Child pages
  • Windows Integrated Authentication for Crowd-enabled Applications
Skip to end of metadata
Go to start of metadata

Name

Windows Integrated Authentication for Crowd-enabled Applications

Version

1.0

Product Versions

Crowd 1.5.2

Author(s)

Bruno Vincent

Homepage

Bruno Vincent

Price

Free

License

LGPL

JavaDocs

 

IssueTracking

 

Download

WindowsIntegratedAuth_1.0.jar

Download Source

WindowsIntegratedAuth_src_1.0.zip

Description/Features

Automatic Logon to Crowd-enabled Applications in a Windows Domain.Windows Integrated Authentication (or Integrated Windows Authentication) allows Windows domain users to log into web applications without providing an application password. This functionality can be provided through Kerberos or NTLM.

The plugin provided here implements Windows Integrated Authentication for Crowd-enabled applications (e.g.: your own applications, Atlassian Confluence, Jira, Crowd's administration console, etc.).

The latest version implements both NTLM and Kerberos.

Prerequisites

The plugin has been tested with Crowd Server 1.5.2 in a "full Windows" environment:

  • Active Directory 2003
  • Tomcat v5.5, v6 (Windows 2003)
  • WebSphere Application Server v6.1.0.13 (NTLM version only, Windows 2003)
  • MS Internet Explorer v6, v7 (Win XP, 2003)
  • Mozilla Firefox v2, v3 (Win XP, 2003)

Other versions (Linux, GlassFish, Opera etc.) might work as well. Please let me know about successful deployments.

Please note that Java 6 and Windows 2003 SP1 are required to run the Kerberos implementation.

Usage

The Windows Integrated Authentication plugin is a simple servlet filter. It first checks wether the user owns a valid Crowd token or not. If not, it sends a Kerberos or NTLM challenge to the user. If the challenge succeeds, it creates a Crowd token for that user.

The target application must be linked (through Crowd's Administration Console) to a directory (Internal, LDAP etc.) that contains the same userid as the one used to logon to the Windows workstation. That userid (the one in Crowd's directory) should be either in lower case (e.g.: bruno) or upper case (e.g.: BRUNO) format, but not in a mix of them (e.g. Bruno). The format of the Windows username does not matter.

Set up Windows Integrated Authentication

First of all, install and configure Crowd SSO for your application (see Atlassian Documentation).

Then, choose either NTLM or Kerberos as an authentication method and follow the corresponding steps.

Set up NTLM Authentication

Install and Configure the servlet filter

  1. Download the latest WindowsIntegratedAuth_X.X.jar, jcifs-1.2.24.jar and log4j.properties from the attachments of this page
  2. Copy those files to the WEB-INF/lib folder of your application
  3. Copy the log4j.properties file to the WEB-INF/classes folder of your application
  4. Edit WEB-INF/web.xml

Add the following lines before the other filters:

web.xml_NTLMfilter
<filter>
    <filter-name>VerifyCrowdNtlmTokenFilter</filter-name>
    <filter-class>com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter</filter-class>
    <init-param>
        <param-name>jcifs.http.domainController</param-name>
        <param-value>Domain_Controller_FQDN</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.domain</param-name>
        <param-value>Windows_Domain_Name</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.resolveOrder</param-name>
        <param-value>DNS</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.username</param-name>
        <param-value>Windows_Account_With_Read_Rights</param-value>
    </init-param>
    <init-param>
        <param-name>jcifs.smb.client.password</param-name>
        <param-value>Windows_Account_Password</param-value>
    </init-param>
</filter>

jCIFS parameters are fully detailed on jCIFS's website.

Please, note that if you use jcifs-1.3.0.jar or above (that you might have downloaded from jCIFS's website), you need to add the following parameter to the latter configuration:

web.xml_NTLMfilter_jcifs-1.3.x
    <init-param>
        <param-name>jcifs.smb.client.useExtendedSecurity</param-name>
        <param-value>false</param-value>
    </init-param>

Then, add the following lines before the other filter mappings:

web.xml_NTLMmapping
<filter-mapping>
    <filter-name>VerifyCrowdNtlmTokenFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The url-pattern should be the same as the one used by VerifyTokenFilter (which is provided by Atlassian). Please note that you do not need VerifyTokenFilter anymore since the Windows Integrated Authentication filter checks wether the user owns a valid Crowd token before trying an NTLM challenge. However, you might keep it for simpler integration. This would only mean that users' tokens would be validated twice.

Configure Internet Explorer and Mozilla Firefox

In Internet Explorer, go to Tools > Internet Options > Local intranet > Sites > Advanced and add your intranet, e.g.: http://*.itekia.com

IE6/7 users also need to add a value to the following registry key: HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Internet Settings/

Value Name: DisableNTLMPreAuthData Type: REG_DWORDValue: 1

In Firefox, type about:config in the address bar.
Then edit network.automatic-ntlm-auth.trusted-uris and add your intranet, e.g.: .itekia.com

Test NTLM Authentication

Restart your application and open its home page using Firefox or Internet Explorer, e.g. http://confluence.itekia.com:8080/ or http://crowd.itekia.com:8095/crowd/

You should be logged on automatically. If not, verify that your browser is enabled for NTLM authentication (otherwise you will see an authentication popup window) and that the userid in the directory that is linked to the application is the same as the one you used to logon to your Windows Workstation.

Set up Kerberos Authentication

Configure Kerberos in Active Directory

  1. Download and install the Windows Support tools from this link.
  2. Create a regular Windows user in Active Directory. Let's call him crowd.
  3. Type the following line in a command prompt. This will map crowd to a Kerberos Service Principal Name (SPN):
ktpass -out appsrv.keytab -princ HTTP/Fqdn_Of_Your_Application_Server@YOUR_WINDOWS_DOMAIN -mapuser crowd -pass Crowd_User_Password -ptype KRB5_NT_PRINCIPAL

For instance:

ktpass -out appsrv.keytab -princ HTTP/my.appserver.itekia.com@ITEKIA.COM -mapuser crowd -pass password -ptype KRB5_NT_PRINCIPAL

Configure Kerberos in your application server

  1. Copy appsrv.keytab from Active Directory to your application server
  2. Edit C:\Kerberos\jaas-krb5.conf
jaas-krb5.conf
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  keyTab="c:\\Kerberos\\appsrv.keytab"
  doNotPrompt=true
  useKeyTab=true
  realm="YOUR_WINDOWS_DOMAIN"
  principal="HTTP/Fqdn_Of_Your_Application_Server"
  debug=true;
};

For instance:

jaas-krb5.conf_example
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  storeKey=true
  keyTab="c:\\Kerberos\\appsrv.keytab"
  doNotPrompt=true
  useKeyTab=true
  realm="ITEKIA.COM"
  principal="HTTP/my.appserver.itekia.com@ITEKIA.COM"
  debug=true;
};

Then edit C:\Kerberos\krb5.conf

krb5.conf
[libdefaults]
     default_realm = YOUR_WINDOWS_DOMAIN
     default_tkt_enctypes = des-cbc-md5 rc4-hmac
     default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
     YOUR_WINDOWS_DOMAIN = {
     kdc = Fqdn_Of_Your_Active_Directory_Server:88
     default_domain = .your_windows_domain_extension
     }
[domain_realm]
     .your_windows_domain_extension = YOUR_WINDOWS_DOMAIN

For instance:

krb5.conf_example
[libdefaults]
     default_realm = ITEKIA.COM
     default_tkt_enctypes = des-cbc-md5 rc4-hmac
     default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
     ITEKIA.COM = {
     kdc = itekia-win2003.itekia.com:88
     default_domain = .itekia.com
     }
[domain_realm]
     .itekia.com = ITEKIA.COM

Then add the following Java options to the startup script of your application server (e.g.: you might do this in setenv.bat for a Tomcat application server):

-Djava.security.auth.login.config=C:\Kerberos\jaas-krb5.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf=C:\Kerberos\krb5.conf

Install and Configure the servlet filter

  1. Download the latest WindowsIntegratedAuth_X.X.jar and log4j.properties from the attachments of this page
  2. Copy WindowsIntegratedAuth_X.X.jar to the WEB-INF/lib folder of your application
  3. Copy the log4j.properties file to the WEB-INF/classes folder of your application
  4. Edit WEB-INF/web.xml

Add the following lines before the other filters:

web.xml_Kerberosfilter
<filter>
    <filter-name>VerifyCrowdKerberosTokenFilter</filter-name>
    <filter-class>com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter</filter-class>
    <init-param>
        <param-name>kerberos.application.principal</param-name>
        <param-value>HTTP/Fqdn_Of_Your_Application_Server</param-value>
   </init-param>
</filter>

Then, add the following lines before the other filter mappings:

web.xml_Kerberosmapping
<filter-mapping>
    <filter-name>VerifyCrowdKerberosTokenFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The url-pattern should be the same as the one used by VerifyTokenFilter (which is provided by Atlassian). Please note that you do not need VerifyTokenFilter anymore since the Windows Integrated Authentication filter checks wether the user owns a valid Crowd token before trying a Kerberos challenge. However, you might keep it for simpler integration. This would only mean that users' tokens would be validated twice.

Configure Internet Explorer and Mozilla Firefox

In Internet Explorer, go to Tools > Internet Options > Local intranet > Sites > AdvancedAnd add your intranet, e.g.: http://*.itekia.com

In Firefox, type about:config in the address bar.
Then edit network.negotiate-auth.trusted-uris and add your intranet, e.g.: .itekia.com

Test Kerberos Authentication

Restart your application and open its home page using Firefox or Internet Explorer, e.g. http://confluence.itekia.com:8080/ or http://crowd.itekia.com:8095/crowd/

You should be logged on automatically. If not, verify that your browser is enabled for Kerberos authentication (otherwise you will see the usual application login form) and that the userid in the directory that is linked to the application is the same as the one you used to logon to your Windows Workstation.

Version History

Version

Release Date

Description

0.9

November 24th, 2008

Initial Version

1.0

December 26th, 2008

Kerberos Support

Limitations

The Kerberos implementation relies on Java 6. If your application server runs on an earlier version of Sun's JRE, you should consider using NTLM instead.

43 Comments

  1. S

    Crowd has long needed this feature - so I'm really glad to see this plugin. However... There's no apparent way of turning on NTLM authentication for all but the remote API (using its trusted application authentication). As currently enabling this plugin for Fisheye/Crucible prevents the Jira Fisheye plugin from communicating with it.

  2. Hi,

    Have you made any progress with Kerberos? Is there anywhere I can view (and perhaps contribute) to work so far?

    John

    1. Hi John,

      time is actually flying! I wanted to do this earlier but I have not had much free time recently. I had found a few SPNEGO code implementation examples on the web so as far as I understood them, this should not be too complex to implement. I will try to do code the rest of this plugin asap. In the meantime, please feel free to email me so that I can give you the hints I have found so far.

      Bruno

    2. Hi John,

      Well, I have good news: the Kerberos version is now ready for use! (smile)
      It works well on Tomcat and should also be ok for any Java 6 application server.

      Bruno

  3. No luck with a linux install. This is a feature that we're dieing to have. It will definatly help our adoption of confluence (most/all users just don't log in, even though it's their homepage)

    1. Hi Coen,

      Did you try the NTLM or Kerberos implementation ? I would not be surprised that the Kerberos version needs to be adapted to work on a Linux box. However the NTLM implementation should  immediately run since the jCIFS library is supported on both operating systems. What do you get in the log files ?

      Bruno

      1. Hi Bruno,

        I was trying to implement NTLM. When i set it up as discribed above i get an ArrayIndexOutOfBoundsException thrown when i try to access it in the web browser. It seems to startup fine.

        I've uploaded the output here http://www.2shared.com/file/4629021/4b07b6d7/exception.html

        Cheers,

        Coen

        1. Hi Coen,

          I remember I had this very exception on Windows when I was developing the NTLM plugin. The reason why was the version of the jCIFS library (the ByteToArray method which throwns the exception is part of it). Version 1.3 used to throw the exception whereas version 1.2.24 did not. That is why I included version 1.2.24 in the attachments of this page.

          Which version did you use ?

          Bruno

          1. Hi guys, it should be possible to use 1.3.x, I stumbled across the issue on the Confluence NTLM authenticator. The exception is probably coming from the response processing, whereby jcifs is returning a 0byte rather than 8byte NTLM response. Set the following environement variable on jcifs and it should work fine:

            jcifs.smb.client.useExtendedSecurity=false
            

            Andy

            1. Hi Andy,

              your tip just works fine! I have added it to the documentation.

              Thanks a lot.

              Bruno

          2. Ah.. yes i was using version 1.3.x. Andy's solution worked at treat. (smile) But due to the problem below i reverted to 1.2.24 just in case.

            Now that i've enabled this filter confluence redirects to localhost:8080...(jira), obviously the user doesn't have jira installed on their local machine, so that's bad news..also why jira?. We use apache as a proxy to route confluence.server to server:8081 and jira.server to server:8080. If i load up server:8081 or server:8080 i get confluence and jira respectivly all logged in and ready to go. NTLM is working.

            Coen

            1. Hi Coen,

              Hmm, there's absolutely no hard coded URL in the filter so I guess you probably need to modify the crowd.properties file of your application. That's what I meant in the documentation with "First of all, install and configure Crowd SSO for your application " (smile)

              You should also be careful with Crowd token's domain. If Crowd has been configured for the ".server" domain, the cookie will not be sent to URL that do not include this domain.

              Bruno

              1. Hi Bruno,

                Thanks for your help. SSO for confluence and jira was working fine before i attempted to set up this filter and still is if i request confluence through it's port number (NTLM works as well). In the crowd.properties file there is a setting 'application.login.url' which was set to http://localhost:8080/. It appears as though the plugin is not authenticating when i request confluence through the reverse proxy (confluence.server) as opposed to server:8081 (if i remove the filter mapping everything works... well except for NTLM.. ). I have tried changing 'application.login.url' to all kinds of variations of confluence, except i get an infinate redirect loop. Any idea on what is going wrong?

                Cheers,
                Coen

                EDIT: After some research if may not be possible for apache to pass through NTLM.

                1. Hi Coen,

                  I should have seen what was going wrong at first sight, sorry about that! You are right, the reason why is actually the reverse proxy mode which disables NTLM. Thus, your requests are not authenticated and the plugin redirects you to the login page which is configured to be http://localhost:8080 in the crowd.properties file.

                  I am not sure there is a solution to pass through NTLM in an Apache Reverse Proxy. You might want to try this: http://modntlm.sourceforge.net/ (they say there is patch that supports reverse proxy mode).

                  Bruno

                2. Bleugh, use mod_jk, job done (smile)

                  1. Yeah that's what i was going to try first.

  4. Hi All,

    Is there any way i can specify in the url-patten tag of VerifyCrowdNtlmTokenFilter

    to skip authentication for a specific action like "login.action".

    We want to have a fall back mechanism where non domain people should be redirected to a login form. Currently a blank screen appears when the user is

    redirected to the login page specified in crowd.properties file (which i guess is due to the use of /*).

    Our applcation is running in linux environment and the silent login works perfectly for domain users with NTLM authentication.

    Kind Regards,

    M.A.Suman.

    1. Hi Suman,

      you can actually apply the filter to something else than "/*". For example you could apply the filter to "/secure/*", which would be the private part of your application, and not apply it to "/login.jsp".

      You can also modify the filter very easily. In the doFilter method of VerifyCrowdNtlmTokenFilter, you just need to chain the filter before any other action if the requested URL equals the value of formLoginPage.

      Hope this helps.

      Bruno

      1. Hi Bruno,

        Thanks for the reply. I am able to skip authentication for login.action by following the above steps, but i have run into a different problem.

        Actually we want the fallback to login form to happen when NTLM authentication fails.

        Currently non domain users are prompted with a login box to provide credentials. If they press cancel then nothing is happening. Looks like this cancel request

        is not being propagated back to the application and the user is shown a blank screen. (is it because the authentication code is being called from a filter instead of a servlet ?)

        Also for some reason response.sendRedirect is not working.

        Can you please provide me a different approach for this.

        Kind Regards,

        M.A.Suman

        1. This is similar in functionality to what i'd like. We have a few users who anonymously browse our wiki as they do not have accounts. It's impractical to give them accounts as they are only browsing for one session and they will never be back. It would be nice if we had the option of falling back to standard authentication. Preferred behavior would be if NTLM succeeds then fantastic, if it doesn't then behave as usual pre NTLM filter.

        2. Hi All,

          Finally found a work around.

          Initially i thought of adopting an IP based approach to distinguish between domain and external users, but as our proxy server was coming in between so it was not possible to get the remote users ip address. (This approach may be valid and useful for others)

          2nd was to use a certificate based approach . All users in our domain have a special certificate identifying them as employees in the browser. So i did the following changes.

          a) Edit the attribute clientAuth="false" to clientAuth="want" in connector tag of tomcat's server.xml file. This attribute makes the browser submit all the user certificates to the application.

          b) In the do filter method get all the certificates using

          X509Certificate[] certs = (java.security.cert.X509Certificate[])request. getAttribute( "javax.servlet.request.X509Certificate" );

          c) Check each X509Certificate object to see if the Issuer Dn string matches that of your company.

          (For example) certs[0].getIssuerDn().getName().equals("[YOUR_COMPANY_DN]")

          If no matching certificate is found then the user can be considered an external user and can be directly forwarded to the login page if he does not have a valid crowd token.

          Kind Regards,

          M.A.Suman.

          1. Hi guys,

            sorry for replying so late.

            Well, first of all, I am glad you found a solution. You actually needed to find a way to distinguish between the domain users and the external users before applying the NTLM filter (and you are right, the proxy's IP address might be in most cases a very good criteria).

            The reason why we cannot do that once the NTLM process has begun is because the browser opens an authentication pop-up window when it receives the "WWW-Authenticate: NTLM" header which is the very first step of the NTLM process (of course, the browser opens the pop-up window only if it cannot send a correct answer to this "challenge"). If you click "cancel" you actually get a blank screen because the browser does not do anything else afterwards (there is no other HTTP request sent to the server).

            I guess there might be a solution for the Kerberos implementation with Ajax (see Taglabs' implementation: Try Spnego Login with JavaScript on http://dev.taglab.com/sites/taglab-public/support/spnego.html).

            Regards,

            Bruno

  5. Hi Bruno,

    When ever NTLM authentication succeds i am not able to edit or create anything in wiki using I.E .

    While saving every time i get validation errors from server side asking to enter all the required fields even though i filled everything correctly.

    This problem does not come in firefox. Upon further debugging i see that none of the request parameters are received. This only happens when NTLM authentication succeeds.

    Did any one else face this problem. Why arent request parameters received when NTLM authentication succeeds.

    Also i tried rearranging the <filter-mapping> of NTLM at several places to see if it fixes the problem, but it didnt help.

    Kind Regards,

    M.A.Suman

    1. Hi,

      Well, this really sounds weird. The filter does not do anything once the user has obtained a valid crowd token. Besides, even at first authentication when it "transforms" the NTLM token into the crowd token, it does not change any request parameter...

      What is your wiki application ? Confluence ? Which version of Internet Explorer are you using ?

      Regards,

      Bruno

      1. Hi Bruno,

        I am using confluence 2.9.2. This problem occurs with both IE6 and IE7.

        This seems to be a bug with IE and NTLM as i am losing most of the request data.

        Further debugging is needed to find out where the problem lies.

        Kind Regards,

        M.A.Suman.

        1. Hi,

          Well, sorry for the delay. I finally found time to have a look at this problem!

          It is entirely due to an Internet Explorer's performance "feature". Once an IE user has logged on a web site using NTLM, IE thinks it will need to renegociate all further requests to this web site. Thus, it does not supply the POST data and prepares itself to renegociate again. This behaviour is controlled by a registry key called DisableNTLMPreAuth. Thus you need to add this key as explained in the "Configure Internet Explorer for NTLM" part of this page. I have just tested it, it does work (smile)

          You might also fall back to the Kerberos implementation which is not affected by this so called IE "feature"

          Regards,

          Bruno

          1. Hi Bruno,

            Thanks for the information.

            I switched to kerberos implementation and faced no problems.

            Kind Regards,

            M.A.Suman.

  6. Hi,

    I tried the plug-in and facing the following error:

    System Error
    A system error has occurred.
    If this problem persists - please notify your JIRA administrator of this problem.
    Otherwise, please create a support issue on our support system at http://support.atlassian.com with the following information:
    a description of your problem
    cut & paste the error and system information found below
    attach the application server log file ( C:\WINDOWS\system32\atlassian-jira.log )
    Cause:
    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    Stack Trace: [hide]
    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.getToken(VerifyCrowdKerberosTokenFilter.java:278)
        at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.doFilter(VerifyCrowdKerberosTokenFilter.java:103)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:619)
    Referer URL: Unknown
    Build Information:
    Uptime : N/A
    Edition : Enterprise
    Version : 3.13.2
    Build Number : 335
    Atlassian Partner : null
    Installation Type : Standalone
    Server ID : Contact your Administrator to discover this property value.
    Server Information:
    Application Server: Apache Tomcat/5.5.26
    Servlet Version: 2.4
    File Paths:
    Contact your System Administrator to discover file path information.
    Memory Information:
    Total Memory: 493 MB
    Free Memory: 464 MB
    Used Memory: 29 MB
    Total PermGen Memory: 176 MB
    Free PermGen Memory: 145 MB
    Used PermGen Memory: 30 MB
    System Information:
    System Date : Thursday, 26 Mar 2009
    System Time : 10:31:16
    Current Working Directory : Contact your System Administrator to discover this property value.
    Java Version : 1.6.0_03
    Java Vendor : Sun Microsystems Inc.
    JVM Version : 1.0
    JVM Vendor : Sun Microsystems Inc.
    JVM Implementation Version : 1.6.0_03-b05
    Java Runtime : Java(TM) SE Runtime Environment
    Java VM : Java HotSpot(TM) Server VM
    User Name : SYSTEM
    User Timezone : Asia/Singapore
    User Locale : English (United States)
    System Encoding : Cp1252
    Operating System : Windows XP 5.1
    OS Architecture : x86
    Application Server Container :
    Database type : hsql
    Database JNDI address : java:comp/env/jdbc/JiraDS
    Database URL : Hidden
    Database version : 1.8.0
    Database driver : HSQL Database Engine Driver 1.8.0
    External user management : OFF
    Crowd integration : ON
    JVM Input Arguments : Contact your System Administrator to discover this property value.
    Language Info:
    Installed languages: Chinese (China)
    Chinese (Taiwan)
    Czech (Czech Republic)
    Danish (Denmark)
    Dutch (Belgium)
    English (UK)
    French (France)
    German (Germany)
    German (Switzerland)
    Hungarian (Hungary)
    Italian (Italy)
    Japanese (Japan)
    Norwegian (Norway)
    Polish (Poland)
    Portuguese (Brazil)
    Russian (Russia)
    Slovak (Slovakia)
    Spanish (Spain)
    Turkish (Turkey) 
    Default language: English (United States) - System Default
    Request Information:
    - Request URL: http://mourougana/500page.jsp
    - Scheme: http
    - Server: mourougana
    - Port: 80
    - URI: /500page.jsp
    - Context Path:
    - - Servlet Path: /500page.jsp
    - - Path Info: null
    - - Query String:
    Request Attributes
    - javax.servlet.forward.request_uri : /
    - javax.servlet.forward.context_path :
    - javax.servlet.forward.servlet_path : /default.jsp
    - javax.servlet.forward.path_info : /500page.jsp
    - javax.servlet.error.message :
    - webwork.result : Value stack =========== ===========
    - javax.servlet.error.status_code : 500
    - javax.servlet.error.servlet_name : jsp
    - javax.servlet.error.exception : javax.servlet.ServletException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    - javax.servlet.error.request_uri : /
    Request Logging
    0 log statements generated by this request:
    Listeners
     - Issue Cache Listener (com.atlassian.jira.event.listeners.cache.IssueCacheListener)
     - Issue Index Listener (com.atlassian.jira.event.listeners.search.IssueIndexListener)
     - Mail Listener (com.atlassian.jira.event.listeners.mail.MailListener)
    Services
     - Backup Service (com.atlassian.jira.service.services.export.ExportService)
       - Delay: 720 minutes
     - Mail Queue Service (com.atlassian.jira.service.services.mail.MailQueueService)
       - Delay: 1 minutes
    Plugins
     - Admin Menu Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Browse Project Operations Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Content Link Resolvers Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Custom Field Types & Searchers 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Filter List Plugin 1.1.2 - Plugin by SourceLabs
       - Enabled
     - FishEye Plugin 2.2.2 - Plugin by Atlassian Software Systems
       - Enabled
     - Issue Operations Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Issue Tab Panels Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Issue Views Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - JIRA Bamboo Plugin 2.2 - Plugin by Atlassian Software Systems Pty Ltd
       - Enabled
     - JIRA Calendar Plugin 1.9 - Plugin by Atlassian Pty Ltd
       - Enabled
     - JIRA Charting Plugin 1.4.1 - Plugin by Atlassian Pty Ltd
       - Enabled
     - JIRA Footer 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Portlets Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Preset Filters Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Project Panels Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Project Role Actors Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - RPC JIRA Plugin 3.13.1 - Plugin by Atlassian Software Systems Pty Ltd
       - Enabled
     - Renderer Component Factories Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Renderer Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Reports Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Top Navigation Bar 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - User Format 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - User Navigation Bar Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - User Profile Links 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - View Project Operations Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Web Resources Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Webwork Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Wiki Renderer Macros Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Workflow Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled

    Any help is highly appreciated.

    Thanks & Regards,

    Mourougan

    1. Hi Morougan,

      Looks like you received a NTLM token instead of a kerberos token. Kerberos token starts with YII.... sequence

      You can contact your network administrator to give you a correct keytab file and make sure that the user whose credentials will be used in

      the keytab file has been mapped to the kerberos service principle.

      Kind Regards,

      M.A.Suman.

      1. Hi Masuman,

        Thanks for the response.

        Now are are getting the below error.  Could you able to help to guide me?

        Filter: profiling] Using parameter [jira_profile]
        [Filter: profiling] defaulting to off [autostart=false]
        [Filter: profiling] Turning filter off [jira_profile=off]
        Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:\JIRA-Enterprise-3.13.2\Kerberos\appsrv.keytab refreshKrb5Config is false principal is HTTP/appsupport.mda.gov.sg@MDA tryFirstPass is false useFirstPass is false storePass is false clearPass is false
        principal's key obtained from the keytab
        Acquire TGT using AS Exchange
        2009-05-28 13:01:26,873 http-80-Processor25 WARN [itekia.crowd.integration.VerifyCrowdKerberosTokenFilter] GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
        2009-05-28 13:01:26,889 http-80-Processor25 WARN [itekia.crowd.integration.VerifyCrowdKerberosTokenFilter] GSSException major: No valid credentials provided
        2009-05-28 13:01:26,889 http-80-Processor25 WARN [itekia.crowd.integration.VerifyCrowdKerberosTokenFilter] GSSException minor: Attempt to obtain new ACCEPT credentials failed!
        2009-05-28 13:01:26,889 http-80-Processor25 ERROR [[Catalina].[localhost].[/].[jsp]] Servlet.service() for servlet jsp threw exception
        javax.security.auth.login.LoginException: java.lang.NullPointerException
         at sun.security.krb5.internal.KRBError.parsePAData(KRBError.java:216)
         at sun.security.krb5.internal.KRBError.<init>(KRBError.java:193)
         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:53)
         at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
         at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
         at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
         at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
         at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
         at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:183)
         at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:301)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:869)
         at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:536)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.getToken(VerifyCrowdKerberosTokenFilter.java:278)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.doFilter(VerifyCrowdKerberosTokenFilter.java:103)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:619)

         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
         at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
         at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
         at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:183)
         at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:301)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:869)
         at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:536)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.getToken(VerifyCrowdKerberosTokenFilter.java:278)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.doFilter(VerifyCrowdKerberosTokenFilter.java:103)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:619)
        2009-05-28 13:01:27,014 http-80-Processor25 ERROR [500ErrorPage.jsp] Exception caught in 500 page No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
        GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
         at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:183)
         at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:301)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:869)
         at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:536)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.getToken(VerifyCrowdKerberosTokenFilter.java:278)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.doFilter(VerifyCrowdKerberosTokenFilter.java:103)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:619)
        Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
         at sun.security.krb5.internal.KRBError.parsePAData(KRBError.java:216)
         at sun.security.krb5.internal.KRBError.<init>(KRBError.java:193)
         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:53)
         at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
         at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
         at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)
         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
         at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
         at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
         at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:183)
         at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:220)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:301)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:869)
         at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:536)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.getToken(VerifyCrowdKerberosTokenFilter.java:278)
         at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.doFilter(VerifyCrowdKerberosTokenFilter.java:103)
         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:619)

         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
         at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
         at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
         ... 26 more

        The  jass-krb5.conf file is:

        com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          storeKey=true
          keyTab="C:\\JIRA-Enterprise-3.13.2\\Kerberos
        appsrv.keytab"
          doNotPrompt=true
          useKeyTab=true
          realm="MDA"
          principal="HTTP/appsupport.mda.gov.sg@MDA"
          debug=true;
        };

        The krb5.conf

        [libdefaults]
             default_realm = MDA
             default_tkt_enctypes = des-cbc-md5 rc4-hmac
             default_tgs_enctypes = des-cbc-md5 rc4-hmac
        [realms]
             MDA =

        Unknown macro: {     kdc = FS.MDA}

        [domain_realm]
             .mda = MDA

        Any clue?

        Thanks in advance

        Mourougan

  7. Hi,

    I tried Kerberos implementation in JIRA and get the below:

    System Error
    A system error has occurred.
    If this problem persists - please notify your JIRA administrator of this problem.
    Otherwise, please create a support issue on our support system at http://support.atlassian.com with the following information:
    a description of your problem
    cut & paste the error and system information found below
    attach the application server log file ( C:\WINDOWS\system32\atlassian-jira.log )
    Cause:
    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    Stack Trace: [hide]
    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.getToken(VerifyCrowdKerberosTokenFilter.java:278)
        at com.itekia.crowd.integration.VerifyCrowdKerberosTokenFilter.doFilter(VerifyCrowdKerberosTokenFilter.java:103)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:548)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
        at java.lang.Thread.run(Thread.java:619)
    Referer URL: Unknown
    Build Information:
    Uptime : N/A
    Edition : Enterprise
    Version : 3.13.2
    Build Number : 335
    Atlassian Partner : null
    Installation Type : Standalone
    Server ID : Contact your Administrator to discover this property value.
    Server Information:
    Application Server: Apache Tomcat/5.5.26
    Servlet Version: 2.4
    File Paths:
    Contact your System Administrator to discover file path information.
    Memory Information:
    Total Memory: 493 MB
    Free Memory: 464 MB
    Used Memory: 29 MB
    Total PermGen Memory: 176 MB
    Free PermGen Memory: 145 MB
    Used PermGen Memory: 30 MB
    System Information:
    System Date : Thursday, 26 Mar 2009
    System Time : 10:31:16
    Current Working Directory : Contact your System Administrator to discover this property value.
    Java Version : 1.6.0_03
    Java Vendor : Sun Microsystems Inc.
    JVM Version : 1.0
    JVM Vendor : Sun Microsystems Inc.
    JVM Implementation Version : 1.6.0_03-b05
    Java Runtime : Java(TM) SE Runtime Environment
    Java VM : Java HotSpot(TM) Server VM
    User Name : SYSTEM
    User Timezone : Asia/Singapore
    User Locale : English (United States)
    System Encoding : Cp1252
    Operating System : Windows XP 5.1
    OS Architecture : x86
    Application Server Container :
    Database type : hsql
    Database JNDI address : java:comp/env/jdbc/JiraDS
    Database URL : Hidden
    Database version : 1.8.0
    Database driver : HSQL Database Engine Driver 1.8.0
    External user management : OFF
    Crowd integration : ON
    JVM Input Arguments : Contact your System Administrator to discover this property value.
    Language Info:
    Installed languages: Chinese (China)
    Chinese (Taiwan)
    Czech (Czech Republic)
    Danish (Denmark)
    Dutch (Belgium)
    English (UK)
    French (France)
    German (Germany)
    German (Switzerland)
    Hungarian (Hungary)
    Italian (Italy)
    Japanese (Japan)
    Norwegian (Norway)
    Polish (Poland)
    Portuguese (Brazil)
    Russian (Russia)
    Slovak (Slovakia)
    Spanish (Spain)
    Turkish (Turkey) 
    Default language: English (United States) - System Default
    Request Information:
    - Request URL: http://mourougana/500page.jsp
    - Scheme: http
    - Server: mourougana
    - Port: 80
    - URI: /500page.jsp
    - Context Path:
    - - Servlet Path: /500page.jsp
    - - Path Info: null
    - - Query String:
    Request Attributes
    - javax.servlet.forward.request_uri : /
    - javax.servlet.forward.context_path :
    - javax.servlet.forward.servlet_path : /default.jsp
    - javax.servlet.forward.path_info : /500page.jsp
    - javax.servlet.error.message :
    - webwork.result : Value stack =========== ===========
    - javax.servlet.error.status_code : 500
    - javax.servlet.error.servlet_name : jsp
    - javax.servlet.error.exception : javax.servlet.ServletException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    - javax.servlet.error.request_uri : /
    Request Logging
    0 log statements generated by this request:
    Listeners
     - Issue Cache Listener (com.atlassian.jira.event.listeners.cache.IssueCacheListener)
     - Issue Index Listener (com.atlassian.jira.event.listeners.search.IssueIndexListener)
     - Mail Listener (com.atlassian.jira.event.listeners.mail.MailListener)
    Services
     - Backup Service (com.atlassian.jira.service.services.export.ExportService)
       - Delay: 720 minutes
     - Mail Queue Service (com.atlassian.jira.service.services.mail.MailQueueService)
       - Delay: 1 minutes
    Plugins
     - Admin Menu Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Browse Project Operations Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Content Link Resolvers Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Custom Field Types & Searchers 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Filter List Plugin 1.1.2 - Plugin by SourceLabs
       - Enabled
     - FishEye Plugin 2.2.2 - Plugin by Atlassian Software Systems
       - Enabled
     - Issue Operations Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Issue Tab Panels Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Issue Views Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - JIRA Bamboo Plugin 2.2 - Plugin by Atlassian Software Systems Pty Ltd
       - Enabled
     - JIRA Calendar Plugin 1.9 - Plugin by Atlassian Pty Ltd
       - Enabled
     - JIRA Charting Plugin 1.4.1 - Plugin by Atlassian Pty Ltd
       - Enabled
     - JIRA Footer 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Portlets Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Preset Filters Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Project Panels Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Project Role Actors Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - RPC JIRA Plugin 3.13.1 - Plugin by Atlassian Software Systems Pty Ltd
       - Enabled
     - Renderer Component Factories Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Renderer Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Reports Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Top Navigation Bar 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - User Format 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - User Navigation Bar Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - User Profile Links 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - View Project Operations Sections 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Web Resources Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Webwork Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Wiki Renderer Macros Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled
     - Workflow Plugin 1.0 - Plugin by Atlassian Pty Ltd
       - Enabled

    Any help is highly appreciated.

    Thanks & Regards,

    Mathsavithri

  8. Hi

    I have installed "Windows Integrated Authentication for Crowd-enabled Applications" plugins for crowd but getting below error:

    Cause :
    java.net.UnknownHostException: Domain_Controller_FQDN

    Stack Trace :

    java.net.UnknownHostException: Domain_Controller_FQDN
    at jcifs.UniAddress.getAllByName(UniAddress.java:315)
    at jcifs.UniAddress.getByName(UniAddress.java:245)
    at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.negotiate(VerifyCrowdNtlmTokenFilter.java:308)
    at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.doFilter(VerifyCrowdNtlmTokenFilter.java:149)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:619)

    [

     

    Build Information :
    Version : 2.0.2 (Build:#409 - 06-10-2009)

    Memory Information :
    Total Memory : 133 MB
    Free Memory : 90 MB
    Used Memory : 42 MB

    Request Information :

    • Request URL :
    • Scheme : http
    • Server :
    • Port : 8095
    • URI : /crowd/console/500.jsp
    • Context Path : /crowd
    • - Servlet Path : /console/500.jsp
    • - Path Info : null
    • - Query String :

    Request Attributes :

    • javax.servlet.forward.request_uri : /crowd/console/
    • javax.servlet.forward.context_path : /crowd
    • javax.servlet.forward.servlet_path : /console/index.jsp
    • javax.servlet.forward.path_info : /console/500.jsp
    • javax.servlet.error.message :
    • javax.servlet.error.status_code : 500
    • webwork.valueStack : com.opensymphony.xwork.util.OgnlValueStack@1c44fe9
    • javax.servlet.error.servlet_name : jsp
    • javax.servlet.error.exception : java.net.UnknownHostException: Domain_Controller_FQDN
    • javax.servlet.error.request_uri : /crowd/console/

    I did it with all steps provided in

    Any help is highly appreciated.

    Thanks & Regards,

    1. Hi Veronica,

      You have to replace the string "Domain_Controller_FQDN" with the fully qualified domain name of your Windows controller in web.xml, for instance "mydomaincontroller.mycompany.com".

      Regards,

      Bruno

  9. Hi Bruno

     why this is required "WebSphere Application Server v6.1.0.13 (NTLM version only, Windows 2003)".

    I dont have this is this the reason why i am getting above error. I am using Crowd Version: 2.0.2.

     If it is essential let me know how and where to install it....

    Thanks

    1. If you are using WebSphere 6, you need to have at least fixpack 13 to make the NTLM version work. You cannot use Websphere with the Kerberos version since the plugin is based on Sun's JDK, not IBM's.

      But this has nothing to do with the problem you're experiencing above :-)

  10. Bruno,

     Using NTLM method , whenever credentials are provided on window popup  it takes to blank page what can be the cause.

    Vernoica

  11. Bruno,

    After the above problem i just replace localhost value by IP in crowd.properties so now blank screen is not coming but different error is coming see below

    :

    Cause :
    jcifs.smb.SmbException: Connection timeout jcifs.util.transport.TransportException: Connection timeout at jcifs.util.transport.Transport.connect(Transport.java:178) at jcifs.smb.SmbTransport.connect(SmbTransport.java:293) at jcifs.smb.SmbSession.getChallenge(SmbSession.java:146) at jcifs.smb.SmbSession.getChallenge(SmbSession.java:140) at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.negotiate(VerifyCrowdNtlmTokenFilter.java:309) at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.doFilter(VerifyCrowdNtlmTokenFilter.java:149) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454) at java.lang.Thread.run(Thread.java:619)

    Stack Trace : jcifs.smb.SmbException: Connection timeout
    jcifs.util.transport.TransportException: Connection timeout
    at jcifs.util.transport.Transport.connect(Transport.java:178)
    at jcifs.smb.SmbTransport.connect(SmbTransport.java:293)
    at jcifs.smb.SmbSession.getChallenge(SmbSession.java:146)
    at jcifs.smb.SmbSession.getChallenge(SmbSession.java:140)
    at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.negotiate(VerifyCrowdNtlmTokenFilter.java:309)
    at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.doFilter(VerifyCrowdNtlmTokenFilter.java:149)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:619)

    at jcifs.smb.SmbTransport.connect(SmbTransport.java:295)
    at jcifs.smb.SmbSession.getChallenge(SmbSession.java:146)
    at jcifs.smb.SmbSession.getChallenge(SmbSession.java:140)
    at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.negotiate(VerifyCrowdNtlmTokenFilter.java:309)
    at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.doFilter(VerifyCrowdNtlmTokenFilter.java:149)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:619)
    Veronica

  12. Bruno,

     Again :) Using NTLM method , whenever credentials are provided on window popup  it takes to blank page what can be the cause.

    in logs such type of error is showing

    2009-11-25 14:16:33,046 http-8095-2 WARN [itekia.crowd.integration.VerifyCrowdNtlmTokenFilter] Unable to connect to crowd server URL: null; nested exception is:
        java.lang.NullPointerException
    2009-11-25 14:17:10,437 http-8095-1 DEBUG [itekia.crowd.integration.VerifyCrowdNtlmTokenFilter] VerifyCrowdNtlmTokenFilter: vernica.grower successfully authenticated against 0.0.0.0<00>/172.16.0.114
    2009-11-25 14:17:10,437 http-8095-1 FATAL [service.soap.client.SecurityServerClientImpl] Unable to connect to crowd server URL: null

    Vernoica

  13. Hi Bruno

      I put crowd.properties file in classes directoy, now i jumped the above error but this error is still coming on the screen

    Cause :
    org.codehaus.xfire.XFireRuntimeException: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: Server returned error code = 401 for URI : http://172.16.0.114:8095/crowd/services/SecurityServer. Check server logs for details

    Stack Trace : org.codehaus.xfire.XFireRuntimeException: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: Server returned error code = 401 for URI : http://172.16.0.114:8095/crowd/services/SecurityServer. Check server logs for details
    org.codehaus.xfire.fault.XFireFault: Server returned error code = 401 for URI : http://172.16.0.114:8095/crowd/services/SecurityServer. Check server logs for details
    at org.codehaus.xfire.fault.XFireFault.createFault(XFireFault.java:89)
    at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:83)
    at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:114)
    at org.codehaus.xfire.client.Client.invoke(Client.java:336)
    at org.codehaus.xfire.client.XFireProxy.handleRequest(XFireProxy.java:77)
    at org.codehaus.xfire.client.XFireProxy.invoke(XFireProxy.java:57)
    at $Proxy71.authenticateApplication(Unknown Source)
    at com.atlassian.crowd.integration.service.soap.client.SecurityServerClientImpl.authenticate(SecurityServerClientImpl.java:191)
    at com.atlassian.crowd.integration.service.soap.client.SecurityServerClientImpl.getApplicationToken(SecurityServerClientImpl.java:168)
    at com.atlassian.crowd.integration.service.soap.client.SecurityServerClientImpl.findPrincipalByName(SecurityServerClientImpl.java:634)
    at com.itekia.crowd.integration.VerifyCrowdNtlmTokenFilter.doFilter(VerifyCrowdNtlmTokenFilter.java:166)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: org.codehaus.xfire.XFireRuntimeException: Server returned error code = 401 for URI : http://172.16.0.114:8095/crowd/services/SecurityServer. Check server logs for details
    at org.codehaus.xfire.transport.http.HttpChannel.sendViaClient(HttpChannel.java:130)
    at org.codehaus.xfire.transport.http.HttpChannel.send(HttpChannel.java:48)
    at org.codehaus.xfire.handler.OutMessageSender.invoke(OutMessageSender.java:26)
    at org.codehaus.xfire.handler.HandlerPipeline.invoke(HandlerPipeline.java:131)
    at org.codehaus.xfire.client.Invocation.invoke(Invocation.java:79)
    ... 21 more
    kindly suggest the solution
    veronica

    1. You should check the application name and password in crowd.properties and check that they are the same as the ones you entered in the crowd console when registering the application...

      (You should also have a look to the allowed remote addresses)

  14. Hi Bruno

     Checked both the things are correct still same error :(

    org.codehaus.xfire.XFireRuntimeException: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: Server returned error code = 401 for URI : http://localhost:8095/crowd/services/SecurityServer.