Search Results

Search found 392 results on 16 pages for 'kerberos keytab'.

Page 3/16 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • Relative security of SAML vs Kerberos

    - by Robert Gowland
    Does anyone have any info/links on the relative security of SAML vs Kerberos. I believe I grasp the differences between the two, and what they mean for my particular application, but to decided between the two, knowing which is more secure, if either, would be a valuable bit of info.

    Read the article

  • Windows Vista and 7 crossrealm authentication MIT Kerberos

    - by fox8
    I'm using Windows Server 2008 and Windows Vista and 7 for cross realm authentication using MIT Kerberos 1.6 but when i try to login with a user the KDC answers: (wireshark output) error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14) ... e-text: BAD_ENCRYPTION_TYPE I want to know how can I change the encryption type method to be compatible with the KDC (i tried a XP client and it worked fine). Many thanks!

    Read the article

  • Windows Vista and 7 crossrealm authentication MIT Kerberos

    - by fox8
    I'm using Windows Server 2008 and Windows Vista and 7 for cross realm authentication using MIT Kerberos 1.6 but when i try to login with a user the KDC answers: (wireshark output) error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14) ... e-text: BAD_ENCRYPTION_TYPE I want to know how can I change the encryption type method to be compatible with the KDC (i tried a XP client and it worked fine). (posted this yesterday on superuser, but I guess this is more a serverfault question) Can anyone help me on this ? Many thanks!

    Read the article

  • Getting Squid to authenticate with kerberos and Windows 2008/2003/7/XP

    - by Harley
    This is something I setup recently and was quite a big pain. My environment was getting squid to authenticate a Windows 7 client against a Windows 2008 Server invisibly. NTLM is not really an option, as using it requires a registry change on each client. MS have been recommending Kerberos since Windows 2000, so it's finally time to get with the program. Many, many thanks to Markus Moeller of the Squid mailing lists for helping to get this working.

    Read the article

  • Domain authentication used for kerberos based authentication of users on my server

    - by J G
    Suppose a user process has authenticated itself against domain's directory server via kerberos, and then attempts opens a network socket to my server application. My server application has a white-list of users from the domain directory server. How does my server app authenticate the user from the directory based on this socket opening attempt? (To keep things simple - let's say my server is written in Java, and the directory server is Active Directory) EDIT My question is about how the client asks for an authentication token.

    Read the article

  • Terse, documented, correct way to create Kerberos-backed user shares in Greyhole

    - by MrGomez
    As a migration strategy away from Windows Home Server (which is currently out of support and intractable for our needs, for a variety of reasons), our little cloister of nerds has targeted Greyhole for our shared use at home. Despite the documentation's terseness, getting the system set up for simple, single-user operation isn't especially difficult, but this scenario fails to service our needs. Among other highlights of the system, we're attempting to emulate Integrated Windows Authentication (with Kerberos) and single-user shares to keep the Windows users in the house happy and well-supported. I'm aware of the underlying systems that go into Greyhole and understand how to set up per-user shares in Samba, but the documentation doesn't seem to support cases for Greyhole to sop up these directories as separate landing zones for replication. Enter my question: are both of these cases (IWA user authentication and user-partitioned personal shares) supported by Greyhole? If so, please cite or link the supporting documentation if it exists.

    Read the article

  • SSH Kerberos Auth in Mac OSX 10.7

    - by deemstone
    I just upgrade my Mac OS to 10.7 Lion. It has worked well before. But , Only kinit working normally now, can't ssh to my server. After reinstall the "Mac OS X Kerberos Extras" , nothing better. Anyone give me a help? Thanks a lot!! my command line : Myname$ ssh [email protected] -v ...... debug1: Authentications that can continue: gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: Miscellaneous failure (see text) UNKNOWN_SERVER while looking up 'host/[email protected]' (cached result, timeout in 1200 sec) debug1: An invalid name was supplied unknown mech-code 0 for mech 1 2 752 43 14 2 debug1: Miscellaneous failure (see text) unknown mech-code 0 for mech 1 3 6 1 5 5 14 debug1: Authentications that can continue: gssapi-with-mic,password debug1: An unsupported mechanism was requested unknown mech-code 0 for mech 1 3 5 1 5 2 7 debug1: Miscellaneous failure (see text) unknown mech-code 0 for mech 1 3 6 1 5 2 5 debug1: Next authentication method: password [email protected]'s password:

    Read the article

  • Which kerberos flavor?

    - by Michael Lowman
    So I'm setting up a small network with all the standard stuff (files, email, etc.) and I've decided to go with a Kerberos+LDAP solution. Any ideas or recommendations on Heimdal vs. MIT? I've used MIT before, and tangentially Heimdal, but I don't really know of any real reason for using one over the other. I just know that I'd prefer not to realize I'd rather be running MIT after getting the whole Heimdal up and running with a full user database. If any other info'd be useful, I'm happy to provide.

    Read the article

  • Kerberos: connection from win app running from IIS to SQL failed

    - by Mikhail Kislitsyn
    I have an IIS web-application with Windows authentication and impersonation. This application connects to SQL server. In this case Kerberos works fine. But there is a problem. Web-application runs windows application (not .NET), which also connects to the SQL server. Windows application runs with IIS app user credentials and impersonates current site user to connect to SQL server. scheme: http://i.stack.imgur.com/2cgv7.png When delegation for IIS user is set to "Trust this computer for delegation to any service" everything works fine. But I can't use this type of delegation according to security requirements. When I set delegation to "Specific services" and choose MSSQLSvc SPN, connection from windows application fails with "ANONIMOUS" fault. WireShark shows "KRB5KDC_ERR_BADOPTION" packet. What I'm doing wrong?

    Read the article

  • Google Chrome and kerberos authentication against Apache

    - by Lars
    I've managed to get kerberos authentication to work now with Apache and Likewise Open but so far, Google Chrome doesn't seem to play fair. Unless I start it with chrome.exe --auth-server-whitelist="*company.com" it does only pop-up a login window but will not accept any credentials at all. As far as I know, the --auth-server-whitelist option should only be used when trying to get Single-Sign-On (SSO) to work, but if you are fine with a log-in window it should work directly out of the box, but so far it doesn't. This is the error I get in the apache logs. [Tue Dec 13 08:49:04 2011] [error] [client 192.168.1.15] failed to verify krb5 credentials: Unknown code krb5 7

    Read the article

  • Automate setup of constrained kerberos delegation in AD

    - by Grhm
    I have a web app that uses some backend servers (UNC, HTTP and SQL). To get this working I need to configure ServicePrincipalNames for the account running the IIS AppPool and then allow kerberos delegation to the backend services. I know how to configure this through the "Delegation" tab of the AD Users and Computers tool. However, the application is going to be deployed to a number of Active Directory environments. Configuring delegation manually has proved to be error prone and debugging the issues misconfiguration causes is time consuming. I'd like to create an installation script or program that can do this for me. Does anyone know how to script or programmatically set constrained delegation within AD? Failing that how can I script reading the allowed services for a user to validate that it has been setup correctly?

    Read the article

  • SQL Server service accounts and SPNs

    - by simonsabin
    Service Principal Names (SPNs) are a must for kerberos authentication which is a must when using sharepoint, reporting services and sql server where you access one server that then needs to access another resource, this is called the double hop. The reason this is a complex problem is that the second hop has to be done with impersonation/delegation. For this to work there needs to be a way for the security system to make sure that the service in the middle is allowed to impersonate you, after all you are not giving the service your password. To do this you need to be using kerberos. The following is my simple interpretation of how kerberos works. I find the Kerberos documentation rediculously complex so the following might be sligthly wrong but I think its close enough. Keberos works on a ticketing system, the prinicipal is that you get a security token from AD and then you can pass that to the service in the middle which can then use that token to impersonate you. For that to work AD has to be able to identify who is allowed to use the token, in this case the service account.But how do you as a client know what service account the service in the middle is configured with. The answer is SPNs. The SPN is the mapping between your logical connection to the service account. One type of SPN is for the DNS name for the server and the port. i.e. MySQL.mydomain.com and 1433. You can see how this maps to SQL Server on that server, but how does it map to the account. Well it can be done in two ways, either you can have a mapping defined in AD or AD can use a default mapping (this is something I didn't know about). To map the SPN in AD then you have to add the SPN to the user account, this is documented in the first link below either directly or using a tool called SetSPN. You might say that is complex, well it is and thats why SQL Server tries to do it for you, at start up it tries to connect to AD and set the SPN on the account it is running as, clearly that can only happen IF SQL is running as a domain account AND importantly it has permission to do so. By default a normal domain user account doesn't have the correct permission, and is why so many people have this problem. If the account is a domain admin then it will have permission, but non of us run SQL using domain admin accounts do we. You might also note that the SPN contains the port number (this isn't a requirement now in sql 2008 but I won't go into that), so if you set it manually and you are using dynamic ports (the default for a named instance) what do you do, well every time the port changes you need to change the SPN allocated to the account. Thats why its advised to let SQL Server register the SPN itself. You may also have thought, well what happens if I change my service account, won't that lead to two accounts with the same SPN. Possibly. Having two accounts with the same SPN is definitely a problem. Why? Well because if there are two accounts Kerberos can't identify the exact account that the service is running as, it could be either account, and so your security falls back to NTLM. SETSPN is useful for finding duplicate SPNs Reading this you will probably be thinking Oh my goodness this is really difficult. It is however I've found today in investigating something else that there is an easy option. Use Network Service as your service account. Network Service is a special account and is tied to the computer. It appears that Network Service has the update rights to AD to set an SPN mapping for the computer account. This then allows the SPN mapping to work. I believe this also works for the local system account. To get all the SPNs in your AD run the following, it could be a large file, so you might want to restrict it to a specific OU, or CN ldifde -d "DC=<domain>" -l servicePrincipalName -F spn.txt You will read in the links below that you need SQL to register the SPN this is done how to use Kerberos authenticaiton in SQL Server - http://support.microsoft.com/kb/319723 Using Kerberos with SQL Server - http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx Understanding Kerberos and NTLM authentication in SQL Server Connections - http://blogs.msdn.com/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx Summary The only reason I personally know to use a domain account is when you can't get kerberos to work and you want to do BULK INSERT or other network service that requires access to a a remote server. In this case you have to resort to using SQL authentication and the SQL Server uses its service account to access the remote service, and thus you need a domain account. You migth need this if using some forms of replication. I've always found Kerberos awkward to setup and so fallen back to this domain account approach. So in summary to get Kerberos to work try using the network service or local system accounts. For a great post from the Adam Saxton of the SQL Server support team go to http://blogs.msdn.com/psssql/archive/2010/03/09/what-spn-do-i-use-and-how-does-it-get-there.aspx 

    Read the article

  • Confusion about Kerberos, delegation and SPNs.

    - by Vilx-
    I already posted this question on SO, but the nature of it is between programming and server configuration, so I'll re-post it here as well. I'm trying to write a proof-of-concept application that performs Kerberos delegation. I've written all the code, and it seems to working (I'm authenticating fine), but the resulting security context doesn't have the ISC_REQ_DELEGATE flag set. So I'm thinking that maybe one of the endpoints (client or server) is forbidden to delegate. However I'm not authenticating against an SPN. Just one domain user against another domain user. As the SPN for InitializeSecurityContext() I'm passing "[email protected]" (which is the user account under which the server application is running). As I understand, domain users have delegation enabled by default. Anyway, I asked the admin to check, and the "account is sensitive and cannot be delegated" checkbox is off. I know that if my server was running as a NETWORK SERVICE and I used an SPN to connect to it, then I'd need the computer account in AD to have the "Trust computer for delegation" checkbox checked (off by default), but... this is not the case, right? Or is it? Also - when the checkbox in the computer account is set, do the changes take place immediately, or must I reboot the server PC or wait for a while?

    Read the article

  • Active directory Kerberos OSX problems

    - by Temotodochi
    I'll try to keep this short, but informative. I'm currently unable to bind OSX lion (10.7.4) machines to our AD. OSX kerberos (heimdal) is unable to locate the KDC service. However i can bind linux & windows machines to the AD without any problems in the same network AD controls the domain DNS and all the relevant _kerberos._tcp.x.domain.com and _kpasswd SRV DNS records are there and resolve fine when tried from OSX machines. Defined ports are open for service and manually accessible from OSX. When i try kinit in the OSX, i can get the first auth through (wrong passwords fail instantly), but when supplied with correct password, kinit fails after some waiting with "unable to reach KDC". All machines run NTP and have correct time. During testing, network is not firewalled between the machines Linux and windows machines have no problems whatsoever I have tried with and without /etc/krb5.conf - OSX by default does not need it in the krb5.conf i used a working config from one of our linux machines. dsconfigad fails with simple "connection failed to the directory server" I'm a bit baffled with this. OSX is like the KDC is nowhere to be found and at the same time my test machines with windows 7 and some linux (centos 6 & debian 6) machines have no problems whatsoever. Same network, same configurations. I'm missing some vital piece of configuration somewhere, and i can't find out what it is.

    Read the article

  • NTLM, Kerberos and F5 switch issues

    - by G33kKahuna
    I'm supporting an IIS based application that is scaled out into web and application servers. Both web and applications run behind IIS. The application is NTLM capable when IIS is configured to authenticate via Kerberos. It's been working so far without a glitch. Now, I'm trying to bring in 2 F5 switches, 1 in front of the web and another in front of the application servers. 2 F5 instances (say ips 185 & 186) are sitting on a LINUX host. F5 to F5 looks for a NAT IP (say ips 194, 195 and 196). Created a DNS entry for all IPs including NAT and ran a SETSPN command to register the IIS service account to be trusted at HTTP, HOST and domain level. With the Web F5 turned on and with eachweb server connecting to a cardinal app server, when the user connects to the Web F5 domain name, trust works and user authenticates without a problem. However, when app load balancer is turned on and web servers are pointed to the new F5 app domain name, user gets 401. IIS log shows no authenticated username and shows a 401 status. Wireshark does show negotiate ticket header passed into the system. Any ideas or suggestions are much appreciated. Please advice.

    Read the article

  • mount.nfs: access denied by server while mounting (Kerberos authentication)

    - by Nick
    There's plenty of references to this error on Goggle, and even a question here with the same title, but it seems that "access denied by server while mounting" is a catch-all error. I've tried suggestions that others have used to fix this problem, but they did not work in my case. I'm trying to set-up a Kerberos-based NFS file server with shared homes for a Linux network. I'm using Ubuntu 11.04 Servers and clients. When trying to mount a share using: mount 192.168.1.115:/export/home/ /media/tmp I get: mount.nfs: access denied by server while mounting 192.168.1.115:/export/home/ This is the same if I mount it from a client machine or from the server itself. On the server, in /var/log/syslog I get: Aug 25 06:22:37 nfs mountd[1580]: authenticated mount request from 192.168.1.115:835 for /export/home (/export/home) Aug 25 06:22:37 nfs mountd[1580]: authenticated unmount request from 192.168.1.115:766 for /export/home (/export/home) Which is odd, since it says it's authenticated the request, not denying it. /etc/exports: /export *(rw,fsid=0,crossmnt,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5) /export/home *(rw,insecure,async,no_subtree_check,sec=krb5p:krb5i:krb5) On client: me@dt1:/$ rpcinfo -p 192.168.1.115 program vers proto port 100000 2 tcp 111 portmapper 100024 1 udp 37320 status 100024 1 tcp 48460 status 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100003 4 tcp 2049 nfs 100227 2 tcp 2049 100227 3 tcp 2049 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 4 udp 2049 nfs 100227 2 udp 2049 100227 3 udp 2049 100021 1 udp 58625 nlockmgr 100021 3 udp 58625 nlockmgr 100021 4 udp 58625 nlockmgr 100021 1 tcp 49616 nlockmgr 100021 3 tcp 49616 nlockmgr 100021 4 tcp 49616 nlockmgr 100005 1 udp 45627 mountd 100005 1 tcp 60265 mountd 100005 2 udp 45627 mountd 100005 2 tcp 60265 mountd 100005 3 udp 45627 mountd 100005 3 tcp 60265 mountd Any suggestions I could try?

    Read the article

  • Authenticating Windows 7 against MIT Kerberos 5

    - by tommed
    Hi There, I've been wracking my brains trying to get Windows 7 authenticating against a MIT Kerberos 5 Realm (which is running on an Arch Linux server). I've done the following on the server (aka dc1): Installed and configured a NTP time server Installed and configured DHCP and DNS (setup for the domain tnet.loc) Installed Kerberos from source Setup the database Configured the keytab Setup the ACL file with: *@TNET.LOC * Added a policy for my user and my machine: addpol users addpol admin addpol hosts ank -policy users [email protected] ank -policy admin tom/[email protected] ank -policy hosts host/wdesk3.tnet.loc -pw MYPASSWORDHERE I then did the following to the windows 7 client (aka wdesk3): Made sure the ip address was supplied by my DHCP server and dc1.tnet.loc pings ok Set the internet time server to my linux server (aka dc1.tnet.loc) Used ksetup to configure the realm: ksetup /SetRealm TNET.LOC ksetup /AddKdc dc1.tnet.loc ksetip /SetComputerPassword MYPASSWORDHERE ksetip /MapUser * * After some googl-ing I found that DES encryption was disabled by Windows 7 by default and I turned the policy on to support DES encryption over Kerberos Then I rebooted the windows client However after doing all that I still cannot login from my Windows client. :( Looking at the logs on the server; the request looks fine and everything works great, I think the issue is that the response from the KDC is not recognized by the Windows Client and a generic login error appears: "Login Failure: User name or password is invalid". The log file for the server looks like this (I tail'ed this so I know it's happening when the Windows machine attempts the login): If I supply an invalid realm in the login window I get a completely different error message, so I don't think it's a connection problem from the client to the server? But I can't find any error logs on the Windows machine? (anyone know where these are?) If I try: runas /netonly /user:[email protected] cmd.exe everything works (although I don't get anything appear in the server logs, so I'm wondering if it's not touching the server for this??), but if I run: runas /user:[email protected] cmd.exe I get the same authentication error. Any Kerberos Gurus out there who can give me some ideas as to what to try next? pretty please?

    Read the article

  • "Checksum failed" during Kerberos SSO

    - by Buddy Casino
    This is an error that occurs when a mod_auth_kerb protected webapp is being accessed, and I have no idea what the cause might be. Can anyone give hints as into which direction I should look? Thankful for any help! Search Subject for Kerberos V5 ACCEPT cred (HTTP/[email protected], sun.security.jgss.krb5.Krb5AcceptCredential) Found key for HTTP/[email protected](23) Entered Krb5Context.acceptSecContext with state=STATE_NEW >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType Checksum failed ! 16:36:30,248 TP-Processor31 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] Caught GSS Error GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:95) at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44) at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:337) at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:994) at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:994) at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:438) at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:438) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:555) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774) at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703) at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) at java.lang.Thread.run(Thread.java:662) Caused by: KrbException: Checksum failed at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85) at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77) at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168) at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:268) at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134) at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724) ... 24 more Caused by: java.security.GeneralSecurityException: Checksum failed at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388) at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74) at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83) ... 30 more

    Read the article

  • SQL Server 2008, Kerberos and SPN

    - by andrew007
    Hi, I installed SQL Server 2008 on a Win XP SP2 workstation in a AD domain and configured to run with the "Network Service" account. In my error log I have the following message (Event ID:26037): The SQL Server Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. **Error: 0xd, state: 13**. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies. The strange thing is that I have another SQL Server 2008 installation in a Win 2003 server configured in the same way and there I do not have this message. My questions are: Does anybody know if there are limitations with Kerberos on Windows XP and SQL Server? Why the SPN is not automatically registered on Win XP when I use the "Network Service" but it works on Windows 2003 server? THANKS!

    Read the article

  • SQL Server Analysis Services, DNS, AD, Kerberos, Connection Issues

    - by ScaleOvenStove
    Running into a very weird issue. Converting servers to Windows 2008/SQL 2008. Have a server, SERVER_A, brand new, setup with Win2k8,Sql2k8 - works. Have a Server SERVER_B, running Windows2003/SQL2005. I want to migrate from SERVER_B to SERVER_A. I have all db's, cubes, etc setup on SERVER_A and it is mimicking functionality. Since users are using Excel to connect to SSAS, they connection string has SERVER_B in it. What I want to do, is, change DNS on the network to point SERVER_B (by name) at the ip of SERVER_A. I have successfully done this with another server, SERVER_C, but I need to do it with SERVER_B. What I have found is that with SERVER_C, after changing DNS, had to remove SERVER_C from AD and then it worked. I could connect to SERVER_C (DB), SERVER_C (SSAS Default Instance) and SERVER_C (SSAS Named instance) and it all was actually connecting to SERVER_A I tried to do the same with with SERVER_B, and no luck. Changed DNS, removed from AD, and it wouldn't connect. Found out that there were some SPN's in AD set up, so removed those and tried again. I then could connect to SERVER_B (DB), SERVER_B (SSAS Named Instance), but not SERVER_B (SSAS Default Instance). I could connect to SERVER_B (SSAS Default Intance WITH the Port #), but I need to be able to connect without the port number. I am at a loss to as why I can't connect to the default instance without a port #. Not sure if it is SPN's in AD, or another AD issue, or something else. Pretty sure it isnt something on the server (because SERVER_C works!) Any insight or suggestions would be greatly helpful!!

    Read the article

  • Kerberos: Running an app with a parameter using krenew

    - by Mihai Todor
    I need to run an application with krenew, but the application also needs to receive a parameter via command line and I need to send its output to a file. From the documentation, it looks like this should do the trick: krenew -t -- sh -c 'compute-job > /afs/local/data/output' but, unfortunately, when I run the command below: krenew -s -- sh -c './my_app config.xml > results/test.txt &' the application just dies after a while and I can see from the output of ps aux that krenew is not running along with my_app. I am not sure what the parameter -t does, and as far as I can see, if I run krenew -s ./my_app, it works properly. I hope someone can clarify this.

    Read the article

  • Why does Kerberos need Ticket Granting Server?

    - by Narsil
    It's probably something fundamental but I can't find a certain statement. Why can't KDC authenticate then provide the service ticket directly. Is it about security or performance or some other thing? Since users don't log in each time they request a service and assumably they will keep logged in for a long time, AS doesn't seem so busy. Why do they have to be seperated?

    Read the article

  • BITS, TakeOwnership, and Kerberos / Windows Integrated Authentication

    - by Charlie Flowers
    We're using BITS to upload files from machines in our retail locations to our servers. BITS will stop transferring a file if the user who owns the BITS job logs off. Therefore, we're using a Windows Service running as LocalSystem to submit the jobs to BITS and be the job owner. This allows transfers to continue 24/7. However, it raises a question about authentication. We want the BITS server extensions in IIS to use Kerberos to authenticate the client machine. As far as I can tell, that leaves us with only 2 options, both of which are not ideal: Either we create an "ImageUploader" account and store its username/password in a config file that the Windows Service uses as credentials for the BITS job, or we ask the logged on user who creates the BITS job for his password, and then use his credentials for the BITS job. I guess the third option is not to use Kerberos, and maybe go with Basic Auth plus SSL. I'm sure I'm wrong and there's a better option. Is there? Thanks in advance.

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >