Using startup.bat to launch tomcat :-

runas /env /user:tc01@kerbtest.local "startup.bat"
Here are the logs with the kerberos debug :-

Server startup in 509 ms
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
     suSec is 441380
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1483 bytes
>>> KrbKdcReq send: #bytes read=1483
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
     suSec is 581394
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1483 bytes
>>> KrbKdcReq send: #bytes read=1483
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015

> Date: Tue, 24 Mar 2015 21:39:38 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24.03.2015 at 21:25, David Marsh wrote:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> > com.sun.security.jgss.krb5.initiate {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     doNotPrompt=true
> >     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >     useKeyTab=true
> >     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >     storeKey=true;
> > };
> >
> > com.sun.security.jgss.krb5.accept {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     doNotPrompt=true
> >     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >     useKeyTab=true
> >     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >     storeKey=true;
> > };
> >
> > In other words the principal is the tomcat server as it should be.
> >
> >> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >> From: felix.schumac...@internetallee.de
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> On 24.03.2015 at 21:05, David Marsh wrote:
> >>> Sorry that's :-
> >>>
> >>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>>
> >>> under jaas.conf, it is set to the tomcat server DNS.
> >>
> >> Is it working with this configuration, or just to point out that you
> >> copied the wrong jaas.conf for the mail?
> >>
> >> Felix
> >>
> >>> ----------------------------------------
> >>>> From: dmars...@outlook.com
> >>>> To: users@tomcat.apache.org
> >>>> Subject: SPNEGO test configuration with Manager webapp
> >>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
> >>>>
> >>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
> >>>>
> >>>> I've created three Windows VMs :-
> >>>>
> >>>> Tomcat Server - Windows 8.1 32 bit VM
> >>>> Test Client - Windows 8.1 32 bit VM
> >>>> Domain Controller - Windows Server 2012 R2 64 bit VM
> >>>>
> >>>> The Tomcat Server and the Test Client are joined to the same domain
> >>>> kerbtest.local, they are logged in with domain logins.
> >>>>
> >>>> The firewall is disabled on the Tomcat Server VM.
> >>>>
> >>>> I've followed the guidelines on the Apache Tomcat website.
> >>>>
> >>>> jaas.conf
> >>>>
> >>>> com.sun.security.jgss.krb5.initiate {
> >>>>     com.sun.security.auth.module.Krb5LoginModule required
> >>>>     doNotPrompt=true
> >>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>     useKeyTab=true
> >>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>>     storeKey=true;
> >>>> };
> >>>>
> >>>> com.sun.security.jgss.krb5.accept {
> >>>>     com.sun.security.auth.module.Krb5LoginModule required
> >>>>     doNotPrompt=true
> >>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>     useKeyTab=true
> >>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>>     storeKey=true;
> >>>> };
> >>>>
> >>>> krb5.ini
> >>>>
> >>>> [libdefaults]
> >>>> default_realm = KERBTEST.LOCAL
> >>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
> >>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> forwardable=true
> >>>>
> >>>> [realms]
> >>>> KERBTEST.LOCAL = {
> >>>>     kdc = win-dc01.kerbtest.local:88
> >>>> }
> >>>>
> >>>> I want to use the tomcat manager app to test SPNEGO with Active
> >>>> Directory.
> >>>>
> >>>> I have tried to keep the setup as basic and vanilla to the instructions
> >>>> as possible.
> >>>>
> >>>> Users were created as instructed.
> >>>>
> >>>> SPN was created as instructed
> >>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
> >>>>
> >>>> keytab was created as instructed
> >>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
> >>>>
> >>>> I have tried to test with firefox, chrome and IE, after ensuring
> >>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I
> >>>> added http://win-tc01.kerbtest.local to
> >>>> network.negotiate-auth.delegation-uris and
> >>>> network.negotiate-auth.trusted-uris.
> >>>>
> >>>> Tomcat is running as a Windows service under the tc01@kerbtest.local
> >>>> account.
> >>>>
> >>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local
> >>>> in firefox results in 401 three times.
> >>>>
> >>>> Looking at the Network tab in developer tools in firefox shows 401
> >>>> response with WWW-Authenticate: Negotiate response http header.
> >>>>
> >>>> The next has an Authorization request http header with long encrypted
> >>>> string.
>
> That means that tomcat is believing it can use kerberos/SPNEGO and
> firefox is able to get a service ticket for the server and sends it
> back. That far it is looking promising. But I assume the authentication
> does not complete, right?
>
> >>>>
> >>>> IE still prompts for credentials with a popup, not sure why, as does
> >>>> chrome.
> >>>> The setting User Authentication, Logon, Automatic Logon only in Intranet
> >>>> Zone, is selected under trusted sites.
> >>>>
> >>>> It seems like authentication is never completed ?
> >>>>
> >>>> There are no errors in tomcat logs.
> >>>>
> >>>> Any ideas what is happening and what I can do to troubleshoot ?
>
> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
> print out a lot of debug information, which should end up in catalina.out.
>
> Felix
>
> >>>>
> >>>> I'm quite happy to help improve the documentation and follow the
> >>>> instructions, however I have tried that and cannot get a working basic
> >>>> set up.
> >>>>
> >>>> many thanks
> >>>>
> >>>> David
> >>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
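Reading the -Dsun.security.krb5.debug=true output that Felix suggested is easier with a small checker. This is an added example, not code from the thread or from Tomcat: it scans a constructed excerpt modelled on the log above, confirms that KDC error 25 followed by a TGT is the normal pre-auth round trip, flags that only RC4-HMAC (etype 23) is in use, and reports whether any AP-REQ verification was logged at all (the "KrbApReq: authenticate succeed" wording is assumed).

```python
import re

# Constructed excerpt, modelled on the -Dsun.security.krb5.debug=true output quoted in the thread.
SAMPLE_LOG = """\
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>KRBError: sTime is Tue Mar 24 20:51:24 GMT 2015 error code is 25 error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015
"""

def summarize(log):
    # Extract the facts that matter for SPNEGO troubleshooting from the JDK Kerberos debug output.
    s = {"keytab_etypes": set(), "kdc": None, "kdc_errors": [], "tgt_obtained": False,
         "rc4_used": False, "acceptor_initialised": False, "ap_req_verified": False}
    for line in log.splitlines():
        if m := re.search(r"Added key: (\d+)version: \d+", line):      # keytab entry loaded
            s["keytab_etypes"].add(int(m.group(1)))
        if m := re.search(r"kdc=(\S+) (?:UDP|TCP):\d+", line):         # KDC actually contacted
            s["kdc"] = m.group(1)
        if m := re.search(r"error code is (\d+)", line):                # KRB-ERROR from the KDC
            s["kdc_errors"].append(int(m.group(1)))
        s["rc4_used"] |= "ArcFourHmacEType" in line
        s["tgt_obtained"] |= line.startswith("Found ticket for") and " to go to krbtgt/" in line
        s["acceptor_initialised"] |= "SPNEGO ACCEPT cred" in line
        # Wording the JDK prints when an incoming AP-REQ (the browser's token) verifies; assumed here.
        s["ap_req_verified"] |= "KrbApReq: authenticate succeed" in line
    return s

def findings(s):
    # Turn the summary into plain-language findings for whoever is reading the log.
    out = []
    if s["kdc_errors"] and set(s["kdc_errors"]) == {25} and s["tgt_obtained"]:
        out.append("error code 25 (KDC_ERR_PREAUTH_REQUIRED) is the normal first AS-REQ round trip; a TGT "
                   "was issued afterwards, so keytab, principal and KDC %s are consistent" % s["kdc"])
    if s["rc4_used"] or (s["keytab_etypes"] and s["keytab_etypes"] <= {23}):
        out.append("only RC4-HMAC (etype 23) is in play: regenerate the keytab with an AES key type "
                   "and list the AES etypes before rc4-hmac in default_tkt_enctypes")
    if s["acceptor_initialised"] and not s["ap_req_verified"]:
        out.append("acceptor credential was set up but no AP-REQ verification is logged: nothing shows "
                   "the browser's token being validated, so check the client side (SPN, browser zone) first")
    return out

if __name__ == "__main__":
    for f in findings(summarize(SAMPLE_LOG)):
        print("-", f)
```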