EPM Kerberos Weblogic

Hello

Any suggestion on the implementation of EPM-Kerberos-Weblogic? Is this feasible?

Any suggestion on the link environment, etc.?

-John

Try this

http://www.Oracle.com/technetwork/middleware/bi-Foundation/config-EPM-Foundation-Kerberos-303841.PDF

I did it on my single server environment (which was based on the 9 documentation) enable Kerberos with Workspace 11.1.1.3, Weblogic 9.2 MP3 & Apache ~ Oracle - Hyperion Labs...

Regards

Celvin

Similar Questions

  • IPM. The weblogic user does not exist in the policy store

    We cannot connect to IPM; the error is: the weblogic user does not exist in the policy store.

    I updated COE field to add the Capture and Imaging.

    We have 11.1.1.8 patched with more late installed environment

    Related to the AD and SSO configured (kerberos)

    The providers are:

    SSO - WebLogic Negotiate Identity Assertion provider

    OrangeAD - provider that performs LDAP authentication

    DefaultAuthenticator - WebLogic Authentication provider

    DefaultIdentityAsserter - WebLogic Identity Assertion provider

    The control flag for OrangeAD and DefaultAuthenticator is SUFFICIENT

    There is no problem with Capture (including SSO)

    Refreshing the IPM security did not solve the problem

    A discussion that I found said that the weblogic user must be added to the provider (AD in my case):

    https://community.Oracle.com/thread/2615536

    Should I do this?

    Could it cause problems for the rest: UCM, Capture, Admin servers?

    Thank you

    Leon

    Let me explain here:

    The link that you pointed out was answered only by me

    IPM connection problems

    By default, the WebCenter JpsProvider calls the user/role API to retrieve the list of roles that a user is a member of. The user/role API gets the list of roles from the leading authentication provider and ignores the other authentication providers.

    The WebLogic JPS can be configured so that the user/role API goes against all configured authentication providers. This is done by adding a property, virtualize, and setting it to true.

    From the Enterprise Manager domain:

    1. In a browser, go to the WebLogic Enterprise Manager page.

    The URL will usually be something like: http://YourDomainSystem:7001/em

    2. Expand WebLogic Domain.

    3. Right-click the domain, and then select Security --> Security Provider Configuration.

    4. Click the box to expand the Identity Store Provider.

    5. Click the Configure button.

    6. In the custom properties, click the Add button.

    7. In the property name field, enter: virtualize

    8. In the value field, enter: true

    9. Click the OK button.

    10. Restart the WebLogic Admin Server and the WCC managed server.

    Please find below the A-Team's response

    http://www.Ateam-Oracle.com/WebCenter-content-imaging-and-multiple-identity-providers-the-virtualization-issue/

    Thank you

    Ranjan

  • WebLogic with Active Directory SSO using the Ondaaah

    Hello

    I tried to configure Ondaaah for Weblogic, but it does not work.

    I followed the Oracle documentation exactly: Configuring Single Sign-On with Microsoft Clients

    I also tried other resources, but without success.

    Example: How to set up a SINGLE Kerberos/SPNEGO with Oracle WebLogic Server browser-based authentication

    My main problem is that I cannot really debug why it does not work.

    Can someone direct me to the log file where I can investigate the problem?

    Some info:

    KDC is a win2k8r2

    krb5.ini

    [libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    ticket_lifetime = 600
    
    [realms]
    EXAMPLE.COM = {
    kdc = 192.168.0.94
    admin_server = vs-w8kr2-dc1
    default_domain = EXAMPLE.COM
    }
    
    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    
    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    
    
    

    generation of key file

    ktpass -princ HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM -mapuser wlsuser -ptype KRB5_NT_PRINCIPAL -pass Welcome1 -out wlsuser.keytab -kvno 0 -crypto DES-CBC-CRC
    
    
    

    kinit result

    java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t wlsuser.keytab HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM
    >>>KinitOptions cache name is C:\Users\Administrator.EXAMPLE\krb5cc_Administrat
    or
    Principal is HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM
    >>> Kinit using keytab
    >>> Kinit keytab file name: wlsuser.keytab
    >>> KeyTabInputStream, readName(): EXAMPLE.COM
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): vs-ucm-cs-pro.example.com
    >>> KeyTab: load() entry length: 69; type: 1
    Added key: 1version: 0
    Ordering keys wrt default_tkt_enctypes list
    Config name: C:\Windows\krb5.ini
    default etypes for default_tkt_enctypes: 1.
    0: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=
    0000: D3 E6 AB F1 91 B3 B0 D3
    
    >>> Kinit realm name is EXAMPLE.COM
    >>> Creating KrbAsReq
    >>> KrbKdcReq local addresses for VS-UCM-CS-PRO are:
    
            VS-UCM-CS-PRO/192.168.0.161
    IPv4 address
    
            VS-UCM-CS-PRO/fe80:0:0:0:48c0:4405:c018:7969%11
    IPv6 address
    
            VS-UCM-CS-PRO/fe80:0:0:0:383e:e3d:3f57:ff5e%13
    IPv6 address
    
            VS-UCM-CS-PRO/2001:0:5ef5:79fb:383e:e3d:3f57:ff5e
    IPv6 address
    >>> KdcAccessibility: reset
    default etypes for default_tkt_enctypes: 1.
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> Kinit: sending as_req to realm EXAMPLE.COM
    >>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3
    , #bytes=261
    >>> KDCCommunication: kdc=192.168.0.94 UDP:88, timeout=30000,Attempt =1, #bytes=
    261
    >>> KrbKdcReq send: #bytes read=268
    >>> KrbKdcReq send: #bytes read=268
    >>> KdcAccessibility: remove 192.168.0.94
    >>> reading response from kdc
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
             sTime is Mon Aug 05 10:55:20 CEST 2013 1375692920000
             suSec is 298089
             error code is 25
             error Message is Additional pre-authentication required
             realm is EXAMPLE.COM
             sname is krbtgt/EXAMPLE.COM
             eData provided.
             msgType is 30
    >>>Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 1
             PA-ETYPE-INFO2 salt = EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
             PA-ETYPE-INFO2 s2kparams = null
    Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
    Updated salt from pre-auth = EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
    >>>KrbAsReq salt is EXAMPLE.COMHTTPvs-ucm-cs-pro.example.com
    default etypes for default_tkt_enctypes: 1.
    Pre-Authenticaton: find key for etype = 1
    AS-REQ: Add PA_ENC_TIMESTAMP now
    >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>crc32: cf91be86
    >>>crc32: 11001111100100011011111010000110
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> Kinit: sending as_req to realm EXAMPLE.COM
    >>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3
    , #bytes=341
    >>> KDCCommunication: kdc=192.168.0.94 UDP:88, timeout=30000,Attempt =1, #bytes=
    341
    >>> KrbKdcReq send: #bytes read=94
    >>> KrbKdcReq send: #bytes read=94
    >>> KdcAccessibility: remove 192.168.0.94
    >>> reading response from kdc
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
             sTime is Mon Aug 05 10:55:21 CEST 2013 1375692921000
             suSec is 548089
             error code is 52
             error Message is Response too big for UDP, retry with TCP
             realm is EXAMPLE.COM
             sname is krbtgt/EXAMPLE.COM
             msgType is 30
    >>> KrbKdcReq send: kdc=192.168.0.94 TCP:88, timeout=30000, number of retries =3
    , #bytes=341
    >>> KDCCommunication: kdc=192.168.0.94 TCP:88, timeout=30000,Attempt =1, #bytes=
    341
    >>>DEBUG: TCPClient reading 1592 bytes
    >>> KrbKdcReq send: #bytes read=1592
    >>> KrbKdcReq send: #bytes read=1592
    >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>crc32: 3d4ff0db
    >>>crc32: 111101010011111111000011011011
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/vs-ucm-cs-pro.example.com
    New ticket is stored in cache file C:\Users\Administrator.EXAMPLE\krb5cc_Admini
    strator
    
    
    

    krb5login.conf

    com.sun.security.jgss.krb5.initiate {
         com.sun.security.auth.module.Krb5LoginModule required
         principal="HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM" useKeyTab="true"
         keyTab="d:/admin/kerberos/wlsuser.keytab" storeKey="true" debug="true";
    };
    
    com.sun.security.jgss.krb5.accept {
         com.sun.security.auth.module.Krb5LoginModule required
         principal="HTTP/vs-ucm-cs-pro.example.com@EXAMPLE.COM" useKeyTab="true"
         keyTab="d:/admin/kerberos/wlsuser.keytab" storeKey="true" debug="true";
    };
    
    
    

    setspn -L wlsuser

    Registered (SPN) for CN=wlsuser,CN=Users,DC=example,DC=com:
            HTTP/vs-ucm-cs-pro.example.com
    

    Post edited by: 2ec502e6-de7d-4cb9-a5b2-5b8f18f80881 Added setspn - L...

    Hi, it works!

    Thanks to your debugging indicators and a new machine!

    The SSO works perfectly on another machine. So please do not test SSO on weblogic machine...
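The kinit trace in the thread above shows two KRBError blocks (codes 25 and 52) even though the ticket request succeeds in the end. The following added example, which is not part of the original posts, parses a JDK `sun.security.krb5.debug` trace, separates the errors a client recovers from on its own from those that point to a fault, and flags deprecated encryption types such as the DES type configured here. Both sample traces are constructed; the first is abbreviated from the output above, and the function and variable names are this example's own.

```python
import re

# RFC 4120 error codes that commonly appear in an AS exchange. The flag says
# whether the client normally recovers by itself (it re-sends the AS-REQ with
# pre-authentication data, or retries the request over TCP).
KRB_ERRORS = {
    6: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", False),
    14: ("KDC_ERR_ETYPE_NOSUPP", False),
    24: ("KDC_ERR_PREAUTH_FAILED", False),
    25: ("KDC_ERR_PREAUTH_REQUIRED", True),
    37: ("KRB_AP_ERR_SKEW", False),
    52: ("KRB_ERR_RESPONSE_TOO_BIG", True),
}

# Encryption types deprecated for Kerberos (DES: RFC 6649; 3DES, RC4: RFC 8429).
DEPRECATED_ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd", 23: "rc4-hmac",
}

ERROR_RE = re.compile(r"error code is (\d+)")
ETYPES_RE = re.compile(r"default etypes for default_tkt_enctypes:\s*([\d ]+)\.")
KEYTYPE_RE = re.compile(r"keyType=(\d+)")
TICKET_MARK = "New ticket is stored in cache file"

# Constructed sample, abbreviated from the kinit output quoted in the thread.
SAMPLE_TRACE = """\
default etypes for default_tkt_enctypes: 1.
0: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=
>>> KrbKdcReq send: kdc=192.168.0.94 UDP:88, timeout=30000, number of retries =3
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
>>>KRBError:
         error code is 52
         error Message is Response too big for UDP, retry with TCP
>>> KrbKdcReq send: kdc=192.168.0.94 TCP:88, timeout=30000, number of retries =3
New ticket is stored in cache file krb5cc_sample
"""

# Constructed sample of a run that really fails (wrong key in the keytab).
FAILED_TRACE = """\
default etypes for default_tkt_enctypes: 18 17.
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
>>>KRBError:
         error code is 24
         error Message is Pre-authentication information was invalid
"""


def analyze_trace(trace):
    """Summarise a krb5 debug trace: errors seen, etypes used, outcome."""
    errors, etypes = [], set()
    last_error_line = ticket_line = 0
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = ERROR_RE.search(line)
        if m:
            code = int(m.group(1))
            name, recoverable = KRB_ERRORS.get(code, ("UNKNOWN", False))
            errors.append({"code": code, "name": name, "recoverable": recoverable})
            last_error_line = lineno
        m = ETYPES_RE.search(line)
        if m:
            etypes.update(int(t) for t in m.group(1).split())
        m = KEYTYPE_RE.search(line)
        if m:
            etypes.add(int(m.group(1)))
        if TICKET_MARK in line:
            ticket_line = lineno

    # The exchange succeeded only if a ticket was stored after the last error.
    ticket_obtained = ticket_line > last_error_line
    findings = []
    for e in errors:
        if not e["recoverable"]:
            findings.append(
                f"error {e['code']} ({e['name']}) usually indicates a configuration fault")
    if not ticket_obtained:
        findings.append("no ticket was stored after the last KRBError")
    for t in sorted(etypes & set(DEPRECATED_ETYPES)):
        findings.append(
            f"etype {t} ({DEPRECATED_ETYPES[t]}) is deprecated; prefer AES etypes 17/18")
    return {
        "errors": errors,
        "etypes": sorted(etypes),
        "ticket_obtained": ticket_obtained,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, trace in (("sample", SAMPLE_TRACE), ("failed", FAILED_TRACE)):
        result = analyze_trace(trace)
        print(label, "ticket obtained:", result["ticket_obtained"])
        for finding in result["findings"]:
            print("  -", finding)
```
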

  • Kerberos for Signon Office header problem

    Hello

    As I am following the PeopleBook for Office Single Signon with the Kerberos protocol, here are a few questions about using the FUNCLIB_LDAP.LDAPAUTH signon PeopleCode to authenticate the user to the NT domain during indexing.

    The PeopleBook PeopleCode looks for the header names KRB_USER and Authorization in the Kerberos token ticket. But the PIA always connects as the PUBLIC user, whichever NT domain user I log in as.

    Then I tried to look at the header names and their values, as below: (Note: there is indeed no KRB_USER or Authorization header name in the request list)
    Name: Accept - image/gif, image/jpeg, image/pjpeg, application / vnd.ms - excel, application / vnd.ms - powerpoint, application/msword, * / *.
    Name: Accept-Language-en
    Name: User-Agent-Mozilla/4.0 (...)
    Name: Host - www.mydoamin.com
    Name: Connection - Keep-Alive
    Name: Cookie - SignonDefault = PUBLIC. http 3% a % 2f % 2f...

    Above is the header name in the query list. No header name like KRB_USER or authorization.


    Here is the log from the PIA_weblogic log:

    # < 26 April 2012 12:18:44 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '11' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421124992 > < BEA-000000 > < KerberosSSOFilter: requesting Kerberos token. (Connection is NOT safe) >
    # < 26 April 2012 12:18:50 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421130924 > < BEA-000000 > < KerberosSSOFilter: received the invalid token. >
    # < 26 April 2012 12:18:50 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421130949 > < BEA-000000 > < KerberosSSOFilter: received the invalid token. >
    # < 26 April 2012 12:18:50 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421130997 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131071 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '0' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131117 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '16' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131078 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '16' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131084 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '19' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131094 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '16' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131102 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '16' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131106 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131112 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131081 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '12' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131115 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '8' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131116 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '0' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131136 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131138 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '0' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131137 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '16' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131139 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '18' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131140 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131140 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '18' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131157 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '5' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131164 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '0' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131158 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131159 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131161 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '12' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131161 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131162 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '7' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131165 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131166 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '11' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131167 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '12' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131169 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:18:51 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421131172 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:27:52 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421672310 > < BEA-000000 > < KerberosSSOFilter: requesting Kerberos token. (Connection is NOT safe) >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690236 > < BEA-000000 > < KerberosSSOFilter: received the invalid token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690276 > < BEA-000000 > < KerberosSSOFilter: received the invalid token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690345 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690420 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '7' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690436 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690426 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690428 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690430 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '0' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690432 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690447 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690461 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690471 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '7' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690449 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '18' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690474 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690482 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690485 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '7' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690486 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '7' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690487 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '7' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690488 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690489 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: "14" for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690490 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690492 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690493 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690494 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '20' to queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690495 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690496 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '18' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690497 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '12' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690497 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '18' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690510 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '6' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690512 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '13' for queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690513 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >
    # < 26 April 2012 12:28:10 PM CST > < opinion > < Stdout > < kcpl > < PIA > < ExecuteThread [ASSET]: '0' for the queue: '(self-adjusting) weblogic.kernel.Default' > < < WLS Kernel > > <><>< 1335421690513 > < BEA-000000 > < KerberosSSOFilter: valid session id. Request not Kerberos token. >


    The Kerberos desktopsso classes exist in the subfolders PIA_HOME/.../classes/.../kerberos/ and PS_HOME/class/.../kerberos/

    There are 6 classes under the corresponding PIA_HOME folder, and 2 classes under the corresponding PS_HOME folder.


    Because the header names KRB_USER and Authorization are not found, Kerberos does not correctly switch to the corresponding desktop user.

    Here is my configuration:

    1. Follow the PeopleBook guide to create the Kerberos keytab file and related conf file, web.xml file, user realm
    2. Create a PUBLIC PIA user ID with only the Mobile Client user role to access the PeopleSoft home page.
    3. Follow all the information regarding Kerberos configuration in the Office single signon section of the PeopleBook.

    When I type a URI such as http://www.mydomain.com/psp/<SITENAME>/EMPLOYEE/ERP/h/?tab=DEFAULT, the IE Windows Security login prompt asks for the domain user and password; after I try any domain user with a valid password, the page is redirected ONLY to the PUBLIC user.

    Has anyone successfully implemented Kerberos signon from the desktop? And how do I solve the KRB_USER and Authorization headers not being in the Kerberos token ticket request headers?


    Thank you

    IF the table

    Published by: Saxon IF there April 26, 2012 14:57

    Hello

    I don't see the browser sending a Kerberos ticket, either in the HTTP trace or in the ticket list. If it is definitely not sending any ticket, then I think the next step is to talk to your network people.

    In our case, I see a Kerberos ticket of the form 'Server: HTTP/servername.domain.com @ DOMAIN.COM'. I don't know if using www would have implications (for example, treating it as public space and so not presenting a Kerberos token, or hiding the www part of the URI instead of displaying it in full). It could be worth trying a server name, for example peoplesoft.domain.com, to see if it works.

    It might also be useful to purge your tickets (ktlist purge) and then retry the URL. Immediately after the purge, check ktlist and you should see some tickets. Then try just the PeopleSoft URL and check ktlist again; in my case it has two tickets, one for 'Server: krbtgt/DOMAIN.COM @ DOMAIN.COM' and one for the server as described above.

    Other than that I have no more suggestions, except (as you are doing) studying the logs at every stage.

    Good luck

    Henry

  • Applying the SSO for several Weblogic servers on the same Windows domain

    I have several Weblogic servers (developer machines, test servers, testing of clusters, clusters and etc.) on my windows domain name.

    I'm going to set up SSO for each of them. However, I would like to ask a question about service principal names.


    For stand-alone machines (which are not grouped, developer and test machine parts):


    Do I have to create a new user in Active Directory as "wlskerberos" for each machine on my domain?



    For the machines in the cluster

    Do I have to create more than one user account Active Directory for each Member of the cluster as "wlskerberos"?

    For clusters, users don't see the HTTP address of the managed servers that are behind the Oracle HTTP Server.

    So should I add it as an SPN and map it to the Oracle HTTP Server address?


    Finally, for the keytab files, is it enough to create a single keytab file for all machines?

    Do I have to create a new user in Active Directory as "wlskerberos" for each machine on my domain?

    Yes, and you enter the spn with this user

    For the other question, please see this link

    http://WebLogic-wonders.com/WebLogic/2010/03/05/Kerberos-in-a-proxyload-balancer-WebLogic-cluster/

    I hope that answers!

  • Kerberos authentication problem

    I followed the step of the configuration of http://weblogic-wonders.com/weblogic/2009/11/15/configuring-kerberos-with-weblogic-server/ published by Faisal Khan.

    When I try to access my application running in WebLogic, I face the following problem (the famous 401 - Not Authorized error).
    Suppose that the main user is "main-user", and my Windows account is "windows-user".

    (1) The Kerberos authentication looks very good; I got the following success information:
    Found the key for [email protected] (1)
    Entered Krb5Context.acceptSecContext with state=STATE_NEW
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Using builtin default etypes for permitted_enctypes
    default etypes for permitted_enctypes: 3 1 23 16 17.
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Config reset default kdc XXX.COM
    replay cache for windows-user@XXX is null.
    object 0: 1282932038000/154
    object 0: 1282932038000/154
    >>> KrbApReq: authenticate succeed.
    Krb5Context setting peerSeqNumber to: 1113985206
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Krb5Context setting mySeqNumber to: 792726776

    (2) But after that, it seems WebLogic wants to do another authentication with my Windows account:

    <user name were found, implemented callbackhandler>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.constructor>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.getCallbackHandler>
    <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl$ChallengeContextImpl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.getCallbackHandler>
    <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter$ChallengeContextV2Impl.hasChallengeIdentityCompleted>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity return windows-user>
    <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user)>
    <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user) return null>
    <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity did not find a cached identity.>
    <com.bea.common.security.internal.service.CallbackHandlerWrapper.constructor>
    .... (do a LDAP search)
    <delegated com.bea.common.security.internal.service.LoginModuleWrapper.commit, returning false>
    <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authentication failed for windows user>

    I don't know why, after the Kerberos authentication, WebLogic uses my Windows account for another one.

    And if I create the user "windows" as a WebLogic user, then authentication succeeds and I can access my application.

    But this is not so-called "SSO": there is no point in creating all domain users as WebLogic users.

    I think I might have made a mistake in my WebLogic env. Any ideas?

    Thank you very much.

    Hi Victor,

    I have observed the following in your server logs






    <[Security:090300]Identity assertion failed: user windows.user does not exist>

    We need to create the user who tries to connect to the application in WebLogic Server (whether in DefaultAuthenticator or ActiveDirectoryAuthenticator) for Kerberos-based authentication to work.

    Single sign-on means that the customer (end user) doesn't have to provide the credentials all over again and its domain credentials are substituted.
    Put simply, a Kerberos token is passed to WLS, and WLS decrypts the token, retrieves the user name and tries to check it against some stores. So, the user must present b and in accordance with the Kerberos protocol.

    Hope that helps.

    Let me know if you have any other questions!

    Thank you
    Faisal
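The two stages in this thread (the ticket is accepted, then the asserted name is looked up in an authentication provider) can be separated mechanically from the debug output. The script below is an added example, not part of the thread or of WebLogic: the sample lines are constructed after the trace quoted above (exact wording varies between releases), and `triage`, the regex names and the verdict strings are assumptions.

```python
import re

# IANA Kerberos encryption-type numbers, as printed in the JGSS debug trace.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Single DES was deprecated by RFC 6649, 3DES and RC4 by RFC 8429.
DEPRECATED = {1, 2, 3, 16, 23}

KRB_OK = re.compile(r"KrbApReq: authenticate succe")
PERMITTED = re.compile(r"permitted_enctypes:\s*([\d\s]+)")
ETYPE_CLASS = re.compile(r"EType:\s*[\w.]*\.(\w+EType)")
ASSERTED = re.compile(r"assertIdentity return\w*\s+([^\s>]+)")
LOGIN_FAILED = re.compile(r"authentication failed for (?:user\s+)?([^\s>]+)")
NO_SUCH_USER = re.compile(
    r"\[Security:090300\].*?[Uu]ser\s+([^\s>]+)\s+does not exist")

# Constructed sample: ticket accepted, user unknown to every authenticator.
SAMPLE_USER_MISSING = """\
default etypes for permitted_enctypes: 3 1 23 16 17.
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbApReq: authenticate succeed.
<com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning windows-user>
<com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(windows-user) returning null>
<weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authentication failed for user windows-user>
<[Security:090300]Identity Assertion Failed: User windows-user does not exist>
"""

# Constructed sample: no AP-REQ was ever accepted (browser sent no usable ticket).
SAMPLE_NO_TICKET = """\
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 18.
"""


def triage(log_text):
    """Classify one SPNEGO login attempt from WebLogic/JGSS debug output."""
    r = {"kerberos_ok": False, "asserted_user": None, "lookup_failed": False,
         "deprecated_etypes": [], "des_in_use": False}
    for line in log_text.splitlines():
        if KRB_OK.search(line):
            r["kerberos_ok"] = True
        m = PERMITTED.search(line)
        if m:
            nums = [int(n) for n in m.group(1).split()]
            r["deprecated_etypes"] = [ETYPE_NAMES.get(n, str(n))
                                      for n in nums if n in DEPRECATED]
        m = ETYPE_CLASS.search(line)
        if m and m.group(1).startswith("DesCbc"):
            r["des_in_use"] = True          # a single-DES key actually in use
        m = ASSERTED.search(line)
        if m:
            r["asserted_user"] = m.group(1)
        if LOGIN_FAILED.search(line) or NO_SUCH_USER.search(line):
            r["lookup_failed"] = True
    if not r["kerberos_ok"]:
        # Look at SPN, keytab and browser zone settings, not at WebLogic users.
        r["verdict"] = "no-ticket-accepted"
    elif r["lookup_failed"]:
        # Kerberos is fine; no configured authenticator knows the user.
        r["verdict"] = "user-missing-from-authenticator"
    elif r["asserted_user"]:
        r["verdict"] = "ok"
    else:
        r["verdict"] = "asserter-not-reached"
    return r


if __name__ == "__main__":
    for name, text in (("user missing", SAMPLE_USER_MISSING),
                       ("no ticket", SAMPLE_NO_TICKET)):
        print(name, "->", triage(text))
```

On the trace in this thread the result is the `user-missing-from-authenticator` case, with single DES reported as the key type in use.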

  • question of Kerberos

    Hello

    I'm trying to enable Kerberos with Weblogic 9.2 MP3 and Hyperion 11.1.1.3, and I managed to do it. However, when I try to access the link to the Workspace, a pop-up appears asking me to connect to my domain.

    Is there something wrong? My understanding is that if you enable Kerberos, then you won't get any login screen.

    I tried two settings for Internet Explorer:

    1. Automatic logon to intranet sites
    2. Automatic logon using current user name and password

    But the pop-up still appears after that.

    I tried to enable the Workspace with Kerberos, and every time I log in as a user it asks me for a username and password, which it should not.

    The problem was with the Active Directory authenticator that I created in WebLogic... there I added the user attribute as cn, whereas it should be sAMAccountName. I created a document on this, and you can check it at http://cvkattookaran.blogspot.com

    concerning

    CK

  • ALUI 6.5 on Weblogic 10 - Single Sign-On Options

    We have 6.5 ALUI portal running on Windows 2003 in a Weblogic 10.0 MP1 environment. The portal is configured with Active Directory authentication Source. Opening a session with credentials of the AD to the auth Source. works very well. What are our options to implement single sign - on in this environment? We need to use kerberos for Weblogic identification? If so, how WL passes this on to ALUI?

    All information in this area is very much appreciated.

    Hi guys,

    Here are the changes of PortalConfig.xml I did. It will be useful.

    a. set the field of the cookie to the following:


    . blah.com/results.htm

    b. set the SSO provider to 50 who is BasicSSO for the ALUI portal.


    50

    d. define the section headers custom configuration of the portal (SSOVendor). The Weblogic Plugin sends the user name in a custom header named Remote-Proxy-User. This header was found by
    ptSPy and Fiddlers. This custom XML parameter indicates the SSOHandler portal to search for and remove the custom for the username header


    Type = "http://www.plumtree.com/config/component/types/portal/ssovendor" >


              User-remote-proxy
         





    I only uncomment the header value because that's all that is needed. Good luck!!

    See you soon

    Sanjay

  • Problems with java weblogic. WLST - HELP!

    Hi all,

    I am fairly new to WebLogic Server and am trying to work through the OBE as part of my training. I came across a problem that you may be able to help me with. In OBE - 4 Administration servers managed by using the Node Manager - in the 'Configuration' part using the WLST tool, I run into a problem.

    I am following the instructions to the letter, i.e. adding JRockit to my path and running setWLSEnv.sh. Something I noticed in the setup is that the JRockit home seems to be different in the example. In the example, the JRockit home is /u01/app/oracle/product/Jrockit/bin. Presumably that is an original JRockit installation, whereas the JRockit home in my case is /u01/app/oracle/product/Middleware/jrockit_160_05/bin. Is this correct?

    Thus, when I try to call 'java weblogic.WLST' I get the error message 'Exception in thread "Main Thread" java.lang.NoClassDefFoundError: weblogic/WLST'.

    That tells me that the environment cannot find the weblogic.WLST Java class to run.

    Any help or advice is welcome.

    Here are the export PATH command and the environment the script prints (it looks as if, for some reason, the class path is much too short; any explanations?):

    [oracle@seremban ~]$ export PATH=/u03/app/oracle/product/Middleware/jrockit_160_05/bin/:$PATH
    [oracle@seremban ~]$ cd /u03/app/oracle/product/Middleware/wlserver_10.3/server/bin/
    [oracle@seremban bin]$ ./setWLSEnv.sh
    CLASSPATH=/u03/app/oracle/product/Middleware/patch_wls1030/profiles/default/sys_manifest_classpath/weblogic_patch.jar:
    /u03/app/oracle/product/Middleware/patch_cie660/profiles/default/sys_manifest_classpath/weblogic_patch.jar:
    /u03/app/oracle/product/Middleware/jrockit_160_05/lib/tools.jar:/u03/app/oracle/product/Middleware/wlserver_10.3/server/lib/weblogic_sp.jar:
    /u03/app/oracle/product/Middleware/wlserver_10.3/server/lib/weblogic.jar:
    /u03/app/oracle/product/Middleware/modules/features/weblogic.server.modules_10.3.0.0.jar:
    /u03/app/oracle/product/Middleware/wlserver_10.3/server/lib/webservices.jar:
    /u03/app/oracle/product/Middleware/modules/org.apache.ant_1.6.5/lib/ant-all.jar:
    /u03/app/oracle/product/Middleware/modules/net.sf.antcontrib_1.0.0.0_1-0b2/lib/ant-contrib.jar:

    PATH=/u03/app/oracle/product/Middleware/wlserver_10.3/server/bin:/u03/app/oracle/product/Middleware/modules/org.apache.ant_1.6.5/bin:
    /u03/app/oracle/product/Middleware/jrockit_160_05/jre/bin:/u03/app/oracle/product/Middleware/jrockit_160_05/bin:
    /u03/app/oracle/product/Middleware/jrockit_160_05/bin/:/usr/lib64/qt-3.3/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/oracle/bin

    Your environment has been set.
    [oracle@seremban bin]$ java weblogic.WLST
    Exception in thread "Main Thread" java.lang.NoClassDefFoundError: weblogic/WLST

    Published by: Jamie Gadong on March 17, 2009 04:38

    Hello

    1. cd to wlserver_10.3/common/bin/
    2. Execute ./wlst.sh
    3. execfile('/xx/xx/xx/bea_xx/XX/yourscript.py')
    4. You're done.

    Thank you
    RR

  • To authenticate with Kerberos for TimeMachine on OSX Server

    Hello

    Does anyone have an idea how I can use Kerberos to authenticate to the Time Machine service hosted by an OS X server?

    We use Mac clients in an Active Directory environment. The rules require users to change their password after a few weeks. The problem: AD knows the password, so the OSX Server knows the password, but the clients still have the old password stored in the keychain. So they try to connect to the Time Machine service with the old one, and that won't work. With Kerberos, this could be resolved.

    Any ideas?

    We use Mac OS X on the clients and server OSX 5.0.15 10.11.2

    Thank you!

    How did you set up Time Machine?  System Preferences or via a configuration profile?  I'm guessing System Preferences.

    Try this command on one of your clients:

    tmutil destinationinfo

    If the value of the URL looks like this:

    afp://user@host._afpovertcp._tcp.local./TM_Staff/

    then you are connecting using Bonjour and so you're outside the Kerberos realm.  You can try changing the destination to a fully qualified host name, or use configuration profiles.  Is the server bound to AD?

    Reid

    Apple Consultants Network

    'El Capitan Server - Foundation Services.

    «El Capitan Server - Collaboration & control»

    'El Capitan Server - Advanced Services '.

    : IBooks exclusively available in Apple store

  • I had a windows 2008 r2 domain 1 DC everything worked fine, I added a second windows of DC 2012 now Kerberos does not work for RDP

    I had a windows 2008 r2 domain 1 DC everything worked fine, I added a second windows of DC 2012 now Kerberos does not work for the RDP, Hyper V replication is nothing below a couple of samples of what I see I do not know where to begin finding the problem

    + System

    - Provider
        [Name] Microsoft-Windows-Security-Kerberos
        [Guid] {98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}
        [EventSourceName] Kerberos
    - EventID 3
        [Qualifiers] 32768
    Version 0
    Level 2
    Task 0
    Opcode 0
    Keywords 0x80000000000000
    - TimeCreated
        [SystemTime] 2016-01-03T01:34:27.000000000Z
    EventRecordID 2991
    Correlation
    - Execution
        [ProcessID] 0
        [ThreadID] 0
    Channel System
    Computer DC02.xxxxxxonline.com
    Security

    - EventData
        LogonSession xxxxxxONLINE.COM\xxxxxx
        ClientTime
        ServerTime 1:34:27.0000 03/01/2016 Z
        ErrorCode 0x19
        ErrorMessage KDC_ERR_PREAUTH_REQUIRED
        ExtendedError
        ClientRealm
        ClientName
        ServerRealm xxxxxxONLINE.COM
        ServerName krbtgt/xxxxxxONLINE.COM
        TargetName krbtgt/*email address is removed for privacy*
        ErrorText
        File e
        Line d3f

    + System

    - Provider
        [Name] Microsoft-Windows-Security-Kerberos
        [Guid] {98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}
        [EventSourceName] Kerberos
    - EventID 3
        [Qualifiers] 32768
    Version 0
    Level 2
    Task 0
    Opcode 0
    Keywords 0x80000000000000
    - TimeCreated
        [SystemTime] 2016-01-02T16:52:38.000000000Z
    EventRecordID 2943
    Correlation
    - Execution
        [ProcessID] 0
        [ThreadID] 0
    Channel System
    Computer DC02.xxxxxxonline.com
    Security

    - EventData
        LogonSession xxxxxxONLINE.COM\xxxxxx
        ClientTime
        ServerTime 16:52:38.0000 02/01/2016 Z
        ErrorCode 0x19
        ErrorMessage KDC_ERR_PREAUTH_REQUIRED
        ExtendedError
        ClientRealm
        ClientName
        ServerRealm xxxxxxONLINE.COM
        ServerName krbtgt/xxxxxxONLINE.COM
        TargetName krbtgt/*email address is removed for privacy*
        ErrorText
        File e
        Line d3f

    This issue is beyond the scope of this site, which is for consumer-related issues.

    To ensure that you get a proper answer, ask either on the Technet site, if it is a type of Pro problem, or MSDN if it's related to the developer

    http://social.technet.Microsoft.com/forums/en-us/homes/en-us/home

    http://social.msdn.Microsoft.com/Forum

  • Strategy of Kerberos WinServer2008r2 Active Directory group

    Hi all

    I badly need help with this. I'm trying to implement Kerberos on my Active Directory. What I understand is that Kerberos is the default and primary authentication protocol used when connected to a domain, but where and how do I configure Kerberos settings in Group Policy? I managed to find Kerberos settings in the "Local Group Policy Editor", but this would not push the settings to my clients, right?

    I want to disable NTLM authentication as well, and once again I can find the settings under Local Policies > Security Options, but they are all local policies, right? Is it possible to disable NTLM on my Active Directory and ensure that these settings are applied to both of my client computers?

    Thank you so much in advance!
    PS: Sorry if I got some of my facts wrong, I'm a student doing an internship and my understanding of Active Directory is not that strong.

    The server forums are over on the Microsoft TechNet web site.
    This is where you find people who know.

    http://social.technet.Microsoft.com/forums/en-us/categories

  • Problems with Server 2008 R2 Kerberos with Mac and CentOS machines? Need to re - join domain

    We are having a problem with our Mac and Linux / CentOS machines constantly having to be re-attached to our AD domain.
    We are able to join machines to the domain successfully, but after a few weeks or if authentication is broken and we again join them to the domain.
    I see Security event logs on our domain controller when kerberos authentication fails.
    On the linux server - I see this message in the logs
    -binding failed: server not found in the kerberos database.

    I'm guessing this has to do with Server 2008 R2 and incompatible mac / linux versions.

    Any ideas?

    Hello

    I suggest you try to post the question in the forums and check them off below if it helps:

    http://social.technet.Microsoft.com/forums/en-us/windowsserver2008r2general/threads

    It will be useful.

  • WebLogic Instrumentation field to start the Weblogic Console

    Hi people,

    I have a question on the instrument WebLogic domain with two groups on two servers that the application servers are instrumented when they are started from the Weblogic console (I'm not terribly familiar with Weblogic so go easy on me)

    The manual is 'almost' clear for stand-alone Weblogic Server instrumentation or using Weblogic node Manager, but does not mention anything on Weblogic instrumentation so that instrumentation is picked up when the Console is used for stop/start server

    The environment includes:

    - An admin server for the WebLogic domain, run on server1 and started by this script:

    /bin/startWebLogic.sh

    -NodeManagers two, one on each server1 and server2, started by these scripts on each server:

    /bin/startNodeManager.sh

    -Also has two startup scripts Weblogic server on each server:

    /bin/startManagedWebLogic.sh

    /bin/start_server1.sh

    So far we've instrumented the /bin/startManagedWebLogic.sh with:

    QUEST_DEPLOYMENT_DIRECTORY=/foglight/Quest_Software/Foglight_Agent_Manager/agents/JavaEE
    if [ -f "$QUEST_DEPLOYMENT_DIRECTORY/integrate.sh" ]
    then
        QUEST_JAVA_ENV_OPTS=WEBLOGIC:SERVER
        . "$QUEST_DEPLOYMENT_DIRECTORY/integrate.sh"
    else
        echo agent Java EE not activated
    fi

    and instrumented the /bin/startNodeManager.sh with:

    QUEST_DEPLOYMENT_DIRECTORY=/foglight/Quest_Software/Foglight_Agent_Manager/agents/JavaEE
    if [ -f "$QUEST_DEPLOYMENT_DIRECTORY/integrate.sh" ]
    then
        QUEST_JAVA_ENV_OPTS=WEBLOGIC:NODEAGENT
        . "$QUEST_DEPLOYMENT_DIRECTORY/integrate.sh"
    else
        echo agent Java EE not activated
    fi

    This setup works fine as long as the Node Manager and the servers are started from the command line, but nothing is instrumented if they are started through the WebLogic Console.

    Questions:

    - Which of the scripts above (or all of them) have to be modified (and how) so that the WebLogic Server starts instrumented when started from the Console?

    - What am I missing? Is there anything else that needs to be done so that the Console starts the servers instrumented?

    Thank you

    Ovi,

    When you start the servers using the console, are they not being started by the Node Manager? If they are, the instrumentation on the Node Manager should do the trick. If they are NOT started using the Node Manager, then how do they get their JVM settings?

    I have seen cases in which the settings for server start did not go through the Node Manager; they were taken from the JVM options in the WebLogic Server administration console. If you can find this place (pretty much the area where you set your memory settings), you can manually add the flags that get the agent running.  You can see the parameters when you start WebLogic from the script (-Xbootclasspath... -javaagent...); you can just copy and paste these lines and hardcode them into the admin console's Java (JVM) settings for these servers.

    It will be useful.

    Golan

  • WebLogic integration - using startWebLogic.sh

    Hello

    I need to get some servers from Weblogic instrumented in our test environment and need help to better understand the methods of automatic integration.

    We start our Weblogic - (Version 10.3 on Solaris) servers using 3 custom scripts under the DOMAIN_HOME - startManagedArx.sh, startManagedDDSServer.sh and startManagedIntDDServer.sh

    These scripts call DOMAIN_HOME/startWebLogic.sh

    When I ran the FMS integration, pointing it to startWebLogic.sh and providing the domain, it integrated the scripts under DOMAIN_HOME/bin. It also created 2 backups of the original startWebLogic.sh under DOMAIN_HOME/bin.

    Do I have to manually copy these integrated scripts into the real startWebLogic.sh used under DOMAIN_HOME? If I do, are there any necessary changes to the FMS configuration? Can someone guide me on how to proceed?

    Also, in order to roll back this configuration, are there any additional steps other than reinstating the original startWebLogic.sh script?

    Just to be safe.

    Having the startweblogic scripts directly under DOMAIN_HOME is probably not standard; a default installation has its startup scripts under

    DOMAIN_HOME\bin\. Is the script in DOMAIN_HOME\startweblogic.sh a copy of the script in DOMAIN_HOME\bin\?

    My problem with the manual copy is that it leaves this as a semi-automatic process (undocumented, with room for error). I guess if the scripts in DOMAIN_HOME and DOMAIN_HOME\bin are the same you can technically do it (copy the script); it simply means that if someone else needs to do this, they may miss this non-standard step (not knowing what you know and what you did).

    In the interest of keeping the default installation structure, it could be better for your customized startup scripts to actually use DOMAIN_HOME\bin\startweblogic.sh instead of DOMAIN_HOME\startweblogic.sh (so that they follow the standard WebLogic installation script location). BUT if there was a specific decision which required the change, and the startweblogic scripts under DOMAIN_HOME and DOMAIN_HOME\bin are the same, you can try to copy the new or changed script from DOMAIN_HOME\bin to DOMAIN_HOME and see if it works.

    Here, there is another alternative which is keeping installation and standardized instructions and making integration manual http://edocs.quest.com/foglight/5610/doc/Cartridge-APM/JavaEECartridge-install/ManuallyIntegrating.5.php#424838

    This way you are creating a generic configuration and then adding the lines manually to the startweblogic you use.

    What is the advantage of this way?  He is always in standard and always documented, this way if someone should follow your work, they can always read the documentation and follow a path standard and documented to do things.

    As far as roll back configuration, this is the reason why we have these backups - you can just rename (and then later remove) new or modified startweblogic.sh and rename the backup/original to be startweblogic.sh.

    I hope this helps.

    Golan
