On Thu, 10 Feb 2005 23:20:37 -0500, Fredrik Tolf wrote:
> I have to admit that I don't know a lot about Windows and Kerberos.
> However, as I've understood it, the only thing that really prevents you
> from using a MIT KDC for Windows clients is the authorization data they
> ship in the ticket, ri
Hi,
Is there any documentation on the keytab file format? From scanning
the code the rules are not clear and leaves me wanting of definitive
documentation.
I want to write an encoder (and I suppose decoder) in plain C for
inclusion in the pwdump2 [1] program for exporting Kerberos keys from a
MS
On Mon, 1 May 2006 22:32:44 +0100
"Tim Alsop" <[EMAIL PROTECTED]> wrote:
> * 0 2 keytype
> * 2 2 keylen
> * 4 keylen keydata
> * }
> * POSSIBLE if length left {
> * xxx 4vno
> * }
> */
>
> Is the "keytype" actually the key type, or is it the etype ? I ask this
> because I ha
On Mon, 01 May 2006 17:13:13 -0400
Sam Hartman <[EMAIL PROTECTED]> wrote:
> We'd really prefer you just call into a krb5_32.dll. That will
> continue to work if the keytab format changes in the future.
I don't think asking people to install an MIT kerberos dll on a Windows
KDC would go over w
ilities/Windows/pwdump2_readme.cfm
--8<--
ktexport.exe - export Kerberos keys from Active Directory
Michael B Allen
Tue May 2 21:02:02 EDT 2006
This version of pwdump2 has been modified to export Kerberos ARCFOUR
keys from a Windows domain controller.
INSTALLATION / RUNNING:
There is no n
or no service,
2 with service?
4) Have I missed anything?
If people would like to try this on their keytab files the test1.c test
decodes, encodes a copy, and then decodes the copy. Please let me know
what you find.
Thanks,
Mike
--8<--
The Kerberos Keytab Binary File Format
Michael B Allen
Last
I have made significant changes to the text and it's pretty short so
I'll just inline the whole thing again. Thanks for your feedback.
Mike
--8<--
The Kerberos Keytab Binary File Format
Michael B Allen
Last updated: Wed May 3 12:56:26 EDT 2006
The MIT keytab binary format is n
On Wed, 03 May 2006 18:53:12 +0200
Love Hörnquist Åstrand <[EMAIL PROTECTED]> wrote:
>
> Michael B Allen <[EMAIL PROTECTED]> writes:
>
> > 2) What codeset are strings? Are they UTF-8 or locale dependent?
>
> "kerberos codeset", today, basically ascii.
s only decoded if there are exactly 4 bytes left. Should
that not be >= 4 bytes in anticipation of further expansion?
Thanks for your feedback. You're welcome to use the text (or modify it
however you like) in your documentation although I would appreciate an
attribution if you keep track o
Whoops, I forgot to update the part about the components array. I also
ran ispell on it.
http://www.ioplex.com/utilities/keytab.txt
Mike
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
On Sat, 6 May 2006 16:02:50 +0100
"Markus Moeller" <[EMAIL PROTECTED]> wrote:
> As I have seen in the past people asking about how to create a keytab with a
> Computer account I put some details together:
>
> 1) The ktpass version I used is from Windows2003 R2 File Version:
> 5.2.3790.1830 (srv
On 11 May 2006 11:11:05 -0700
[EMAIL PROTECTED] wrote:
> I have a website in IIS which has been configured to run with Windows
> Authentication and I have in my
> web.config.
>
> I know that my configuration works correctly as when I look at the
> identity under which the thread is running I can
On Fri, 12 May 2006 00:15:23 +0100
"Markus Moeller" <[EMAIL PROTECTED]> wrote:
> Which information does a w2k3(active directory) server use to identify a
> user [EMAIL PROTECTED] when using kinit [EMAIL PROTECTED] ? Is it the
> samAccountName fred together with the Domain name DOMAIN.COM of the
On Fri, 12 May 2006 13:19:17 +1000
Luke Howard <[EMAIL PROTECTED]> wrote:
> I can't think of any examples where the mapping
> between short (NetBIOS) and long (DNS) realms is not 1:1. OK, maybe you
> can come up with a case for W2K3 domain renames but not in the general
> case.
>
> Windows uses t
I have some code that runs on a web server and authenticates clients using
GSSAPI via WWW-Authenticate: Negotiate. This works with Firefox and IE.
I have some client code that authenticates with a file server using
Kerberos. That works ok too.
Now I want the code on the web server to run the code
On 25 May 2006 00:33:49 -0400
"Richard E. Silverman" <[EMAIL PROTECTED]> wrote:
> MBA> 1) Configure the HTTP service principal a OK-AS-DELEGATE. When
> MBA> the web client connects, gss_accept_sec_context will emit a TGT
> MBA> that can then be used to acquire the desired ticket.
>
>
On Thu, 25 May 2006 22:13:32 -0400
Michael B Allen <[EMAIL PROTECTED]> wrote:
> failing with KRB5KDC_ERR_BADOPTION. From looking at an Ethereal trace
> I can see the only option set is 'forwarded' (NOT 'forwardable'). The
> KDC is W2K3.
Actually I don't k
On Mon, 29 May 2006 15:26:01 +0600
"Aruna Lakmal" <[EMAIL PROTECTED]> wrote:
> Hey guys,
> I need to configure apache server authentications using kerberos and
> user authorization with ldap.
> do u how to do that..
You can use mod_auth_kerb to do authentication and you can use
mod_auth_ldap to d
Can someone recommend a method for providing an unprivileged child
process with a gss_cred_id_t derived from a keytab but without exposing
the key to the child?
Specifically, I have a service that starts out as root and forks a
child. The child then changes its uid/gid to an unprivileged user,
lookup and then
gives up. If it had tried a standard lookup it would have found the name.
Any ideas?
Mike
--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
On 15 Jun 2006 14:07:26 +0200
Noses <[EMAIL PROTECTED]> wrote:
> Watakushi no kioku ga tashika naraba, Michael B Allen <[EMAIL PROTECTED]>
> wrote:
> > What do you have to do to get sshd to do Kerberos on Mac OSX?
> >
> > The log messages are
>
> not
On Fri, 16 Jun 2006 01:41:53 -0500
"Christopher D. Clausen" <[EMAIL PROTECTED]> wrote:
> Michael B Allen <[EMAIL PROTECTED]> wrote:
> > No. Where is that button exactly? This is just a mini with 10.3 BTW.
>
> Mac OS 10.3 only supports the "gssapi"
How can I get krb5kdc to listen on loopback?
How can I get krb5kdc to NOT listen on kerberos-iv ports?
Thanks,
Mike
--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
r can run in that causes all clients not
to do Kerberos at all? Can anyone recommend a diagnostic?
Thanks,
Mike
--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
)? I've been through all the usual
> reasons but we just can't get it to work. Is there some kind of mode that
> a Windows domain controller can run in that causes all clients not to do
> Kerberos at all? Can anyone recommend a diagnostic?
>
> Thanks,
On Thu, 29 Jun 2006 16:12:22 -0500
"Christopher D. Clausen" <[EMAIL PROTECTED]> wrote:
> Michael B Allen <[EMAIL PROTECTED]> wrote:
> > I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
> > customer and it's not working for
On Thu, 29 Jun 2006 21:04:29 -0400
Jeffrey Hutzelman <[EMAIL PROTECTED]> wrote:
> On Thursday, June 29, 2006 07:12:53 PM -0400 Michael B Allen
> <[EMAIL PROTECTED]> wrote:
>
> > I have confirmed with a packet capture that the client never tries
> > Kerberos. It
On Fri, 30 Jun 2006 04:10:35 GMT
Jeffrey Altman <[EMAIL PROTECTED]> wrote:
> Michael B Allen wrote:
>
> > It could be (2). But it's not specific to IE because the wsh script
> > generates the same error and it just uses the WinHttpRequest interface. So
> > it w
teresting (although I only tried the standard
log level of 0xc043).
Apparently there is a netcap.exe packet capture program shipped on the
XP CD as part of the Support Tools package [1]. I have tested installing
and getting a capture and asked the customer to try it.
Mike
[1] http://support.micr
XP is caching KRB5KDC_ERR_UNKNOWN_PRINCIPAL results. Does anyone know
how to purge that cache without rebooting?
Thanks,
Mike
--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/
On Wed, 19 Jul 2006 15:01:08 -0400
Michael B Allen <[EMAIL PROTECTED]> wrote:
> XP is caching KRB5KDC_ERR_UNKNOWN_PRINCIPAL results. Does anyone know
> how to purge that cache without rebooting?
Looks like kerbtray can do it. Right click on the systray icon and select
purge tickets.
482 --with-ldap-sasl \ < add this line
483 $*
484 if test $? != 0; then
Then I rebuilt with:
$ rpmbuild -bb SPECS/php.spec
[you'll need to take a long nap here]
and upgraded just the php-ldap rpm.
Otherwise, if you want C, use OpenLDAP's client API.
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
ing at a capture I can see it trying a TXT _kerberos.foo.net
lookup but even if I add a record for this with "WIN.NET" I see no
communication with the KDC.
Obviously I don't know what I'm doing. Can someone enlighten me?
Mike
--
Michael B Allen
PHP Active Directo
ng.
And I thought I was good at Linux stuff.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
ECTED]
> GSS-API error acquiring credentials: An invalid name was supplied
> GSS-API error acquiring credentials: Hostname cannot be canonicalized
>
> I guess I used the service name in an improper way. So what service name
> should I use? Thank you for any help!
>
>
>
On Mon, 21 Aug 2006 10:39:13 -0400
Jeffrey Hutzelman <[EMAIL PROTECTED]> wrote:
>
>
> On Sunday, August 20, 2006 11:19:13 PM -0400 Michael B Allen
> <[EMAIL PROTECTED]> wrote:
>
> > I was just trying pam_krb5 for kicks but it can't find my KDC. My
>
cket for ALICESVC/[EMAIL PROTECTED] then
even if Bob is [EMAIL PROTECTED] he should have no problem looking up the
KDC for AI-AG.DE using DNS and getting a ticket per usual. But a trust
relationship would be required between AI-AG.DE and AI-AG.US.
Mike
--
ere is anything outstanding. Otherwise, JGSS should be fully
compatible with MIT, Heimdal, Microsoft, ...
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
On Tue, 22 Aug 2006 03:25:42 +0200
Fredrik Tolf <[EMAIL PROTECTED]> wrote:
> On Mon, 2006-08-21 at 18:29 -0400, Michael B Allen wrote:
> > On Mon, 21 Aug 2006 21:48:30 +0200
> > Fredrik Tolf <[EMAIL PROTECTED]> wrote:
> >
> > > So, I'm wondering, a
he type 4.
> >
> > Thanks,
> > Preetam
>
> Microsoft does not support FILE based credential caches.
> Instead Microsoft stores Kerberos credentials within the LSA.
> The credentials are accessible via the Lsa APIs.
Really? The raw RC4 keys? What functions?
Mik
beros?
Does iTunes do Kerberos authentication? If so and you have access to
systems that exhibit the desired behavior then get a packet capture
using Ethereal, tcpdump or netcap.exe. Then look at it under Ethereal
to see what it's doing e
I'm trying to get delegation to work from a Java servlet running on a
Windows IIS machine but Credential.acquireTGTFromCache() is returning
'null'. Is this because Java 1.5 doesn't support RC4-HMAC? I cannot
require all regular user accounts to be set for "DES only". Is there
anything I can do?
Th
Upgrading to Java 1.5 update 8 fixed this particular issue for me (but
I still haven't quite seen delegation working).
Mike
On Fri, 1 Sep 2006 12:37:12 -0400 (EDT)
"Michael B Allen" <[EMAIL PROTECTED]> wrote:
> So the TGT is 'null'.
>
> If I use Java
ent machine does have a tgt.
> Any hints on how to debug, or has anyone had a similar
> experience??
> I have gone through all of the basic documented steps:
> creation of AD user for WL box, keytabfiles, JAAS
> config files... and the various changes on client
> browsers.
Soun
types to RC4-HMAC? Do they
just allow the client to report an error in the event DES is used?
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
to check all the necessary settings, try
to get a service ticket, and do a simple authenticated HTTP request as
a diagnostic.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
On Tue, 05 Sep 2006 21:37:03 -0400
Evan Vittitow <[EMAIL PROTECTED]> wrote:
> The capabilities of FireFox and IE are different. IE has to use NTLM.
> (with Apache's mod_auth_ntlm FireFox uses mod_auth_kerb with spnego.
IE and Firefox each support both NTLM and Kerberos.
--
Mi
r FF have knowledge of the
enctype until they actually try to get a ticket. It also shouldn't make
any difference what the enctype is. I suspect the client was in fact
trying to get a ticket but was failing and resetting the password /
regenerating the key resolved the problem.
Mike
--
Michael B
T
present and ship it over to the Tomcat worker so Java can get to it. A
lot of shops are MS SSO only and don't want a separate container for Java.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
.1 structures.
>
> Even for this you will have troubles to find meaningful API unless you can
> use IAIK. If you have to stay "opensource" you may probably want to try
> www.bouncycastle.org, they claim to have library to work with ASN.1
> structures.
>
> Bes
ing look like it's working in a small environment but it's
unlikely to be correct and it doesn't scale.
Also, NTLM is not ideal for Web SSO as it requires communication with
the domain controller and multiple messages to authenticate. Kerberos is
much better. Same LDAP limitations
. This stuff is deep enough that
you could talk about factoring algorithms and prime numbers for 10 pages
(Although that would be incredibly boring. It's much better to discuss
stories about people like how Thompson and Pike came up with UTF-8 in
a New Jersey diner).
Mike
--
Michael B Allen
d it still always worked.
I know about the kvno problem with Windows 2000. Perhaps you mean that
the kvno option must be used with the Windows 2000 ktpass to set the
proper kvno?
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
cContext.
In short, add a 1 byte flags field and make sure the length field is
encoded using the same endianness. Then it will work.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
her or not mod_auth_kerb
can do it I have no idea.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
On Thu, 05 Oct 2006 10:13:53 -0700
Russ Allbery <[EMAIL PROTECTED]> wrote:
> Michael B Allen <[EMAIL PROTECTED]> writes:
> > "Djihangiroff, Matthias (KC-DD)" <[EMAIL PROTECTED]> wrote:
>
> >> Anyone out there whos running an Apache with mod_aut
On Thu, 05 Oct 2006 11:10:27 -0700
Russ Allbery <[EMAIL PROTECTED]> wrote:
> Michael B Allen <[EMAIL PROTECTED]> writes:
> > Russ Allbery <[EMAIL PROTECTED]> wrote:
>
> >> mod_auth_kerb can (via BasicAuth), but you need to have the passwords
> >>
s an option for you, drop me a mail. I
> know I'd really appreciate comment/criticism so that I can improve the docs.
Incidentally MS has a driver that supports IWA (ie Kerberos). It's type
4 but I cannot help but wonder if it actually works anywhere but on Windows.
Mike
--
Michael
to use their correct konzern.intern domain
3) Rebuild your entire domain to use persona.de instead of konzern.inter
4) Setup a KDC for persona.de with a trust to konzern.intern
Note I know more about Negotiate auth than I do Kerberos in general so
hopefully someone will chime in if I'm wrong.
--
s the "authorization identity"? Is it a UPN or ...?
Also, RFC and others claim the data must be padded to a multiple of
8 but I don't see that padding using ldapsearch with cyrus-sasl. Is
there supposed to be padding or not?
Mike
--
Michael B Allen
PHP Active
ver that I will let the web service be delegated for?
[EMAIL PROTECTED]
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
On Tue, 24 Oct 2006 17:12:01 -0400
Michael B Allen <[EMAIL PROTECTED]> wrote:
> On 24 Oct 2006 08:51:56 -0700
> [EMAIL PROTECTED] wrote:
>
> > Hello,
> > Is Kerberos delegation needed to write a file from a web app to a
> > file server within the same netw
keytabs into
the Wireshark packet sniffer). The Samba guys have "vampire" code that
I think can do what you want but I don't know much about it.
Also, note that SPNs are mapped to accounts and you really want the keys
associated with accounts. So keytab entries for cifs and rpc wo
not have the session key and will not be able to
decrypt any data encrypted with it.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
don't know the name of windows keytab file & how to merger keytab on
> window(WIN XP).
> Is it practical scenario to use LINUX KDC in windows domain ?
You can't. There's no way to set the key on an account explicitly. You
can only set a password string.
Mike
I wrote an SPNEGO Java Servlet Filter that decodes the SPNEGO token,
plucks out the krb5 mechToken and passes it to acceptSecContext. Works
great on Linux/Jetty. Tomcat on Windows gives me the following exception.
Basically it looks like it's failing to decrypt the ticket as if the
password was wro
" all yield a "not supported"
exceptions.
Thanks,
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
includes support for SPNEGO starting from Java SE 6.
>
> Has the SPN been setup correctly ?
>
> Seema
>
> Michael B Allen wrote On 11/06/06 11:26,:
>
> >I wrote an SPNEGO Java Servlet Filter that decodes the SPNEGO token,
> >plucks out the krb5 mechToken and p
e please.
Mike
On Tue, 7 Nov 2006 17:54:50 -0500
Michael B Allen <[EMAIL PROTECTED]> wrote:
> Hi Seema,
>
> I have narrowed things down quite a bit. If I use Firefox which uses
> raw kerberos tokens I still get the same error which means that this
> has nothing to do with
berosKey in Subject method should work?
Mike
On Tue, 7 Nov 2006 23:48:03 -0500
Michael B Allen <[EMAIL PROTECTED]> wrote:
> I believe this problem must be a bug in Java for Windows.
>
> All of the GSS examples use the default credentials of the user running
> the server. I do no
> >
> > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
> >
> > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
> >
> > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
> > co
03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 20 |... |
00010: 00 00 00 a3 82 03 b4 61 82 03 b0 30 82 03 ac a0 |...a...0|
00020: 03 02 01 05 a1 09 1b 07 46 4f 4f 2e 4e 45 54 a2 |FOO.NET.|
00030: 20 30 1e a0 03 02 01 02 a1 17 30 15 1b 04 48 54 | 00...HT|
Is Wireshark lying
PHP script with the data (maybe, shrug).
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
On Mon, 04 Dec 2006 17:45:53 +
Dave Gudgeon <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am currently developing a web application for a windows 2003 server
> runnin
/estagiario6.sso.com.br/ to access the site. Any
deviation from that will not work.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
SAPI and CLI (e.g. do HTTP SSO and use
delegated cred with Kerberos aware clients like curl, ldap, pgsql, etc).
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
0.exe
Just curious but why do you need kfw at all?
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
ports des-cbc-md5 and des-cbc-crc.
And arcfour-hmac-md5 of course (which ktpass.exe lists as RC4-HMAC-NT).
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
erberos work in progress
Xref: number1.nntp.dca.giganews.com comp.protocols.kerberos:23003
Are you using giganews?
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
e taking it under their wing though. You might
want to ask there.
Note that the most popular Java SSO solution (free or otherwise) is
the NTLM filter from jcifs (regular jcifs, not jcifs-ext). It doesn't
support delegation but it's mind numbingly easy to use and scales throu
-krb5 are supported by The
JCIFS Team (at least not by me).
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
would be ok in the wireshark.org
wiki. Historical/theoretical stuff would be ok at wikipedia. Heimdal was
talking about setting one up but I think it will be for Heimdal oriented
stuff.
Mike
--
Michael B Allen
PHP Active Directory SSO
http:/
didn't have the "Use DES encryption types for this account"
flag on. The result was the "Failed to find ... in keytab" error because
the enctypes didn't match. That is the level of detail you need to make
your wiki worthwhile.
Mike
> Michael B Allen wrote:
> > O
iki on it if that's the will of the community. but no ads,
> plz, other than pointers to products if that's a legit part of an entry. ok?
If done right I might contribute. I know a lot about HTTP SSO
scenarios. And the small bit o
capture and look at it in Ethereal:
http://support.microsoft.com/kb/306794/EN-US/
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
curl_setopt($ch, CURLOPT_USERPWD, "[EMAIL PROTECTED]:"); // why?
curl_exec($ch);
curl_close($ch);
fclose($fp);
?>
You can also use the keytab credential to initiate with the second tier
as well.
Let me know if you
sure you have the latest ticket. Otherwise
get a packet capture paying particular attention to the principal
names being used.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
> fine to me.
Wireshark (formerly Ethereal) will decode the tickets (and some of
the encrypted blocks if you capture the AS-REQ) so there is no need to
read ASN.1.
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
ot copy this verbatim into your presentation or your instructor
may give you an F- for plagiarizing wikipedia (I'm not plagiarizing since
I wrote the wikipedia article this came from :-).
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
orts SPNEGO. I haven't tried it but
all you should have to do is base64 decode that blob feed it to
GSSContext.acceptSecContext().
Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
ject, ...) etc.
>
> Using the jcifs-ext code as a guide it was pretty easy for us to create
> exactly what we needed.
Yes, the peculiarities of the jcifs-ext SPNEGO classes using reflection
has made it difficult for me to accept it into the stock distro. And
thus jcifs-krb5 (which
f you're interested, it's called Plexcel and is available for download
here (no registration required):
http://www.ioplex.com/plexcel.html
Again, it's free for 25 users so a little PHP script used by a few
admins isn't going to trip up the limit.
Mike
--
Michael B Allen
PHP A
problems that you let us know so that we can
make the product better for the paying customers.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
t password changes from
a bridge script in the old infrastructure. After some time, when you
feel most or all of the passwords are set in both stores, migrate your
applications to the new Kerberos infrastructure.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
wal policies - you
need a new employer ;-)
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
L version I have here is 5.1.2600.2698. Which is higher than
> whats mentioned on the article.
This sounds like a simple domain controller availability issue. Perhaps
mod_auth_kerb or libkrb5 could benefit from some retry capability.
Mike
> -Original Message-
> From: Michael B
I were you
I would ask MS to give you an explanation. Either there's something
wrong with your network or it's a bug in IE. Either way, I'd want to
fix it rather than add some feature that just masks the problem.
Mike
--
Michael B Allen
ate the keytab file. I'm sure you know this but I
thought I'd make sure.
Mike
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
Good job Sriram. I'm cc-ing the mod_auth_kerb list. They were talking about
this issue a while back.
Mike
On Tue, 1 May 2007 19:08:05 -0700 (PDT)
SriramG <[EMAIL PROTECTED]> wrote:
> Just wanted to update back, if anyone ends up with this issue.
>
> We contacted MS they provided a hotfix as men
7:33:55 [EMAIL PROTECTED]
The signature in the SMB response packet is identical to the one
in the request packet (i.e. it was echo'd).
Any ideas?
Do I need to do anything special with DNS?
Mike
--
Michael B Allen
PHP Active Directory Kerb