Channel: Software Communities : Popular Discussions - All Things Unix
Viewing all 1046 articles

Stuck with kerberos authentication to Sharepoint

I have to connect to an MS IIS server using a SPNEGO token with a Kerberos ticket inside, exactly as Internet Explorer does it.

If I use Java GSSManager.initiateContext(), it requests tickets with incorrect KDCOptions, dates and some other params I cannot control.

I tried the com.dstc.security lib, and was able to get tickets exactly as Internet Explorer does with a couple of lines:

// kdo (the prepared KDCOptions), d, REALM and password are set up beforehand (not shown)
Credential tgt = kerberos.requestTicketGrantingTicket(new KerberosPassword(password.getBytes()), kdo, new Date(), d, new InetAddress[] {InetAddress.getByName("somename")}, null);
// request the HTTP service ticket using the TGT obtained above
Credential srvt = kerberos.requestServiceTicket(tgt, new PrincipalName(2, "HTTP/server.domain.net"), REALM, kdo);

But how can I use these credentials or tickets to create a SPNEGO token with them inside, the same as I can get with GSSManager.initiateContext()?

problem of vastool user checklogin


Hi experts!

I am a newbie to VAS.

After installing VAS 3.5 on both the server (Windows Server 2003) and the client (Red Hat 5.2) according to the manual,

I failed to log in to the Linux client using a Unix-enabled domain user: test

I tried to run some troubleshooting commands and got the following information:

[root@redhat-head ~]# /opt/quest/bin/vastool user checklogin test
WARNING: NSS lookup (getpwnam) for user test failed, this will almost
certainly mean that you will be unable to log in with a username of test.
This should be fixed before worrying about any other failures.
##I checked /etc/nsswitch.conf, and found everything is ok.

[root@redhat-head ~]# /opt/quest/bin/vastool nss getpwnam test
ERROR: Could not look up user for name: test, error = 2.

[root@redhat-head ~]# /opt/quest/bin/vastool info domain
test.com

[root@redhat-head ~]# /opt/quest/bin/vastool -u host/ attrs test uidnumber gidnumber unixhomedirectory loginshell userprincipalname DistinguishedName
distinguishedName: CN=test,OU=Unix,DC=pera-test,DC=com
userPrincipalName: test@test.com
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/test
loginShell: /bin/bash

I can't find where the problem is.

Any advice?

Thanks in advance!


Could not resolve KDC from DNS SRV record


Using BusinessObjects with Tomcat 5.5 on Windows. We have it configured for Java AD SSO. The BusinessObjects product is using vsj 3.3. We are using a keytab file and when Tomcat starts we get the following error in Tomcat's stdout.log:

com.wedgetail.idm.sso.ConfigException: Could not validate keytab
[caused by: GSSException: Failure unspecified at GSS-API level
(Mechanism level: com.dstc.security.kerberos.KerberosConfigException:
Could not resolve KDC from DNS SRV record: 
java.net.UnknownHostException:
au-elitepdc.domain.com)]

IBM DB2 LDAP Plugin and Vintela DB2 Security Plugin


What is the difference between the DB2 LDAP Plug-in provided by IBM and the DB2 Security Plug-in for LDAP from Vintela? Are they the same product? We just converted our IBM SP MPP server from NIS to VAS and have been experiencing random ADM13001E errors during heavy usage on AIX 5.3 with UDB 9.5 (see DB2 log below).


2009-06-23-00.04.31.104862-240 I1220A477          LEVEL: Error
PID     : 4776414              TID  : 4884        PROC : db2sysc 3
INSTANCE: udbcdwp              NODE : 003         DB   : CDWPDB
APPHDL  : 3-2246
EDUID   : 4884                 EDUNAME: db2agent (CDWP) 3
FUNCTION: DB2 Common, Security, Users and Groups, secValidatePasswordPlugin, probe:20
DATA #1 : String, 94 bytes
db2ldapGetUserDN:LDAP search failed with ldap rc=81 (Can't contact LDAP server)user='cdwmgr'

and

2009-06-23-00.50.36.538464-240 E155194A727        LEVEL: Severe
PID     : 4309120              TID  : 772         PROC : db2acd 8
INSTANCE: udbcdwp              NODE : 008
EDUID   : 772                  EDUNAME: db2acd 8
FUNCTION: DB2 UDB, bsu security, sqlexGetDefaultLoginContext, probe:150
MESSAGE : ADM13001E  Plug-in "IBMLDAPauthclient" received error code "-1" from
          the DB2 security plug-in API "db2secGetDefaultLoginContext" with the
          error message "LDAP WhoAmI: can't determine LDAP user associated with
          OS user 'udbcdwp': LDAP error while searching for AuthID. Userid
          attribute='cn'  AuthID attribute='cn' user objectClass='user'  user
          base DN='dc=fhlmc,dc=com'".


MAV and cross-forest authentication problems

Our setup is as follows:

====
2 Windows 2003 functional-level forests, FOO.COM and BAR.COM, that mutually (two-way) trust each other.
  FOO.COM <-- forest trust --> BAR.COM

Furthermore, there's a domain A.FOO.COM that belongs to the FOO.COM forest.  There's another domain B.BAR.COM belonging to the BAR.COM forest.  There's a one-way outgoing external trust from A.FOO.COM to B.BAR.COM.
  A.FOO.COM -- external trust --> B.BAR.COM
====

The behavior we're seeing is that when a user from B.BAR.COM attempts to access a website on A.FOO.COM, the user gets a basic auth challenge for their ID/password. The user would enter the credentials they have from B.BAR.COM and they would get successfully authenticated. This seems to indicate the proper trust relationships are in place.

What we're trying to understand is why SPNEGO/Kerberos is not taking place.  Can MAV (or rather VAS) handle AD referrals?  Do we need to raise the trust level between our domains?

Any thoughts appreciated.  Thanks.

P.S.  The underlying VAS version we're using is:  3.3.1.101

Putty 0.62 session menu with Windows 7


I've recently upgraded to Windows 7, and am enjoying the menu of open PuTTY sessions displayed when I hover my mouse over the PuTTY icon in my toolbar. HOWEVER, one aspect which bothers me is how the menu displays. Initially it displays a horizontal list of icons for each session, expanding the list up to 10 sessions, after which it transforms that list to a vertical list of lines in a single window, one line for each session. My issue is that once the horizontal list exceeds 6 sessions, the session names contained in the icons get truncated from the right to the point that they are no longer unique, rendering them useless. Consequently, once I open a 7th session, I proceed to open another 4 simply to maintain the usability of my session menu. Does anyone know a way to customize either the point at which the menu transfers to a horizontal list, or the session name truncation so that it truncates from the left instead of the right?

Auth Services and Domain Trusts


Hi,

Looking for some help and advice.

I have an Active Directory that I administer and can install Auth Services into. Within this AD I have some admin users that need access to Red Hat machines, all no problem with Auth Services. However, my question is this.

If the AD at the other end of the trust has users that I need to "Unix enable", so they can also access the Red Hat machines using their AD accounts, is that possible?

Note - the other AD is managed by another company and I have no possibility of getting anything installed or changed other than a trust established.

Can anyone help/suggest if this is possible?

Thanks,

Steve

Authentication failing for user


Hi all,

Recently we have migrated our environment from WebLogic 8.1 to WebLogic 10.3 and from Sun Java to JRockit 6 provided by Oracle.

After migrating our code to the new environment, user authentication on VSJ is failing. I am seeing the errors below in my logs for the failures:

Error Message:Successfully got TGT for rajeev_yadav@amer.dell.com but failed to do GSSAPI to HTTP/salesedge.dell.com@AMER.DELL.COM [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Message not sent, max time exceeded.)]

Any urgent help on this issue is appreciated.


Configuring VSJ for multiple domains for a web/stand alone JAVA client.


Background:

We have an existing Kerberos utility (developed using the Sun GSS API), which can be used by either a web application or a standalone Java-based application to accept a service ticket for a specific service or delegate GSS credentials to fetch a service ticket for another service.

Requirement:

Since our utility was developed using the Sun GSS API, it only works if all the services exist in a single domain, as the Sun GSS API cannot understand reference tickets generated for cross-domain authentication.

We now plan to develop this utility so that it can communicate with services that exist in multiple domains; for this purpose we are planning to use VSJ. We still want the client to remain the same (either a web application or a standalone application) for this utility.

1. Is there a way to integrate VSJ with the existing Kerberos utility (just by providing the VSJ security provider), so that the cross-domain authentication is successful without changing the existing utility code?

2. If step 1 is not possible, what configuration steps/additional VSJ APIs need to be used to achieve cross-domain functionality? If any specific guide/documentation/pointers are available, please point me to them.

Thanks,
Naga


VAS GSSAPI Error 851968 (gss_init_sec_context)

We are getting the major error code 851968 (and minor code 0) while using the GSS API flavor of the VAS APIs on Linux x64.

Our Linux machine has VAS installed (including vasdev) and is joined to our AD domain. We are able to compile and execute the two samples provided with the SDK successfully and are now trying to get the GSS API style token from the VAS APIs. The sequence of calls leading to init security context is as follows:

vas_ctx_alloc
vas_id_alloc
vas_id_establish_cred_password
vas_gss_initialize
vas_gss_acquire_cred
gss_import_name
gss_init_sec_context

Is there something we're missing?

Netgroups using AD native groups

I have posed this to VAS product management (Eyes, Wilson) but am interested to see whether others are interested in supporting netgroups from native AD groups, i.e. a netgroup triple exposed from NSS but with the data held in native AD groups rather than RFC 2307 netgroup objects.

Any potential gotchas with this solution (apart from the fact that AD becomes one "NIS" domain and a flat name space for netgroups)? Do any platforms not support netgroups through NSS for anything other than NIS? I am not talking about using the NIS ypdaemon but the equivalent of nss_ldap.

Since netgroups are the UNIX equivalent of AD distribution groups and do not impact gid security group limits this appears to be an interesting option.

using vastool to perform LDAP queries

Pardon me if there is another subject related to this question already.

I am a recent QAS/VAS customer, and am performing discovery and preparation to convert all AIX/Linux boxes in our environment to leverage AD with QAS.

We have about 1200 users across several hundred servers, and I have created a de-duplicated list of all users across all UNIX boxes.

I want to know if there's a way with vastool or some other tool to query the Domain Controller and find out which users are "disabled" in AD, and also find out which users do not have a match in AD.

Some users will have the same Unix username as their SAM account name in AD, some will not; this will help me to find out which ones I need to have special cases for, and which are valid users that I need to Unix enable in AD. Identifying the disabled users would allow me to remove potentially hundreds of users from my master user list and also clean them off locally on all the UNIX boxes.

I'm not very experienced but it seems like some form of "vastool search" might be able to provide such information?

Support for apache httpd 2.4?

Do you know if mod_auth_vas will work with Apache httpd 2.4? Or if there is any intention to support this, and if so what time frame this version is likely to be supported in?

Thanks,
Paul

Not seeing correct AD group membership using vastool


We have an AD group 'foo'. User Abe is added to it using AD tools.

I cannot see this user in the group using vastool on Solaris. And of course the user cannot log in.

$ vastool list groups | grep foo

foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com

$

I've executed vastool flush to no effect.

What am I doing wrong?


Using VAS Apache Module on Multiple Apache instances


Hi all,

- I have a web server configured with 2 Apache instances, each instance running as a different user and port.

- I configured the VAS module for Active Directory authentication on both instances.

- So now the problem is that in one instance the VAS authentication is working really well, and in the other one we're having problems. It's always requesting credentials when you try to access any websites hosted on this second instance.

The strange thing is that in the first instance, every website is working correctly and it's taking credentials automatically from the browser.

Has anyone seen this kind of behavior?

Thanks in advance,

Obed N Munoz

VAS AD account administration

Hi

At one of the VAS sites that I work at, I will be creating web scripts for Unix/AD account administration. I plan on using vastool, uptool and old NIS utils on a Solaris web server/NIS server.

What approach do you recommend?

One of the issues right now is that Unix users lock themselves out and then we have to manually unlock them from the Windows AD/DC tool. Is there a way to unlock them from the Unix command line? Or remotely via RPC/Samba?



Error in Service Module


RHEL 6.1

Machine is joined to domain, AD account is able to login to other QAS machines.

Whenever I attempt to log in from the main screen I just get the error "Error in Service Module".

Any thoughts?

QAS 4.1 Pre-release testing


If there are any other customers that would like to test out the 4.1 pre-release, please email glen.davis@quest.com for more information. You can test by putting the new agents on some servers, or using the updated management tools, or both.

Thanks,

Glen Davis

Product Manager
