kerberos

Kerberos key Lifetime

六月ゝ 毕业季﹏ submitted on 2019-12-12 01:44:29
Question: I have an HTTP service running on my domain. But I have a few doubts regarding how the lifetime for my HTTP service is decided. How long can a client use my HTTP service? Answer 1: A Kerberos ticket has a lifetime (e.g. 10 hours) and a renewable lifetime (e.g. 7 days). As long as the ticket is still valid and is still renewable, you can request a "free" renewal -- no password required --, and the lifetime counter is reset (e.g. 10h to go, again). When creating the ticket, each "lifetime"

Incorporating SSO in addition/instead of SSL

♀尐吖头ヾ submitted on 2019-12-12 01:33:02
Question: I have a system protected by SSL, and clients use a smartcard for accessing their certificate. I use Java's pkcs11. I have posted this question here (even with a bounty): pkcs11 sso (using prior windows login with smartcard). The same smartcard is used for Windows login, and I would like to save the client the trouble of re-logging in using the smartcard (PIN). Many links I have read about this issue led me to the world of SSO: NTLM, Kerberos etc. I feel SSO is a bit of an overspec for what I wanted

historyserver not able to read log after enabling kerberos

旧城冷巷雨未停 submitted on 2019-12-12 00:14:26
Question: I enabled Kerberos on the cluster and it is working fine. But due to some issue the mapred user is not able to read and display logs over the JobHistory server. I checked the logs of the job history server and it is giving an access error: org.apache.hadoop.security.AccessControlException: Permission denied:user=mapred, access=READ_EXECUTE, inode="/user/history/done_intermediate/prakul":prakul:hadoop:drwxrwx--- As we can see, the directory has access for the hadoop group and mapred is in the hadoop group; even then

Kerberos Double-Hop Issue between IIS and SSAS [duplicate]

三世轮回 submitted on 2019-12-11 21:12:25
Question: This question already has answers here: Closed 8 years ago. Possible Duplicate: Can I turn off impersonation just in a couple instances. I've created an application that, when uploaded to my server, throws the following exceptions: [Win32Exception (0x80004005): No credentials are available in the security package] [AdomdConnectionException: Authentication failed.] Here is my connection string: public AdomdConnection conn = new AdomdConnection("Data Source=BTN-SQL1;Initial Catalog

Configure Tomcat for Kerberos and Impersonation

守給你的承諾、 submitted on 2019-12-11 19:30:09
Question: I would like to configure Tomcat to be able to connect to AD and authenticate users accordingly. In addition, I would also like to invoke some web services (in this case, SharePoint) using the client credentials. So far, I've managed to successfully configure Tomcat to use SPNEGO authentication, as described in the tutorial at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. Note that I have used Tomcat's SPNEGO authentication (not SourceForge's or Waffle). I did not use

The specified principle is not known in the authentication system

陌路散爱 submitted on 2019-12-11 19:28:46
Question: I have a C# client based on SSPI and a Java server based on GSSAPI. The communication flow is as below. Client creates TGT; client passes TGT to server; server uses the TGT and generates server token; server passes the server token to client; client uses that server token and generates the SGT. My communication flow breaks from the 6th step. SSPI client failed to validate the server token with the error "Failed to invoke InitializeSecurityContext for a client. The specified principle is not

How to perform a LDAP SASL bind to Active Directory using GSS-API mech in PHP from Windows?

限于喜欢 submitted on 2019-12-11 18:58:57
Question: I have an Active Directory server and a Windows WAMP server hosting PHP web applications that need to be able to authenticate to Active Directory using Kerberos. I was able to easily connect and bind to the Active Directory host using some sample PHP code, but I'm not sure how to do so with Kerberos. I have seen many forums and blogs detailing how to do this on *NIX machines, but that doesn't help me with my situation. I did use Wireshark and Fiddler to confirm that there is no Kerberos or

When connecting to SQL server via keytab warning shown as SPN not available in the keytab file

纵饮孤独 submitted on 2019-12-11 16:06:48
Question: I have some doubts regarding generating a keytab file for SQL Server Kerberos authentication. SQL Server's SPN is: MSSQLSvc/myhost:1433@MYDOMAIN.COM I have created the keytab file as: ktpass -out "C:\Users\myuser\KerberosConf\MSSQL\myappserver.keytab" -princ MSSQLSvc/myhost:1433@MYDOMAIN.COM -mapUser mydomain\myuser -pass Test@123 -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL When viewing the keytab it shows the correct SPN as: [1] Service principal: MSSQLSvc/myhost:1433@MYDOMAIN.COM KVNO: 18 But

kerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable

痞子三分冷 submitted on 2019-12-11 15:29:49
Question: C:\Dropbox\gittools\JsonLearning>Auth.py Traceback (most recent call last): File "C:\Dropbox\gittools\JsonLearning\Auth.py", line 31, in krb = KerberosTicket("HTTP@xyz.abc.com") File "C:\Dropbox\gittools\JsonLearning\Auth.py", line 9, in init kerberos.authGSSClientStep(krb_context, "") winkerberos.GSSError: SSPI: InitializeSecurityContext: The specified target is unknown or unreachable Answer 1: SSPI does not understand GSS-API-style SPNs. Use HTTP/xyz.abc.com. This will work. Source: https:/

Kerberos Service Ticket Lifetime vs clock skew

社会主义新天地 submitted on 2019-12-11 15:17:35
Question: Clock Skew: In order to prevent intruders from resetting their system clocks in order to continue to use expired tickets, Kerberos V5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC (as specified in the kdc.conf file). The default value for maximum clock skew is 300 seconds, or five minutes link Service Ticket lifetime: Value = 0 here means never expires. Now say I have a Kerberos service ticket that never expires, or