[IMPORTANT] Kerberos Issue : Pre Authentication failed (Error Code 24) with SAM account / No error with UPN account
Douglas E. Engert
2007-11-26 20:42:44 UTC
Hello,
I'm a Business Intelligence consultant working on Business Objects
products and the last one: BusinessObjects Enterprise XI Release 2 (BOE
XI-R2).
The BOE XI-R2 product allows setting up Active Directory, LDAP and NT
authentication mechanisms (and additionally SSO).
I have to set up Single Sign On on BOE XI-R2 products and I have done it
successfully several times (on LDAP, AD and NT).
On a specific project, the SSO (using Kerberos with Active Directory)
does not work and we are having difficulty identifying why it is not
working...
The Kerberos authentication is done through a JVM (1.4.2) and we can
test it using the "kinit" utility. We set up the krb5.ini and all files
correctly.
[logging]
default = CONSOLE
kdc = CONSOLE
admin_server = CONSOLE
[libdefaults]
default_realm = DBB.INT.DEXWIRED.NET
dns_lookup_kdc = true
dns_lookup_realm = true
kdc_timeout = 30000
[realms]
DBB.INT.DEXWIRED.NET = {
kdc = DLU0SINF001P.DBB.INT.DEXWIRED.NET
default_domain = DBB.INT.DEXWIRED.NET
}
Note: We tried to use logging with this syntax: default =
FILE:C:/WINNT/default.log, but no logs were generated! And CONSOLE
outputs nothing on Windows.
If we use kinit with a SAM account, we get error code 24
(pre-authentication failed).
If we use kinit with a UPN account (for the same user account), we
succeed in authenticating the user.
Can you give me some information about how the authentication
mechanism is done?
This sounds like the problem with Java 1.4 assuming it knows
the "salt" to use for a user, and taking a shortcut with the
Kerberos protocol, skipping the first step of asking the KDC for
any pre-auth parameters including the salt, assuming it knew the salt.
The salt for DES is the realm concatenated with the principal name
components as of the last time the password was changed. The salt is
concatenated with the password as input to a string-to-key function
to get a key. The client and server do need to use the same salt.

Google for java pre-auth

http://www.webservertalk.com/archive213-2005-8-1171299.html
Is it possible to specify to the JVM that we want to authenticate
users with SAM rather than UPN, and how?
Do you have any ideas or suggestions, please?
I believe it is fixed in 1.6
Thanks for your help.
Regards,
Bruno.
--------------------------------------
http://www.dexia.be/maildisclaimer.htm
--------------------------------------
________________________________________________
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <***@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
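The salt shortcut Douglas describes, modelled as an added example (not code from the thread or from the Java runtime): a toy KDC whose salt was fixed from the UPN-style principal name when the password was set, a client that guesses the salt from whatever name the user typed, and a client that asks the KDC for the salt first. Assumptions: the realm, account names, password and timestamp are constructed, and PBKDF2-HMAC-SHA1 plus an HMAC stand in for the real DES string-to-key function and the encrypted timestamp.

```python
import hashlib
import hmac

KDC_ERR_PREAUTH_FAILED = 24  # the error code reported in the thread
TS = "20071126204244Z"       # constructed client timestamp for PA-ENC-TIMESTAMP

def default_salt(realm: str, principal: str) -> str:
    """RFC 4120 default salt: realm followed by the principal's name components,
    concatenated with no separators (e.g. "EXAMPLE.COMjdoe")."""
    name = principal.split("@", 1)[0]
    return realm + "".join(name.split("/"))

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in string-to-key: PBKDF2-HMAC-SHA1 (first stage of RFC 3962 AES). DES
    uses a different function (RFC 3961 6.2), but the salt dependence is the same."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, 16)

def pa_enc_timestamp(key: bytes, timestamp: str) -> bytes:
    """Simplified PA-ENC-TIMESTAMP: an HMAC stands in for the encrypted timestamp."""
    return hmac.new(key, timestamp.encode("utf-8"), hashlib.sha256).digest()

class Kdc:
    """Toy KDC with one account. Its salt was fixed from the principal name in
    force when the password was last set (assumed to be the UPN-style name)."""

    def __init__(self, realm: str, stored_principal: str, password: str):
        self.realm = realm
        self.salt = default_salt(realm, stored_principal)
        self.key = string_to_key(password, self.salt)

    def etype_info_salt(self) -> str:
        return self.salt  # what a client learns by asking first (PA-ETYPE-INFO)

    def as_req(self, timestamp: str, proof: bytes) -> int:
        if hmac.compare_digest(proof, pa_enc_timestamp(self.key, timestamp)):
            return 0  # pre-authentication accepted
        return KDC_ERR_PREAUTH_FAILED

def client_guessing_salt(kdc: Kdc, typed_name: str, password: str) -> int:
    """Java 1.4-style shortcut: derive the salt from the name the user typed."""
    key = string_to_key(password, default_salt(kdc.realm, typed_name))
    return kdc.as_req(TS, pa_enc_timestamp(key, TS))

def client_asking_salt(kdc: Kdc, password: str) -> int:
    """Correct flow: obtain the salt from the KDC first, then derive the key,
    so it matches whichever name form the user typed."""
    key = string_to_key(password, kdc.etype_info_salt())
    return kdc.as_req(TS, pa_enc_timestamp(key, TS))
```

With the constructed account, typing the SAM-style name into the guessing client yields error 24 while the UPN-style name succeeds, and the client that asks for the salt succeeds with either; a real client logs the KDC's PA-ETYPE-INFO reply, which is the first thing to check when diagnosing this symptom.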
Danny Mayer
2007-11-27 17:34:39 UTC
Note: We tried to use logging with this syntax: default =
FILE:C:/WINNT/default.log, but no logs were generated! And CONSOLE
outputs nothing on Windows.
This is a system directory so you need to make sure the account that's
running this has write access to that directory. A better strategy is to
create a different directory like C:\Kerberos and set the permissions on
that directory to allow the application to write there. You really
shouldn't be writing to WINNT at all.

Danny
