SECURITY: Mandatory credentials not supplied

The MFT client is using the JMS interface for connection and I am setting the credentials. The UM log is showing the user@ under which the MFT client is running; it should ideally show the user which is part of the credentials entered.

What version of UM are you using?

Version 9.9

Hi Jonathan,

This is regarding client connections with UM. We have several applications which are connecting with a central UM HUB. We would like to authenticate the users connecting from those applications in UM. We have set up Active Directory based authentication, and JMS clients are able to connect by passing the security credential and security principal. However, DOTNET clients are unable to connect because we don't have an option to pass credentials in the DOTNET library. I can see the following error in the logs:
SECURITY: Mandatory credentials not supplied

I am not sure of the next steps to resolve this.
Can you help me here, please?

Thanks.
Vishal.

Hi Vishal,

The DotNet client does not (yet) support client authentication based on username/password. We are currently planning to include this in the October 2017 release of Universal Messaging.

Thanks for the quick reply.

Do we need to set up an exception for DOTNET clients? For the moment we have AD based authentication set up for the JMS clients; how can we bypass that?

Do we have any other ways to authenticate DOTNET clients?

Vishal,
you could authenticate DotNet clients using client certificates, but that will not work well in combination with basic authentication with your Java clients, so likely not an option.
What you could do is set up a file of authentication-exempt clients, e.g. based on the IP addresses of your DotNet clients. Create a file with the auth-exempt clients, e.g.
*@192.168.0.1
*@192.168.0.2
Then point to that file by adding this line to server_common.conf:
-DNirvana.auth.exempt=/path/to/file

This will allow your DotNet clients to connect, while still enforcing username/password for your Java clients.

Is there any way they can co-exist? I mean, Java clients can use basic authentication and DotNet clients can use client certificates?

Maybe it is not possible if using the same REALM, or can we use a different interface within the same REALM?

Otherwise we need to use a different REALM for DotNet clients to use client certificates.

Jonathan
Does this mean any user from the host 192.168.0.1 can connect without credentials when the application is .Net?
We are also having the same problem with a .Net app. For me it's only working when I provide username@hostname, not *@hostname.

*@192.168.0.1
*@192.168.0.2
Then point to that file by adding this line to server_common.conf:
-DNirvana.auth.exempt=/path/to/file

Hi Krishna,

This thread is pretty old. In the meantime, plain SASL authentication (with a username and a password) was made available in .Net (depending on the version you are using, you may have to install the latest fixes - check the respective fix readme for further information).

To your question: you cannot use wildcards when adding users that are exceptions to authentication - only explicit user@host is allowed there.

Thanks,
Stefan
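
An added example, not part of the thread and not Universal Messaging's own tooling: a small audit of an auth-exempt file that lists which subjects would connect without credentials and flags wildcard or malformed lines, following the last reply's statement that only explicit user@host entries are allowed. The one-entry-per-line format, the function name and the sample entries are assumptions.

```python
import re

# Assumption: one subject per line, in the user@host form quoted in the thread.
ENTRY = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>[^@\s]+)$")

def audit_exempt_entries(text):
    """Return (exempt, findings).

    exempt   -- explicit (user, host) pairs that would skip authentication
    findings -- (line_number, entry, reason) for lines needing attention
    """
    exempt, findings, seen = [], [], set()
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank line
        match = ENTRY.match(entry)
        if not match:
            findings.append((number, entry, "not in user@host form"))
            continue
        pair = (match.group("user"), match.group("host"))
        if "*" in entry:
            findings.append((number, entry, "wildcard, not an explicit user@host"))
        elif pair in seen:
            findings.append((number, entry, "duplicate entry"))
        else:
            seen.add(pair)
            exempt.append(pair)
    return exempt, findings

# Constructed sample file content (user name and addresses are made up).
SAMPLE = "\n".join([
    "*@192.168.0.1",
    "svc_dotnet@192.168.0.2",
    "",
    "svc_dotnet@192.168.0.2",
    "192.168.0.3",
])

if __name__ == "__main__":
    exempt, findings = audit_exempt_entries(SAMPLE)
    for user, host in exempt:
        print(f"exempt from authentication: {user}@{host}")
    for number, entry, reason in findings:
        print(f"line {number}: {entry!r}: {reason}")
```

Every pair in the first list is a subject that connects with no password check, so the list is worth reviewing whenever the file changes.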