Microsoft SSPI error
I have a configuration of Active Directory 2003 R2 SP3 working with
I use SPNEGO for Subversion.
When using Linux, all works great!
When using Windows XP (and Windows 7), the Firefox/IE/CIFS clients work great.
The problem is Subversion, which uses neon; it gets the following:
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
auth: SSPI challenge.
InitializeSecurityContext [fail] .
sspi: initializeSecurityContext [failed] .
In the Windows event log I see the following:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40962
Time: 3:55:38 PM
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
For more information, see Help and Support Center at
Has anyone seen this before?
I tried many configurations, but without success:
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-apache/mod_auth_kerb-5.4 -> also downgraded to m...
New IP or rename a kerberos server
Is it easy to change the IP or rename (move) a kerberos server?
Obviously config files need adjustment, but the realm remains the
same. But has the hostname/IP the server was installed and set up
with somehow been salted into the keytab?
Or is it time to tear down, reinstall, and set up, again?
...Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to
use a windows 2003 server as our Kerberos server, along with our
openldap on solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The LDAP tree is fully populated and working properly. With our
current nsswitch.conf, logins work using the LDAP directory (with
posixAccount & shadowAccount records), as does a getent passwd
Also, we have our Windows 2003 server's directory set up with named
users, and with our current pam.conf, we can authenticate aga...
MIT Kerberos or Heimdal Kerberos?
How do I know whether the server installed in the system is MIT Kerberos or Heimdal?
I'm using FreeBSD 5.2.1
...Exchange Server and Campus Kerberos server?
I hope this is the right place to post this query - if not, I apologize.
Does anyone have any experience with Exchange Server and Kerberos who might be
willing to talk to someone from another University. I have no experience with
either kerberos or exchange and would be unable to answer their questions. If
you are interested, please contact BK directly.
--------- attached email ----------
I've been contacted by a Director of Network Security at a
Mid-Atlantic-based University who is looking to speak with a peer
that has experience syncing up an Exchange server to a campus-wide
Do you think the folks on IT Partners would know themselves or of
someone who might have such experience?
Feel free to have them contact me directly.
Dir. of Partner Member Services & Research
Institute for Applied Network Security
15 Court Square, Suite 1100
Boston, MA 02108
----- End forwarded message -----
...Kerberos Web Server to file Server
Is Kerberos delegation needed to write a file from a web app to a
file server within the same network? If so, I will be setting up
constrained delegation. The problem is what is the service on the file
server that I will let the web service be delegated for?
Could you help me with where I can find and download
a Kerberos SERVER please.
Thanks a lot.
<email@example.com> wrote in message
> Could you help me with where I can find and download
> a Kerberos SERVER please.
> Thanks a lot.
Ever heard of Google?
...Changing master key (Kerberos authentication server+LDAP database)
Is it possible to change the master key of a realm when LDAP is used
as the database server? The stash file is not present since LDAP is
used. Appreciate any help on this.
...Kerberos master/master sync using OpenLDAP N-Way Multi-Master
I haven't seen this idea posted anywhere. The new version of OpenLDAP (I'm
using 2.4.15) has the ability to run in a multi-master mode. I was able to
set up two servers that each ran a Kerberos instance as well as an OpenLDAP
instance that had LDAP and Kerberos failover. I now don't need to worry
about doing any sync with Kerberos, as LDAP does it all. I can also run
kadmin against either of the Kerberos servers. Some tests I did that were
pretty successful were:
kdc = kdc01.security.lab.comcast.net:88
kdc = kdc02.security.lab.comcast.net:88
Turn off kdc on kdc01 -> successfully authenticated with kdc02
Turn on kdc but turn off ldap on kdc01 -> successfully authenticated with
The failover works exactly as I expected.
...Once a week Kerberos failure between IIS6 web server and SQL Server 2000 db server
Regularly, once a week, we get problems with a Kerberos failure on
our intranet application. Kerberos is set up with Constrained Delegation
and Protocol Transition.
...Can one install MIT Kerberos master server on PC with dynamic IP assigned?
I have a headless PowerPC box on which I'm running the Debian GNU/Linux 7.5
(wheezy) operating system.
This box gets its IP address from my ISP dynamically via DHCP.
Can I install and set up an MIT Kerberos master server on this box, or must
I request a fixed IP address for this purpose?
Regards from Paul
...AD Server returning server not found kerberos database
I am using MIT Kerberos to mutually authenticate with another user
(Kerberos server: AD server).
It is working fine with my newly installed Active Directory. But
when I try to work with my company AD
server to get a service ticket for a particular user, I am getting "Server not
found in Kerberos Database".
But that user is there in AD. Is there any option I can change to get it to work?
I want to know which option in AD makes mutual authentication between
user and user fail.
Do I need to use setspn to add a service principal?
Please help me.
...migration from Kerberos 4 to Kerberos 5
I have a few questions about migration to a new Kerberos version. In
fact, the goal is to migrate a network with Kerberos 4 to the Kerberos
1) Do I have to reinstall Kerberos from scratch, or are there
packages that allow updating the version?
2) What about the users that I created: are they still valid, or will
user information be lost? Part of the network already uses an LDAP
directory; I suppose this will not be a problem for this part, but
in general, how can I migrate my user accounts to the new version?
3) What about the clients: do I have to reinstall the Kerberos client
on each workstation, or can I use the "old" Kerberos clients?
Could anybody answer my questions and perhaps give me some good hints
for the migration, or point me to some good documents?
...FTP and Kerberos
I get the following Kerberos-related error
when I do FTP from another machine (Red Hat 9.0)
to my machine (Red Hat 9.0).
How do I solve this problem?
Should I need to start/stop some daemons?
Here is what happens when I do FTP:
Connected to 188.8.131.52.
220 localhost.localdomain FTP server (Version 5.60)
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: No credentials cache found
GSSAPI error: in...
MIT Kerberos and Solaris 10 Kerberos
We run a number of Solaris 8 systems using Sun's SEAM PAM implementation
and MIT's Kerberos (which we're up to date on). We are starting to look
at Solaris 10, and are hoping to move towards Sun's implementation of
Kerberos. We are having a bit of trouble getting the two to talk
If we SSH (from production to test, for example) to a Solaris 8 machine,
then we can rlogin (Kerberized) to the Solaris 10 machine and, from
there, rlogin to a Sol8 machine again. If, however, we SSH directly to
the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing
various experiments (for example, trying to ksu on the Sol 10 machine),
the only error we ever get is:
WARNING: Your password may be exposed if you enter it here and are
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for ux5p@ATCOTEST.CA: :
ksu: Server not found in Kerberos database while geting credentials from
Doing an rlogin to a Sol 8 machine gives no errors at all; it just
The above error seems to indicate that the Solaris 10 Kerberos isn't
passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon
certain differences, would not be a big surprise). Has anyone gotten
this to work? The Sol 10 system is using the default Solaris 10 PAM
implementation as well; not sure if this is part of the problem, but the
configuration files are significantly different. Th...
Kerberos Administration Protocol
I'm looking for an open source Java implementation for the Kerberos
administration protocol, for changing password, getprinc,
delete_principal and so on. The main goals for kadmin, for
the MIT implementation.
Are there any libraries?
If not, I would try to do an ad hoc implementation. Are there
documents? The only draft that I can see is
> Date: Tue, 02 Jun 2009 15:28:32 +0200
> To: firstname.lastname@example.org
> From: "email@example.com" <firstname.lastname@example.org>
> Subject: Kerberos Administration Protocol
> I'm looking for an open source Java implementation for the Kerberos
> administration protocol, for changing password, getprinc,
> delete_principal and so on. The main goals for kadmin, for
> the MIT implementation.
> Are there any libraries?
> If not, I would try to do an ad hoc implementation. Are there
> documents? The only draft that I can see is
As it happens, I do have something that might be the start at this.
It could stand a bit more "polishing" before being released,
and at the moment, it's not on our priority list. If this is
something of interest to you, we should certainly talk.
You won't be at afsbpw 2009, by any chance?
What I have ...
Replacing the system Kerberos with MIT Kerberos (from ports)
Is there a way to replace the Heimdal Kerberos libraries included in the FreeBSD
base system with the MIT Kerberos libraries installed from the security/krb5
port? I know about the KRB5_HOME make option. I'm concerned about other
"Kerberized" applications not working properly because they use the wrong client
libraries, hence my desire to completely replace Heimdal with MIT Kerberos.
The Heimdal Kerberos libraries shipped with the FreeBSD base system don't
support TCP, so when a KDC replies to a client request with a response larger
than the maximum UDP packet size, the Kerberos libraries return an error to the
client instead of switching to TCP (which can handle large responses). I
routinely encounter this problem when integrating FreeBSD servers and
workstations into Windows Active Directory domains, where the KDC responses
include additional authorization data derived from a security principal's group
memberships: Samba's "net ads join" command fails with a "response too big
for UDP, retry with TCP" error when linked against Heimdal, but it succeeds (and
everything else works properly) when linked against MIT Kerberos.
(Note that I'm not willing to debate the semi-standard/non-standard inclusion of
authorization data in a Kerberos ticket's PAC, nor am I willing to argue the
applicability of the aforementioned operating systems to their assigned tasks.)
I've seen a number of posts regarding similar issues, but none with
Maybe I'll be lucky...
Trying to join a Linux samba box to a Win2k Domain via ADS..
Have used 'net join -U administrator%password'
then get a list of errors about 20 lines long similar to this.
"kerberos_knit_password email@example.com failed: Client not found in
But, it *does* join the domain and I can see and use the share....
Is there anything to worry about??
I have a Kerberos server set up, and it works fine with
iSeries Navigator. I have to create an AS400 object now
using Java and a Kerberos ticket; has anyone done it
successfully? Does anyone have any code sample?
"polilop" <fmatosicSKINI@inet.hr> burped up warm pablum in
> I have a Kerberos server set up, and it works fine with
> iSeries Navigator. I have to create an AS400 object now
> using Java and a Kerberos ticket; has anyone done it
> successfully? Does anyone have any code sample?
You should read: http://publib.boulder...
Monitoring your Kerberos servers?
I'm a bit surprised to find (or rather not finding) that there
doesn't seem to exist much in a way of monitoring software for
Kerberos servers/services... What _are_ people using to make sure
that their KDC's are up and running, *and* containing valid data?
I've now experienced, a couple of times, confusing system behaviour
due to KDCs not running or KDC slaves containing old/stale data...
The last such occurrence was fun: the primary KDC server had, due
to some unknown event, shut down the "kdc" service. However, the
"kadmin" service was still running.
So I would use 'kadmin' to add new principals to the database,
and/or ktadd updated ones to hosts' keytabs, and then get very
confusing errors since the remaining slave KDC would use the
old data (since it couldn't contact the master KDC to get
the updated database records)...
Specifically I'd like to see a Nagios plugin that can be
directed to talk to a *specific* KDC (not just the first one that
answers from the list in krb5.conf) to check that the KDC service
I'd also like some Nagios plugin that can check that slave
KDC's contain valid up-to-date data by comparing things with
the master KDC...
(I've solved the second part with a special hack for Solaris
Kerberos that has a "kproplog" utility)
Peter Eriksson <firstname.lastname@example.org> Phone: +46 13 28 2786
Computer Systems Manager/BOFH Cell/G...
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather than implementing kafs in MIT Kerberos, I would like to
suggest an alternative which has advantages for all parties.
The OpenSSH sshd needs to do two things:
(1) sets a PAG in the kernel,
(2) obtains an AFS token storing it in the kernel.
It can use the Kerberos credentials obtained either via GSSAPI
delegation, PAM, or other Kerberos login code in the sshd.
The above two actions can be accomplished by a separate process,
which can be forked and exec'd by the sshd and passed the environment,
which may have a KRB5CCNAME pointing at the Kerberos ticket cache
Other parameters ...
New features for kerberos
I'm an Italian student at the Polytechnic University of Marche (Faculty of Engineering). I'm working on Kerberos 5 for a university project.
I would like some information on the future developments of Kerberos and on its use for new applications.
...RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response.
> > We run a number of Solaris 8 systems using Sun's SEAM PAM
> > and MIT's Kerberos (which we're up to date on). We are
> starting to look
> > at Solaris 10, and are hoping to move towards Sun's
> implementation of
> > Kerberos. We are having a bit of trouble getting the two to talk
> > properly, however.
> I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos.
> It is linked directly with the Solaris Kerberos libraries (private).
I am trying to get the Solaris Kerberos (SEAM) on the Sol 10 system to
talk to the MIT Kerberos on the KDC and other Solaris 8/MIT systems.
> Solaris 10 Kerberos interops very well with MIT, Heimdal, and
> It has support for all of the enctypes (AES, RC4, 3DES, DES) finally.
But I can't seem to get it to work.
> > If we SSH (from production to test, for example) to a
> Solaris 8 machine,
> > then we can rlogin (Kerberized) to the Solaris 10 machine and, from
> > there, rlogin to a Sol8 machine again. If, however, we SSH
> directly to
> > the Solaris 10 machine, we cannot rlogin to a Solaris 8
> machine. Doing
> > various experiments (for example, trying to ksu on the Sol
> 10 machine),
> > the only error we ever get is:
> > ksu
> > WARNING: Your password may be exposed if you enter it here and are
> ...
Moving Kerberos to the Cloud?
The higher-ups asked: Feasibility of moving the University's MIT
Kerberos authentication critical service infrastructures to the Cloud?
Has any of the Higher-Education institutions out there done or thought
about doing this, and how feasible was it?
I have my own personal view regarding this question, I am sure you can
guess it, but was curious what others thought.
Apologies if this topic has been covered before.
ITS Middleware - 10900 Euclid Avenue, Crawford 422
Cleveland, OH 44106-7072 U.S.A.