Re: Unable to bind to ADAM using windows account
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 14 Dec 2007 12:52:07 -0600
It looks to me from the stack trace here that your Java code is trying to
use Kerberos for authentication and doesn't use SPNEGO to negotiate down to
NTLM auth. As such, you need to make Kerberos work.
To do that, the account running ADAM must be a domain account (either a
service account or the machine account for the computer if you are using
Network Service or System) AND the SPN for ADAM must be registered only once
and on that account. Otherwise, Kerberos will be broken.
You don't really want Kerb to be broken anyway as that is likely to bite you
somewhere else like with replication.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"choukse" <choukse.31lafc@xxxxxxxxxxxxx> wrote in message
news:choukse.31lafc@xxxxxxxxxxxxxxxx
Hi Lee/Joe,
I agree with your point Joe that the problem is in decrypting the key
for ADAM service.
As you have suggested to use a non-admin domain account, I created a
new ADAM instance and passed the domain account as the security
context. Still got the same error.
I also checked that while using the domain accounts as security
context, the SPNs are registering properly to the account object only.
I also tried to authenticate ADAM on a member server, but got the
following error:
Code:
--------------------
Context initialization attempt failed
javax.naming.AuthenticationException: GSSAPI [Root exception is
javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Server not
found in Kerberos database (7))]]
    at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
    at com.nortel.kerberos.action.JndiAction.performJndiOperation(JndiAction.java:73)
    at com.nortel.kerberos.action.JndiAction.run(JndiAction.java:27)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Unknown Source)
    at com.nortel.kerberos.cli.KerberosAuthenticator.main(KerberosAuthenticator.java:49)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused
by GSSException: No valid credentials provided (Mechanism level: Server
not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
    ... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism level:
Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
    ... 19 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
    at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
    ... 22 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.init(Unknown Source)
    at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
    ... 27 more
--------------------
In this case as well, the SPNs are registering to the proper objects, i.e.
to the member computer in the case of the Network Service account as security
context and to the domain account object in the case of a domain account as
security context.
I am not able to figure out why the KDC is not able to find the ADAM
instance running on the member server.
Thanks,
Sandeep
--
choukse
------------------------------------------------------------------------
choukse's Profile: http://forums.techarena.in/member.php?userid=34893
View this thread: http://forums.techarena.in/showthread.php?t=856741
http://forums.techarena.in
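Joe's condition (the SPN registered exactly once, and on the account ADAM runs as) and Sandeep's "Server not found in Kerberos database (7)" both come down to the same lookup the KDC performs: it searches the domain for an account whose servicePrincipalName holds the exact SPN the client asked for. The script below, added here as an illustration and not code from either poster, runs that search from a domain-joined Windows host with read access to the directory and reports whether the SPN is missing, duplicated, or parked on the wrong account. The SPN value and account name are placeholders to replace; the SPN you check should be the one the Java client actually requests, which with JNDI's GSSAPI SASL mechanism is derived from the host name in the LDAP URL (stated here as an assumption to verify against your client, since the thread does not show the URL).

```powershell
# Added example, not part of the original thread.
# Checks that one SPN is held by exactly one account, and that the holder is the
# expected ADAM service identity (a domain service account, or the computer account
# when ADAM runs as Network Service / System).
param(
    [string]$Spn     = 'ldap/adamhost.example.com:50000',  # placeholder: SPN the client requests
    [string]$Account = 'svc-adam'                          # placeholder: expected sAMAccountName
)

# DirectorySearcher with no SearchRoot searches the default naming context
# of the domain the current host is joined to.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(servicePrincipalName=$Spn)"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$holders = $searcher.FindAll()

switch ($holders.Count) {
    0 {
        # Nothing in the directory carries this SPN: the KDC cannot map the
        # requested service to a key, which is what error 7 reports.
        Write-Output "MISSING: no account holds '$Spn'; the KDC has no key to issue a ticket for it"
    }
    1 {
        $sam = $holders[0].Properties['samaccountname'][0]
        if ($sam -ieq $Account) {
            Write-Output "OK: '$Spn' is held only by $sam"
        } else {
            # A ticket would be issued, but encrypted to a key ADAM does not have.
            Write-Output "WRONG ACCOUNT: '$Spn' is held by $sam, expected $Account"
        }
    }
    default {
        # Duplicate SPNs make the KDC's choice of key ambiguous; Kerberos fails
        # for this service until only one account holds the SPN.
        Write-Output "DUPLICATE: '$Spn' is held by $($holders.Count) accounts:"
        foreach ($h in $holders) {
            Write-Output ("  " + $h.Properties['distinguishedname'][0])
        }
    }
}
```

Run it once for each SPN form ADAM registers for the instance (short host name and FQDN, each with the instance port); the "OK" result on the exact string the client requests is the one that matters, and a "MISSING" result on that string while other forms pass is the usual explanation for error 7 appearing even though SPN registration looked correct.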