Kerberos , how to fix "KDC cannot accommodate requested option." - alfresco

I am trying to configure alfresco 5.0d community to use kerberos and SSO via active directory.
My setup works fine when I login in the alfresco form login page (without SSO),
However, When enabling SSO, I see this exception in the alfresco logfile:
KrbException: KDC cannot accommodate requested option (13)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
After looking at it with wireshark, it seems like the difference in the TGS-REQ message is that when using SSO, there is an option flag called request-anonymous that is enabled. This causes the KDC to answer with a KDC_ERR_BADOPTION message.
Is there a way to configure kerberos to not set the request-anonymous flag?
Or alternitavely, is there a way to tell the KDC server to deal with it properly?

Related

The authentication endpoint Kerberos was not found on the configured Secure Token Service

I've encountered a challenge regarding internet-facing deployment installation for CRM using a AD FS server. After the setup is complete, users are able to access the CRM server - but when trying to run custom pages the following error message is prompted:
"The authentication endpoint Kerberos was not found on the configured Secure Token Service!"
I've found several solutions on the internet for this issue:
First I found a KB article from Microsoft providing a possible
solution, this involves updating MEX endpoints by running a provided
PowerShell script.
(https://support.microsoft.com/en-us/help/2828015/configuring-ad-fs-2.1-with-microsoft-dynamics-crm-2011).
But this doesn't seem to be the issue.
Another solution could be to update the CRM rollup version (currently have version 14 installed, latest is version 18) - this is something that I want to avoid as it might lead to further issues.
Have anybody else encountered a similar issue, and in that case how did you solve it?
I have just spent last few days to figure this exact same error message and it turned out that it was the "Domain" attribute in crm connection string. Copied my answer to my own question at the Microsoft Dynamics CRM community forum here:
"Well, I found the culprit - it was the Domain attribute in the connection string:
For connecting from outside the domain, it does not like to have a Domain in the connection string:
Connection string format 1 (without Domain attribute): "Authentication Type=Passport;Server=https://devcrm.myco.com;Username=devuser#myco.com;Password=pwd" - this works both inside and outside the domain "myco.com"
Connection string format 2 (with Domain attribute): "Authentication Type=Passport;Server=https://devcrm.myco.com;Domain=myco;Username=devuser#myco.com;Password=pwd" - this only works inside the domain myco.com but NOT outside (exception: The authentication endpoint Kerberos was not found on the configured Secure Token Service!)

The key is in the Xrm.Client.CrmConnection.ClientCredential:
If Domain is NOT specified in the connection string, when connecting from outside domain, Xrm.Client.CrmConnection.ClientCredentials.UserName is populated whereas the ClientCredentials.Windows.ClientCredentials.UserName is empty.
But if the Domain is specified, Xrm.Client.CrmConnection.ClientCredentials.UserName becomes null and Xrm.Client.CrmConnection.ClientCredentials.Windows.ClientCredentials.UserName populated, which led to the service trying to authenticate user as a Windows AD user so of course it would fail when running app from outside Windows domain. And it explains why the same app works inside the domain even with Domain specified in the connection string.
For more detail, refer here for my original post asking for help in Dynamics CRM Forum

ADFS Passive Request = "There are no registered protocol handlers"

Im trying to configure ADFS to work as a Claim Provider (I suppose AD will be the identity provider in this case).
Just for simple testing, ive tried the following on windows server 2016 machine:
1) Setup AD and domain = t1.testdom (Its working cause im actually able to login with the domain)
2) Setup DNS. Added a host (A) for adfs as fs.t1.testdom
3) selfsigned certificate (https://technet.microsoft.com/library/hh848633):
powershell> New-SelfSignedCertificate -DnsName "*.t1.testdom"
4) created a dedicated service account for gMSA
5) setup ADFS.
Server name set as fs.t1.testdom
service>authentication method is enabled as form authentication
6) Also fixed the SPN via powershell to make sure all needed SPNs are there and given to the right user account and that no duplicates are found
--
However, when I try to access the login page on browser via https://fs.t1.testdom/adfs/ls I get the error. The log on server manager says the following:
`There are no registered protocol handlers on path /adfs/ls to process the incoming request`
So is there a way to reach at least the login screen? So I can move on to the next error.
this is what I get on the /ls screen:
Finally found the solution after a week of google, tries, server rebuilds etc!
(This guru answered it in a blink and no one knew it!
https://www.experts-exchange.com/questions/28994182/ADFS-Passive-Request-There-are-no-registered-protocol-handlers.html)
The IdP-Initiated SSO page (https://fs.t1.testdom/adfs/ls/idpinitiatedsignon.aspx). Note that if you are using Server 2016, this endpoint is disabled by default and you need to enable it first via the AD FS console or
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
--
My question is, if this endpoint is disabled, why isnt it listed in the endpoints section of ADFS Management console?!!

Not able to get nJupiter.DataAccess.Ldap work with our Internal LDAP (Lotus Domino)

I've tried everything possible, to setup nJupiter.DataAccess.Ldap as the membership provider on our intranet based web application built using asp.net 3.5.
Challenges I am facing:
Not able to authenticate the user using the default login webpart (says Your login attempt was not successful. Please try again)
I tried this code and I receive a COMException : "There is no such object on the server."
var ldapMembershipUser = System.Web.Security.Membership.GetUser("username") as LdapMembershipUser;
if (ldapMembershipUser != null)
{
var givenName = ldapMembershipUser.Attributes["givenName"];
}
I have placed my web.config and the nJupiter.DataAccess.Ldap.config here:
web.config : http://pastebin.com/9XdDnhUH
nJupiter.DataAccess.Ldap.config : http://pastebin.com/WsSEhi98
I have tried all possible permutations and combinations for different values in the XML and i am not able to take it forward. Please guide. I just am not able to connec to the LDAP and authenticate the user or even search for users.
Just looking at your config is unlikely to be enough since I don't know your Domino server's confguration, so my answer isn't an attempt to fix your problem. It's an attempt to teach you how I would approach it if it were my problem. Here's what I do to troubleshoot connections and queries from code to Domino LDAP:
Configure the Domino LDAP server for logging the highest level of debug information with the notes.ini setting LDAPDEBUG=7. See this IBM technote for more info.
Use an LDAP client and figure out how to successfully connect to the Domino LDAP server. I like the free Softerra client for this. Check the logs and save off the info from your successful connection.
Now run your code and compare what you see in the logs against the successful connection.
If the code is making it past authentication but failing on the query, then find the actual query in the log, go back to your LDAP client, figure out what the query should have been, and adjust your code's configuration appropriately.

OpenAM J2EE agent installation bringing down tomcat

OpenAM version -12 , Agent version 3.5 and 3.3 , tomcat version 7
I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE Agent. Let me paste the steps after asking the question(see at the end)
but I am getting the error as asked below
Not able to configure J2ee agent on adding my customized data store for users
I have tried to use 3.5 version installed and uninstalled multiple times and tried previous version.
There is a nice discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error
but it did not help me much.
I am using LDAP so I have used LDAP realm and subjects are showing up ok. Also I am observing that the policy tab has changed quite a bit from how it is described in the Blogs.
Now with the roadblock I am not sure how to proceed as the error is not giving me any clue what to do. I even added the file named AMConfig.properties in the classpath with username and password of the agent and tried the username and password of the OpenAM admin too as suggested in the discussion mentioned. but that too did not help.
The issue is the Tomcat now is not starting and giving error that AMConfig.properties properties are needed
I know the OpenAM Realm setup is good as I am able to login via this realm to another application (Liferay) where I just have to give the URL for use OpenAM integration. but after uninstallation of the agent the tomcat starts without any error and i am able to login to the application
-------------------Step copied from 1st link(modified)--------------------------
1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add a subjects - already part of LDAP Realm
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)
Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm
alfresco.authentication.allowGuestLogin=true
SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.
That concludes the setup for Alfresco and OpenAM
For Share you need to have the following section uncommented in your share-config-custom.xml
alfresco/web-extension/alfresco-system.p12
pkcs12
alfresco-system
alfrescoCookie
Alfresco Connector
Connects to an Alfresco instance using cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
alfrescoHeader
Alfresco Connector
Connects to an Alfresco instance using header and cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
SsoUserHeader
alfresco
Alfresco - user access
Access to Alfresco Repository WebScripts that require user authentication
alfrescoHeader
http://alfreso.domain.com:8080/alfresco/wcs
user
true
Notice I am not using the SSL cert and in my alfrescoHeader connector I have used SsoUserHeader (as setup in OpenAM) and the endpoint uses the alfrescoHeader connector
Now you need to add the OpenAM filter to the Share web.xml file
Add the following filter just before the Share SSO authentication support filter
Agent
com.sun.identity.agents.filter.AmAgentFilter
Add the following filter mapping to the filter-mapping section
Agent
REQUEST
INCLUDE
FORWARD
ERROR
----- End ----------
The error message is a bit misleading: the Cannot obtain application SSO token in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file, those values need to correspond to the agent profile configured within OpenAM.
To test if you can authenticate as the user, you could simply try to authenticate as the agent by making the following request:
curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate
In the above command the realm value needs to be the same as the value for the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).
Having bad username/password combination is only one of the possible root causes for this exception though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:
network error, firewall issues preventing the agent from contacting OpenAM
SSL trust issues: agent's JVM does not trust the certificate of OpenAM's container (only problem if you've installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or just simply not trusted by the JVM)

Published asp.net WebApp won't connect. 401.1 unauthorized

asp.net app (c#) worked fine in debug mode; published, getting 401.1 error (unauthorized).
When I put in the url, a dialog asks for username & password. Put it in 3x, error.
It's an internal app, using Windows authentication only.
IIS 7.5, using ApplicationPoolIdentity.
SQLServer Database
Specific Error Message from 401.1 page:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8009030e
Requested URL http://smalltools.dbsvc.com:80/ Ap
Physical Path C:\inetpub\SmallTools
Logon Method Not yet determined
Logon User Not yet determined
The app has a users table to determine the "role" of that user. I put a method in the master page that queries the table based on authenticated user, and returns the role. This, in turns, determines which buttons are visible on the navigation bar.
Looked in the security log, and found the following 3 entries:
2012-07-20 14:55:11 10.0.1.38 GET / - 80 - 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 401 2 5 15
2012-07-20 14:55:20 10.0.1.38 GET / - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 125
2012-07-20 14:55:20 10.0.1.38 GET /favicon.ico - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 404 0 2 0
Any idea what might be causing the inability to log in? Any clues what I can fix to make it work? I've researched all day and haven't found what might be the problem.
Any information is gratefully received.
Thanks
Cindy
I've successfully solved the issue; I had to allow impersonation, and make an adjustment to the AD group.
The article in the following link helped a great deal:
http://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If this is an external site, then Windows authentication isn't really the way to go. But you can still do it, here's some links I found that should help.
Q&A about similar issue
Microsoft guide on how to implement
Typically Windows Authentication is used with internal systems because the users are logged on directly to the system and all their credentials are right there. However for external apps this isn't always the case, since your home Windows account and work windows account aren't the same, in addition you may not even be using windows from the external location.
Another gotcha I came across is the local loopback address security check when you setup a DEV instance and modify hosts file to use Fully Qualified Domain Name (FQDN) or simply when you browse IIS site with custom headers and the name does not match the server hostname. While this is necessary for production servers it is a problem when setting up Developer environments.
"This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address"
There are two main methods to resolve the issue:
Specify host names (Preferred method if NTLM authentication is desired) by creating/updating the Multi-String value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Disable the loopback check (less-recommended method - do not use on production servers) by setting the following registry DWORD value to 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck
Please refer to this HTTP 401.1 - Unauthorized: Logon Failed - Microsoft Support article for detailed overview and registry settings.

Resources