473,233 Members | 1,566 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,233 software developers and data experts.

Kerberos / Windows authentication

Gday

I want to change to use Windows AD-integrated Kerberos authentication,
and have changed a server to KRB_SERVER_ENCRYPT for trial. Recataloged
the database at a client machine.
As far as I can tell, everything is in the right place (and seems to be
mostly set up automatically under Windows).

Attempting to connect without specifying name/password gives:
SQL30082N Attempt to establish connection failed with security reason
"26" ("SERVER SECURITY PLUGIN ERROR"). SQLSTATE=08001

The server event log contains:
2006-11-08-11.53.57.247000 Instance:DB2 Node:000
PID:3708(db2syscs.exe) TID:4728 Appid:*LOCAL.DB2.061108005252
bsu security sqlexSlsGssPluginAuthenticate Probe:45 Database:G13PDTA

ADM13000E Plug-in "IBMkrb5" received error code "1" from the GSS
(Generic Security Service) API "gss_accept_sec_context" with the error
message "".

Both server and client are version 8.1.10
Server Windows2003, DB2 Express
Client WindowsXP

Any clues?
Nov 8 '06 #1
2 5112
Greg Nash wrote:
Gday

I want to change to use Windows AD-integrated Kerberos authentication,
and have changed a server to KRB_SERVER_ENCRYPT for trial. Recataloged
the database at a client machine.
As far as I can tell, everything is in the right place (and seems to be
mostly set up automatically under Windows).

Attempting to connect without specifying name/password gives:
SQL30082N Attempt to establish connection failed with security reason
"26" ("SERVER SECURITY PLUGIN ERROR"). SQLSTATE=08001

The server event log contains:
2006-11-08-11.53.57.247000 Instance:DB2 Node:000
PID:3708(db2syscs.exe) TID:4728 Appid:*LOCAL.DB2.061108005252
bsu security sqlexSlsGssPluginAuthenticate Probe:45 Database:G13PDTA

ADM13000E Plug-in "IBMkrb5" received error code "1" from the GSS
(Generic Security Service) API "gss_accept_sec_context" with the error
message "".

Both server and client are version 8.1.10
Server Windows2003, DB2 Express
Client WindowsXP
Additional info:
The server is an AD domain controller, and a global catalog.
I get the same behaviour attempting a command-line connection locally on
the server.
Nov 8 '06 #2
Found 2 answers, effectively the same solution. The DB2 service was
running as domain\db2admin which didn't have kerberos ticket delegation
rights.
A. Change so DB2 runs as SYSTEM, and ensure the particular server has
delegation rights in Active Directory (which it did by default)
or
B. Give the db2admin account delegation rights. This required using
setspn to give db2admin an spn, which then makes the delegation tab
visible for that user in Active Directory Users & Computers.

I've gone for option A for simpler administration.

Greg Nash wrote:
Greg Nash wrote:
>Gday

I want to change to use Windows AD-integrated Kerberos authentication,
and have changed a server to KRB_SERVER_ENCRYPT for trial.
Recataloged the database at a client machine.
As far as I can tell, everything is in the right place (and seems to
be mostly set up automatically under Windows).

Attempting to connect without specifying name/password gives:
SQL30082N Attempt to establish connection failed with security reason
"26" ("SERVER SECURITY PLUGIN ERROR"). SQLSTATE=08001

The server event log contains:
2006-11-08-11.53.57.247000 Instance:DB2 Node:000
PID:3708(db2syscs.exe) TID:4728 Appid:*LOCAL.DB2.061108005252
bsu security sqlexSlsGssPluginAuthenticate Probe:45 Database:G13PDTA

ADM13000E Plug-in "IBMkrb5" received error code "1" from the GSS
(Generic Security Service) API "gss_accept_sec_context" with the error
message "".

Both server and client are version 8.1.10
Server Windows2003, DB2 Express
Client WindowsXP
Additional info:
The server is an AD domain controller, and a global catalog.
I get the same behaviour attempting a command-line connection locally on
the server.
Nov 10 '06 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
by: Brian Beck | last post by:
After a bit of searching I haven't been able to find a definite resource for Kerberos authentication from Python. Any help would be appreciated. Here's what I've found... ...
3
by: Jacob | last post by:
Hello All, I am trying to serve out some content via IIS that is hosted on a remote fileserver, and am unable to get the delegation working correctly. Our setup is as follows: Local LAN...
0
by: Paul Bacelar | last post by:
I have a problem with Windows integrated authentication and Kerberos. I use the object COM ServerXMLHTTP of MSXML3. On the Open method which requires the login password of the user, I use NULL and...
2
by: josh | last post by:
Hello Sharepoint Guru's, I have hit a bit of a brick wall in regards to Kerberos authentication. I have an ASP.Net web application that interfaces with sharepoint, this all works fine if I do...
0
by: CESAR DE LA TORRE [MVP] | last post by:
I am using WSE 3.0 with Visual Studio 2005, specifically I'm using Kerberos authentication and passing Kerberos ticket from Presentation Tier (VSTO.2005 client) to Server Tier through our Web...
1
by: russell.lane | last post by:
I've established user login identity impersonation and delegation for a multi-tier web application. I'm running into a case where authentication fails when a user accesses the app from a browser...
4
by: webrod | last post by:
Hi, I am trying to secure a WS using WSE 3.0 and kerberos. I used the "WSE 3.0 settings" from VS2005 with my own WS. I have a console application which try to access a WS. With the...
1
by: Tina | last post by:
I have a client that wants his new asp.net app to be authenticated using Kerberos instead of forms authentication. I used Kerberos years ago for logon security for users to long on to NT. However...
0
by: louis.lam | last post by:
Anyone has experience setting up kerberos authentication on SQL Server 2005 on Windows 64 bit? It is working for me on windows 32-bit. I didn't need to do anything, but to make sure the sever and...
2
by: Tapio Kulmala | last post by:
Hi! I've found an interesting problem that might have something to do with Kerberos. I have a www application running in a Windows Server 2003 box. The server did not have SP1 or SP2...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.