Hello everyone,

SGD + Active Directory seems so unstable. Most of the time, AD users can log in to SGD successfully, but sometimes AD users cannot log in to SGD (it mostly happens at night); after several hours, AD users' logins are OK again. I am having a hard time with it. Please help.

SGD: 4.4.1_907
SGD OS: Solaris 10
AD: Win2k8

krb5.conf:
[libdefaults]
default_realm = MYDOMAIN.NAME
default_checksum = rsa-md5

[realms]
MYDOMAIN.NAME = {
kdc = adsrv01.mydomain.com
kdc = adsrv02.mydomain.com
admin_server = adsrv01.mydomain.com
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
mydomain.com = MYDOMAIN.NAME
.mydomain.com = MYDOMAIN.NAME

[logging]
....
Sun Secure Global Desktop Software (4.41) WARNING:Failed to find any kerberos TGT for access to domain/forest
''
on server
'Active Directory:adsrv01.mydomain.com:/10.0.4.111:3268:Up'
'Active Directory:adsrv01.mydomain.com:/10.0.4.111:3268:Up'
cannot be used to retrieve data from the Active Directory.
This warning is normally associated with,
- Being unable to contact a KDC for this domain.
- Invalid Active Directory credentials being provided to SGD.
Check your krb5.conf file for invalid kdc entries for this domain.
Verify that SGD's Active Directory credentials are correct.
2009/01/30 20:42:24.524 (pid 23879) server/ad/info #1233315744528
Additional information is available for an Active Directory error/warning.
Message:
GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Stack Trace:
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at com.sco.tta.common.jndi.provider.ldap.LdapScopeState$doItGetContext.run(LdapScopeState.java:382)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at com.sco.tta.server.security.KerberosAuth.doAs(KerberosAuth.java:487)
at com.sco.tta.common.jndi.provider.ldap.LdapScopeState.getLdapContext(LdapScopeState.java:477)
at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.getLdapContext(LdapMultiCtx.java:773)
at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.lookupLink(LdapMultiCtx.java:139)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1024)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.toolkit.provider.PartialCompositeContext.lookup(PartialCompositeContext.java:225)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.provider.junction.JunctionContext.lookup(JunctionContext.java:154)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1036)
at com.sco.tta.server.login.ADLoginAuthority.getCandidate(ADLoginAuthority.java:326)
at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:422)
at com.sco.tta.server.glue.LoginAsadOp$LoginHelper.findLoginAuthority(LoginAsadOp.java:841)
at com.sco.tta.server.glue.LoginAsadOp.login(LoginAsadOp.java:1248)
at com.sco.tta.server.soapcommands.WebtopSession.authenticateExt(WebtopSession.java:700)
at com.sco.tta.server.soapcommands.WebtopSession.authenticate(WebtopSession.java:644)
at sun.reflect.GeneratedMethodAccessor94.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sco.tta.server.server.soap.SOAPControlledElement.invoke(SOAPControlledElement.java:124)
at com.sco.tta.server.server.soap.SOAPController.invoke(SOAPController.java:204)
at com.sco.tta.server.server.soap.SOAPCalcTask.processEnvelope(SOAPCalcTask.java:213)
at com.sco.tta.server.server.CalcTask.runTask(CalcTask.java:125)
at com.sco.tta.server.server.Task.run(Task.java:122)
at com.sco.cid.common.WorkerPool$Worker.run(WorkerPool.java:524)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
... 36 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 37 more
2009/01/30 20:42:24.524 (pid 23879) server/ad/warningerror #1233315744529
Sun Secure Global Desktop Software (4.41) WARNING:Failed to connect to the global catalog:
'Active Directory:adsrv01.mydomain.com:/10.0.4.111:3268:Up'. Reason:
GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Global catalog:
'Active Directory:adsrv01.mydomain.com:/10.0.4.111:3268:Up'
cannot be used to retrieve data from the forest.
To help troubleshoot this warning,
- Verify that this global catalog is available on the network.
- Verify that SGD can resolve the global catalog's hostname via DNS.
- Verify that SGD can connect to port 3268 on the global catalog.
- Verify that this server is a global catalog for the forest.
Additional information is available for an Active Directory error/warning.
Message:
Active Directory Service Failed: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Stack Trace:
javax.naming.CommunicationException: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.handleError(LdapRemoteService.java:1053)
at com.sco.tta.common.jndi.provider.ldap.LdapScopeState.getLdapContext(LdapScopeState.java:490)
at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.getLdapContext(LdapMultiCtx.java:773)
at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.lookupLink(LdapMultiCtx.java:139)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1024)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.toolkit.provider.PartialCompositeContext.lookup(PartialCompositeContext.java:225)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.provider.junction.JunctionContext.lookup(JunctionContext.java:154)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1036)
at com.sco.tta.server.login.ADLoginAuthority.getCandidate(ADLoginAuthority.java:326)
at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:422)
at com.sco.tta.server.glue.LoginAsadOp$LoginHelper.findLoginAuthority(LoginAsadOp.java:841)
at com.sco.tta.server.glue.LoginAsadOp.login(LoginAsadOp.java:1248)
at com.sco.tta.server.soapcommands.WebtopSession.authenticateExt(WebtopSession.java:700)
at com.sco.tta.server.soapcommands.WebtopSession.authenticate(WebtopSession.java:644)
at sun.reflect.GeneratedMethodAccessor94.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sco.tta.server.server.soap.SOAPControlledElement.invoke(SOAPControlledElement.java:124)
at com.sco.tta.server.server.soap.SOAPController.invoke(SOAPController.java:204)
at com.sco.tta.server.server.soap.SOAPCalcTask.processEnvelope(SOAPCalcTask.java:213)
at com.sco.tta.server.server.CalcTask.runTask(CalcTask.java:125)
at com.sco.tta.server.server.Task.run(Task.java:122)
at com.sco.cid.common.WorkerPool$Worker.run(WorkerPool.java:524)
at java.lang.Thread.run(Thread.java:619)
2009/01/30 20:42:24.524 (pid 23879) server/ldap/error #1233315744531
Sun Secure Global Desktop Software (4.41) ERROR:LDAP call failed: Active Directory:adsrv01.mydomain.com:/10.0.4.111:3268:Up lookupLink-.../_ldapmulti/forest/("DC=MYDOMAIN,DC=COM") 7ms javax.naming.CommunicationException: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
A call to LDAP failed. This might mean LDAP users cannot log in.
Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.
2009/01/30 20:42:24.525 (pid 23879) server/ldap/info #1233315744532
LDAP caught communication exception for scope forest: Active Directory(/10.0.4.111:3268) javax.naming.CommunicationException: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
2009/01/30 20:42:24.525 (pid 23879) server/ldap/info #1233315744533
LDAP stopped using server for scope forest: Active Directory(/10.0.4.111:3268)
2009/01/30 20:42:24.525 (pid 23879) server/ldap/moreinfo #1233315744534
LDAP: Attempting to reset the server list
2009/01/30 20:42:24.525 (pid 23879) server/ldap/error #1233315744535
Sun Secure Global Desktop Software (4.41) ERROR:LDAP call failed: Active Directory:mcolap01.mydomain.com:/10.0.4.112:3268:Up lookupLink-.../_ldapmulti/forest/("DC=MYDOMAIN,DC=COM") 8ms javax.naming.CommunicationException: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
A call to LDAP failed. This might mean LDAP users cannot log in.
Check the operation was correct, the LDAP configuration is valid, and the
LDAP server is still running.
2009/01/30 20:42:24.525 (pid 23879) server/login/info #1233315744536
The password for kimk was incorrect or has expired.
Exception was: javax.naming.CommunicationException: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at com.sco.tta.common.jndi.provider.ldap.LdapRemoteService.handleError(LdapRemoteService.java:1053)
at com.sco.tta.common.jndi.provider.ldap.LdapScopeState.getLdapContext(LdapScopeState.java:490)
at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.getLdapContext(LdapMultiCtx.java:773)
at com.sco.tta.common.jndi.provider.ldap.LdapMultiCtx.lookupLink(LdapMultiCtx.java:139)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1024)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.toolkit.provider.PartialCompositeContext.lookup(PartialCompositeContext.java:225)
at com.sco.jndi.toolkit.provider.ToolkitContext.nns_lookup(ToolkitContext.java:2019)
at com.sco.jndi.provider.junction.JunctionContext.lookup(JunctionContext.java:154)
at com.sco.jndi.toolkit.provider.BaseContext.lookup(BaseContext.java:1036)
at com.sco.tta.server.login.ADLoginAuthority.getCandidate(ADLoginAuthority.java:326)
at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:422)
at com.sco.tta.server.glue.LoginAsadOp$LoginHelper.findLoginAuthority(LoginAsadOp.java:841)
at com.sco.tta.server.glue.LoginAsadOp.login(LoginAsadOp.java:1248)
at com.sco.tta.server.soapcommands.WebtopSession.authenticateExt(WebtopSession.java:700)
at com.sco.tta.server.soapcommands.WebtopSession.authenticate(WebtopSession.java:644)
at sun.reflect.GeneratedMethodAccessor94.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sco.tta.server.server.soap.SOAPControlledElement.invoke(SOAPControlledElement.java:124)
at com.sco.tta.server.server.soap.SOAPController.invoke(SOAPController.java:204)
at com.sco.tta.server.server.soap.SOAPCalcTask.processEnvelope(SOAPCalcTask.java:213)
at com.sco.tta.server.server.CalcTask.runTask(CalcTask.java:125)
at com.sco.tta.server.server.Task.run(Task.java:122)
at com.sco.cid.common.WorkerPool$Worker.run(WorkerPool.java:524)
at java.lang.Thread.run(Thread.java:619)
2009/01/30 20:42:24.525 (pid 23879) server/login/auditinfo #1233315744537
Login attempt for kimk.
Login failed: none of the enabled login authorities authenticated the user.
2009/01/30 20:42:24.525 (pid 23879) server/login/auditinfo #1233315744538
Login attempt for kimk.
Login failed: vetoed by a login filter.
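
A triage helper for logs like the one in this post, added here as an example and not part of the original post or of SGD. It assumes each record starts with a header line in the format shown in the excerpt, runs on constructed sample data (hosts, users and record ids are made up), and separates failed logins whose record carries the "Failed to find any Kerberos tgt" exception from those that do not, counting the former per hour of day and per global catalog host so the intermittent pattern can be checked against the log.

```python
import re
from collections import Counter

# Record header as it appears in the excerpt above, e.g.
# "2009/01/30 20:42:24.525 (pid 23879) server/login/info #1233315744536"
HEADER = re.compile(r"^(\d{4}/\d\d/\d\d) (\d\d):\d\d:\d\d\.\d{3} \(pid \d+\) (\S+) #\d+$")
TGT = "Failed to find any Kerberos tgt"
GC = re.compile(r"LDAP call failed: Active Directory:([^:]+):")
USER = re.compile(r"The password for (\S+) was incorrect or has expired\.")

# Constructed sample (hosts, users and record ids are made up for this example).
SAMPLE = """\
2009/01/30 20:42:24.525 (pid 23879) server/ldap/error #1000000000001
Sun Secure Global Desktop Software (4.41) ERROR:LDAP call failed: Active Directory:gc1.example.test:/192.0.2.10:3268:Up lookupLink 7ms javax.naming.CommunicationException: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
2009/01/30 20:42:24.525 (pid 23879) server/login/info #1000000000002
The password for alice was incorrect or has expired.
Exception was: javax.naming.CommunicationException: GSSAPI Authentication Failed: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
2009/01/31 09:15:02.101 (pid 23879) server/login/info #1000000000003
The password for bob was incorrect or has expired.
"""

def parse_records(text):
    """Split a log into [date, hour, component, body] records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif records and line:  # body line of the current record
            records[-1][3] += line + "\n"
    return records

def triage(text):
    """Separate failed logins that carry the TGT exception from those that do not,
    and count TGT failures per hour of day and per global catalog host."""
    by_gc, tgt_logins, other_logins = Counter(), [], []
    for date, hour, component, body in parse_records(text):
        if component == "server/ldap/error" and TGT in body:
            by_gc.update(GC.findall(body))
        m = USER.match(body) if component == "server/login/info" else None
        if m:
            (tgt_logins if TGT in body else other_logins).append((date, hour, m.group(1)))
    by_hour = Counter(hour for _, hour, _ in tgt_logins)
    return by_hour, by_gc, tgt_logins, other_logins

if __name__ == "__main__":
    for name, value in zip(("by_hour", "by_gc", "tgt", "other"), triage(SAMPLE)):
        print(name, value)
```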