kerberos

TomcatKerberos setup error

I've been able to set up Kerberos authentication in Tomcat utilizing a custom Realm that extends JAASRealm and overrides 'authenticate' by following the TomcatKerberos wiki. Got it working fine in Ubuntu but keep getting the following error when trying to set it up in Windows XP. SEVERE: Cannot find message associated with key jaasRealm...

Is this a possible way to get Drupal AD SSO?

I'm currently building a Drupal website in an Active Directory environment. One of the site's requirements is Single Sign On, which to date seems to be impossible because there is no Kerberos SPNEGO/GSSAPI auth module for Drupal. I've come up with an idea on how SSO could be attempted on IIS. Since IIS has the option to require Kerberos ...

Log a user in to an ASP.net application using Windows Authentication without using Windows Authentication?

I have an ASP.net application I'm developing authentication for. I am using an existing cookie-based log on system to log users in to the system. The application runs as an anonymous account and then checks the cookie when the user wants to do something restricted. This is working fine. However, there is one caveat: I've been told th...

How to force BitmapImage to use NTLM Authentication for HTTP download of Image

The following code worked nicely until our admins enabled KERBEROS on our servers: var image = new BitmapImage(new Uri("http://sharepoint/sites/Symbols/Symbols/ABCD.png")); The server is in the local intranet zone and requires windows authentication. After our admins also enabled KERBEROS in this domain, http downloads and webservice ...

How to authorize a user/application combination in Oracle?

I'd like to authorize the user/application combination, not only the user. The scenario is that we've built an app that guides the user to safe updates of some data. If the same user installs PL/SQL Dev, Toad, or any other Oracle management tool, she can edit the data in ways that the app prohibits. ...

End-to-end kerberos delegated authentication in ASP.NET

I'm trying to set up an internal website that will contact another backend service within the network on behalf of the user using a HttpWebRequest. I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication. I'm able to set up IWA on the ASP.NET application, a...

"Defective Token Detected" error (NTLM not Kerberos) with Kerberos/Spring Security/IE/Active Directory

We are having trouble getting Spring Security/Kerberos/AD to work for our web app. Our diagnosis is that our AD server is sending an NTLM token (we can tell as it starts with "TlRMTVNT.....") to IE and IE is then sending this to our application and it's failing. Our AD server should be sending a Kerberos/SPNEGO token to IE. The "moving par...

Using Kerberos authentication for SQL Server 2008

I am trying to configure my SQL Server to use Kerberos authentication. My setup is like this: I have 2 virtual PCs in a Windows XP Pro SP3 host. Both VPCs are Windows Server 2003 R2. One VPC acts as the DC, DNS Server, DHCP server, has Active Directory installed and the SQL Server default instance is also runni...

commons http client - kerberos token while negotiating has \r\n (carriage return line feed) characters

I am trying to use jakarta commons http client. Doing kerberos authentication to communicate with a server. Authentication always fails. On digging deeper I found out that the kerberos token header has carriage return line feed characters in it which is the root cause of the issue. Why does it have \r\n characters and why is that an issu...

BITS, TakeOwnership, and Kerberos / Windows Integrated Authentication

We're using BITS to upload files from machines in our retail locations to our servers. BITS will stop transferring a file if the user who owns the BITS job logs off. Therefore, we're using a Windows Service running as LocalSystem to submit the jobs to BITS and be the job owner. This allows transfers to continue 24/7. However, it raises ...

domainless kerberos authentication in .NET

I have a client application written in .NET which needs to use a credential cache of the current user to authenticate with a KDC/Directory outside of the domain before continuing execution. In Java there is a library called JAAS that handles this, I am trying to find a good .NET solution for this problem but everything seems to use the ...

Passing Kerberos token of the authenticated user from IIS 7 to REST web services

I have a web site running on IIS7 configured to use Windows authentication. I'd like to make a call from the site to a REST web service and pass the Kerberos token of the user (authenticated while accessing the web site) in Authorization header (or any HTTP header). I want REST service to extract additional info like user groups, etc. ...

Java SSO: Kerberos authentication against Active Directory

I'm still trying to find a Java based solution for SSO (running on *nix), which I can use on JBoss to authorize against an Active Directory/domain controller. I initially tried to do this via NTLM, but gave up because it will not be supported on Windows Server >= 2008. Therefore I'm trying to implement this using Kerberos, but it seems ...

Exchange web services Kerberos Authentication

I need to consume Exchange web services through Java proxies generated by JAX-WS. I have a few doubts: 1) Can we connect to the Exchange server with Kerberos authentication? 2) If yes, help needed.. ...

python: validate kerberos ticket

I'm wondering if anyone has an elegant solution to checking for a valid Kerberos ticket using Python. I'm not seeing any way with kinit or klist that will show if a ticket is expired with a return code. I could run klist and use a regex for the output but... Thanks much! ...

Kerberos Timestamp

Could anyone please explain how timestamps in Kerberos protect from Replay attacks? Thanks ...

How does client browser know which KDC to send request to get ticket?

Hi, Environment: SharePoint & Kerberos. Can someone explain how does client browser know which KDC to send request to get ticket in step 3 below: 1. The user types in a URL in the Internet Explorer (e.g. http://intranet.domain.local) 2. The client browser constructs the SPN, which contains a name of the host and the service type (SPN: ...

Do I need to configure SPNs for all services running on the same test SharePoint server?

If I have a single SharePoint server with no header (for testing) and my client app only needs to access the web app with Kerberos configured, I already configured the app pool for that web app with domain user (SPN), do I really need to configure domain users (SPNs) for all services (e.g. SQL server, MOSS admin, farm, etc.) even thou...

[.NET 2.0] NegotiateStream can't work with Kerberos/NTLM/GSSAPI over SASL (POP3/IMAP/SMTP)?

Hi everyone! I'm trying to get Integrated Windows Authentication (using default credentials of the currently logged Windows user) to log in Exchange 2007 account (SMTP/POP3/IMAP). I already have working implementation for this but it uses SSPI functions and thus needs unmanagedcode permissions (no good). I tried to make use of Negotiat...

SharePoint web part access to file share using Kerberos from Extranet via ISA doesn't work.

I have the following scenario: A web part on SharePoint Web Server accesses a file share on another server. Kerberos authentication is set up and INTERNALLY files on the share can be successfully accessed. Our SharePoint site is published externally via ISA with forms based login for authentication. Kerberos authentication is working from...