Using startup.bat to launch tomcat :-
runas /env /user:tc01@kerbtest.local "startup.bat"

Here are the logs with the kerberos debug :-

Server startup in 509 ms
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
         suSec is 441380
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=247
>>>DEBUG: TCPClient reading 1483 bytes
>>> KrbKdcReq send: #bytes read=1483
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
         suSec is 581394
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=247
>>>DEBUG: TCPClient reading 1483 bytes
>>> KrbKdcReq send: #bytes read=1483
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015


> Date: Tue, 24 Mar 2015 21:39:38 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> Am 24.03.2015 um 21:25 schrieb David Marsh:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> > com.sun.security.jgss.krb5.initiate {
> >      com.sun.security.auth.module.Krb5LoginModule required
> >      doNotPrompt=true
> >      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >      useKeyTab=true
> >      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> > 8.0/conf/tomcat.keytab"
> >      storeKey=true;
> > };
> >
> > com.sun.security.jgss.krb5.accept {
> >      com.sun.security.auth.module.Krb5LoginModule required
> >      doNotPrompt=true
> >      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >      useKeyTab=true
> >      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> > 8.0/conf/tomcat.keytab"
> >      storeKey=true;
> > };
> >
> > In other words the principal is the tomcat server as it should be.
> >
> >> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >> From: felix.schumac...@internetallee.de
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> Am 24.03.2015 um 21:05 schrieb David Marsh:
> >>> Sorry, that's :-
> >>>
> >>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>> under jaas.conf, it is set to the tomcat server DNS.
> >> Is it working with this configuration, or just to point out, that you
> >> copied the wrong jaas.conf for the mail?
> >>
> >> Felix
> >>> ----------------------------------------
> >>>> From: dmars...@outlook.com
> >>>> To: users@tomcat.apache.org
> >>>> Subject: SPNEGO test configuration with Manager webapp
> >>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
> >>>>
> >>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
> >>>>
> >>>> I've created three Windows VMs :-
> >>>>
> >>>> Tomcat Server - Windows 8.1 32 bit VM
> >>>> Test Client - Windows 8.1 32 bit VM
> >>>> Domain Controller - Windows Server 2012 R2 64 bit VM
> >>>>
> >>>> The Tomcat Server and the Test Client are joined to the same domain 
> >>>> kerbtest.local, they are logged in with domain logins.
> >>>>
> >>>> The firewall is disabled on the Tomcat Server VM.
> >>>>
> >>>> I've followed the guidelines on the Apache Tomcat website.
> >>>>
> >>>> jaas.conf
> >>>>
> >>>> com.sun.security.jgss.krb5.initiate {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> >>>> 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> com.sun.security.jgss.krb5.accept {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> >>>> 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> krb5.ini
> >>>>
> >>>> [libdefaults]
> >>>> default_realm = KERBTEST.LOCAL
> >>>> default_keytab_name = FILE:C:\Program Files\Apache Software 
> >>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
> >>>> default_tkt_enctypes = 
> >>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> default_tgs_enctypes = 
> >>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> forwardable=true
> >>>>
> >>>> [realms]
> >>>> KERBTEST.LOCAL = {
> >>>> kdc = win-dc01.kerbtest.local:88
> >>>> }
> >>>>
> >>>> I want to use the tomcat manager app to test SPNEGO with Active 
> >>>> Directory.
> >>>>
> >>>> I have tried to keep the setup as basic and vanilla to the instructions 
> >>>> as possible.
> >>>>
> >>>> Users were created as instructed.
> >>>>
> >>>> Spn was created as instructed
> >>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
> >>>>
> >>>> keytab was created as instructed
> >>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ 
> >>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
> >>>>
> >>>> I have tried to test with firefox, chrome and IE, after ensuring 
> >>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I 
> >>>> added http://win-tc01.kerbtest.local to 
> >>>> network.negotiate-auth.delegation-uris and 
> >>>> network.negotiate-auth.trusted-uris.
> >>>>
> >>>> Tomcat is running as a Windows service under the tc01@kerbtest.local 
> >>>> account.
> >>>>
> >>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local 
> >>>> in firefox results in 401 three times.
> >>>>
> >>>> Looking at the Network tab in developer tools in firefox shows 401 
> >>>> response with WWW-Authenticate: Negotiate response http header.
> >>>>
> >>>> The next has an Authorization request http header with long encrypted 
> >>>> string.
> That means that Tomcat believes it can use Kerberos/SPNEGO and 
> Firefox is able to get a service ticket for the server and sends it 
> back. So far it is looking promising. But I assume the authentication 
> does not complete, right?
> 
> 
> >>>>
> >>>> IE still prompts for credentials with a popup, not sure why, as does 
> >>>> Chrome.
> >>>> The setting User Authentication, Logon, Automatic Logon only in Intranet 
> >>>> Zone, is selected under trusted sites.
> >>>>
> >>>> It seems like authentication is never completed?
> >>>>
> >>>> There are no errors in tomcat logs.
> >>>>
> >>>> Any ideas what is happening and what I can do to troubleshoot?
> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should 
> print out a lot of debug information, which should end up in catalina.out.
> 
> Felix
> >>>>
> >>>> I'm quite happy to help improve the documentation and follow the 
> >>>> instructions, however I have tried that and cannot get a working basic 
> >>>> set up.
> >>>>
> >>>> many thanks
> >>>>
> >>>> David
> >>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>
> >>>
> >>
> >>
> >                                     
> 
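An added diagnostic, written for this page and not part of the thread or of Tomcat: a parser for the MIT keytab format that ktpass writes and Java's KeyTabInputStream reads, plus two checks on what it finds. The sample bytes are constructed here rather than taken from the real tomcat.keytab; they carry the same principal, etype 23 (rc4-hmac) and kvno 0 that the debug output above reports, with a dummy 16-byte key. With those fields and no 32-bit kvno extension an entry comes to exactly the 78 bytes the log shows.

```python
import struct

# Kerberos etype numbers (RFC 3961/3962/4757); the thread's keytab carries only 23
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}


def _counted(buf, off):
    """Read a 16-bit-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse an MIT v2 keytab (magic 0x0502). Returns one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab: %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        key, off = _counted(data, off + 2)
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "etype-%d" % etype),
            "kvno": kvno,
            "key_len": len(key),
            "entry_size": size,
        })
        off = end
    return entries


def build_entry(realm, comps, etype, kvno, key, timestamp=0):
    """Serialize one entry (name_type 1 = KRB5_NT_PRINCIPAL), without the 32-bit kvno field."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample, not the real tomcat.keytab: same principal, etype 23 and
# kvno 0 that the Java debug output reports, with an all-zero dummy key.
SPN = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "KERBTEST.LOCAL", ["HTTP", "win-tc01.kerbtest.local"], 23, 0, bytes(16))


def keys_for(entries, principal):
    """Map etype -> kvno for the entries that name the service principal."""
    return {e["etype"]: e["kvno"] for e in entries if e["principal"] == principal}


def missing_etypes(entries, principal, offered):
    """Etypes from an enctype list (e.g. krb5.ini default_tkt_enctypes) for which the
    keytab holds no key; a service ticket issued in one of these cannot be decrypted."""
    return sorted(set(offered) - set(keys_for(entries, principal)))


if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for e in ents:
        print("%(principal)s etype=%(etype)d (%(etype_name)s) kvno=%(kvno)d "
              "entry=%(entry_size)d bytes" % e)
    print("no key for etypes:", missing_etypes(ents, SPN, [23, 17, 18]))
```

Run it against the real file with `parse_keytab(open(path, "rb").read())` and compare what it lists with the ticket the client presents: the keytab must hold a key whose etype (and kvno) match that ticket, and the kvno ktpass wrote (0 here, from `/kvno 0`) is worth comparing with the account's current msDS-KeyVersionNumber in AD. Separately, the debug output above prints `default_tkt_enctypes: 23 17` although krb5.ini names aes256-cts-hmac-sha1-96 first; on the JDK 8 builds of that period etype 18 is dropped from the list unless the Unlimited Strength JCE policy files are installed, so `missing_etypes(ents, SPN, [23, 17, 18])` shows which of the configured etypes this keytab could not serve anyway.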
                                          

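A second added check, also not from the thread: the "long encrypted string" in the Authorization header is a base64 GSS-API token, and decoding only its outer DER layers tells you which mechanism the browser actually chose. IE and Chrome on Windows fall back to NTLM wrapped in SPNEGO when they cannot obtain a Kerberos service ticket, and Tomcat's SPNEGO authenticator does not support NTLM (its Windows Authentication How-To says so), so such a token gets another 401; that is one way to end up with the repeated prompts described above. The three header values below are constructed for this example, not captured from the test client, and the Kerberos sample carries a two-byte stub instead of a real AP-REQ.

```python
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft Kerberos OID, listed first by Windows clients
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def _der_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, content, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, start = first, off + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    return tag, buf[start:start + length], start + length


def _der(tag, content):
    """Encode a DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(body):
    parts, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def encode_oid(oid):
    nums = [int(x) for x in oid.split(".")]
    out = bytearray([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.insert(0, 0x80 | (n & 0x7F))
            n >>= 7
        out += bytes(chunk)
    return bytes(out)


def classify_negotiate(header):
    """Classify an Authorization header value: raw NTLM, raw Kerberos AP-REQ, or a
    SPNEGO NegTokenInit whose first mechTypes OID is the client's preferred mechanism."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mech": "not-negotiate", "mech_types": []}
    raw = base64.b64decode(token)
    if raw.startswith(b"NTLMSSP\x00"):
        return {"mech": "raw-ntlm", "mech_types": []}
    if not raw or raw[0] != 0x60:
        return {"mech": "unknown", "mech_types": []}
    _, app, _ = _der_tlv(raw, 0)                # [APPLICATION 0] InitialContextToken
    _, oid_body, off = _der_tlv(app, 0)         # thisMech OID
    this_mech = decode_oid(oid_body)
    if this_mech in (OID_KRB5, OID_MS_KRB5):
        return {"mech": "kerberos", "mech_types": [this_mech]}
    if this_mech != OID_SPNEGO:
        return {"mech": "unknown", "mech_types": [this_mech]}
    _, neg_init, _ = _der_tlv(app, off)         # [0] NegTokenInit
    _, seq, _ = _der_tlv(neg_init, 0)           # SEQUENCE of context-tagged fields
    tag, wrapped, _ = _der_tlv(seq, 0)
    mechs = []
    if tag == 0xA0:                             # [0] mechTypes: SEQUENCE OF OID
        _, mech_list, _ = _der_tlv(wrapped, 0)
        o = 0
        while o < len(mech_list):
            _, body, o = _der_tlv(mech_list, o)
            mechs.append(decode_oid(body))
    preferred = mechs[0] if mechs else None
    if preferred in (OID_KRB5, OID_MS_KRB5):
        mech = "spnego-kerberos"
    elif preferred == OID_NTLMSSP:
        mech = "spnego-ntlm"
    else:
        mech = "spnego-other"
    return {"mech": mech, "mech_types": mechs}


def build_negotiate_header(mech_oids, mech_token=b""):
    """Constructed SPNEGO NegTokenInit for testing; mechToken is an opaque stub here."""
    fields = _der(0xA0, _der(0x30, b"".join(_der(0x06, encode_oid(o)) for o in mech_oids)))
    if mech_token:
        fields += _der(0xA2, _der(0x04, mech_token))
    inner = _der(0x06, encode_oid(OID_SPNEGO)) + _der(0xA0, _der(0x30, fields))
    return "Negotiate " + base64.b64encode(_der(0x60, inner)).decode()


# Constructed samples, not captured from the thread's test client
KERBEROS_CLIENT = build_negotiate_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x60\x00")
NTLM_FALLBACK = build_negotiate_header([OID_NTLMSSP], b"NTLMSSP\x00")
RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Paste the real header value from the browser's network tab into `classify_negotiate`: `spnego-kerberos` means the client did get a ticket for the SPN and the failure is on the Tomcat/keytab side; `spnego-ntlm` or `raw-ntlm` means it never got one, which points at the SPN registration, the browser's trusted-site settings, or the host name being browsed not matching the SPN.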