Re: SPNEGO test configuration with Manager webapp

On 14/05/2015 22:29, Mark Thomas wrote:
> On 14/05/2015 21:11, Mark Thomas wrote:
>> On 29/03/2015 23:13, André Warnier wrote:
>>> David Marsh wrote:
>>>> I've tested all the following public JDKs
>>>>
>>>> jdk-7u45-windows-i586.exe
>>>> jdk-7u65-windows-i586.exe
>>>> jdk-7u75-windows-i586.exe
>>>> jdk-8-windows-i586.exe
>>>> jdk-8u5-windows-i586.exe
>>>> jdk-8u11-windows-i586.exe
>>>> jdk-8u20-windows-i586.exe
>>>> jdk-8u25-windows-i586.exe
>>>> jdk-8u31-windows-i586.exe
>>>> jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token
>>>>
>>>> Seems a recent fix must have broken it.
>>>
>>> That is really great info. Thanks.
>>
>> As promised I have found some time to look into this.
>>
>> It appears that this fix in 8u40 onwards broke SPNEGO.
>> https://bugs.openjdk.java.net/browse/JDK-8048194
>>
>> The fix that was applied wasn't the one suggested in the bug report.
>>
>> I've spent some time looking at the code but I haven't found a way around this yet.
>
> Good news (sort of). I have an *extremely* dirty hack that fixes this on my test instance by moving some of the data about in the token that the client sends. It works with 8u20 and 8u45.
>
> At the moment the hack is extremely fragile. I need to make it more robust and make it optional. I should be able to get that done tomorrow and have it included in the next Tomcat 8 release.

Fix applied to trunk (for 9.0.x), 8.0.x (for 8.0.23 onwards) and 7.0.x (for 7.0.63 onwards).

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SPNEGO test configuration with Manager webapp

On 29/03/2015 23:13, André Warnier wrote:
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent fix must have broken it.
>
> That is really great info. Thanks.

As promised I have found some time to look into this.

It appears that this fix in 8u40 onwards broke SPNEGO.
https://bugs.openjdk.java.net/browse/JDK-8048194

The fix that was applied wasn't the one suggested in the bug report.

I've spent some time looking at the code but I haven't found a way around this yet.

Mark
Re: SPNEGO test configuration with Manager webapp

On 14/05/2015 21:11, Mark Thomas wrote:
> On 29/03/2015 23:13, André Warnier wrote:
>> David Marsh wrote:
>>> I've tested all the following public JDKs
>>>
>>> jdk-7u45-windows-i586.exe
>>> jdk-7u65-windows-i586.exe
>>> jdk-7u75-windows-i586.exe
>>> jdk-8-windows-i586.exe
>>> jdk-8u5-windows-i586.exe
>>> jdk-8u11-windows-i586.exe
>>> jdk-8u20-windows-i586.exe
>>> jdk-8u25-windows-i586.exe
>>> jdk-8u31-windows-i586.exe
>>> jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token
>>>
>>> Seems a recent fix must have broken it.
>>
>> That is really great info. Thanks.
>
> As promised I have found some time to look into this.
>
> It appears that this fix in 8u40 onwards broke SPNEGO.
> https://bugs.openjdk.java.net/browse/JDK-8048194
>
> The fix that was applied wasn't the one suggested in the bug report.
>
> I've spent some time looking at the code but I haven't found a way around this yet.

Good news (sort of). I have an *extremely* dirty hack that fixes this on my test instance by moving some of the data about in the token that the client sends. It works with 8u20 and 8u45.

At the moment the hack is extremely fragile. I need to make it more robust and make it optional. I should be able to get that done tomorrow and have it included in the next Tomcat 8 release.

Mark
Re: SPNEGO test configuration with Manager webapp

On 28 March 2015 17:46:50 CET, Mark Thomas ma...@apache.org wrote:
> On 28/03/2015 14:43, David Marsh wrote:
>> Ok so I went back to basics and created three new VM's.
>>
>> Windows Server 2008 R2
>> Windows 7 Client
>> Windows 7 Tomcat
>>
>> I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>
>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>
> Thank you for doing all this testing. That is useful information to know.
>
> The next step (for you, me or anyone who has the time and wants to help) is to test subsequent Java 7 releases and see at which version it stops working. I'd hope that a review of the relevant change log would identify the change that triggered the breakage and provide some clues on how to fix it.
>
> It would be worth testing the Java 8 releases the same way.

I read it that jdk 7 works and jdk 8 is problematic. There are a few Kerberos related changes in jdk 8 (http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html). Interesting are the two changes:

* DES is disabled by default
* constrained delegation is supported.

My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.

Regards
Felix

> Mark
>
>> David
>>
>>> From: dmars...@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>> Date: Fri, 27 Mar 2015 23:40:06 +
>>>
>>> By the way Tomcat 8 was running on JDK :-
>>>
>>> C:\Windows\system32>java -version
>>> java version "1.8.0_40"
>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>
>>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>>>
>>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>>
>>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>>>
>>> I get the same three 401's and the Negotiate.
>>>
>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>> From: a...@ice-sa.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> David Marsh wrote:
>>>>> Hi Mark,
>>>>>
>>>>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not a kerberos or Active Directory expert.
>>>>>
>>>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>>>
>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>
>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>> Enable Windows Integrated Authentication is on
>>>>> Auto logon only in Intranet Zone is on
>>>>>
>>>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>>>
>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>
>>>>> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
>>>>>
>>>>> Java kinit test works and stores a ticket in the Java session cache.
>>>>>
>>>>> So problem seems to be either :-
>>>>> 1. Browser sends bad token
>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>
>>>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines). I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.
>>>>
>>>>> many thanks
>>>>> David
>>>>>
>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>> From: a...@ice-sa.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> David Marsh wrote:
>>>>>>> Hi Mark,
>>>>>>>
>>>>>>> Thanks that would be great !
>>>>>>>
>>>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>>>>
>>>>>> I believe that I can answer that. And the basic answer is no.
>>>>>>
>>>>>> First the basic principle, valid for this and many many other areas : the server cannot impose anything on the browser. The local user can always override anything received from the server, by a setting in the browser. And a hacker can of course do anything. All the server can do, is tell the browser what it will accept, and the browser can tell the server ditto. So, never assume the opposite, and you will save yourself a lot of fruitless searches and dead-ends.
>>>>>>
>>>>>> Now more specific :
>>>>>>
>>>>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401 response with Negotiate as the requested authentication method. Unless it does that, the browser will never even attempt to send a Kerberos Authorization
RE: SPNEGO test configuration with Manager webapp

I've tested all the following public JDKs

jdk-7u45-windows-i586.exe
jdk-7u65-windows-i586.exe
jdk-7u75-windows-i586.exe
jdk-8-windows-i586.exe
jdk-8u5-windows-i586.exe
jdk-8u11-windows-i586.exe
jdk-8u20-windows-i586.exe
jdk-8u25-windows-i586.exe
jdk-8u31-windows-i586.exe
jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token

Seems a recent fix must have broken it.

David

> Subject: Re: SPNEGO test configuration with Manager webapp
> From: felix.schumac...@internetallee.de
> Date: Sun, 29 Mar 2015 10:13:29 +0200
> To: users@tomcat.apache.org
>
> On 28 March 2015 17:46:50 CET, Mark Thomas ma...@apache.org wrote:
>> On 28/03/2015 14:43, David Marsh wrote:
>>> Ok so I went back to basics and created three new VM's.
>>>
>>> Windows Server 2008 R2
>>> Windows 7 Client
>>> Windows 7 Tomcat
>>>
>>> I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>>
>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>
>> Thank you for doing all this testing. That is useful information to know.
>>
>> The next step (for you, me or anyone who has the time and wants to help) is to test subsequent Java 7 releases and see at which version it stops working. I'd hope that a review of the relevant change log would identify the change that triggered the breakage and provide some clues on how to fix it.
>>
>> It would be worth testing the Java 8 releases the same way.
>
> I read it that jdk 7 works and jdk 8 is problematic. There are a few Kerberos related changes in jdk 8 (http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html). Interesting are the two changes:
>
> * DES is disabled by default
> * constrained delegation is supported.
>
> My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.
>
> Regards
> Felix
>
>> Mark
>>
>>> David
>>>
>>>> From: dmars...@outlook.com
>>>> To: users@tomcat.apache.org
>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>> Date: Fri, 27 Mar 2015 23:40:06 +
>>>>
>>>> By the way Tomcat 8 was running on JDK :-
>>>>
>>>> C:\Windows\system32>java -version
>>>> java version "1.8.0_40"
>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>
>>>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>>>>
>>>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>>>
>>>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>>>>
>>>> I get the same three 401's and the Negotiate.
>>>>
>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>> From: a...@ice-sa.com
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> David Marsh wrote:
>>>>>> Hi Mark,
>>>>>>
>>>>>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not a kerberos or Active Directory expert.
>>>>>>
>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>>>>
>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>>
>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>> Enable Windows Integrated Authentication is on
>>>>>> Auto logon only in Intranet Zone is on
>>>>>>
>>>>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>>>>
>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>
>>>>>> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
>>>>>>
>>>>>> Java kinit test works and stores a ticket in the Java session cache.
>>>>>>
>>>>>> So problem seems to be either :-
>>>>>> 1. Browser sends bad token
>>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>>
>>>>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines). I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.
>>>>>
>>>>>> many thanks
>>>>>> David
>>>>>>
>>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>>> From: a...@ice-sa.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> David Marsh wrote:
>>>>>>>> Hi Mark,
>>>>>>>>
>>>>>>>> Thanks that would be great !
>>>>>>>>
>>>>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>>>>>
>>>>>>> I believe that I can answer that. And the basic answer is no.
>>>>>>>
>>>>>>> First the basic principle, valid for this and many many other areas : the server cannot impose anything on the browser. The local
Re: SPNEGO test configuration with Manager webapp

David Marsh wrote:
> I've tested all the following public JDKs
>
> jdk-7u45-windows-i586.exe
> jdk-7u65-windows-i586.exe
> jdk-7u75-windows-i586.exe
> jdk-8-windows-i586.exe
> jdk-8u5-windows-i586.exe
> jdk-8u11-windows-i586.exe
> jdk-8u20-windows-i586.exe
> jdk-8u25-windows-i586.exe
> jdk-8u31-windows-i586.exe
> jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token
>
> Seems a recent fix must have broken it.

That is really great info. Thanks.

By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one where it works ?

> David
>
>> Subject: Re: SPNEGO test configuration with Manager webapp
>> From: felix.schumac...@internetallee.de
>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>> To: users@tomcat.apache.org
>>
>> On 28 March 2015 17:46:50 CET, Mark Thomas ma...@apache.org wrote:
>>> On 28/03/2015 14:43, David Marsh wrote:
>>>> Ok so I went back to basics and created three new VM's.
>>>>
>>>> Windows Server 2008 R2
>>>> Windows 7 Client
>>>> Windows 7 Tomcat
>>>>
>>>> I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>>>
>>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>>
>>> Thank you for doing all this testing. That is useful information to know.
>>>
>>> The next step (for you, me or anyone who has the time and wants to help) is to test subsequent Java 7 releases and see at which version it stops working. I'd hope that a review of the relevant change log would identify the change that triggered the breakage and provide some clues on how to fix it.
>>>
>>> It would be worth testing the Java 8 releases the same way.
>>
>> I read it that jdk 7 works and jdk 8 is problematic. There are a few Kerberos related changes in jdk 8 (http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html). Interesting are the two changes:
>>
>> * DES is disabled by default
>> * constrained delegation is supported.
>>
>> My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.
>>
>> Regards
>> Felix
>>
>>> Mark
>>>
>>>> David
>>>>
>>>>> From: dmars...@outlook.com
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>> Date: Fri, 27 Mar 2015 23:40:06 +
>>>>>
>>>>> By the way Tomcat 8 was running on JDK :-
>>>>>
>>>>> C:\Windows\system32>java -version
>>>>> java version "1.8.0_40"
>>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>>
>>>>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>>>>>
>>>>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>>>>
>>>>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>>>>>
>>>>> I get the same three 401's and the Negotiate.
>>>>>
>>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>>> From: a...@ice-sa.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> David Marsh wrote:
>>>>>>> Hi Mark,
>>>>>>>
>>>>>>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not a kerberos or Active Directory expert.
>>>>>>>
>>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>>>>>
>>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>>>
>>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>>> Enable Windows Integrated Authentication is on
>>>>>>> Auto logon only in Intranet Zone is on
>>>>>>>
>>>>>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>>>>>
>>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>>
>>>>>>> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
>>>>>>>
>>>>>>> Java kinit test works and stores a ticket in the Java session cache.
>>>>>>>
>>>>>>> So problem seems to be either :-
>>>>>>> 1. Browser sends bad token
>>>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>>>
>>>>>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines). I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.
>>>>>>
>>>>>>> many thanks
>>>>>>> David
>>>>>>>
>>>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>>>> From: a...@ice-sa.com
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> David Marsh wrote:
>>>>>>>>> Hi Mark,
>>>>>>>>>
>>>>>>>>> Thanks that would be great !
>>>>>>>>>
>>>>>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>>>>>>
>>>>>>>> I believe that I can answer that. And the basic answer
RE: SPNEGO test configuration with Manager webapp

= null, s2kparams = null
Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
Pre-Authentication Data:
	 PA-DATA type = 16
Pre-Authentication Data:
	 PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes= 247
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=247
KrbKdcReq send: #bytes read=100
KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes= 247
KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=3,Attempt =1, #bytes=247
DEBUG: TCPClient reading 1475 bytes
KrbKdcReq send: #bytes read=1475
KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
 java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
	... 18 more
		[Krb5LoginModule]: Entering logout
		[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

> Date: Mon, 30 Mar 2015 00:13:54 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows
RE: SPNEGO test configuration with Manager webapp

if -- false
28-Mar-2015 14:21:28.832 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif -- false
28-Mar-2015 14:21:28.848 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif -- false
28-Mar-2015 14:21:28.864 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif -- false
28-Mar-2015 14:21:28.879 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif -- false
28-Mar-2015 14:21:28.895 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif -- false
28-Mar-2015 14:21:28.910 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif -- false
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints No applicable constraint located
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Not subject to any constraint

> Date: Mon, 30 Mar 2015 00:13:54 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe -- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent fix must have broken it.
>
> That is really great info. Thanks.
>
> By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one where it works ?
>
>> David
>>
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>> From: felix.schumac...@internetallee.de
>>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>>> To: users@tomcat.apache.org
>>>
>>> On 28 March 2015 17:46:50 CET, Mark Thomas ma...@apache.org wrote:
>>>> On 28/03/2015 14:43, David Marsh wrote:
>>>>> Ok so I went back to basics and created three new VM's.
>>>>>
>>>>> Windows Server 2008 R2
>>>>> Windows 7 Client
>>>>> Windows 7 Tomcat
>>>>>
>>>>> I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>>>>
>>>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>>>
>>>> Thank you for doing all this testing. That is useful information to know.
>>>>
>>>> The next step (for you, me or anyone who has the time and wants to help) is to test subsequent Java 7 releases and see at which version it stops working. I'd hope that a review of the relevant change log would identify the change that triggered the breakage and provide some clues on how to fix it.
>>>>
>>>> It would be worth testing the Java 8 releases the same way.
>>>
>>> I read it that jdk 7 works and jdk 8 is problematic. There are a few Kerberos related changes in jdk 8 (http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html). Interesting are the two changes:
>>>
>>> * DES is disabled by default
>>> * constrained delegation is supported.
>>>
>>> My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.
>>>
>>> Regards
>>> Felix
>>>
>>>> Mark
>>>>
>>>>> David
>>>>>
>>>>>> From: dmars...@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> Date: Fri, 27 Mar 2015 23:40:06 +
>>>>>>
>>>>>> By the way Tomcat 8 was running on JDK :-
>>>>>>
>>>>>> C:\Windows\system32>java -version
>>>>>> java version "1.8.0_40"
>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>>>
>>>>>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>>>>>>
>>>>>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>>>>>
>>>>>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>>>>>>
>>>>>> I get the same three 401's and the Negotiate.
>>>>>>
>>>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>>>> From: a...@ice-sa.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> David Marsh wrote:
>>>>>>>> Hi Mark,
>>>>>>>>
>>>>>>>> Thanks for that, yes I've got 30 years windows experience
RE: SPNEGO test configuration with Manager webapp

Ok so I went back to basics and created three new VM's.

Windows Server 2008 R2
Windows 7 Client
Windows 7 Tomcat

I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.

It appears there are breaking changes to JAAS/GSS in newer JDKs ?

David

> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Fri, 27 Mar 2015 23:40:06 +
>
> By the way Tomcat 8 was running on JDK :-
>
> C:\Windows\system32>java -version
> java version "1.8.0_40"
> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>
> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>
> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>
> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>
> I get the same three 401's and the Negotiate.
>
>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>> From: a...@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> David Marsh wrote:
>>> Hi Mark,
>>>
>>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not a kerberos or Active Directory expert.
>>>
>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>
>>> I made the IE settings you outlined but it seems to still prompt.
>>>
>>> IE has win-tc01.kerbtest.local as a trusted site.
>>> Enable Windows Integrated Authentication is on
>>> Auto logon only in Intranet Zone is on
>>>
>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>
>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>
>>> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
>>>
>>> Java kinit test works and stores a ticket in the Java session cache.
>>>
>>> So problem seems to be either :-
>>> 1. Browser sends bad token
>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>
>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines). I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.
>>
>>> many thanks
>>> David
>>>
>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>> From: a...@ice-sa.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> David Marsh wrote:
>>>>> Hi Mark,
>>>>>
>>>>> Thanks that would be great !
>>>>>
>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>>
>>>> I believe that I can answer that. And the basic answer is no.
>>>>
>>>> First the basic principle, valid for this and many many other areas : the server cannot impose anything on the browser. The local user can always override anything received from the server, by a setting in the browser. And a hacker can of course do anything. All the server can do, is tell the browser what it will accept, and the browser can tell the server ditto. So, never assume the opposite, and you will save yourself a lot of fruitless searches and dead-ends.
>>>>
>>>> Now more specific :
>>>>
>>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401 response with Negotiate as the requested authentication method. Unless it does that, the browser will never even attempt to send a Kerberos Authorization back.
>>>>
>>>> 2) for the browser to consider returning a Kerberos Authorization header to the server, additional conditions depend on the browser.
>>>>
>>>> For IE :
>>>> a) the enable Windows Integrated Authentication setting must be on (checked), whether this is done locally by the user, or part of the standard IE settings company-wide, or imposed by some network policy at corporate level.
>>>> b) the server to which the browser is talking, must be known to IE as either
>>>> - part of the Intranet
>>>> - or at least a trusted server
>>>> That is defined in IE's security zones (which again can be local, or corporation-wide).
>>>>
>>>> If condition (a) is not met, when the server sends a 401 Negotiate, IE will fall back to NTLM, always. And there is nothing you can do about that at the server level. (Funnily enough, disabling the enable Windows Integrated Authentication at the IE level, has the effect of disabling Kerberos, but not NTLM).
>>>>
>>>> If condition (b
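The question quoted above (is what reaches Tomcat a Kerberos/SPNEGO token or an NTLM one, and why does the JDK report "GSSHeader did not find the right tag") can be answered from the server side by inspecting the Authorization: Negotiate value before the GSS-API sees it. The following is an added example, not code from the thread or from Tomcat: it checks for the RFC 2743 InitialContextToken framing (application tag 0x60, DER length, mechanism OID) the way the JDK's GSSHeader does, recognises a bare NTLMSSP message, and flags a token whose declared length does not match what arrived. All sample headers are constructed; MECH_OIDS, classify_negotiate_token and the helper names are this example's own.

```python
import base64
import binascii

# Mechanism OIDs that may open the GSS-API InitialContextToken in an HTTP
# "Authorization: Negotiate" header (RFC 4178 SPNEGO, RFC 4121 Kerberos).
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}

def _der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear: last base-128 digit of this arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def classify_negotiate_token(header_value):
    """Classify an Authorization value: not-negotiate, undecodable, NTLM, defective or GSS."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "undecodable", "scheme": scheme}
    # A browser that fell back to NTLM sends a bare NTLMSSP message here.
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else None
        return {"kind": "NTLM", "ntlm_message_type": msg_type}
    # RFC 2743 3.1: InitialContextToken = [APPLICATION 0] tag 0x60, DER length,
    # mechanism OID, then the mechanism's own inner token.
    if not raw or raw[0] != 0x60:
        return {"kind": "defective", "reason": "GSS header tag 0x60 not found"}
    try:
        declared, body_start = _der_length(raw, 1)
        if raw[body_start] != 0x06:
            return {"kind": "defective", "reason": "no OID after GSS header"}
        oid_len, oid_start = _der_length(raw, body_start + 1)
        oid = _decode_oid(raw[oid_start:oid_start + oid_len])
    except (IndexError, ValueError) as exc:
        return {"kind": "defective", "reason": str(exc)}
    actual = len(raw) - body_start
    return {
        "kind": "GSS",
        "mech_oid": oid,
        "mech": MECH_OIDS.get(oid, "unknown mechanism"),
        "declared_length": declared,
        "actual_length": actual,
        "length_ok": declared == actual,
    }

def _negotiate(token_bytes):
    """Header value for raw token bytes (used to build the samples below)."""
    return "Negotiate " + base64.b64encode(token_bytes).decode("ascii")

# Constructed sample headers, not captured from the thread; the bytes after
# the mechanism OID are placeholders that are enough to exercise the parser.
SPNEGO_OID_TLV = bytes([0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02])
KRB5_OID_TLV = bytes([0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x02])
SAMPLE_HEADERS = {
    # tag 0x60, length 12, SPNEGO OID, then an empty NegTokenInit placeholder
    "spnego": _negotiate(b"\x60\x0c" + SPNEGO_OID_TLV + b"\xa0\x02\x30\x00"),
    # tag 0x60, length 13, Kerberos OID, then the RFC 4121 AP-REQ TOK_ID 01 00
    "kerberos": _negotiate(b"\x60\x0d" + KRB5_OID_TLV + b"\x01\x00"),
    # NTLMSSP signature, message type 1 (NEGOTIATE), made-up flags and padding
    "ntlm": _negotiate(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(20)),
    # declares 32 bytes but only the OID follows: a cut-off token
    "truncated": _negotiate(b"\x60\x20" + SPNEGO_OID_TLV),
    # valid base64, but the bytes are not a GSS token at all
    "garbage": "Negotiate YWJj",
}

def classify_samples():
    """Classify every constructed sample header; returns {name: result}."""
    return {name: classify_negotiate_token(h) for name, h in SAMPLE_HEADERS.items()}
```

Logging the result of this check next to Tomcat's "Defective token detected" message tells you whether the browser fell back to NTLM, sent a cut-off token, or sent a well-framed SPNEGO token that the JDK itself rejects.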
Re: SPNEGO test configuration with Manager webapp
On 28/03/2015 14:43, David Marsh wrote:
> Ok so I went back to basics and created three new VM's.
>
> Windows Server 2008 R2
> Windows 7 Client
> Windows 7 Tomcat
>
> I still had same issues, until I changed the Java on the tomcat server to JDK 7 u45.
> It appears there are breaking changes to JAAS/GSS in newer JDKs ?

Thank you for doing all this testing. That is useful information to know.

The next step (for you, me or anyone who has the time and wants to help) is to test subsequent Java 7 releases and see at which version it stops working. I'd hope that a review of the relevant change log would identify the change that triggered the breakage and provide some clues on how to fix it. It would be worth testing the Java 8 releases the same way.

Mark

> David
>
>> From: dmars...@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Fri, 27 Mar 2015 23:40:06 +
>>
>> By the way Tomcat 8 was running on JDK :-
>>
>> C:\Windows\system32>java -version
>> java version "1.8.0_40"
>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>
>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>>
>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>> I get the same three 401's and the Negotiate.
>>
>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>> From: a...@ice-sa.com
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> David Marsh wrote:
>>>> Hi Mark,
>>>>
>>>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not kerberos or Active Directory expert. I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
RE: SPNEGO test configuration with Manager webapp
By the way Tomcat 8 was running on JDK :-

C:\Windows\system32>java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.

I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
I get the same three 401's and the Negotiate.

> Date: Thu, 26 Mar 2015 12:11:34 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>>
>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not kerberos or Active Directory expert. I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>
>> I made the IE settings you outlined but it seems to still prompt.
>> IE has win-tc01.kerbtest.local as a trusted site.
>> Enable Windows Integrated Authentication is on
>> Auto logon only in Intranet Zone is on
>>
>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>
>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
>> Java kinit test works and stores a ticket in the Java session cache.
>>
>> So problem seems to be either :-
>> 1. Browser sends bad token
>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>
> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines). I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.
>
>> many thanks
>>
>> David
>>
>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>> From: a...@ice-sa.com
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> David Marsh wrote:
>>>> Hi Mark,
>>>> Thanks that would be great !
>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>
>>> I believe that I can answer that. And the basic answer is no.
>>>
>>> First the basic principle, valid for this and many many other areas : the server cannot impose anything on the browser. The local user can always override anything received from the server, by a setting in the browser. And a hacker can of course do anything. All the server can do, is tell the browser what it will accept, and the browser can tell the server ditto. So, never assume the opposite, and you will save yourself a lot of fruitless searches and dead-ends.
>>>
>>> Now more specific :
>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401 response with Negotiate as the requested authentication method. Unless it does that, the browser will never even attempt to send a Kerberos Authorization back.
>>> 2) for the browser to consider returning a Kerberos Authorization header to the server, additional conditions depend on the browser.
Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
> Hi Mark,
> Thanks that would be great !
> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?

I believe that I can answer that. And the basic answer is no.

First the basic principle, valid for this and many many other areas : the server cannot impose anything on the browser. The local user can always override anything received from the server, by a setting in the browser. And a hacker can of course do anything. All the server can do, is tell the browser what it will accept, and the browser can tell the server ditto. So, never assume the opposite, and you will save yourself a lot of fruitless searches and dead-ends.

Now more specific :

1) For Kerberos to be used at all at the browser level, the server must send a 401 response with Negotiate as the requested authentication method. Unless it does that, the browser will never even attempt to send a Kerberos Authorization back.

2) for the browser to consider returning a Kerberos Authorization header to the server, additional conditions depend on the browser.

For IE :
a) the enable Windows Integrated Authentication setting must be on (checked), whether this is done locally by the user, or part of the standard IE settings company-wide, or imposed by some network policy at corporate level.
b) the server to which the browser is talking, must be known to IE as either
   - part of the Intranet
   - or at least a trusted server
   That is defined in IE's security zones (which again can be local, or corporation-wide).

If condition (a) is not met, when the server sends a 401 Negotiate, IE will fall back to NTLM, always. And there is nothing you can do about that at the server level. (Funnily enough, disabling the enable Windows Integrated Authentication at the IE level, has the effect of disabling Kerberos, but not NTLM).

If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall back to Basic authentication, if its other settings allow that. That's when you see the browser popup login dialog; and in an SSO context, this is a sure sign that something isn't working as expected.

Some authentication modules, at the server level, are able to adapt to what the browser sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server. I do not know about the SPNEGO thing in Tomcat (from the name, it should). The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works under both Windows and Linux.

And finally, about your problems : it seems that you have fallen in a very specific kind of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using Windows Kerberos libraries and encryption method choices and hostname formats etc..), from a Java JVM-based client (in this case the Tomcat server, whatever its underlying platform is), which is using Java Kerberos libraries and encryption method choices etc... And it seems that between this Java Kerberos part and the Windows Kerberos part, there are a number of areas of mutual incomprehension (such as which key encryption methods they each implement, or which ones are the default ones for each). And I am sure that the issue can be resolved. But it is probably a question of finding out which among the 25 or more settings one can alter on each side, overlap and either agree or contradict each other.

One underlying issue is that, as well in corporations as on the WWW, the Windows people and the Linux people tend to be 2 separate groups. If you ask the Windows people how to set this up, they will tell you just do this and it works (assuming that all the moving parts are Windows-based); and if you ask the Linux people, they will tell you just do this and it works (assuming that all the moving parts are Linux-based). And there are very few people (and web pages) which span both worlds with their various combinations.

> David
>
>> Date: Thu, 26 Mar 2015 09:00:22 +
>> From: ma...@apache.org
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> On 26/03/2015 00:36, David Marsh wrote:
>>> Still getting :-
>>>
>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>
>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>
>>> Does Tomcat 8 work with NegoEx ?
>>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>>
>> My test environment is Windows 2008 R2 server and Windows 7. It is certainly possible security has been tightened between those versions and 2012/R2 + 8 that means things don't work by default with Java.
>>
>> I'll see if I can find some time in the next few weeks to update my test environment and do some more testing.
>>
>> Mark
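André's point that only the browser decides between Kerberos and NTLM leaves the server one diagnostic: look at what actually arrived. The following is an added example (not code from the thread, from Tomcat or from any poster) that decodes an Authorization: Negotiate header value and reports whether it carries SPNEGO (and which mechanisms it offers), raw NTLM, or a blob without the GSS-API framing that Java's GSSHeader expects; the sample headers are constructed, not captured.

```python
# Added example for this thread, not code from Tomcat or from any poster: decode what the
# browser really put in "Authorization: Negotiate <base64>", to tell SPNEGO-wrapped Kerberos
# from an NTLM fallback. The outer framing checked here (tag 0x60, DER length, mechanism OID;
# RFC 2743 section 3.1) is what Java's GSSHeader parses. Every sample header is constructed.
import base64

OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
        "1.2.840.48018.1.2.2": "MS-KRB5", "1.3.6.1.4.1.311.2.2.30": "NegoEx",
        "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
KERBEROS_OIDS = ("1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2")

def tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next position)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def der_oid(body):
    """Dotted form of a DER OID value (the bytes after tag and length)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def spnego_mech_types(body):
    """Mechanism OIDs a NegTokenInit offers, in the client's order of preference."""
    tag, neg_init, _ = tlv(body, 0)            # [0] NegTokenInit
    if tag != 0xA0:
        return []
    _, seq, _ = tlv(neg_init, 0)               # SEQUENCE { [0] mechTypes, ... [2] mechToken }
    tag, ctx0, _ = tlv(seq, 0)
    if tag != 0xA0:
        return []
    _, mech_seq, _ = tlv(ctx0, 0)              # SEQUENCE OF MechType (OID)
    pos, mechs = 0, []
    while pos < len(mech_seq):
        tag, oid, pos = tlv(mech_seq, pos)
        if tag == 0x06:
            mechs.append(der_oid(oid))
    return mechs

def classify_negotiate(header_value):
    """Describe the token carried by an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):       # raw NTLM: the IE fallback described above
        return {"kind": "NTLM", "message_type": int.from_bytes(token[8:12], "little")}
    if token[:1] != b"\x60":                   # no GSS-API framing: what Java calls defective
        return {"kind": "defective", "reason": "outer tag 0x%02x is not 0x60" % token[0]}
    _, inner, _ = tlv(token, 0)
    tag, oid, pos = tlv(inner, 0)
    if tag != 0x06:
        return {"kind": "defective", "reason": "no mechanism OID after the GSS header"}
    mech = der_oid(oid)
    result = {"kind": OIDS.get(mech, "unknown"), "mech_oid": mech}
    if mech == "1.3.6.1.5.5.2":
        offered = spnego_mech_types(inner[pos:])
        result["offered"] = [OIDS.get(o, o) for o in offered]
        result["kerberos_offered"] = any(o in KERBEROS_OIDS for o in offered)
    return result

# Minimal DER encoder, used only to build the constructed sample tokens below.
def der(tag, body):
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def build_spnego_init(mechs, mech_token=b"\x60\x00"):
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mechs)))
    return der(0x60, encode_oid("1.3.6.1.5.5.2") +
               der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))))

def to_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# What a domain-joined Windows client typically offers: MS-KRB5, Kerberos, NegoEx, NTLMSSP.
SAMPLE_SPNEGO = to_header(build_spnego_init(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
                                             "1.3.6.1.4.1.311.2.2.30", "1.3.6.1.4.1.311.2.2.10"]))
SAMPLE_NTLM = to_header(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24))  # NTLM Type 1
SAMPLE_DEFECTIVE = to_header(b"\x30\x03\x02\x01\x05")  # a blob with no GSS-API framing at all
```

Run it over the header value copied from a browser capture or from the Tomcat request dump; a "NTLM" result means the browser never attempted Kerberos, while "defective" points at framing the JDK cannot parse rather than at the KDC.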
Re: SPNEGO test configuration with Manager webapp
On 26/03/2015 00:36, David Marsh wrote:
> Still getting :-
>
> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>
> Folks here mention lack of NegoEx support or bugs in GSS-API ?
> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>
> Does Tomcat 8 work with NegoEx ?
> Are Windows 8.1 and Windows Server 2012 RC2 supported ?

My test environment is Windows 2008 R2 server and Windows 7. It is certainly possible security has been tightened between those versions and 2012/R2 + 8 that means things don't work by default with Java.

I'll see if I can find some time in the next few weeks to update my test environment and do some more testing.

Mark
RE: SPNEGO test configuration with Manager webapp
Hi Mark,

Thanks that would be great !

Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?

David

> Date: Thu, 26 Mar 2015 09:00:22 +
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 26/03/2015 00:36, David Marsh wrote:
>> Still getting :-
>>
>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>
>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>
>> Does Tomcat 8 work with NegoEx ?
>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>
> My test environment is Windows 2008 R2 server and Windows 7. It is certainly possible security has been tightened between those versions and 2012/R2 + 8 that means things don't work by default with Java.
>
> I'll see if I can find some time in the next few weeks to update my test environment and do some more testing.
>
> Mark
RE: SPNEGO test configuration with Manager webapp
Hi Mark,

Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not kerberos or Active Directory expert. I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.

I made the IE settings you outlined but it seems to still prompt.
IE has win-tc01.kerbtest.local as a trusted site.
Enable Windows Integrated Authentication is on
Auto logon only in Intranet Zone is on

I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.

Active directory and krb5.ini are using eType 23 which is rc4-hmac
The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
Java kinit test works and stores a ticket in the Java session cache.

So problem seems to be either :-
1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it

many thanks

David

> Date: Thu, 26 Mar 2015 11:32:39 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>> Thanks that would be great !
>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>
> I believe that I can answer that. And the basic answer is no.
>
> First the basic principle, valid for this and many many other areas : the server cannot impose anything on the browser. The local user can always override anything received from the server, by a setting in the browser. And a hacker can of course do anything. All the server can do, is tell the browser what it will accept, and the browser can tell the server ditto. So, never assume the opposite, and you will save yourself a lot of fruitless searches and dead-ends.
Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
> Hi Mark,
>
> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise. I'm a Java / Windows programmer so I should be able to understand it, but not kerberos or Active Directory expert. I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>
> I made the IE settings you outlined but it seems to still prompt.
> IE has win-tc01.kerbtest.local as a trusted site.
> Enable Windows Integrated Authentication is on
> Auto logon only in Intranet Zone is on
>
> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>
> Active directory and krb5.ini are using eType 23 which is rc4-hmac
> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
> Java kinit test works and stores a ticket in the Java session cache.
>
> So problem seems to be either :-
> 1. Browser sends bad token
> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it

Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines). I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.

> many thanks
>
> David
>
>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>> From: a...@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> David Marsh wrote:
>>> Hi Mark,
>>> Thanks that would be great !
>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>
>> I believe that I can answer that. And the basic answer is no.
Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
> Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, still same symptoms.
>
> Ran klist on client after firefox test and the three 401 responses. :-
>
> C:\Users\test.KERBTEST.000>klist
>
> Current LogonId is 0:0x2fd7a
>
> Cached Tickets: (2)
>
> #0     Client: test @ KERBTEST.LOCAL
>        Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>        Ticket Flags 0x40e1 -> forwardable renewable initial pre_authent name_canonicalize
>        Start Time: 3/25/2015 14:46:43 (local)
>        End Time:   3/26/2015 0:46:43 (local)
>        Renew Time: 4/1/2015 14:46:43 (local)
>        Session Key Type: AES-256-CTS-HMAC-SHA1-96
>        Cache Flags: 0x1 -> PRIMARY
>        Kdc Called: 192.168.0.200
>
> #1     Client: test @ KERBTEST.LOCAL
>        Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>        Ticket Flags 0x40a1 -> forwardable renewable pre_authent name_canonicalize
>        Start Time: 3/25/2015 14:51:21 (local)
>        End Time:   3/26/2015 0:46:43 (local)
>        Renew Time: 4/1/2015 14:46:43 (local)
>        Session Key Type: RSADSI RC4-HMAC(NT)
>        Cache Flags: 0
>        Kdc Called: 192.168.0.200
>
> Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
> If I have ticket why do I get 401 ?

Maybe because these things come from 2 different places ?
- ticket # 0 is a general ticket-granting ticket (krbtgt) obtained by the client directly from the KDC
- ticket # 1 is a ticket to access HTTP/Tomcat, obtained by the client directly from the KDC (after presenting his ticket-granting ticket)
- the 401 response is a response from Tomcat, when the client tries to access it by presenting his HTTP/Tomcat ticket

So the problem could be that Tomcat is unable to validate the client ticket, for some reason proper to Tomcat itself, not to the client ticket per se (which is probably valid).

Again, in your (presumably Tomcat) Kerberos log, it looked as if Tomcat was having trouble pre-authenticating itself, whatever that means. Maybe such a successful pre-authentication is a pre-requisite for Tomcat to be able to recognise client tickets to itself ?

>> Date: Tue, 24 Mar 2015 22:46:15 +
>> From: ma...@apache.org
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> On 24/03/2015 20:47, David Marsh wrote:
>>> Hi Felix,
>>>
>>> Thanks for your help!
>>>
>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service ?
>>>
>>> I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status.
>>>
>>> I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.
>>
>> I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.
>>
>> Mark
>>
>>> David
>>>
>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>> From: felix.schumac...@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>> Everything is as described and still not working, except the jaas.conf is :-
>>>>>
>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>     doNotPrompt=true
>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>     useKeyTab=true
>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>     storeKey=true;
>>>>> };
>>>>>
>>>>> com.sun.security.jgss.krb5.accept {
>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>     doNotPrompt=true
>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>     useKeyTab=true
>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>     storeKey=true;
>>>>> };
>>>>
>>>> In other words the principal is the tomcat server as it should be.
RE: SPNEGO test configuration with Manager webapp
Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, still same symptoms.

Ran klist on client after Firefox test and the three 401 responses:

    C:\Users\test.KERBTEST.000>klist

    Current LogonId is 0:0x2fd7a

    Cached Tickets: (2)

    #0>     Client: test @ KERBTEST.LOCAL
            Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
            KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
            Ticket Flags 0x40e1 -> forwardable renewable initial pre_authent name_canonicalize
            Start Time: 3/25/2015 14:46:43 (local)
            End Time:   3/26/2015 0:46:43 (local)
            Renew Time: 4/1/2015 14:46:43 (local)
            Session Key Type: AES-256-CTS-HMAC-SHA1-96
            Cache Flags: 0x1 -> PRIMARY
            Kdc Called: 192.168.0.200

    #1>     Client: test @ KERBTEST.LOCAL
            Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
            KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
            Ticket Flags 0x40a1 -> forwardable renewable pre_authent name_canonicalize
            Start Time: 3/25/2015 14:51:21 (local)
            End Time:   3/26/2015 0:46:43 (local)
            Renew Time: 4/1/2015 14:46:43 (local)
            Session Key Type: RSADSI RC4-HMAC(NT)
            Cache Flags: 0
            Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL? If I have a ticket, why do I get 401?

Date: Tue, 24 Mar 2015 22:46:15 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,

Thanks for your help!

I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat; not sure the settings get picked up by the Windows service?

I do not think authentication completes; certainly authorization does not, as I can't see the site and get 401 HTTP status. I have not configured a Tomcat realm, but I have put the test user in a manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.

Mark

David

Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:25, David Marsh wrote:
Everything is as described and still not working, except the jaas.conf is:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
        useKeyTab=true
        keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
        useKeyTab=true
        keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
        storeKey=true;
    };

In other words, the principal is the Tomcat server, as it should be.

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs:
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain, kerbtest.local; they are logged in with domain logins. The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website.

jaas.conf

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
        useKeyTab=true
        keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
        useKeyTab=true
        keyTab=C:/Program Files/Apache Software Foundation
RE: SPNEGO test configuration with Manager webapp
On 25.03.2015 16:09, David Marsh wrote:
Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, still same symptoms.

Ran klist on client after Firefox test and the three 401 responses:
[...]
Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL? If I have a ticket, why do I get 401?

Your client has got a service ticket for HTTP/win-tc01... This is used by Firefox for authentication. Firefox transmits this service ticket to the server (base64 encoded in the WWW-Authenticate header). Your server has to decrypt this ticket using its own ticket to get at the user information. This is where your problems arise. It looks like your server has trouble getting its own ticket.

Are you sure that the password you used for keytab generation (on the server side) is correct? ktpass will probably accept any input as a password. Maybe you can check the keytab by using kinit (though I don't know if it exists for Windows, or how the Java one is used).
Felix
RE: SPNEGO test configuration with Manager webapp
Subject
    25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

Date: Wed, 25 Mar 2015 16:48:10 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp

On 25.03.2015 16:09, David Marsh wrote:
[...]
RE: SPNEGO test configuration with Manager webapp
Java's version of kinit seems to report an issue?

    C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>C:\Program Files\Java\jdk1.8.0_40\bin\kinit -t -k c:\keytab\tomcat.keytab
    Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
    KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
            at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
            at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
            at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
            at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
            at sun.security.krb5.internal.tools.Kinit.init(Kinit.java:219)
            at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +

It's possible, I guess, although I would not expect that.

The test is:

Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy; it's all in VMware Workstation 10 using the Vmnet01 virtual network.

Firefox has three 401 responses with headers Authorization and WWW-Authenticate:

1: Response
    WWW-Authenticate: Negotiate

2: Request
    Authorization: Negotiate [base64 token elided]
   Response
    WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3: Request
    Authorization: Negotiate [base64 token elided]
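The three-step exchange above is easier to read once the Negotiate values are decoded: the client's first token lists the mechanisms it offers and carries the Kerberos AP-REQ, and the server's reply says which mechanism it picked and whether it is done. The decoder below is an added example for this thread, not JDK, Tomcat or Firefox code; the server token is the WWW-Authenticate value quoted above, while the client token is constructed here (the real one is too long for a mail) using the four mechanism OIDs that the thread's second-step Authorization token begins with and a placeholder mechToken.

```python
"""Decode SPNEGO (RFC 4178) Negotiate tokens from HTTP Authorization /
WWW-Authenticate headers: which mechanisms the client offered, which one
the server picked, and whether the exchange is still incomplete."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KNOWN_MECHS = {
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):                    # e.g. a token cut off when pasted into a mail
        raise ValueError("truncated token: need %d bytes, have %d" % (end, len(buf)))
    return tag, buf[pos:end], end

def decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_negotiate(b64):
    """Parse the base64 value after 'Negotiate ' into a dict describing the token."""
    token = base64.b64decode(b64)
    tag, body, _ = read_tlv(token, 0)
    if tag == 0x60:                       # GSS-API InitialContextToken: client -> server
        oid_tag, oid_raw, pos = read_tlv(body, 0)
        if oid_tag != 0x06 or decode_oid(oid_raw) != SPNEGO_OID:
            raise ValueError("not a SPNEGO token")
        tag, init, _ = read_tlv(body, pos)
        if tag != 0xA0:
            raise ValueError("expected [0] NegTokenInit")
        return _parse_init(init)
    if tag == 0xA1:                       # [1] NegTokenResp: server -> client
        return _parse_resp(body)
    raise ValueError("unknown outer tag 0x%02x" % tag)

def _parse_init(ctx):
    _, seq, _ = read_tlv(ctx, 0)          # NegTokenInit ::= SEQUENCE
    out, pos = {"type": "NegTokenInit", "mechTypes": [], "mechToken_len": 0}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                   # [0] mechTypes: SEQUENCE OF OID, preferred first
            _, lst, _ = read_tlv(val, 0)
            p = 0
            while p < len(lst):
                _, oid_raw, p = read_tlv(lst, p)
                oid = decode_oid(oid_raw)
                out["mechTypes"].append((oid, KNOWN_MECHS.get(oid, "unknown")))
        elif tag == 0xA2:                 # [2] mechToken: the first mechanism's own token
            _, tok, _ = read_tlv(val, 0)  # (for Kerberos: the AP-REQ carrying the service ticket)
            out["mechToken_len"] = len(tok)
    return out

def _parse_resp(ctx):
    _, seq, _ = read_tlv(ctx, 0)          # NegTokenResp ::= SEQUENCE
    out, pos = {"type": "NegTokenResp"}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                   # [0] negState ENUMERATED
            _, st, _ = read_tlv(val, 0)
            out["negState"] = NEG_STATES.get(st[0], "unknown(%d)" % st[0])
        elif tag == 0xA1:                 # [1] supportedMech: the mechanism the server chose
            _, oid_raw, _ = read_tlv(val, 0)
            oid = decode_oid(oid_raw)
            out["supportedMech"] = (oid, KNOWN_MECHS.get(oid, "unknown"))
    return out

SERVER_TOKEN = "oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="   # the WWW-Authenticate value from the thread
# Constructed client token: the four mechanism OIDs the thread's token begins with, dummy mechToken.
SAMPLE_INIT = base64.b64encode(bytes.fromhex(
    "6046" "06062b0601050502"            # InitialContextToken + SPNEGO OID 1.3.6.1.5.5.2
    "a03c" "303a"                        # [0] NegTokenInit ::= SEQUENCE
    "a030" "302e"                        # [0] mechTypes: SEQUENCE OF OID
    "06092a864882f712010202"             # 1.2.840.48018.1.2.2    MS KRB5
    "06092a864886f712010202"             # 1.2.840.113554.1.2.2   Kerberos V5
    "060a2b06010401823702021e"           # 1.3.6.1.4.1.311.2.2.30 NEGOEX
    "060a2b06010401823702020a"           # 1.3.6.1.4.1.311.2.2.10 NTLMSSP
    "a206" "0404deadbeef"                # [2] mechToken: placeholder bytes
)).decode()

if __name__ == "__main__":
    print(parse_negotiate(SAMPLE_INIT))
    print(parse_negotiate(SERVER_TOKEN))
```

For the thread's server token this yields negState accept-incomplete with supportedMech Kerberos V5, i.e. the server chose Kerberos but did not finish, which is consistent with it failing to use its own keytab rather than rejecting the mechanism.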
Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
Java's version of kinit seems to report an issue?

    C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>C:\Program Files\Java\jdk1.8.0_40\bin\kinit -t -k c:\keytab\tomcat.keytab
    Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
    KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
    [...]

That seems to indicate that between the Java Kerberos module in Tomcat and the KDC's Kerberos software there is a mismatch in the types of keys used (type of encryption), so they do not understand each other.

This may be relevant: https://community.igniterealtime.org/thread/49913

It is also a bit strange that it says "only have keys of following type:" (with nothing behind the colon).

From what I keep browsing on the WWW, it also seems that the types of key encryption that might match between Java Kerberos and Windows Kerberos depend on the versions of both Java and Windows Server.

Man, this thing is really a nightmare, isn't it?

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +

It's possible, I guess, although I would not expect that.
[...]
Re: SPNEGO test configuration with Manager webapp
Felix Schumacher wrote:
On 25.03.2015 at 20:19, André Warnier wrote:
David Marsh wrote:
Java's version of kinit seems to report an issue?
[...]
That seems to indicate that between the Java Kerberos module in Tomcat and the KDC's Kerberos software there is a mismatch in the types of keys used (type of encryption), so they do not understand each other.

This may be relevant: https://community.igniterealtime.org/thread/49913
[...]
From what I keep browsing on the WWW, it also seems that the types of key encryption that might match between Java Kerberos and Windows Kerberos depend on the versions of both Java and Windows Server.

+1 (read your answer too late, I found the same link and posted it :)

Man, this thing is really a nightmare, isn't it?

I especially like the error messages.

Yes, and the thing is: there are a lot of pages on the WWW that describe the correct procedure, step by step, some even with screenshots etc. But they always leave something out, and you don't know what they left out.
Felix
RE: SPNEGO test configuration with Manager webapp
    =3, number of retries =3, #bytes=305
    KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=305
    KrbKdcReq send: #bytes read=180
    Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    KdcAccessibility: remove win-dc01.kerbtest.local:88
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:
         sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
         suSec is 600802
         error code is 24
         error Message is Pre-authentication information was invalid
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
    Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
    KrbException: Pre-authentication information was invalid (24)
            at sun.security.krb5.KrbAsRep.init(Unknown Source)
            at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
            at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
            at sun.security.krb5.internal.tools.Kinit.init(Unknown Source)
            at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.ASRep.init(Unknown Source)
            at sun.security.krb5.internal.ASRep.init(Unknown Source)
            ... 5 more

Date: Wed, 25 Mar 2015 22:00:13 +0100
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

Felix Schumacher wrote:
On 25.03.2015 at 20:19, André Warnier wrote:
David Marsh wrote:
Java's version of kinit seems to report an issue?
[...]
Re: SPNEGO test configuration with Manager webapp
On 25.03.2015 at 18:29, David Marsh wrote:
Java's version of kinit seems to report an issue?

C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>C:\Program Files\Java\jdk1.8.0_40\bin\kinit -t -k c:\keytab\tomcat.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAs ReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.init(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Could it be that you have to enable DES in the AD (see a similar problem described at https://community.igniterealtime.org/thread/49913)? Alternatively you could try to remove the enctype references from your krb5.ini and/or add -crypto DES-CBC-CRC to the ktpass call (as in https://community.oracle.com/thread/1527560).

Felix

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +

It's possible I guess, although I would not expect that.

The test is:

Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.

Firefox has three 401 responses with headers Authorization and WWW-Authenticate:

1: Response
WWW-Authenticate: Negotiate

2: Request
Authorization: Negotiate [...]

Response
WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3: Request
Authorization: Negotiate oYIGGTCCBhWgAwoBAaKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACCjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw
Re: SPNEGO test configuration with Manager webapp
On 25.03.2015 at 20:19, André Warnier wrote:
David Marsh wrote:
Java's version of kinit seems to report an issue?

C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>C:\Program Files\Java\jdk1.8.0_40\bin\kinit -t -k c:\keytab\tomcat.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.init(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

That seems to indicate that between the Java Kerberos module in Tomcat, and the KDC's Kerberos software, there is a mismatch in the types of keys used (type of encryption), so they do not understand each other.
This may be relevant: https://community.igniterealtime.org/thread/49913
It is also a bit strange that it says: "only have keys of following type:" (with nothing behind the ":"...)
From what I keep browsing on the WWW, it also seems that the types of key encryptions that might match between Java Kerberos and Windows Kerberos depend on the versions of both Java and Windows Server...

+1 (read your answer too late, I found the same link and posted it :)

Man, this thing is really a nightmare, isn't it?

I especially like the error messages.

Felix

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +

It's possible I guess, although I would not expect that.

The test is:

Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.

Firefox has three 401 responses with headers Authorization and WWW-Authenticate:

1: Response
WWW-Authenticate: Negotiate

2: Request
Authorization: Negotiate YIIGUgYGKwYBBQUCoIIGRjCCBkKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACCjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxD [...] muJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4=

Response
WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3: Request
Authorization: Negotiate oYIGGTCCBhWgAwoBAaKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACCjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr
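The three 401 round trips quoted in this message are easier to reason about once the Negotiate header values are decoded. The Python script below is an added example and is not code from the thread, from Tomcat or from the JDK: it parses the DER of a Negotiate token just far enough to tell a GSS-API InitialContextToken (tag 0x60, with its mechanism OID and, for Kerberos, the two-byte TOK_ID) from a SPNEGO NegTokenResp (tag 0xA1, with negState and supportedMech). The sample inputs are the server's complete reply and the first 132 and 56 base64 characters of the two client tokens exactly as they appear in the thread; the truncation is the thread's, which is why the parser does not enforce declared lengths. The OID name table and the function names are the example's own.

```python
"""Decode the Negotiate header values of a SPNEGO round trip (added example)."""
import base64

# Mechanism OIDs from RFC 4178, RFC 4121 and MS-SPNG; the name table is the example's
OID_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}

# Sample inputs: the server reply in full, and prefixes of the two client
# tokens as quoted in the thread (truncated there, so declared lengths exceed
# what is available and the parser must tolerate that).
SERVER_TOKEN = "Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
CLIENT_TOKEN_1 = ("Negotiate YIIGUgYGKwYBBQUCoIIGRjCCBkKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK"
                  "KwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXz")
CLIENT_TOKEN_2 = "Negotiate oYIGGTCCBhWgAwoBAaKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXz"


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos. Returns (tag, value, next_pos,
    declared_length); the value is cut short when the buffer is truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated before tag/length at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = min(pos + length, len(buf))
    return tag, buf[pos:end], end, length


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def mech_name(oid):
    return OID_NAMES.get(oid, oid)


def describe_gss_token(buf):
    """Mechanism of a bare InitialContextToken (0x60) and, for Kerberos, its TOK_ID."""
    tag, body, _, _ = read_tlv(buf, 0)
    if tag != 0x60:
        return {"tag": hex(tag)}
    _, oid, pos, _ = read_tlv(body, 0)
    info = {"mech": mech_name(decode_oid(oid))}
    if info["mech"] in ("KRB5", "MS-KRB5") and len(body) >= pos + 2:
        info["tok_id"] = KRB5_TOK_IDS.get(body[pos:pos + 2], body[pos:pos + 2].hex())
    return info


def parse_negotiate(header_value):
    """Classify the value of an Authorization / WWW-Authenticate: Negotiate header."""
    b64 = header_value.split(None, 1)[1] if header_value.startswith("Negotiate") else header_value
    raw = base64.b64decode(b64)
    tag, body, _, declared = read_tlv(raw, 0)
    if tag == 0x60:                           # GSS-API InitialContextToken
        _, oid, pos, _ = read_tlv(body, 0)
        mech = mech_name(decode_oid(oid))
        info = {"kind": "InitialContextToken", "mech": mech, "declared_length": declared}
        if mech != "SPNEGO":
            return info
        _, init, _, _ = read_tlv(body, pos)   # [0] NegTokenInit
        _, seq, _, _ = read_tlv(init, 0)      # SEQUENCE of context-tagged fields
        info["kind"], p = "NegTokenInit", 0
        while p + 2 <= len(seq):
            t, v, p, _ = read_tlv(seq, p)
            if t == 0xA0:                     # mechTypes: SEQUENCE OF OID
                _, oids, _, _ = read_tlv(v, 0)
                q, names = 0, []
                while q + 2 <= len(oids):
                    _, o, q, _ = read_tlv(oids, q)
                    names.append(mech_name(decode_oid(o)))
                info["mechTypes"] = names
            elif t == 0xA2:                   # mechToken: OCTET STRING holding a GSS token
                info["mechToken"] = describe_gss_token(read_tlv(v, 0)[1])
        return info
    if tag == 0xA1:                           # [1] NegTokenResp
        _, seq, _, _ = read_tlv(body, 0)
        info, p = {"kind": "NegTokenResp"}, 0
        while p + 2 <= len(seq):
            t, v, p, _ = read_tlv(seq, p)
            if t == 0xA0:                     # negState ENUMERATED
                info["negState"] = NEG_STATES.get(read_tlv(v, 0)[1][0])
            elif t == 0xA1:                   # supportedMech OID
                info["supportedMech"] = mech_name(decode_oid(read_tlv(v, 0)[1]))
            elif t == 0xA2:                   # responseToken OCTET STRING
                info["responseToken"] = describe_gss_token(read_tlv(v, 0)[1])
        return info
    return {"kind": "unknown", "tag": hex(tag)}


if __name__ == "__main__":
    for label, token in (("request 2", CLIENT_TOKEN_1), ("response", SERVER_TOKEN), ("request 3", CLIENT_TOKEN_2)):
        print(label, parse_negotiate(token))
```

Run against the three values it reports that request 2 is a NegTokenInit offering MS-KRB5, KRB5, NegoEx and NTLMSSP and carrying a Kerberos AP-REQ as the optimistic mechToken; the server answers accept-incomplete with supportedMech KRB5; and request 3 is a NegTokenResp whose responseToken is the Kerberos AP-REQ again. That third token starts with 0xA1 rather than 0x60, which is the condition under which the JDK's GSSHeader parser raises "GSSHeader did not find the right tag", the message David reports in a later post on this page.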
RE: SPNEGO test configuration with Manager webapp
.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
New ticket is stored in cache file C:\Users\tc01.KERBTEST\krb5cc_tc01

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 22:26:22 +

Turns out to use the Java kinit I need a krb5.conf inside the jdk/jre lib/security folder.

Now I get:

C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Kinit using keytab
Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
Kinit realm name is KERBTEST.LOCAL
Creating KrbAsReq
KrbKdcReq local addresses for win-tc01 are:
        win-tc01/192.168.0.3 IPv4 address
        win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3 IPv6 address
KdcAccessibility: reset
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 70; type: 1
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 70; type: 3
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 23
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 94; type: 18
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=216
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=216
KrbKdcReq send: #bytes read=100
KdcAccessibility: remove win-dc01.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
  suSec is 681217
  error code is 6
  error Message is Client not found in Kerberos database
  sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
  msgType is 30
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.init(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.init(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        ... 5 more

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 21:19:30 +
RE: SPNEGO test configuration with Manager webapp
Turns out to use the Java kinit I need a krb5.conf inside the jdk/jre lib/security folder.

Now I get:

C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Kinit using keytab
Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
Kinit realm name is KERBTEST.LOCAL
Creating KrbAsReq
KrbKdcReq local addresses for win-tc01 are:
        win-tc01/192.168.0.3 IPv4 address
        win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3 IPv6 address
KdcAccessibility: reset
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 70; type: 1
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 70; type: 3
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 23
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 94; type: 18
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=216
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=216
KrbKdcReq send: #bytes read=100
KdcAccessibility: remove win-dc01.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
  suSec is 681217
  error code is 6
  error Message is Client not found in Kerberos database
  sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
  msgType is 30
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.init(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.init(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        ... 5 more

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 21:19:30 +

Thanks for all the help guys, I managed to find the correct way to call kinit for Java on windows:

I get the following:

C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pass
KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Kinit using keytab
Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found
Re: SPNEGO test configuration with Manager webapp
On 3/25/2015 2:19 PM, André Warnier wrote:
David Marsh wrote:
Java's version of kinit seems to report an issue?

C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>C:\Program Files\Java\jdk1.8.0_40\bin\kinit -t -k c:\keytab\tomcat.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.init(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

That seems to indicate that between the Java Kerberos module in Tomcat, and the KDC's Kerberos software, there is a mismatch in the types of keys used (type of encryption), so they do not understand each other.
This may be relevant: https://community.igniterealtime.org/thread/49913
It is also a bit strange that it says: "only have keys of following type:" (with nothing behind the ":"...)
From what I keep browsing on the WWW, it also seems that the types of key encryptions that might match between Java Kerberos and Windows Kerberos depend on the versions of both Java and Windows Server...

Man, this thing is really a nightmare, isn't it?

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +

It's possible I guess, although I would not expect that.

The test is:

Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.

Firefox has three 401 responses with headers Authorization and WWW-Authenticate:

1: Response
WWW-Authenticate: Negotiate

2: Request
Authorization: Negotiate [...] muJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4=

Response
WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3: Request
Authorization: Negotiate oYIGGTCCBhWgAwoBAaKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACCjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8
RE: SPNEGO test configuration with Manager webapp
Still getting:

java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Folks here mention lack of NegoEx support or bugs in GSS-API?

http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1

Does Tomcat 8 work with NegoEx? Is Windows 8.1 and Windows Server 2012 RC2 supported?

many thanks

David

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Thu, 26 Mar 2015 00:18:11 +

With the correct keytab and krb5.ini I can get kinit to pass... Still cannot get SPNEGO in tomcat to work, have the same 401 three times.

C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Kinit using keytab
Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: c:\windows\krb5.ini
Loaded from Java config
Kinit realm name is KERBTEST.LOCAL
Creating KrbAsReq
KrbKdcReq local addresses for win-tc01 are:
        win-tc01/192.168.0.3 IPv4 address
        win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3 IPv6 address
        win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5 IPv6 address
        win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc IPv6 address
KdcAccessibility: reset
KeyTabInputStream, readName(): KERBTEST.LOCAL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 70; type: 1
KeyTabInputStream, readName(): KERBTEST.LOCAL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 70; type: 3
KeyTabInputStream, readName(): KERBTEST.LOCAL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 23
KeyTabInputStream, readName(): KERBTEST.LOCAL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 94; type: 18
KeyTabInputStream, readName(): KERBTEST.LOCAL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, bytes=272
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt=1, bytes=272
KrbKdcReq send: bytes read=213
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KdcAccessibility: remove win-dc01.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Thu Mar 26 00:10:28 GMT 2015 1427328628000
  suSec is 635591
  error code is 25
  error Message is Additional pre-authentication required
  sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
  eData provided.
  msgType is 30
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, bytes=359
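The kinit runs quoted in this message print each keytab entry as "KeyTab: load() entry length: N; type: T", then say which of those keys the JDK will use ("Added key") and which it ignores ("Found unsupported keytype"); the earlier failure in the thread was "Do not have keys of types listed in default_tkt_enctypes available". The Python script below is an added example and is not part of the thread, of Tomcat or of the JDK: it writes and reads the MIT keytab format so those numbers can be checked offline. It builds a keytab for the thread's principal with one dummy key per enctype in the order the log shows (constructed key bytes, not real keys), parses it back, and redoes the checks behind the quoted messages. The set of key types treated as unsupported is an assumption read off the "Found unsupported keytype (3)/(1)" lines (single DES), and the realm check is informational only, since the quoted run found keys in a keytab whose realm was stored in lower case.

```python
"""Build and inspect an MIT-format keytab the way the JDK debug output reports it (added example)."""
import struct
import time

# Enctype numbers appearing in the thread's "KeyTab: load() ... type:" lines
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Assumption taken from the "Found unsupported keytype (3)/(1)" log lines:
# the JDK in the thread loads no single-DES keys from the keytab.
JDK_UNSUPPORTED = {1, 3}
KT_VNO = 0x0502  # keytab file format version

# Constructed sample: dummy key bytes of the right length for each enctype,
# in the order the quoted kinit output lists the entries.
SAMPLE_KEYS = {1: b"\x01" * 8, 3: b"\x03" * 8, 23: b"\x17" * 16, 18: b"\x12" * 32, 17: b"\x11" * 16}


def build_keytab(realm, components, kvno, keys):
    """Serialize one entry per enctype: int32 entry size, uint16 component count,
    counted realm and components, uint32 name type, uint32 timestamp, uint8 kvno,
    uint16 enctype, counted key."""
    def counted(s):
        return struct.pack(">H", len(s)) + s.encode()
    out = struct.pack(">H", KT_VNO)
    for etype, key in keys.items():
        body = struct.pack(">H", len(components)) + counted(realm)
        body += b"".join(counted(c) for c in components)
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # NT-PRINCIPAL
        body += struct.pack(">HH", etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out


def _counted(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """One dict per entry; entry_length is what the JDK prints as 'load() entry length'."""
    if struct.unpack(">H", data[:2])[0] != KT_VNO:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                        # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, _stamp, vno = struct.unpack(">IIB", data[pos:pos + 9])
        etype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        if end - pos >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack(">I", data[pos:pos + 4])
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "etype": etype, "key": key, "entry_length": size})
        pos = end
    return entries


def check_keytab(entries, expected_principal, default_tkt_enctypes):
    """Redo the checks behind the thread's messages: drop key types the JDK does
    not support, then require an enctype in common with default_tkt_enctypes.
    A realm spelled differently from krb5.ini is reported as a note only."""
    usable, ignored, notes, problems = [], [], [], []
    exp_name, exp_realm = expected_principal.rsplit("@", 1)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        if name != exp_name:
            continue                        # entries for other principals are irrelevant
        if realm != exp_realm and not notes:
            notes.append("keytab stores realm %r, krb5.ini uses %r" % (realm, exp_realm))
        (ignored if e["etype"] in JDK_UNSUPPORTED else usable).append(e["etype"])
    matching = [t for t in default_tkt_enctypes if t in usable]
    if not matching:
        problems.append("Do not have keys of types listed in default_tkt_enctypes available; "
                        "only have keys of following type: "
                        + " ".join(ENCTYPES.get(t, str(t)) for t in usable))
    return {"usable": usable, "ignored": ignored, "matching": matching,
            "notes": notes, "problems": problems}


if __name__ == "__main__":
    kt = build_keytab("kerbtest.local", ["HTTP", "win-tc01.kerbtest.local"], 5, SAMPLE_KEYS)
    entries = parse_keytab(kt)
    for e in entries:
        print("KeyTab: load() entry length: %d; type: %d (%s) kvno %d %s" % (
            e["entry_length"], e["etype"], ENCTYPES.get(e["etype"], "?"), e["kvno"], e["principal"]))
    print(check_keytab(entries, "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL", [23, 18, 17]))
```

With the thread's principal the entry lengths come out as 70, 70, 78, 94 and 78, the same figures the quoted log prints, which shows those lengths are just the fixed header plus an 8-byte DES, 16-byte RC4/AES-128 or 32-byte AES-256 key. A keytab holding only DES entries yields an empty match list and the same "Do not have keys..." text ending in a bare colon that André found odd.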
Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
Hello,

I'm trying to get SPNEGO authentication working with Tomcat 8. I've followed the guidelines on the website.

jaas.conf

com.sun.security.jgss.krb5.initiate {...};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local= KERBTEST.LOCAL
.kerbtest.local= KERBTEST.LOCAL

I want to use the tomcat manager app to test SPNEGO with Active Directory, Tomcat is currently installed on the domain controller.

And that may well be the problem.

It seems like authentication is never completed as in the browser

(which is where? also on the same host? what browser are you using?)
(if it is IE: does it have "enable Windows Integrated Authentication" checked? and is the tomcat server recognised as being part of the Intranet zone?)

Also let us know what kind of platforms are involved at
- the browser level
- the tomcat level
- the KDC level (yes, I know, currently the same as tomcat; but maybe not in future)

Recently I was having some problems also with Kerberos authentication, and while digging the web for information, I remember reading somewhere that it would not work if the browser was on the same host as the server (I do not remember if this counted also for the Tomcat webserver, and I do not remember if this was platform-specific). But maybe your problem is a variation of the same issue?
So basically, what I am telling you is to search in Google more specifically for things such as "Kerberos" and "localhost" or similar...
Also, get an appropriate browser plugin to be able to really trace what kind of HTTP headers are passed back and forth between the browser and the Tomcat server.

I get prompted for credentials over and over.

That is where the browser plugin (Fiddler, HttpFox, LiveHttpHeaders, etc.) is invaluable. It will tell you if the browser is even /trying/ to perform Kerberos authentication, e.g.

So there appear two issues:
1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent

I have created the tc01 and test users in active directory, and the keytab as instructed.

I run tomcat as tc01 user:
runas /env /user:tc01@kerbtest.local startup.bat

Output from running tomcat:

Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): tc01.kerbtest.local
KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software
SPNEGO test configuration with Manager webapp
Hello,

I'm trying to get SPNEGO authentication working with Tomcat 8. I've followed the guidelines on the website.

jaas.conf

com.sun.security.jgss.krb5.initiate {...};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local= KERBTEST.LOCAL
.kerbtest.local= KERBTEST.LOCAL

I want to use the tomcat manager app to test SPNEGO with Active Directory, Tomcat is currently installed on the domain controller.

It seems like authentication is never completed as in the browser I get prompted for credentials over and over.

So there appear two issues:
1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent

I have created the tc01 and test users in active directory, and the keytab as instructed.

I run tomcat as tc01 user:
runas /env /user:tc01@kerbtest.local startup.bat

Output from running tomcat:

Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): tc01.kerbtest.local
KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 7
KdcAccessibility: reset
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=160
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
  PA-DATA type = 11
  PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
  PA-DATA type = 19
  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
  PA-DATA type = 2
  PA-ENC-TIMESTAMP
Pre-Authentication Data:
  PA-DATA type = 16
Pre-Authentication Data:
  PA-DATA type = 15
KdcAccessibility: remove Server2012dc.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
  sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
  suSec is 627351
  error code is 25
  error Message is Additional pre-authentication required
  sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
  eData provided.
  msgType is 30
Pre-Authentication Data:
  PA-DATA type = 11
Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,

Thanks for your help!

I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service ?

I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status. I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.

Mark
Re: SPNEGO test configuration with Manager webapp
Hi.

Just nitpicking, but with Kerberos everything has to be just right :

Is the keytab file used by Tomcat owned by the user under which Tomcat runs ? (This may or may not matter under Windows, but it is absolutely mandatory under Linux, so you may want to check).

Also verify that your SPNs are really in the form required by Windows AD/Kerberos. I seem to remember that there was something special there for the form of the services/hostnames, as compared to a Linux-style environment.

tip : (maybe you already did that in a previous post) : there exists a Kerberos command-line utility which allows to check, from the client side, that this client (at the Windows level) can login to the Kerberos DC. Unfortunately, I do not remember its exact name, nor if it is available under Windows. (kinit ?) (You may need to install the MIT Kerberos binaries for Windows : http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html)

tip : in an environment supposed to do SSO, you are right in thinking that if you see a login dialog from the browser, it is already a sign that something in the settings is not right. That browser login dialog is kind of a browser's last resort if something else before did not work.

Related tip : under Linux, there is a Kerberos config file at the webserver level, and inside it there is a parameter :
KrbMethodK5Passwd on/off
If off, you should never see a browser login dialog (*). If on, you may see one (but see previous tip). I do not know if the same config file or parameter type is also used under windows/Tomcat/Kerberos.

(*) you may instead just see a blank browser page

This is one of the most complete articles I've seen so far, about what settings are exactly needed at browser level (and what happens otherwise) :
https://ping.force.com/Support/PingIdentityArticle?id=kA340008RiECAU
(make sure that you *really* follow every detail; Kerberos stuff is *really* picky)

More useful pages :
http://web.mit.edu/kerberos/
http://web.mit.edu/kerberos/krb5-1.13/doc/index.html
http://web.mit.edu/kerberos/krb5-latest/doc/user/tkt_mgmt.html#obtaining-tickets-with-kinit (and display them with klist)

And finally, here is a hodgepodge of pages which I found relevant during a recent bout of fighting with Kerberos auth (that was with Apache httpd, not Tomcat, but the underlying stuff is the same). A lot of information is repeated over these pages, and some of it is contradictory, but it might save you some hours of browsing anyway :
http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
https://www.drupal.org/node/2123615
http://stackoverflow.com/questions/19842318/apache-kerberos-authentication-client-didnt-delegate-us-their-credential
http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx
https://msdn.microsoft.com/library/aa480609.aspx#wss_ch7_kerbtechsupp_topic5
https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu
http://seriousbirder.com/blogs/apache-with-kerberos-active-directory-authentication/
http://fluxcoil.net/doku.php/software/kerberos/kerberized_apache
http://serverfault.com/questions/641974/apache-kerberos-authentication-to-active-directory-not-happening-is-krb5kdc-er
http://www.websense.com/content/support/library/shared/v76/auth_service_config/test_ie8.aspx
http://www.microhowto.info/howto/add_a_host_or_service_principal_to_a_keytab_using_mit_kerberos.html
http://windowsitpro.com/security/kerberos-active-directory
RE: SPNEGO test configuration with Manager webapp
I was using Internet explorer and had added the ip address of the domain controller / tomcat server to the trusted sites list in the Intranet zone. I was not using https. I was using a Windows 8 client VM to talk to a Windows Server 2012 VM.

I have now tried Firefox with SPNEGO and can confirm with this set up I get similar logs and the http header WWW-Authenticate: Negotiate is sent. In this test I do not get a popup prompt but I still get 401 Http status.

almBase.hasUserDataPermission User data constraint has no restrictions
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=160
KrbKdcReq send: #bytes read=185
Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 16
Pre-Authentication Data: PA-DATA type = 15
KdcAccessibility: remove Server2012dc.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError: sTime is Tue Mar 24 15:06:51 GMT 2015 1427209611000 suSec is 507817 error code is 25 error Message is Additional pre-authentication required sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL eData provided. msgType is 30
Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 16
Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=243
KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=243
KrbKdcReq send: #bytes read=100
KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes=243
KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=3,Attempt =1, #bytes=243
DEBUG: TCPClient reading 1467 bytes
KrbKdcReq send: #bytes read=1467
KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 01:06:51 GMT 2015
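The debug output above is Tomcat's own AS exchange with the KDC (its request for a TGT using the keytab). As an added example that is not code from the thread or from Tomcat, the following Python reads lines of that kind and reports what the exchange did; the error-code names are from RFC 4120 and the sample lines are constructed after those posted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Kerberos error codes as the JDK prints them ("error code is N"); names per RFC 4120.
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client principal not found in the realm)",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN (service principal / SPN not registered)",
    24: "KDC_ERR_PREAUTH_FAILED (key mismatch: keytab or password differs from AD)",
    25: "KDC_ERR_PREAUTH_REQUIRED (normal reply to a first AS-REQ sent without pre-auth)",
    37: "KRB_AP_ERR_SKEW (clock skew between client and KDC too large)",
    68: "KDC_ERR_WRONG_REALM",
}
RC4_HMAC = 23  # etype 23; 17 and 18 are AES128/AES256-CTS-HMAC-SHA1-96


@dataclass
class AsExchange:
    principal: Optional[str] = None
    keytab_keys: List[Tuple[int, int]] = field(default_factory=list)  # (etype, kvno)
    offered_etypes: List[int] = field(default_factory=list)
    kdc_errors: List[int] = field(default_factory=list)
    preauth_resent: bool = False
    as_rep: bool = False
    ticket_expiry: Optional[str] = None


def parse_krb5_debug(text: str) -> AsExchange:
    """Collect the AS-exchange facts from JDK krb5 debug lines, in order."""
    ex = AsExchange()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Looking for keys for: (\S+)", line):
            ex.principal = m.group(1)
        elif m := re.match(r"Added key: (\d+)\s*version: (\d+)", line):  # JDK prints "23version: 7"
            key = (int(m.group(1)), int(m.group(2)))
            if key not in ex.keytab_keys:
                ex.keytab_keys.append(key)
        elif m := re.match(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", line):
            ex.offered_etypes = [int(e) for e in m.group(1).split()]
        elif m := re.search(r"error code is (\d+)", line):
            ex.kdc_errors.append(int(m.group(1)))
        elif "PREAUTH FAILED/REQ, re-send AS-REQ" in line:
            ex.preauth_resent = True
        elif line.startswith("KrbAsRep cons in KrbAsReq.getReply"):
            ex.as_rep = True
        elif m := re.search(r"expiring on (.+)$", line):
            ex.ticket_expiry = m.group(1)
    return ex


def triage(ex: AsExchange) -> List[str]:
    """Explain the exchange: error 25, a re-send and then an AS-REP is success, not a failure."""
    findings = []
    for code in ex.kdc_errors:
        if code == 25 and ex.preauth_resent:
            findings.append("KDC error 25 then 're-send AS-REQ': the expected two-step AS exchange, not a failure")
        else:
            findings.append(f"KDC error {code}: {KRB_ERROR_NAMES.get(code, 'unknown error code')}")
    if ex.as_rep:
        msg = f"TGT issued to {ex.principal}: the keytab key and principal are accepted by the KDC"
        if ex.ticket_expiry:
            msg += f" (expires {ex.ticket_expiry})"
        findings.append(msg + "; look at the SPNEGO accept side (sun.security.jgss.debug) next")
    elif 25 in ex.kdc_errors and not ex.preauth_resent:
        findings.append("stopped after KDC_ERR_PREAUTH_REQUIRED without a re-send: log truncated or pre-auth never attempted")
    else:
        findings.append("no AS-REP seen: Tomcat did not obtain a TGT in this log")
    keytab_etypes = {etype for etype, _ in ex.keytab_keys}
    if keytab_etypes and keytab_etypes <= {RC4_HMAC} and set(ex.offered_etypes) - {RC4_HMAC}:
        findings.append("keytab holds only an RC4-HMAC key (etype 23); the AES types in default_tkt_enctypes cannot be used from it")
    return findings


# Constructed sample, modelled on the debug lines posted above.
SAMPLE_LOG = """\
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
KRBError: sTime is Tue Mar 24 15:06:51 GMT 2015 1427209611000 suSec is 507817 error code is 25 error Message is Additional pre-authentication required sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL eData provided.
Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 01:06:51 GMT 2015
"""

if __name__ == "__main__":
    for finding in triage(parse_krb5_debug(SAMPLE_LOG)):
        print("-", finding)
```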
Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 15:17, David Marsh wrote:
<snip/>

SPNEGO is fickle. Sometimes the smallest change can cause problems.

Set up a test environment as close to the How-To as possible. You should definitely be using three separate machines (or VMs). Get this working. If your test environment doesn't work, figure out what you did wrong. Suggest clarifications to the docs if required. (I know the How-To describes a working system - I wrote the how-to and still have the VMs which I use for testing.)

Once you have that test environment working, start changing it to reflect what you really want, one thing at a time. Make sure to log on/off the machine where Tomcat is running (and ideally reboot at least the Tomcat server between each change). I got caught out with this before, thinking something was working only for it all to stop working after a reboot.

At some point, you'll get stuck on a change that always breaks things. That would be the point to come back and ask for help, telling:
- what config works
- what change you make
- how it stops working

Hopefully, we'll be able to suggest a way forward.

Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SPNEGO test configuration with Manager webapp
Mark Thomas wrote:
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,

Thanks for your help!

I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service ?

I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status. I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.

Mark

Considering your Kerberos logs, you may want to have a look at this :
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
(gotten to by Googling for kerberos preauthentication, as this term seemed to appear in the logs).

To me, your logs (assuming that they are the Tomcat Kerberos logs) would seem to indicate that it is Tomcat who is trying to pre-authenticate to the KDC, and failing to do so (for whatever reason I don't really know).

I am not really a specialist of Kerberos, but from what I understand of it, the first action of a Kerberos client - when it logs in, which in this case could be construed as when Tomcat starts up - is to contact a Kerberos ticket granting server (usually the same as the KDC), and obtain a ticket-granting ticket from it. Then later, when the client wants to access a service, it re-contacts the KDC, passes it this ticket-granting ticket, and requests another ticket to access the desired service. Then it sends this service ticket to the host hosting the desired service, for authentication.

For whatever reason, it looks as if Tomcat is at least trying to get such an initial ticket-granting ticket for itself at start, and failing. Maybe such a ticket is a necessary pre-condition for Tomcat's Kerberos stack, to be able to authenticate tomcat service tickets presented to it later by a browser client ?

In terms of debugging what happens, I think that for the time being you should forget the browser clients for a moment, and concentrate on Tomcat and this Kerberos log of his, and find out why these seemingly error-messages appear in the log at start. I would assume that, if everything went as expected, one would see at least some message indicating success, which is not in evidence here for now.

Maybe the SPNs don't match, between the KDC and the Tomcat server ? ktlist may be a good tool on both, to list what's there and compare.
Re: SPNEGO test configuration with Manager webapp
On 24.03.2015 at 21:25, David Marsh wrote:
Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.

Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:05, David Marsh wrote:
Sorry that's :-
principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
under jaas.conf, it is set to the tomcat server DNS.

Is it working with this configuration, or just to point out that you copied the wrong jaas.conf for the mail?

Felix

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins. The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website.

jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory. I have tried to keep the setup as basic and vanilla to the instructions as possible.

Users were created as instructed.

Spn was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times. Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header. The next has an Authorization request http header with long encrypted string.

That means that tomcat believes it can use kerberos/SPNEGO, and firefox is able to get a service ticket for the server and sends it back. That far it is looking promising. But I assume the authentication does not complete, right?

IE still prompts for credentials with a popup, not sure why, as does chrome. The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites. It seems like authentication is never completed ? There are no errors in tomcat logs. Any ideas what is happening and what I can do to troubleshoot ?

You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should print out a lot of debug information, which should end up in catalina.out.

Felix

I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.

many thanks

David
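Felix's question about the wrong jaas.conf being pasted comes down to four names that must agree: the accept principal in jaas.conf, the SPN registered with setspn, the principal ktpass wrote into the keytab, and the account Tomcat runs as. The following Python, added here and not code from the thread or from Tomcat, compares those from pasted text only (it does not query AD or read a binary keytab); the sample setups are constructed from the configuration posted above, with the keytab password replaced by '*'.

```python
import re
from dataclasses import dataclass


@dataclass
class SpnegoSetup:
    jaas_conf: str        # contents of jaas.conf
    setspn_cmd: str       # the setspn command that registered the SPN
    ktpass_cmd: str       # the ktpass command that produced the keytab
    service_account: str  # account Tomcat runs as, e.g. tc01@kerbtest.local


def jaas_section(jaas_conf: str, name: str):
    """Return (options, unquoted_keys) for one JAAS login context."""
    m = re.search(re.escape(name) + r"\s*\{(.*?)\}\s*;", jaas_conf, re.DOTALL)
    if not m:
        return {}, set()
    opts, unquoted = {}, set()
    # A value runs until the next "key=" or the closing ';', so an unquoted
    # path with spaces (as posted above) is captured whole and flagged later.
    for key, quote, val in re.findall(r'(\w+)=("?)(.+?)\2(?=\s+\w+=|\s*;)', m.group(1), re.DOTALL):
        opts[key] = val.strip()
        if not quote:
            unquoted.add(key)
    return opts, unquoted


def parse_setspn(cmd: str):
    m = re.search(r"setspn\s+-[AS]\s+(\S+)\s+(\S+)", cmd, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else (None, None)


def parse_ktpass(cmd: str) -> dict:
    opts = {}
    for key in ("out", "mapuser", "princ", "kvno"):
        m = re.search(r"/%s\s+(\S+)" % key, cmd, re.IGNORECASE)
        if m:
            opts[key] = m.group(1)
    return opts


def strip_realm(name: str) -> str:
    return name.split("@", 1)[0]


def file_name(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def check_setup(s: SpnegoSetup) -> list:
    """Return findings, each prefixed with a code; an empty list means the names line up."""
    findings = []
    accept, unquoted = jaas_section(s.jaas_conf, "com.sun.security.jgss.krb5.accept")
    principal, keytab = accept.get("principal"), accept.get("keyTab")
    spn, spn_account = parse_setspn(s.setspn_cmd)
    kt = parse_ktpass(s.ktpass_cmd)
    if principal is None:
        return ["JAAS-PRINCIPAL: no principal= in the com.sun.security.jgss.krb5.accept section"]
    if kt.get("princ") and principal != kt["princ"]:
        findings.append(f"PRINCIPAL-MISMATCH: jaas.conf accept principal {principal} "
                        f"but ktpass /princ {kt['princ']}")
    if spn and strip_realm(principal).lower() != spn.lower():
        findings.append(f"SPN-MISMATCH: jaas.conf principal {strip_realm(principal)} "
                        f"but setspn registered {spn}")
    mapuser = kt.get("mapuser")
    if spn_account and mapuser and strip_realm(spn_account).lower() != strip_realm(mapuser).lower():
        findings.append(f"ACCOUNT-MISMATCH: SPN is on {spn_account} but the keytab is mapped to {mapuser}")
    if mapuser and strip_realm(s.service_account).lower() != strip_realm(mapuser).lower():
        findings.append(f"RUNAS-MISMATCH: Tomcat runs as {s.service_account} but the keytab is mapped to {mapuser}")
    if keytab:
        if "keyTab" in unquoted and " " in keytab:
            findings.append("KEYTAB-PATH: keyTab value contains spaces but is not quoted in jaas.conf")
        if kt.get("out") and file_name(keytab) != file_name(kt["out"]):
            findings.append(f"KEYTAB-NAME: jaas.conf points at {file_name(keytab)} "
                            f"but ktpass wrote {file_name(kt['out'])}")
    return findings


# Constructed samples modelled on the thread: the jaas.conf as first posted
# (principal win-dc01 while SPN and keytab say win-tc01) and the corrected one.
JAAS_TEMPLATE = """
com.sun.security.jgss.krb5.initiate {{
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true principal={p} useKeyTab=true
    keyTab={k} storeKey=true;
}};
com.sun.security.jgss.krb5.accept {{
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true principal={p} useKeyTab=true
    keyTab={k} storeKey=true;
}};
"""
SETSPN = "setspn -A HTTP/win-tc01.kerbtest.local tc01"
KTPASS = ("ktpass /out c:\\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL "
          "/princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass * /kvno 0")
KEYTAB = "C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"

POSTED_SETUP = SpnegoSetup(
    JAAS_TEMPLATE.format(p="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL", k=KEYTAB),
    SETSPN, KTPASS, "tc01@kerbtest.local")
FIXED_SETUP = SpnegoSetup(
    JAAS_TEMPLATE.format(p="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL", k='"%s"' % KEYTAB),
    SETSPN, KTPASS, "tc01@kerbtest.local")

if __name__ == "__main__":
    for label, setup in (("as posted", POSTED_SETUP), ("corrected", FIXED_SETUP)):
        print(label, check_setup(setup) or ["OK"])
```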
RE: SPNEGO test configuration with Manager webapp
Hi Felix,

Thanks for your help!

I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service ?

I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status. I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.

David
RE: SPNEGO test configuration with Manager webapp
is 581394 error code is 25 error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16
Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=247
KrbKdcReq send: #bytes read=100
KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=3,Attempt =1, #bytes=247
DEBUG: TCPClient reading 1483 bytes
KrbKdcReq send: #bytes read=1483
KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015

Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

> On 24.03.2015 at 21:25, David Marsh wrote:
>> Everything is as described and still not working, except the jaas.conf is :-
>> [...]
>> In other words the principal is the tomcat server as it should be.
> [...]
Re: SPNEGO test configuration with Manager webapp
On 24.03.2015 at 21:02, David Marsh wrote:
> I'm trying to get SPNEGO authentication working with Tomcat 8.
> [...]
> jaas.conf
>
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL

The documentation refers to HTTP/win-*tc01*... not *dc01*. This is important. It has to be the alias for the tomcat server!

Regards
Felix

>     useKeyTab=true
>     keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
>     storeKey=true;
> };
> [...]

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: SPNEGO test configuration with Manager webapp
Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.

Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

> On 24.03.2015 at 21:05, David Marsh wrote:
>> Sorry that's :-
>> principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> under jaas.conf, it is set to the tomcat server DNS.
>
> Is it working with this configuration, or just to point out that you copied the wrong jaas.conf for the mail?
>
> Felix
> [...]
SPNEGO test configuration with Manager webapp
I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins. The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website.

jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory. I have tried to keep the setup as basic and vanilla to the instructions as possible.

Users were created as instructed.

SPN was created as instructed:

setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed:

ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with Firefox, Chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in Firefox results in 401 three times. Looking at the Network tab in developer tools in Firefox shows a 401 response with a WWW-Authenticate: Negotiate response HTTP header. The next has an Authorization request HTTP header with a long encrypted string.

IE still prompts for credentials with a popup, not sure why, as does Chrome. The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.

It seems like authentication is never completed? There are no errors in Tomcat logs.

Any ideas what is happening and what I can do to troubleshoot? I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.

many thanks

David
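A consistency check for the jaas.conf, SPN and realm from the setup above, and for the principal-host mistake (win-dc01 instead of win-tc01) that Felix points out in his reply. This is an added example, not code from the thread or from Tomcat; it parses the JAAS entry format the thread quotes, the sample configs are constructed from the ones quoted, and `parse_jaas` and `check_spnego_config` are hypothetical helper names.

```python
import re

# JAAS login configuration grammar (subset): name { Module flag opt=val ...; };
_ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)
_MODULE_RE = re.compile(
    r"^\s*([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S)
# Values may be quoted, or bare and contain spaces (as in the thread's keyTab path).
_OPTION_RE = re.compile(
    r'(\w+)\s*=\s*(?:"([^"]*)"|(.+?))(?=\s+\w+\s*=|\s*$)', re.S)

KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
SPNEGO_ENTRIES = ("com.sun.security.jgss.krb5.initiate",
                  "com.sun.security.jgss.krb5.accept")


def parse_jaas(text):
    """Return {entry_name: {"module": cls, "flag": flag, "options": {k: v}}}."""
    entries = {}
    for name, body in _ENTRY_RE.findall(text):
        m = _MODULE_RE.match(body)
        if not m:
            continue
        module, flag, opts = m.groups()
        options = {k: q if q else bare for k, q, bare in _OPTION_RE.findall(opts)}
        entries[name] = {"module": module, "flag": flag, "options": options}
    return entries


def check_spnego_config(jaas_text, spn, realm):
    """Return a list of findings; an empty list means jaas.conf, SPN and realm agree."""
    findings = []
    entries = parse_jaas(jaas_text)
    expected_principal = f"{spn}@{realm}"
    keytabs = set()
    for name in SPNEGO_ENTRIES:
        entry = entries.get(name)
        if entry is None:
            findings.append(f"{name}: entry missing")
            continue
        if entry["module"] != KRB5_LOGIN_MODULE:
            findings.append(f"{name}: unexpected login module {entry['module']}")
        opts = entry["options"]
        for key in ("useKeyTab", "storeKey", "doNotPrompt"):
            if opts.get(key) != "true":
                findings.append(f"{name}: {key} should be true")
        # The host in the principal must be the Tomcat server (the SPN host), not the DC.
        if opts.get("principal") != expected_principal:
            findings.append(f"{name}: principal {opts.get('principal')!r} "
                            f"does not match SPN {expected_principal!r}")
        if "keyTab" in opts:
            keytabs.add(opts["keyTab"])
        else:
            findings.append(f"{name}: keyTab not set")
    if len(keytabs) > 1:
        findings.append("initiate and accept entries point at different keytabs")
    return findings


# Sample values constructed from the thread: the SPN registered with
# "setspn -A HTTP/win-tc01.kerbtest.local tc01" and default_realm from krb5.ini.
REGISTERED_SPN = "HTTP/win-tc01.kerbtest.local"
REALM = "KERBTEST.LOCAL"


def jaas_conf(host):
    """Build a jaas.conf like the thread's, with the given host in the principal."""
    entry = """com.sun.security.jgss.krb5.%s {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal=HTTP/%s.kerbtest.local@KERBTEST.LOCAL
    useKeyTab=true
    keyTab=C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab
    storeKey=true;
};
"""
    return entry % ("initiate", host) + entry % ("accept", host)


if __name__ == "__main__":
    for host in ("win-dc01", "win-tc01"):  # the mistaken config, then the corrected one
        print(host, check_spnego_config(jaas_conf(host), REGISTERED_SPN, REALM) or ["OK"])
```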
RE: SPNEGO test configuration with Manager webapp
Sorry that's :-

principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

under jaas.conf, it is set to the tomcat server DNS.

From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +

> I'm trying to get SPNEGO authentication working with Tomcat 8.
> [...]
Re: SPNEGO test configuration with Manager webapp
On 24.03.2015 at 21:05, David Marsh wrote:
> Sorry that's :-
> principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> under jaas.conf, it is set to the tomcat server DNS.

Is it working with this configuration, or just to point out that you copied the wrong jaas.conf for the mail?

Felix

> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: SPNEGO test configuration with Manager webapp
> Date: Tue, 24 Mar 2015 20:02:04 +
>
>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>> [...]
RE: SPNEGO test configuration with Manager webapp
I copied old config file to mail yes.

Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

> On 24.03.2015 at 21:05, David Marsh wrote:
>> Sorry that's :-
>> principal=HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> under jaas.conf, it is set to the tomcat server DNS.
>
> Is it working with this configuration, or just to point out that you copied the wrong jaas.conf for the mail?
>
> Felix
> [...]