used
as the database server? The stash file is not present since LDAP is
used. Appreciate any help on this.
Thanks,
Anubha
...
is that common to use kerberos authentication for SUN iplanet LDAP server?
Hi guys,
Does anyone have experience on this to share?
I've set up a SUN LDAP server and it's running fine by
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding
to LDAP server) so I'm thinking either MD5-Digest or Kerberos.
However looks like SUN LDAP itself doesn't have kerberos
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos.....
So I was thinking that if I can easily configure SUN LDAP to
use MD5-digest then that should be the easiest however it seems
that I have to store the password as plain-text in LDAP
server to enable MD5-digest and I don't want to do that (Let
me know if there are other easier ways to enable MD5-digest).
So my question is that is it pretty easy to enable Kerberos
for SUN LDAP after installing SEAM? Or can SUN LDAP use other
KDC as well?
Thanks a lot in advance !
P.S, I know LDAPS (LDAP over SSL) can easily achieve my goal
however I kinda think it's an overkill since I don't really
need to protect all the LDAP transactions except for the
password part...
-Kent
Kent Wu wrote:
>
> So my question is that is it pretty easy to enable Kerberos
> for SUN LDAP after installing SEAM? Or can SUN LDAP use other
> KDC a...
Authenticating to Kerberos
Hi,
I've had a quick look but cannot find a module that will let me authenticate
against Kerberos. There appears to be a krb5 module that hasn't been
updated for a long time and I can't find much on it except the pages at
starship.python.net.
I don't need to do anything except authenticate and gain the correct
credentials.
Are there any modules that I could use to authenticate against Kerberos
(perhaps there is another module will do just the auth, e.g. for LDAP?).
Cheers.
David wrote:
> I don't need to do anything except authenticate and gain the correct
> cred...
Authenticating Windows XP & 7 Against Kerberos Help-Plea!
Hi Guys,
I'm trying to get 2 Windows Clients (1x Windows XP Pro SP3, 1x Windows 7
Enterprise) configured so they logon via Kerberos 5-1.8 (Arch Linux Server,
Kerberos 5 build from source), and I'm soooo close I can smell it! but...
When I login I get the error message:
*"The username or password is incorrect"* on the Windows client.
The log file krb5kdc.log shows the following for each attempt:
*"dc1 krb5kdc[5372](info): AS_REQ (6 etypes {18 17 23 24 - 135 3}) 10.0.0.3:
ISSUE: authtime 1270166763, etypes {rep=23 tkt=16 ses=23}, tom@TNET.LOC for
krbtgt/TNET.LOC@TNET.LOC
dc1 krb5kdc[5372](info): TGS_REQ (5 etypes {18 17 23 24 - 135}) 10.0.0.3:
ISSUE: authtime 1270166763, etypes {rep=23 tkt16 ses23}, tom@TNET.LOC for
host/wdesk3.tnet.loc@TNET.LOC"*
Is there an error hidden somewhere in this krb5kdc.log output? Or should I
be looking elsewhere?
I have done the following:
1. Synced the time with a ntp server (on the same box) using *w32tm
/config ...
*
2. Added this machine to the list of hosts (via *
/usr/local/sbin/kadmin.local*):
1. kadmin.local> ank -e rc4-hmac:normal -policy host/wdesk3.tnet.loc
2. kadmin.local> ktadd -k /usr/local/var/krb5kdc/kadm5.keytab
3. Added the Windows machine to the realm, added the kdc server, and
mapped the users:
1. > ksetup /addkdc TNET.LOC dc1.tnet.loc
2. > ksetup /addkpasswd TNET.LOC dc1.tnet.loc
3. > ksetup /setrealm TNET.LOC
4. REBOOT WIN...
ssh from windows xp (putty with kerberos) using NetIDMgr 1.1.8.0 (Kerberos for windows 3.1)
Has anyone got a version of putty to work with the Kerberos for
Windows release 3.1?
I'm running win xp and am able to get my kerberos 5 tokens fine (from
CSAIL.MIT.EDU) in NetIDMgr, but I've tried various supposedly
kerberos-aware versions of putty with no luck.
Thanks.
-- Greg
--
Greg Sullivan
gregs@csail.mit.edu
(617)417-4746 (cell)
...
RE: is that common to use kerberos authentication for SUN iplanet LDAP server?
You can use Sun's Directory server with a non-Sun KDC; you just have to
have SEAM (Sun's Kerberos) set up on the directory server (i.e., it needs
the client libs). If you have an install on Solaris 9 or 10, I don't
even think you need to install anything - the Kerberos libs are already
there. (You will have to run the directory server on a Solaris box.)
See http://docs.sun.com/source/817-7613/ssl.html
-dan
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Kent Wu
Sent: Wednesday, August 31, 2005 3:29 PM
To: kerberos@mit.edu
Subject: is that common to use kerberos authentication for SUN iplanet
LDAP server?
Hi guys,
Does anyone have experience on this to share?
I've set up a SUN LDAP server and it's running fine by
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding
to LDAP server) so I'm thinking either MD5-Digest or Kerberos.
However looks like SUN LDAP itself doesn't have kerberos
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos.....
So I was thinking that if I can easily configure SUN LDAP to
use MD5-digest then that should be the easiest however it seems
that I have to store the password as plain-text in LDAP
server to enable MD5-digest and I don't want to do that (Let
me know if there are other easier ways to enable MD5-digest).
So my question is th...
RE: is that common to use kerberos authentication for SUN iplanet LDAP server?
Whether a directory can do SASL/GSSAPI data privacy and/or integrity is
directory server specific. Some directories (AD) support privacy and/or
integrity protection. Others (Sun) don't, so you must use SSL.
One other thing to be aware of is that clients can downgrade the privacy
and integrity protection. If clients can downgrade the data
protection, it makes me wonder if an attacker can downgrade the session.
I haven't looked into it enough.
-dan
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Markus Moeller
Sent: Thursday, September 01, 2005 1:24 PM
To: kerberos@mit.edu
Subject: Re: is that common to use kerberos authentication for SUN
iplanet LDAP server?
Craig,
you say you use SASL + SSL. As far as I know SASL/GSSAPI can do
encryption
too. What was the reason not to use SASL/GSSAPI with encryption. And
example
is AD, which can be accessed via SASL/GSSAPI with encryption.
Thanks
Markus
"Craig Huckabee" <huck@spawar.navy.mil> wrote in message
news:4316DEC8.5060809@spawar.navy.mil...
> Kent Wu wrote:
>>
>> So my question is that is it pretty easy to enable Kerberos for
SUN
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our
copy
> against MIT Kerberos 1.3.x and use MIT KDCs. I think the binary
versions
> they sold previously also use MIT Kerber...
Working Kerberos application SAP/Unix server authenticating to Win2k AD?
Hi,
is somebody using the above scenario? I want to use MIT Kerberos to
implement SNC for a SAP server on Linux.
Then this server and the GUI clients should be able to authenticate
(using single sign-on) against a Win2k AD DC.
I'm mainly interested in the configuration details, like the used
principal names when authenticating to the win2k ad, in order to make
sure I understand the principle. Could you send me your SNC
configuration (especially the SAPgui, SAPlogon SNC part and
snc/identity/as in the *.PFL files)?
I slightly modified the sources of the GSS-API implementation of MIT
Kerberos 1.2.8 to make it return only the rfc1964 compliant mechanism
and now it passes a certification test program from SAP: gsstest-1.26.
In addition I made the SNC-Adapter (a GSS-API wrapper, with minor
additions; available by download from the SAP website) from SAP work on
Linux and pass the same test. BTW: The pre-rfc1964 mechanism also passes
the test.
(Note however: Tests can only show the presence of bugs but never their
absence.)
When I use my snckrb5.so adapter together with SAP R/3 (on Linux), I get
the following error message, when trying to establish the security context:
N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI [sncxxall.c 3423]
N GSS-API(maj): A token was invalid
N GSS-API(min): Mechanism is incorrect
N Unable to establish the security context
N <<- SncProcessInput()==SNCERR_GSSAPI
M *** ERROR => ThSncIn: SncProc...
RE: is that common to use kerberos authentication for SUN iplanet LDAP server? #2
Markus,
I know SASL/GSSAPI can do encryption according to the document;
however, I tried a while back to enable the encryption against AD while
doing Kerberos authentication in my C program but failed. Did you really
enable the encryption successfully in the program? If so then I must
be missing something then....
Thanks.
-Kent
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Markus Moeller
Sent: Thursday, September 01, 2005 12:24 PM
To: kerberos@mit.edu
Subject: Re: is that common to use kerberos authentication for SUN
iplanet LDAP server?
Craig,
you say you use SASL + SSL. As far as I know SASL/GSSAPI can do
encryption
too. What was the reason not to use SASL/GSSAPI with encryption. And
example
is AD, which can be accessed via SASL/GSSAPI with encryption.
Thanks
Markus
"Craig Huckabee" <huck@spawar.navy.mil> wrote in message
news:4316DEC8.5060809@spawar.navy.mil...
> Kent Wu wrote:
>>
>> So my question is that is it pretty easy to enable Kerberos for
SUN
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our
copy
> against MIT Kerberos 1.3.x and use MIT KDCs. I think the binary
versions
> they sold previously also use MIT Kerberos.
>
> We now have several processes that regularly use only GSSAPI/SASL
over
> SSL to authenticate and communicate wi...
Working Kerberos application SAP/Unix server authenticating to Windows AD
We currently have Kerberos running on a Solaris 9 Unix server communicating
with a W2K3 Active Directory. When we attempt to pass through to SAP via
the SAP GUI, the ticket appears to be generating, but we are getting an
error message indicating that the versions of the ticket are different.
Can you advise as to why we would be getting this error? We are trying to
get this into a production environment in the next 2 days. So any quick
advisement is appreciated.
Thank you,
Kim Wineland, PMP
ACS, AMS Project Manager
623-322-6750 - Office
602-738-8113 - Cell
kaw1195 - AOL IM
kwineland@bluestarsolutions.com
Hi,
I had once similar problems. Check, if someone has changed password of the
user, which represents SAP instance in AD after you executed ktpass.
Best regards, vadim tarassov
On Thursday 31 August 2006 01:04, Kimberley Wineland wrote:
> We currently have Kerberos running on a Solaris 9 Unix server communicating
> with a W2K3 Active Directory. When we attempt to pass through to SAP via
> the SAP GUI, the ticket appears to be generating, but we are getting an
> error message indicating that the versions of the ticket are different.
>
>
>
> Can you advise as to why we would be getting this error? We are trying to
> get this into a production environment in the next 2 days. So...
JOB OPENING IN MASS. *** QA / Security Certification / Kerberos authentication protocol / Perm. position ****
My client, a software product development company based in the
Boston area, has an opening for a Quality Assurance Software
Engineer that has specific experiences with security certifications.
The position requires some experiences with Common Criteria
certification methodology, terminology, and formats. Knowledge with
Kerberos authentication protocol is also required.
This is an established, profitable, company with leading edge product
offerings. We are looking for a top performer for this outstanding
company.
Mandatory Requirements include:
- QA experiences with security certifications is required
- Experiences with Common Criteria certification methodology is
required
- Experiences with Kerberos authentication protocol is required.
- Experiences with UNIX and Windows required
- Experiences with any of the major database: Oracle, Sybase,
SQL Server, DB2 would be preferred
- BS technical degree required from a top technical university
- US Citizen or Permanent Residency required
Competitive starting base salary + bonus + full benefits package.
YOUR RESUME WILL NOT BE DISCLOSED TO ANYONE WITHOUT YOUR PERMISSION.
Please EMAIL your resume as a WORD attachment to: tfi@ix.netcom.com
Ben Oifer
Technical Futures, Inc.
18 Washington Street, #205
Canton, MA 02021
Phone: (781) 793-9292
Email: tfi@ix.netcom.com
...