Turns out that to use the Java kinit I need a krb5.conf inside the jdk/jre lib/security folder.
Now I get :-

C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Kinit using keytab
>>> Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is KERBTEST.LOCAL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for win-tc01 are:
	win-tc01/192.168.0.3
	IPv4 address
	win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
	IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 1
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 3
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 94; type: 18
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
	 suSec is 681217
	 error code is 6
	 error Message is Client not found in Kerberos database
	 sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
	 msgType is 30
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
	at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
	at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
	at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
	at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
	at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(Unknown Source)
	at sun.security.krb5.internal.ASRep.init(Unknown Source)
	at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
	... 5 more

----------------------------------------
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 21:19:30 +0000
>
> Thanks for all the help guys, I managed to find the correct way to call kinit for Java on windows :-
>
> I get the following :-
>
> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pass
> >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>> Kinit using keytab
> >>> Kinit keytab file name: c:\keytab\tomcat.keytab
> Java config name: null
> LSA: Found Ticket
> LSA: Made NewWeakGlobalRef
> LSA: Found PrincipalName
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue
> LSA: Made NewWeakGlobalRef
> LSA: Found EncryptionKey
> LSA: Made NewWeakGlobalRef
> LSA: Found TicketFlags
> LSA: Made NewWeakGlobalRef
> LSA: Found KerberosTime
> LSA: Made NewWeakGlobalRef
> LSA: Found String
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue constructor
> LSA: Found Ticket constructor
> LSA: Found PrincipalName constructor
> LSA: Found EncryptionKey constructor
> LSA: Found TicketFlags constructor
> LSA: Found KerberosTime constructor
> LSA: Finished OnLoad processing
> Native config name: C:\Windows\krb5.ini
> Loaded from native config
> >>> Kinit realm name is KERBTEST.LOCAL
> >>> Creating KrbAsReq
> >>> KrbKdcReq local addresses for win-tc01 are:
>
> win-tc01/192.168.0.3
> IPv4 address
>
> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> IPv6 address
> >>> KdcAccessibility: reset
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 1
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 3
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 23
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 94; type: 18
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 17
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=216
> >>> KrbKdcReq send: #bytes read=213
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
>
> >>>Pre-Authentication Data:
> PA-DATA type = 15
>
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
> suSec is 382562
> error code is 25
> error Message is Additional pre-authentication required
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
>
> >>>Pre-Authentication Data:
> PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=305
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=305
> >>> KrbKdcReq send: #bytes read=180
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
> suSec is 600802
> error code is 24
> error Message is Pre-authentication information was invalid
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
> KrbException: Pre-authentication information was invalid (24)
> at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
> ... 5 more
>
>
>> Date: Wed, 25 Mar 2015 22:00:13 +0100
>> From: a...@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Felix Schumacher wrote:
>>> On 25.03.2015 at 20:19, André Warnier wrote:
>>>> David Marsh wrote:
>>>>> Java's version of kinit seems to report an issue ?
>>>>>
>>>>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>>>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
>>>>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>>>>> at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>>> at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>>> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>>> at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>>>
>>>> That seems to indicate that between the Java Kerberos module in Tomcat, and the KDC's Kerberos software, there is a mismatch in the types of keys used (type of encryption), so they do not understand each other.
>>>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>>>
>>>> It is also a bit strange that it says :
>>>> only have keys of following type:
>>>> (with nothing behind the :.. )
>>>>
>>>> From what I keep browsing on the WWW, it also seems that the types of key encryptions that might match between Java Kerberos and Windows Kerberos, depend on the versions of both Java and Windows Server..
>>>>
>>> +1 (read your answer too late, I found the same link and posted it :)
>>>> Man, this thing is really a nightmare, isn't it ?
>>> I especially like the error messages.
>>>
>>
>> Yes, and the thing is : there are a lot of pages on the www that describe the "correct" procedure, step by step, some even with screenshots etc..
>> But they always leave something out, and you don't know what they left out..
>>
>>
>>> Felix
>>>>
>>>>
>>>>>
>>>>> ----------------------------------------
>>>>>> From: dmars...@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>>>>
>>>>>> It's possible I guess, although I would not expect that.
>>>>>>
>>>>>> The test is :-
>>>>>>
>>>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>>>>
>>>>>> Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.
>>>>>>
>>>>>> Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :-
>>>>>>
>>>>>> 1 :- Response WWW-Authenticate: "Negotiate"
>>>>>>
>>>>>> 2 :- Request Authorization: "Negotiate [base64 SPNEGO token omitted]"
>>>>>>
>>>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>>>>
>>>>>> 3 :- Request Authorization: "Negotiate [base64 SPNEGO token omitted]"
>>>>>>
>>>>>> Response WWW-Authenticate: "Negotiate"
>>>>>>
>>>>>> I'm not sure how long they should be, but they all end "=" so expect not truncated ?
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>>>>> To: users@tomcat.apache.org
>>>>>>>
>>>>>>> On 25 March 2015 17:25:25 CET, David Marsh <dmars...@outlook.com> wrote:
>>>>>>>> This is how the keytab was created :-
>>>>>>>>
>>>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
>>>>>>>>
>>>>>>>> The password is the correct password for the user tc01 associated with the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>>>
>>>>>>>> I managed to turn on some more logging around JAAS, see the error :- java.security.PrivilegedActionException: GSSException: Defective token detected
>>>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in between?
>>>>>>> Could the header be truncated?
>>>>>>>
>>>>>>> Felix
>>>>>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>>>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>>>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>>>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>>>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>>> >>> KeyTabInputStream, readName(): HTTP
>>>>>>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>>> >>> KeyTab: load() entry length: 78; type: 23
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>>>>>>>> Loaded from Java config
>>>>>>>> Added key: 23version: 3
>>>>>>>> >>> KdcAccessibility: reset
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> >>> KrbAsReq creating message
>>>>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>> >>> KrbKdcReq send: #bytes read=185
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>>
>>>>>>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>> >>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>> >>> KRBError:
>>>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>>>>>> suSec is 701709
>>>>>>>> error code is 25
>>>>>>>> error Message is Additional pre-authentication required
>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>>> eData provided.
>>>>>>>> msgType is 30
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>
>>>>>>>> >>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>>
>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>> >>> KrbAsReq creating message
>>>>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>> >>> KrbKdcReq send: #bytes read=100
>>>>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>> >>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>> >>> KrbKdcReq send: #bytes read=1475
>>>>>>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Will use keytab
>>>>>>>> Commit Succeeded
>>>>>>>>
>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>>>> KRBError:
>>>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>>>>>> suSec is 935731
>>>>>>>> error code is 25
>>>>>>>> error Message is Additional pre-authentication required
>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>>> eData provided.
>>>>>>>> msgType is 30
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Will use keytab
>>>>>>>> Commit Succeeded
>>>>>>>>
>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>>>>>>> krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>>>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>>>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>>>>>> ... 18 more
>>>>>>>>
>>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>>
>>>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, still same symptoms.
>>>>>>>>>>
>>>>>>>>>> Ran klist on client after firefox test and the three 401 responses.
>>>>>>>>>> :-
>>>>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>>>>
>>>>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>>>>
>>>>>>>>>> Cached Tickets: (2)
>>>>>>>>>>
>>>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>
>>>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>> Cache Flags: 0
>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>
>>>>>>>>>> Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>>>>
>>>>>>>>>> If I have a ticket, why do I get 401?
>>>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used by firefox for authentication. Firefox transmits this service ticket to the server (as base64 encoded in the WWW-Authenticate header).
>>>>>>>>>
>>>>>>>>> Your server has to decrypt this ticket using its own ticket to get at the user information. This is where your problems arise. It looks like your server has trouble getting its own ticket.
>>>>>>>>>
>>>>>>>>> Are you sure that the password you used for keytab generation (on the server side) is correct? ktpass will probably accept any input as a password. Maybe you can check the keytab by using kinit (though I don't know if it exists for windows, or how the java one is used).
>>>>>>>>>
>>>>>>>>> Felix
>>>>>>>>>
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>>>>> From: ma...@apache.org
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>>>>> Hi Felix,
>>>>>>>>>>>> Thanks for your help!
>>>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat; not sure the settings get picked up by the windows service?
>>>>>>>>>>>> I do not think authentication completes; certainly authorization does not, as I can't see the site and get 401 http status.
>>>>>>>>>>>> I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.
>>>>>>>>>>> I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.
>>>>>>>>>>>
>>>>>>>>>>> Mark
>>>>>>>>>>>
>>>>>>>>>>>> David
>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>>>>>>> Everything is as described and still not working, except the jaas.conf is :-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>     doNotPrompt=true
>>>>>>>>>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>     useKeyTab=true
>>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>     storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>     doNotPrompt=true
>>>>>>>>>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>     useKeyTab=true
>>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>     storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In other words the principal is the tomcat server, as it should be.
>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>>>>>>> Sorry, that's :-
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> under jaas.conf; it is set to the tomcat server DNS.
>>>>>>>>>>>>>>> Is it working with this configuration, or did you just want to point out that you copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Felix
>>>>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>>>>> From: dmars...@outlook.com
>>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same domain, kerbtest.local; they are logged in with domain logins.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>>     doNotPrompt=true
>>>>>>>>>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>     useKeyTab=true
>>>>>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>>     storeKey=true;
>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>>     doNotPrompt=true
>>>>>>>>>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>     useKeyTab=true
>>>>>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>>     storeKey=true;
>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>>>>>     kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
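The stack trace quoted above fails in sun.security.jgss.GSSHeader, i.e. while parsing the framing of the token the browser sent, before any key from the keytab is used: an RFC 2743 InitialContextToken must begin with the [APPLICATION 0] tag 0x60, a DER length and the mechanism OID, and a raw NTLMSSP message (base64 beginning TlRMTVNT) is one token shape that fails that check. The following is an added example, not code from this thread or from Tomcat, that decodes an Authorization header value and reports which framing it carries; the sample header values are constructed inline and their inner payloads are placeholders, not real tickets.

```python
import base64

# Mechanism OIDs in dotted form: SPNEGO (RFC 4178) and Kerberos V5 (RFC 4121).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
# Every NTLM message starts with this signature (MS-NLMP); it has no GSS framing.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def classify_negotiate_token(header_value):
    """Classify an Authorization header value: spnego, kerberos, ntlmssp, defective, ..."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return "defective"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlmssp"  # raw NTLM: no 0x60 tag, so a GSS-API acceptor rejects it
    try:
        if token[0] != 0x60:  # [APPLICATION 0] tag, RFC 2743 section 3.1
            return "defective"
        length, pos = _der_length(token, 1)
        if pos + length != len(token) or token[pos] != 0x06:  # OID tag must follow
            return "defective"
        oid_len, pos = _der_length(token, pos + 1)
        oid = _decode_oid(token[pos:pos + oid_len])
    except (IndexError, ValueError):
        return "defective"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "kerberos"
    return "unknown-mech:" + oid


def build_initial_context_token(oid_der, inner):
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner  # OID TLV then mech token
    if len(body) >= 0x80:
        raise ValueError("example only handles short-form DER lengths")
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample header values (hypothetical); inner payloads are placeholders.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    build_initial_context_token(bytes.fromhex("2b0601050502"), b"\xa0\x03\x02\x01\x00")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    build_initial_context_token(bytes.fromhex("2a864886f712010202"), b"\x01\x00")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
```

Run against the header a browser actually sends (for example from the Network tab mentioned in the thread) to see whether the acceptor is even being handed a GSS-framed token before looking at keytab or SPN problems.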