Single Sign-On for Java 7 Not working

August 26, 2013, 5:36 am

≫ Next: Processing order of user-overrides if directory is used

≪ Previous: Getting error while initializing AuthFilter against MIT Kerb server

Hi,

We have been using winSSPI.dll on client side from 3.2 package. This dll is not working anymore in JDK 7.

The exception trace as follows :

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: OS name = 'Windows 7', version = '6.1'

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: isKerberosOS = true, isSessionKeySupported = true

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: calling native method ...

[winSSPI.dll] initialize

[winSSPI.dll] initialize: done

[INFO] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: Successfully initialized Windows SSPI

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: acquireCredentialsHandle: calling native method ...

[winSSPI.dll] acquireCredentialsHandle

[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: loadCredential: result = 0

Attempting initContext with principal: HTTP/appsec001.gaia.net.intra

initContext failed with principal: HTTP/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

Attempting initContext with principal: HOST/appsec001.gaia.net.intra

initContext failed with principal: HOST/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

initContext failed with all attempted principals

java.security.PrivilegedActionException: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)

at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)

at weblogic.security.Security.runAs(Security.java:61)

at security.role.TestKerberosEJBCall.main(TestKerberosEJBCall.java:32)

Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created

at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:606)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)

at javax.security.auth.login.LoginContext.login(LoginContext.java:594)

at security.role.TestKerberosEJBCall$1.run(TestKerberosEJBCall.java:35)

at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)

... 3 more

Any ideas if any newer version or patch is supporting both JDK 7 64 & 32 bit ?

Thanks in advance.

↧

Processing order of user-overrides if directory is used

September 4, 2013, 6:22 pm

≫ Next: Support for apache httpd 2.4?

≪ Previous: Single Sign-On for Java 7 Not working

I'm look at putting together a solution for a rather complex user-override situation - using the user-override-directory -

I've configured vasd to use the directory - and it appears to do so - however . . . there is no indication of what order the files in the directory are processed / searched ? I've tried experimenting with file names to see if it's alphanumeric based on file name - however that does not seem the case . . . .

The man pages seem to indicate that the files are processed until a match is reached - if it is . . . how can I determine the order of file searching ?

eg - If a user two differant overrides defined in two files in the directory - which one is used ?

Added log file showing wierd, unpredictable processing of files

TIA

↧

Support for apache httpd 2.4?

March 1, 2012, 4:18 am

≫ Next: Segmentation fault when mod_auth_vas finds no matches

≪ Previous: Processing order of user-overrides if directory is used

Do you know if mod_auth_vas will work with Apache httpd 2.4? Or if there is any intention to support this, and if so what time frame this version is likely to be supported in?

Thanks,
Paul

↧

Segmentation fault when mod_auth_vas finds no matches

June 1, 2012, 6:51 am

≫ Next: Not seeing correct AD group membership using vastool

≪ Previous: Support for apache httpd 2.4?

Hello,

We are using mod_auth_vas.so 3.6.7 with Oracle HTTP Server which is effectively Apache 2.0. Recently, we have noticed that an Apache process is terminated with a segmentation fault in case of mod_auth_vas trying to match the requestor's name to the list of allowed user names and but not finding it there. The client's browser receives 401 in this case. Could you please help with it?

Please find an excerpt from the error log

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1581: [mod_auth_vas] authenticated user: 'Dmitry_Donetskov@EMEA.DELL.COM'

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1037: [mod_auth_vas] auth_vas_auth_checker: user=Dmitry_Donetskov@EMEA.DELL.COM authtype=VAS

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1055: [mod_auth_vas] requires->nelts = 3

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:541: [mod_auth_vas] match_user: name=ServiceSFDCWPSIT@emea.dell.com RUSER=Dmitry_Donetskov@EMEA.DELL.COM

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:38.8683+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:490: [mod_auth_vas] set_user_obj

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:574: [mod_auth_vas] match_user: user does not match

[2012-06-01T14:14:38.8708+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=ServiceSFDCWPSIT,OU=Service Accounts,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.8709+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "ServiceSFDCWPSIT@emea.dell.com" -> FAIL

...........

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:584: [mod_auth_vas] match_user: <CN=Alexey_Lysak,OU=Users,OU=Non Dell,DC=emea,DC=dell,DC=com> <CN=dmitry_donetskov,OU=Users,OU=Moscow,DC=emea,DC=dell,DC=com> no-match

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1100: [mod_auth_vas] require user "Alexey_Lysak@emea.dell.com" -> FAIL

[2012-06-01T14:14:38.9545+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_auth_vas.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [tid: 1144846656] [user: oracle] [ecid: 004kMZrRnhR6uHC_NDG7ye0003a7000007] [rid: 0] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_auth_vas.c:1422: [mod_auth_vas] rnote_get: reusing existing rnote

[2012-06-01T14:14:39.4014+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [mod_ssl.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] mod_ssl.c:633: Connection to child 0 established (server ausvmqtcdevap19.us.dell.com:8044)

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:720: inside shmcb_retrieve_session

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:732: id[0]=4, masked index=4

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1197: entering shmcb_lookup_session_id

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:983: entering shmcb_expire_division

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1207: loop=0, count=1, curr_pos=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1211: idx->s_id2=47, id[1]=47, offset=0

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1228: at index 0, found possible session match

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:1247: a match!

[2012-06-01T14:14:39.4016+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:748: leaving shmcb_retrieve_session

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_scache_shmcb.c:435: shmcb_retrieve had a hit

[2012-06-01T14:14:39.4017+01:00] [OHS] [INCIDENT_ERROR:32] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 27201] [tid: 1099520320] [user: oracle] [VirtualHost: ausvmqtcdevap19.us.dell.com:8044] ssl_engine_kernel.c:2304: Inter-Process Session Cache: request=GET status=FOUND id=042F8428065947E3DA8D7A7B77690889 (session reuse)

[2012-06-01T14:14:39.6975+01:00] [OHS] [NOTIFICATION:16] [OHS-9999] [core.c] [host_id: ausvmqtcdevap19.us.dell.com] [host_addr: 10.166.44.87] [pid: 14727] [tid: 47292192636960] [user: oracle] [VirtualHost: main] mpm_common.c:475: child pid 27200 exit signal Segmentation fault (11), possible coredump in /u01/app/oracle/fusion/mw_1/Oracle_WT1/instances/instance1/config/OHS/ohs1

Message was edited by: dmitry_donetskov_265

↧

Not seeing correct AD group membership using vastool

May 22, 2013, 8:55 am

≫ Next: WinSSPI not supported on this platform

≪ Previous: Segmentation fault when mod_auth_vas finds no matches

We have an AD group 'foo'. User Abe is added to it using AD tools.

I cannot see this user in the group using vastool on Solaris. And of course the user cannot login.

$ vastool list groups | grep foo

foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com

I've executed vastool flush to no affect.

What am I doing wrong?

↧

WinSSPI not supported on this platform

May 24, 2013, 2:58 pm

≫ Next: Putty 0.62 session menu with Windows 7

≪ Previous: Not seeing correct AD group membership using vastool

I am new to Kerberos. When attempting to build a Kerberos credential, I call:

com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.getInstance();

For some people this causes:

Caused by: GSSException: Failure unspecified at GSS-API level

at com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.<init>(WinSSPIGSSManager.java:86)

at com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.getInstance(WinSSPIGSSManager.java:109)

... 33 more

Caused by: com.dstc.security.kerberos.winSSPI.SSPIException: WinSSPI not supported on this platform (Windows XP)

at com.dstc.security.kerberos.winSSPI.SSPI.initialize(SSPI.java:304)

at com.dstc.security.kerberos.winSSPI.WinSSPIGSSManager.<init>(WinSSPIGSSManager.java:84)

... 34 more

For others, it works fine. I have also seen "WinSSPI not supported on this platform (Windows 7)" on Windows 7 machines.

What does that error indicate? Where can I begin debugging?

↧

Putty 0.62 session menu with Windows 7

June 17, 2013, 8:18 am

≫ Next: Cannot run AdPrep on domain

≪ Previous: WinSSPI not supported on this platform

I've recently upgraded to Windows 7, and am enjoying the menu of open putty sessions displayed when I hover my mouse over the putty icon in my toolbar. HOWEVER, one aspect which bothers me is how the menu displays. Initially it displays a horizontal list of icons for each session, expanding the list up to 10 sessions, after which it tranforms that list to a vertical list of lines in a single window, one line for each session. My issue is that once the horizontal list exceeds 6 sessions, the session names contained in the icons get truncated from the right to the point that they are no longer unique, rendering them useless. Consequently, once I open a 7th session, I proceed to open another 4 simply to maintain the usability of my session menu. Does anyone know a way to customize either the point at which the menu transfers to a horizontal list, or the session name truncation so that it truncates from the left instead of the right?

↧

Cannot run AdPrep on domain

January 21, 2008, 7:44 pm

≫ Next: Using VAS Apache Module on Multiple Apache instances

≪ Previous: Putty 0.62 session menu with Windows 7

I hope this is the right community to post this in.

I have a domain that I need to run adprep on, but it errors out with numerous errors like below.

OID "1.3.6.1.1.1.1.0" defined for object CN=Vintela-uidNumber,CN=Schema,CN=Configuration,DC=xxx,DC=xxx,DC=xxx conflicts with the schema extensions needed for Windows 2003.

[Status/Consequence]

Adprep will not extend your existing schema.
[User Action]

Contact the vendor of the application that extended the schema with the OID value "1.3.6.1.1.1.1.0" and resolve this inconsistency. Then run adprep again.

This domain was 2000 and is now 2003 R2, but I cannot add a DC until I run adprep first.

Is there something that I can do to resolve this?

Mark

↧

Using VAS Apache Module on Multiple Apache instances

May 31, 2013, 8:10 am

≫ Next: Building mod_auth_vas-3,5,3.308 on AIX v5.3 fails

≪ Previous: Cannot run AdPrep on domain

Hi all,

- I have a Web Server configured with 2 Apache Instances, each instance running as different user and port.

- I configured the VAS module for Active Directory Authentication on both instances

- So, now, the problem, is that in one instance the VAS authentication is working really good, and in the otherone,

we're having problems. It's always requesting Credentials when you try to access any websites hosted on this second instances.

The strange thing is that in the first instance, every website is working correctly and it's taking credentials automatically from browser.

Have anyone seen this kind of behavior?

Thanks in advance,

Obed N Munoz

↧

Building mod_auth_vas-3,5,3.308 on AIX v5.3 fails

January 29, 2008, 8:48 am

≫ Next: problem of vastool user checklogin

≪ Previous: Using VAS Apache Module on Multiple Apache instances

I am working to build the mod_auth_vas module with IBM's IHS 2.0.47.0 version of Apache. I am using IBM's C compiler as this is the default of the IHS version. The configure succeeds, but the link fails with the following.

Making all in .
make[1]: Entering directory `/home/wpz1599/mod_auth_vas-3.5.3.308'
for f in mod_auth_vas.c compat.h; do \
cmp ./$f ./$f 2>/dev/null || \
    cp ./$f . ; \
done
/apps/IHS/bin/apxs -c -S CC='/usr/vac/bin/xlc_r' \
        -DHAVE_UNIX_SUEXEC -DMODAUTHVAS_DIAGNOSTIC -DMODAUTHVAS_VERBOSE \
        -DMODAUTHVAS_VERSION='\"3.5.3.308\"' \
        -Wc,-g -Wc,+DAportable \
        -Wc,-I/opt/quest/include \
        -Wl,-bexpall \
        -Wl,-bnolibpath -Wl,-blibpath:/opt/quest/lib:/usr/lib:/lib -Wl,-L/opt/quest/lib -Wl,-lvas -Wl,-L/opt/quest/lib/support -Wl,-lgcc_s \
        -o mod_auth_vas.so \
        -n auth_vas \
        mod_auth_vas.c
/apps/IHS/build/libtool --silent --mode=compile /usr/vac/bin/xlc_r -prefer-pic -O2 -qmaxmem=8192 -U__STR__ -D_THREAD_SAFE -D_USE_IRS -qHALT=E -I/apps/IHS/include -I/apps/IHS/include   -I/apps/IHS/include -g +DAportable -I/opt/quest/include -DHAVE_UNIX_SUEXEC -DMODAUTHVAS_DIAGNOSTIC -DMODAUTHVAS_VERBOSE -DMODAUTHVAS_VERSION=\"3.5.3.308\" -c -o mod_auth_vas.lo mod_auth_vas.c && touch mod_auth_vas.slo
/usr/vac/bin/xlc_r: 1501-228 input file +DAportable not found
"mod_auth_vas.c", line 280.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 284.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 288.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 292.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 296.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 300.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 304.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 308.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 312.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
"mod_auth_vas.c", line 316.17: 1506-196 (W) Initialization between types "void*" and "unsigned long" is not allowed.
/apps/IHS/build/libtool --silent --mode=link /usr/vac/bin/xlc_r -o mod_auth_vas.so -g +DAportable -I/opt/quest/include -DHAVE_UNIX_SUEXEC -DMODAUTHVAS_DIAGNOSTIC -DMODAUTHVAS_VERBOSE -DMODAUTHVAS_VERSION=\"3.5.3.308\" -bexpall -bnolibpath -blibpath:/opt/quest/lib:/usr/lib:/lib -L/opt/quest/lib -lvas -L/opt/quest/lib/support -lgcc_s -rpath /apps/IHS/modules -module -avoid-version -Wl,-brtl mod_auth_vas.lo
/usr/vac/bin/xlc_r: 1501-228 input file +DAportable not found
ld: 0711-317 ERROR: Undefined symbol: .main
ld: 0711-317 ERROR: Undefined symbol: .ap_log_perror
ld: 0711-317 ERROR: Undefined symbol: .ap_log_assert
ld: 0711-317 ERROR: Undefined symbol: .apr_sockaddr_info_get
ld: 0711-317 ERROR: Undefined symbol: .ap_log_rerror
ld: 0711-317 ERROR: Undefined symbol: .apr_table_do
ld: 0711-317 ERROR: Undefined symbol: .apr_ipsubnet_create
ld: 0711-317 ERROR: Undefined symbol: .apr_ipsubnet_test
ld: 0711-317 ERROR: Undefined symbol: .apr_thread_mutex_unlock
ld: 0711-317 ERROR: Undefined symbol: .apr_thread_mutex_lock
ld: 0711-317 ERROR: Undefined symbol: .apr_uid_get
ld: 0711-317 ERROR: Undefined symbol: .apr_uid_name_get
ld: 0711-317 ERROR: Undefined symbol: ap_set_flag_slot
ld: 0711-317 ERROR: Undefined symbol: ap_set_string_slot
ld: 0711-317 ERROR: Undefined symbol: .apr_pstrdup
ld: 0711-317 ERROR: Undefined symbol: .apr_psprintf
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_post_config
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_child_init
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_auth_checker
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_check_user_id
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_get_suexec_identity
ld: 0711-317 ERROR: Undefined symbol: .ap_hook_fixups
ld: 0711-317 ERROR: Undefined symbol: .apr_thread_mutex_create
ld: 0711-317 ERROR: Undefined symbol: .ap_log_error
ld: 0711-317 ERROR: Undefined symbol: .ap_add_version_component
ld: 0711-317 ERROR: Undefined symbol: .apr_palloc
ld: 0711-317 ERROR: Undefined symbol: apr_pool_cleanup_null
ld: 0711-317 ERROR: Undefined symbol: .apr_pool_cleanup_register
ld: 0711-317 ERROR: Undefined symbol: .apr_table_setn
ld: 0711-317 ERROR: Undefined symbol: .ap_auth_type
ld: 0711-317 ERROR: Undefined symbol: .ap_requires
ld: 0711-317 ERROR: Undefined symbol: .apr_table_get
ld: 0711-317 ERROR: Undefined symbol: .ap_getword_white
ld: 0711-317 ERROR: Undefined symbol: .apr_base64_decode_len
ld: 0711-317 ERROR: Undefined symbol: .apr_base64_decode
ld: 0711-317 ERROR: Undefined symbol: .apr_table_add
ld: 0711-317 ERROR: Undefined symbol: .apr_pstrmemdup
ld: 0711-317 ERROR: Undefined symbol: .ap_custom_response
ld: 0711-317 ERROR: Undefined symbol: .ap_psignature
ld: 0711-317 ERROR: Undefined symbol: .apr_pstrcat
ld: 0711-317 ERROR: Undefined symbol: .apr_table_set
ld: 0711-317 ERROR: Undefined symbol: .ap_getword_conf
ld: 0711-317 ERROR: Undefined symbol: .apr_table_make
ld: 0711-317 ERROR: Undefined symbol: .ap_set_string_slot
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
apxs:Error: Command failed with rc=524288
.
make[1]: *** [mod_auth_vas.so] Error 1
make[1]: Leaving directory `/home/wpz1599/mod_auth_vas-3.5.3.308'
make: *** [all-recursive] Error 1

I can fix the .apr_ prefixed symbols, but cannot locate the .ap_ prefixed symbols.

Has anyone else encountered this issue?

↧

problem of vastool user checklogin

March 16, 2009, 3:24 am

≫ Next: HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T

≪ Previous: Building mod_auth_vas-3,5,3.308 on AIX v5.3 fails

Hi experts!

I am newbie for VAS.

After installation of VAS 3.5 on both server(windows server 2003) and client(redhat5.2) according to the manual,

I failed to login the linux client using a Unix enabled domain user :test

I try to run some troubleshooting commands, and get some information as below:

[root@redhat-head ~]# /opt/quest/bin/vastool user checklogin test
WARNING: NSS lookup (getpwnam) for user test failed, this will almost
certainly mean that you will be unable to log in with a username of test.
This should be fixed before worrying about any other failures.
##I checked /etc/nsswith.conf, and found everything is ok.

[root@redhat-head ~]# /opt/quest/bin/vastool nss getpwnam test
ERROR: Could not look up user for name: test, error = 2.

[root@redhat-head ~]# /opt/quest/bin/vastool info domain
test.com

[root@redhat-head ~]#/opt/quest/bin/vastool -u host/ attrs test uidnumber gidnumber unixhomedirectory loginshell userprincipalname DistinguishedName
ginshell userprincipalname DistinguishedName
distinguishedName: CN=test,OU=Unix,DC=pera-test,DC=com
userPrincipalName: test@test.com
uidNumber: 1000
gidNumber: 1000
unixHomeDirectory: /home/test
loginShell: /bin/bash

I can't find where the problem is.

Any advise?

Thank in advance!

↧

HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T

April 12, 2010, 9:37 am

≫ Next: VSJ unable to find LoginModule class

≪ Previous: problem of vastool user checklogin

removed

Message was edited by: MarkBarc

↧

VSJ unable to find LoginModule class

August 6, 2008, 6:55 am

≫ Next: org.ietf.jgss.GSSException, Channel binding mismatch

≪ Previous: HTTP Status 500 - com.wedgetail.idm.sso.ntlm.NtlmException: NTLM token is T

We've been using VSJ successfully in a variety of Java applications, but have now encountered a situation where the VSJ library seems unable to find the the KerberosLoginModule class.

We have packaged our VSJ related code within some classes that we have added to a larger enterprise application. Our classes work fine in standalone Java programs, but when running as part of the larger application we always get the exception:

javax.security.auth.login.LoginException: unable to find LoginModule class: com/dstc/security/kerberos/jaas/KerberosLoginModule

We've tried changing the CLASSPATH, copying the VSJ libraries to numerous places, and many other experiments, but we always get the same error. We added the following to our code:

Class.forName("com.dstc.security.kerberos.jaas.KerberosLoginModule");

immediately before the lc.login() call and it always succeeds, but the lc.login() call immediately afterward still fails with the same error message.

Can you tell us how the VSJ library searches for the KerberosLoginModule, and what we should change to allow the login() method to find the VSJ jar file?

Thanks and regards,
- Joe

↧

org.ietf.jgss.GSSException, Channel binding mismatch

June 17, 2011, 3:02 am

≫ Next: NTLM SMB issue - Could not get valid NTLM challenge from ........

≪ Previous: VSJ unable to find LoginModule class

I am getting this Exception when I am trying to do SPNEGO on IE8 over HTTPS. It works fine for CHROME of FIREFOX.

com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: org.ietf.jgss.GSSException, major code: 1, minor code: 0
    major string: Channel binding mismatch
    minor string: None
    at com.wedgetail.idm.sso.AbstractAuthenticator.processSpnego(AbstractAuthenticator.java:1221)
    at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:205)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
    at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)

When I set this registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SuppressExtendedProtection to 0x02 , SPNEGO starts working but the problem is that this key cannot be set for all the machines in the environment. I am using Vintella 3.3. Is there any other workaround to get the SPNEGO going.
Message was edited by: aamir

Message was edited by: aamir

↧

NTLM SMB issue - Could not get valid NTLM challenge from ........

July 27, 2012, 10:36 am

≫ Next: webpage cannot be found at login-action.vsj

≪ Previous: org.ietf.jgss.GSSException, Channel binding mismatch

I'm trying to debug an issue with NTLM failback, I have the filter configured correctly as per any other deployments.

I'm able to authenticate users correctly using Kerberos, but I have noticed in the logs an issue with NTLM.

This was discovered because of a Java Applet which is posting back to the server, the applet is not using kerberos but NTLM to authenticate the user.

The application server is Tomcat 5, using Quest VSJ "VSJ Standard Edition 3_3 Patch 3548"

From what can be seen within the server logs is that QuestSSO performs a DNS lookup and attempts to connect to all of the GCs which are returned.

Example:
- Starting Coyote HTTP/1.1 on http-80
- JK: ajp13 listening on /0.0.0.0:8009
- Jk running ID=0 time=0/47 config=null
- Host server1.domain.ltd/1.1.1.1:389 appears to be down
- Could not get valid NTLM challenge from server1.domain.ltd/1.1.1.1
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server2.domain.ltd/1.1.1.2:389 appears to be down
- Could not get valid NTLM challenge from server2.domain.ltd/1.1.1.2
Exception: com.wedgetail.idm.sso.ntlm.NtlmException: NTLM challenge was null
- Host server3.domain.ltd/1.1.1.3:389 appears to be down
...
... etc

I have enabled the debug level and log4j configuration, but this is not showing any errors.

I have used PortQry.exe to scan the AD servers and they are accessible.

What can I do to move forward? Any ideas ?

↧

webpage cannot be found at login-action.vsj

August 7, 2012, 6:22 am

≫ Next: Not seeing correct AD group membership using vastool

≪ Previous: NTLM SMB issue - Could not get valid NTLM challenge from ........

Hello,

My scenario is
I have a login page.
If I put the correct username/password, I got the IamIn.jsp as expected.

If I put the incorrect username/password, it also kicked back to the login.jsp as expected. However, right after this, if I put the correct username/password, I got stuck at the login-action.vsj on URL and the "webpage cannot be found" is shown.

Is there anything I need to do to get the login-action.vsj to send me to IamIn.jsp on the second case?

Thanks

↧