0 Replies. Latest reply: Feb 16, 2013 11:53 PM by 979011

(JRE BUG?) Active directory forest

979011 Newbie
We have a few Active Directory controllers and domains, and our system should be able to query one domain using a user from another domain.
We didn't manage to do it in Java 1.60_00 because of a bug:
[Java Bug|http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=F6E8EB086BF9B51A61F4D441EC9DAFBD?noCount=true&externalId=KB33449&sliceId=2&cmd=displayKCPopup&docType=kc&isLoadPublishedVer=&docTypeID=DT_SUPPORTISSUE_1_1&ispopup=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl ]
Currently we have a problem with the following setup:
We are trying to connect to QA.DOM using the administrator user of D200.D1.W2K8.CORP.ME and we get the following error:
"Mechanism level: Fail to create credential. (63) - No service creds"

We can connect to RESOURCE.W2K8.CORP.ME, and we can also connect to QA.DOM if we use D1.W2K8.CORP.ME's administrator.
After investigating the pcap captures, I think the Java implementation has a bug regarding transitive trust to domains with a different suffix.

BTW: we tried the same scenario with an SMB-based package written in C, and it works.


Our active directory setup:

QA.DOM <---Forest Trust---> D1.W2K8.CORP.ME <---Forest Trust---> RESOURCE.W2K8.CORP.ME
                                   ^
                                   |
                          tree (two-way trust)
                                   |
                                   v
                       D200.D1.W2K8.CORP.ME (child of D1.W2K8.CORP.ME)


And the krb file:
[libdefaults]
     default_realm = D200.D1.W2K8.CORP.ME
     default_keytab_name = FILE:/usr/local/ctera/portal.keytab
[realms]
     D200.D1.W2K8.CORP.ME = {
          kdc = D200.D1.W2K8.CORP.ME
     }
     D1.W2K8.CORP.ME = {
          kdc = D1.W2K8.CORP.ME
     }
     RESOURCE.W2K8.CORP.ME = {
          kdc = RESOURCE.W2K8.CORP.ME
     }
     QA.DOM = {
          kdc = QA.DOM
     }
[domain_realm]
     .d200.d1.w2k8.corp.me = D200.D1.W2K8.CORP.ME
     d200.d1.w2k8.corp.me = D200.D1.W2K8.CORP.ME
     .d1.w2k8.corp.me = D1.W2K8.CORP.ME
     d1.w2k8.corp.me = D1.W2K8.CORP.ME
     .resource.w2k8.corp.me = RESOURCE.W2K8.CORP.ME
     resource.w2k8.corp.me = RESOURCE.W2K8.CORP.ME
     .qa.dom = QA.DOM
     qa.dom = QA.DOM

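The post above does not say what resolved the error, so the following is an added example and not code from the original post or from the JDK. It models the one thing the poster's krb5.conf leaves undeclared: the cross-realm path a Kerberos client has to walk to reach QA.DOM from D200.D1.W2K8.CORP.ME. With no [capaths] section, a client falls back to the hierarchical rule (RFC 4120 section 1.2, the behaviour of MIT krb5's realm walk): strip components off the client realm up to the longest common suffix with the target, then add them back down towards the target. For realms that share no suffix at all (CORP.ME versus DOM) that rule manufactures intermediate realms such as W2K8.CORP.ME, CORP.ME, ME and DOM that have no KDC in the poster's configuration, whereas the real trust path is the two-hop D200 -> D1 -> QA.DOM. The [capaths] section is the standard krb5.conf mechanism for declaring such a non-hierarchical path explicitly; that it is what resolves this particular setup is an assumption, not something the page confirms, and the model deliberately ignores KDC referrals, which real clients also follow. The [capaths] stanza, the parser and the helper names are all constructed here; the [realms] stanza is the poster's own.

```python
"""Model of how a Kerberos client picks a cross-realm path from krb5.conf.

Added example, not from the original post. POSTER_KRB5_CONF is the poster's
[realms] configuration; the [capaths] section in CAPATHS_KRB5_CONF is
constructed. The hierarchical rule below is a simplified model of
RFC 4120 section 1.2 / MIT krb5 behaviour and ignores KDC referrals.
"""
import re

POSTER_KRB5_CONF = """
[libdefaults]
    default_realm = D200.D1.W2K8.CORP.ME
[realms]
    D200.D1.W2K8.CORP.ME = {
        kdc = D200.D1.W2K8.CORP.ME
    }
    D1.W2K8.CORP.ME = {
        kdc = D1.W2K8.CORP.ME
    }
    RESOURCE.W2K8.CORP.ME = {
        kdc = RESOURCE.W2K8.CORP.ME
    }
    QA.DOM = {
        kdc = QA.DOM
    }
"""

# Constructed: same configuration plus an explicit trust path through the
# parent domain. Format: client realm = { server realm = intermediate realm }.
CAPATHS_KRB5_CONF = POSTER_KRB5_CONF + """
[capaths]
    D200.D1.W2K8.CORP.ME = {
        QA.DOM = D1.W2K8.CORP.ME
        RESOURCE.W2K8.CORP.ME = D1.W2K8.CORP.ME
    }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value | {key: value}}}.

    Simplification: a repeated key overwrites the earlier value, so this model
    supports a single intermediate hop per [capaths] entry (real files list one
    line per hop).
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if (m := re.fullmatch(r"\[(\w+)\]", line)):
            stack = [sections.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        elif (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            stack.append(stack[-1].setdefault(m.group(1), {}))
        elif (m := re.fullmatch(r"(\S+)\s*=\s*(.+)", line)):
            stack[-1][m.group(1)] = m.group(2).strip()
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    return sections


def hierarchical_path(client, server):
    """Realm path by the hierarchical rule: walk up from the client realm to the
    longest common suffix (or to the top component if there is none), then down
    to the server realm. Returns the full list, endpoints included."""
    c, s = client.split("."), server.split(".")
    k = 0
    while k < min(len(c), len(s)) and c[-1 - k].upper() == s[-1 - k].upper():
        k += 1
    # Going up: stop at the common suffix realm itself, or at the top component
    # when the two realms share nothing (then no common realm exists to stop at).
    up = [".".join(c[i:]) for i in range(1, len(c) - k + (1 if k else 0))]
    # Going down: from the first realm below the common suffix to the server.
    down = [".".join(s[j:]) for j in range(len(s) - k - 1, -1, -1)]
    return [client, *up, *down]


def select_path(conf, client, server):
    """An explicit [capaths] entry wins; otherwise fall back to the hierarchy."""
    hop = conf.get("capaths", {}).get(client, {}).get(server)
    if hop is None:
        return hierarchical_path(client, server)
    return [client, server] if hop == "." else [client, hop, server]


def unknown_realms(conf, path):
    """Realms on the path with no [realms] stanza, i.e. no KDC the client could
    ask in this configuration (real clients may also try DNS SRV lookups)."""
    known = {r.upper() for r in conf.get("realms", {})}
    return [r for r in path if r.upper() not in known]


if __name__ == "__main__":
    client, server = "D200.D1.W2K8.CORP.ME", "QA.DOM"
    for label, text in (("poster's conf", POSTER_KRB5_CONF),
                        ("with [capaths]", CAPATHS_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        path = select_path(conf, client, server)
        print(f"{label}: {' -> '.join(path)}")
        print(f"  realms with no KDC configured: {unknown_realms(conf, path)}")
```

Run as-is, the poster's configuration yields a seven-realm path whose four middle hops have no KDC, while the configuration with [capaths] yields D200.D1.W2K8.CORP.ME -> D1.W2K8.CORP.ME -> QA.DOM with every hop resolvable. The practical check when a cross-realm bind fails with "No service creds" is therefore to compare the path the client would derive against the trusts that actually exist, and to declare the real path in [capaths] whenever the two differ.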
