473,322 Members | 1,352 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

Kerberos / Windows authentication

Gday

I want to change to use Windows AD-integrated Kerberos authentication,
and have changed a server to KRB_SERVER_ENCRYPT for trial. Recataloged
the database at a client machine.
As far as I can tell, everything is in the right place (and seems to be
mostly set up automatically under Windows).

Attempting to connect without specifying name/password gives:
SQL30082N Attempt to establish connection failed with security reason
"26" ("SERVER SECURITY PLUGIN ERROR"). SQLSTATE=08001

The server event log contains:
2006-11-08-11.53.57.247000 Instance:DB2 Node:000
PID:3708(db2syscs.exe) TID:4728 Appid:*LOCAL.DB2.061108005252
bsu security sqlexSlsGssPluginAuthenticate Probe:45 Database:G13PDTA

ADM13000E Plug-in "IBMkrb5" received error code "1" from the GSS
(Generic Security Service) API "gss_accept_sec_context" with the error
message "".

Both server and client are version 8.1.10
Server Windows2003, DB2 Express
Client WindowsXP

Any clues?
Nov 8 '06 #1
2 5118
Greg Nash wrote:
Gday

I want to change to use Windows AD-integrated Kerberos authentication,
and have changed a server to KRB_SERVER_ENCRYPT for trial. Recataloged
the database at a client machine.
As far as I can tell, everything is in the right place (and seems to be
mostly set up automatically under Windows).

Attempting to connect without specifying name/password gives:
SQL30082N Attempt to establish connection failed with security reason
"26" ("SERVER SECURITY PLUGIN ERROR"). SQLSTATE=08001

The server event log contains:
2006-11-08-11.53.57.247000 Instance:DB2 Node:000
PID:3708(db2syscs.exe) TID:4728 Appid:*LOCAL.DB2.061108005252
bsu security sqlexSlsGssPluginAuthenticate Probe:45 Database:G13PDTA

ADM13000E Plug-in "IBMkrb5" received error code "1" from the GSS
(Generic Security Service) API "gss_accept_sec_context" with the error
message "".

Both server and client are version 8.1.10
Server Windows2003, DB2 Express
Client WindowsXP
Additional info:
The server is an AD domain controller, and a global catalog.
I get the same behaviour attempting a command-line connection locally on
the server.
Nov 8 '06 #2
Found 2 answers, effectively the same solution. The DB2 service was
running as domain\db2admin which didn't have kerberos ticket delegation
rights.
A. Change so DB2 runs as SYSTEM, and ensure the particular server has
delegation rights in Active Directory (which it did by default)
or
B. Give the db2admin account delegation rights. This required using
setspn to give db2admin an spn, which then makes the delegation tab
visible for that user in Active Directory Users & Computers.

I've gone for option A for simpler administration.

Greg Nash wrote:
Greg Nash wrote:
>Gday

I want to change to use Windows AD-integrated Kerberos authentication,
and have changed a server to KRB_SERVER_ENCRYPT for trial.
Recataloged the database at a client machine.
As far as I can tell, everything is in the right place (and seems to
be mostly set up automatically under Windows).

Attempting to connect without specifying name/password gives:
SQL30082N Attempt to establish connection failed with security reason
"26" ("SERVER SECURITY PLUGIN ERROR"). SQLSTATE=08001

The server event log contains:
2006-11-08-11.53.57.247000 Instance:DB2 Node:000
PID:3708(db2syscs.exe) TID:4728 Appid:*LOCAL.DB2.061108005252
bsu security sqlexSlsGssPluginAuthenticate Probe:45 Database:G13PDTA

ADM13000E Plug-in "IBMkrb5" received error code "1" from the GSS
(Generic Security Service) API "gss_accept_sec_context" with the error
message "".

Both server and client are version 8.1.10
Server Windows2003, DB2 Express
Client WindowsXP
Additional info:
The server is an AD domain controller, and a global catalog.
I get the same behaviour attempting a command-line connection locally on
the server.
Nov 10 '06 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: Brian Beck | last post by:
After a bit of searching I haven't been able to find a definite resource for Kerberos authentication from Python. Any help would be appreciated. Here's what I've found... ...
3
by: Jacob | last post by:
Hello All, I am trying to serve out some content via IIS that is hosted on a remote fileserver, and am unable to get the delegation working correctly. Our setup is as follows: Local LAN...
0
by: Paul Bacelar | last post by:
I have a problem with Windows integrated authentication and Kerberos. I use the object COM ServerXMLHTTP of MSXML3. On the Open method which requires the login password of the user, I use NULL and...
2
by: josh | last post by:
Hello Sharepoint Guru's, I have hit a bit of a brick wall in regards to Kerberos authentication. I have an ASP.Net web application that interfaces with sharepoint, this all works fine if I do...
0
by: CESAR DE LA TORRE [MVP] | last post by:
I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005 client) to Server Tier through our Web...
1
by: russell.lane | last post by:
I've established user login identity impersonation and delegation for a multi-tier web application. I'm running into a case where authentication fails when a user accesses the app from a browser...
4
by: webrod | last post by:
Hi, I am trying to secure a WS using WSE 3.0 and kerberos. I used the "WSE 3.0 settings" from VS2005 with my own WS. I have a console application which try to access a WS. With the...
1
by: Tina | last post by:
I have a client that wants his new asp.net app to be authenticated using Kerberos instead of forms authentication. I used Kerberos years ago for logon security for users to long on to NT. However...
0
by: louis.lam | last post by:
Anyone has experience setting up kerberos authentication on SQL Server 2005 on Windows 64 bit? It is working for me on windows 32-bit. I didn't need to do anything, but to make sure the sever and...
2
by: Tapio Kulmala | last post by:
Hi! I've found an interesting problem that might have something to do with Kerberos. I have a www application running in a Windows Server 2003 box. The server did not have SP1 or SP2...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.