Microsoft SSPI error - Security System was unable to authenticate to the server HTTP/host because the server has completed the authentication, but the client authentication protocol Kerberos has not

Hello,

I have a configuration of Active Directory 2003 R2 SP3 working with
Linux mod_auth_kerb.
I use SPNEGO for Subversion.
When using Linux, all works great!
When using Windows XP (and Windows 7), the Firefox/IE/CIFS clients work great.

The problem is Subversion, which uses neon; it gets the following:
---
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
auth: SSPI challenge.
InitializeSecurityContext [fail] [80090304].
sspi: initializeSecurityContext [failed] [80090304].
---

In the Windows event log I see the following:
---
Event Type:	Warning
Event Source:	LSASRV
Event Category:	SPNEGO (Negotiator)
Event ID:	40962
Date:		10/3/2011
Time:		3:55:38 PM
User:		N/A
Computer:	VALON
Description:
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
has not.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---

Has anyone seen this before?
I tried many configurations, but without success:
---
Gentoo
---
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-servers/apache-2.2.21
www-apache/mod_auth_kerb-5.4 -> also downgraded to mod_auth_kerb-5.1
net-fs/samba-3.5.11
app-crypt/mit-krb5-1.9.1 -> also downgraded to 1.6.3
---

The strange thing is that I have a CentOS server on the same network
with *MUCH* older packages and it does work...
---
CentOS
---
openssl-0.9.8e-20.el5
httpd-2.2.3-53.el5.centos.1
mod_ssl-2.2.3-53.el5.centos.1
mod_auth_kerb-5.1-3.el5
samba-3.0.33-3.29.el5_7.4
krb5-workstation-1.6.1-62.el5
---

I cannot reach this old state on Gentoo, but I cannot explain the
difference between the two machines; I use the same procedure to add
them to the domain:
<edit smb.conf>
net ads join
net ads keytab create
net ads keytab add HTTP cifs

The same configuration for both.

I don't know how to activate logs on the Microsoft end...
I tried to add Lsa\Kerberos\Parameters debug and logging keys, but
nothing is generated.

Any clue?

Thanks,
Alon.
10/3/2011 2:12:30 PM
comp.protocols.kerberos
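
The Negotiate token in the neon trace above can be decoded offline to see what the server actually sent with its 201 response. The following is an added example, not part of the original post and not code from neon or mod_auth_kerb: a minimal DER walker (all function names are my own) applied to the token from the post, joined across its line wraps.

```python
import base64

KRB5_OID = "1.2.840.113554.1.2.2"
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}

# Token from the neon debug output in the post, joined across its line wraps.
TOKEN_B64 = (
    "oYGfMIG"
    "coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA"
    "DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u"
    "DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2"
)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns the buffer")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Yield (tag, value) for each DER element concatenated in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_oid(body):
    """Dotted form of an OBJECT IDENTIFIER's content bytes (first arc 0 or 1)."""
    if not body:
        raise ValueError("empty OBJECT IDENTIFIER")
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_krb5_gss_token(resp):
    """Name the Kerberos message in a GSS-API framed token; etype if AP-REP."""
    info = {"krb5_message": None, "etype": None}
    tag, body, _ = read_tlv(resp)
    if tag != 0x60:  # not GSS-API initial-token framing
        return info
    otag, oid, pos = read_tlv(body)
    if otag != 0x06 or decode_oid(oid) != KRB5_OID:
        return info
    info["krb5_message"] = KRB5_TOK_IDS.get(body[pos:pos + 2], "unknown")
    if info["krb5_message"] == "AP-REP":
        ap_rep = read_tlv(read_tlv(body, pos + 2)[1])[1]  # [APPLICATION 15] -> SEQUENCE
        for tag, field in children(ap_rep):
            if tag == 0xA2:  # enc-part [2] EncryptedData
                for etag, efield in children(read_tlv(field)[1]):
                    if etag == 0xA0:  # etype [0] INTEGER
                        info["etype"] = int.from_bytes(read_tlv(efield)[1], "big")
    return info

def decode_negotiate(b64_token):
    """Decode the SPNEGO NegTokenResp carried in 'WWW-Authenticate: Negotiate'."""
    tag, body, _ = read_tlv(base64.b64decode(b64_token))
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp (expected context tag [1])")
    out = {"negState": None, "supportedMech": None}
    for tag, field in children(read_tlv(body)[1]):
        inner = read_tlv(field)[1]  # unwrap the EXPLICIT context tag
        if tag == 0xA0:
            out["negState"] = NEG_STATES.get(inner[0], "unknown")
        elif tag == 0xA1:
            out["supportedMech"] = decode_oid(inner)
        elif tag == 0xA2:
            out.update(parse_krb5_gss_token(inner))
    return out
```

For the token in the post, `decode_negotiate(TOKEN_B64)` reports negState accept-completed, mechanism 1.2.840.113554.1.2.2 (Kerberos 5) and an AP-REP with etype 23 (RC4-HMAC). That is the server finishing and returning its mutual-authentication reply, the state event 40962 describes, so the failure lies in the client's handling of that reply.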
