Krb5LoginModule question
Hello,
I am using following config for Active Directory.
.AuthenticationService {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE debug=FALSE useTicketCache=FALSE;
}
When I use the Universal Principal Name, the login returns success; however, when I use samAccountName I get a login exception.
My question is: how can I, or what modification do I need to make to the above config, to look for samAccountName?
Thank you,
Balaji
By balajiua at 2007-10-2 12:00:00

I want to give some more information. The User Principal Name is joe.smith and the sAMAccountName is jsmith. I am using Krb5LoginModule for authentication. If I use joe.smith and the password, my login succeeds; however, if I use jsmith, I get the following error message.
principal is jsmith@ABC.COM
[Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
2/13/06 9:04 AM class adbeans.session.adauthentication.ADAuthenticationSession_kxgg40_Impl: Client not found in Kerberos database (6) jsmith
b
javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at adbeans.session.adauthentication.ADAuthenticationSessionBean.authenticateToActiveDirectory(ADAuthenticationSessionBean.java:107)
at adbeans.session.adauthentication.ADAuthenticationSessionBean.login(ADAuthenticationSessionBean.java:62)
at adbeans.session.adauthentication.ADAuthenticationSession_kxgg40_EOImpl.login(ADAuthenticationSession_kxgg40_EOImpl.java:98)
at adbeans.session.adauthentication.ADAuthenticationSession_kxgg40_EOImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:492)
at weblogic.rmi.cluster.ReplicaAwareServerRef.invoke(ReplicaAwareServerRef.java:108)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:435)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:147)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:430)
at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:35)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
... 24 more
My question is: can I use Krb5LoginModule to authenticate with the sAMAccountName rather than the universal principal name? If so, please advise on how to do it.
Thank you
You need to ensure the required attributes used by Active Directory
have been set up and mapped correctly. Check out the Windows AD docs.
You should be able to use "userPrincipalName" or "sAMAccountName"
for Kerberos, provided these attributes have been set up correctly and
these accounts exist in the Kerberos database.
"userPrincipalName" should map to an account in the Kerberos database.
It stores the login id and its domain name, and the "sAMAccountName" attribute stores the login id.
Seema
The sAMAccountName attribute must be unique in the domain, and userPrincipalName must be unique in the W2K forest.
In your case, you have set up UserPrincipalName to be joe.smith, and sAMAccountName to be jsmith@ABC.COM. Do these entries exist in the Kerberos database? Do they belong to the same domain?
Check out the MSDN docs to get details on the attribute setup.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/naming_properties.asp
If you still get errors, send me the Kerberos debug output.
Seema
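As an added example (not code from this thread, nor from Sun's Krb5LoginModule documentation), here is a small Java probe that drives the same module with a JAAS Configuration built in memory, passes whichever login id is given (UPN or sAMAccountName) through a CallbackHandler, and enables both the module's debug option and sun.security.krb5.debug, so the principal actually sent in the AS-REQ and the KDC's error code (such as code 6 above) become visible in the output Seema asks for. It assumes a reachable KDC configured through krb5.conf or the java.security.krb5.realm/kdc system properties; the class and method names are my own.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical probe class: one Krb5LoginModule login for a given login id, with debug on.
public class KrbLoginProbe {
    // Same module and options as the AuthenticationService entry above, but with debug=true,
    // so the module prints the principal it builds (loginId@default_realm) and the KDC reply.
    static Configuration config() {
        java.util.Map<String, String> opts = new java.util.HashMap<>();
        opts.put("useTicketCache", "false");
        opts.put("debug", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }
    // Feeds the login id (UPN or sAMAccountName, exactly as typed) and password to the module.
    static CallbackHandler handler(String loginId, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(loginId);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }
    public static void main(String[] args) throws Exception {
        System.setProperty("sun.security.krb5.debug", "true"); // traces the AS-REQ/AS-REP exchange
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        LoginContext lc = new LoginContext("AuthenticationService", null, handler(args[0], pw), config());
        try {
            lc.login();
            System.out.println("login ok: " + lc.getSubject().getPrincipals());
            lc.logout();
        } catch (LoginException e) {
            // KrbException text from the KDC is carried in the message, e.g. "Client not found ... (6)"
            System.out.println("login failed for " + args[0] + ": " + e.getMessage());
        }
    }
}
```

Run it once with the UPN and once with the sAMAccountName as the argument; the debug lines show which principal name the module sent for each and what the KDC answered.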