Still getting :- java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Folks here mention lack of NegoEx support or bugs in GSS-API ? http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1

Does Tomcat 8 work with NegoEx ? Are Windows 8.1 and Windows Server 2012 RC2 supported ?

Many thanks,
David

> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Thu, 26 Mar 2015 00:18:11 +0000
>
> With the correct keytab and krb5.ini I can get kinit to pass...
> Still cannot get SPNEGO in tomcat to work, have the same 401 three times.
>
> C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>> Kinit using keytab
> >>> Kinit keytab file name: c:\keytab\tomcat.keytab
> Java config name: c:\windows\krb5.ini
> Loaded from Java config
> >>> Kinit realm name is KERBTEST.LOCAL
> >>> Creating KrbAsReq
> >>> KrbKdcReq local addresses for win-tc01 are:
> win-tc01/192.168.0.3
> IPv4 address
> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> IPv6 address
> win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
> IPv6 address
> win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
> IPv6 address
> >>> KdcAccessibility: reset
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 1
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 3
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 23
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 94; type: 18
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 17
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=272
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=272
> >>> KrbKdcReq send: #bytes read=213
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
>
> >>>Pre-Authentication Data:
> PA-DATA type = 15
>
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> sTime is Thu Mar 26 00:10:28 GMT 2015 1427328628000
> suSec is 635591
> error code is 25
> error Message is Additional pre-authentication required
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
>
> >>>Pre-Authentication Data:
> PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=359
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=359
> >>> KrbKdcReq send: #bytes read=100
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=359
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=359
> >>>DEBUG: TCPClient reading 1653 bytes
> >>> KrbKdcReq send: #bytes read=1653
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
> New ticket is stored in cache file C:\Users\tc01.KERBTEST\krb5cc_tc01
>
>> From: dmars...@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Wed, 25 Mar 2015 22:26:22 +0000
>>
>> Turns out to use the Java kinit I need a krb5.conf inside the jdk/jre lib/security folder.
>>
>> Now I get :-
>>
>> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
>> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> >>> Kinit using keytab
>> >>> Kinit keytab file name: c:\keytab\tomcat.keytab
>> Java config name: null
>> LSA: Found Ticket
>> LSA: Made NewWeakGlobalRef
>> LSA: Found PrincipalName
>> LSA: Made NewWeakGlobalRef
>> LSA: Found DerValue
>> LSA: Made NewWeakGlobalRef
>> LSA: Found EncryptionKey
>> LSA: Made NewWeakGlobalRef
>> LSA: Found TicketFlags
>> LSA: Made NewWeakGlobalRef
>> LSA: Found KerberosTime
>> LSA: Made NewWeakGlobalRef
>> LSA: Found String
>> LSA: Made NewWeakGlobalRef
>> LSA: Found DerValue constructor
>> LSA: Found Ticket constructor
>> LSA: Found PrincipalName constructor
>> LSA: Found EncryptionKey constructor
>> LSA: Found TicketFlags constructor
>> LSA: Found KerberosTime constructor
>> LSA: Finished OnLoad processing
>> Native config name: C:\Windows\krb5.ini
>> Loaded from native config
>> >>> Kinit realm name is KERBTEST.LOCAL
>> >>> Creating KrbAsReq
>> >>> KrbKdcReq local addresses for win-tc01 are:
>>
>> win-tc01/192.168.0.3
>> IPv4 address
>>
>> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
>> IPv6 address
>> >>> KdcAccessibility: reset
>> >>> KeyTabInputStream, readName(): kerbtest.local
>> >>> KeyTabInputStream, readName(): HTTP
>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>> >>> KeyTab: load() entry length: 70; type: 1
>> >>> KeyTabInputStream, readName(): kerbtest.local
>> >>> KeyTabInputStream, readName(): HTTP
>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>> >>> KeyTab: load() entry length: 70; type: 3
>> >>> KeyTabInputStream, readName(): kerbtest.local
>> >>> KeyTabInputStream, readName(): HTTP
>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>> >>> KeyTab: load() entry length: 78; type: 23
>> >>> KeyTabInputStream, readName(): kerbtest.local
>> >>> KeyTabInputStream, readName(): HTTP
>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>> >>> KeyTab: load() entry length: 94; type: 18
>> >>> KeyTabInputStream, readName(): kerbtest.local
>> >>> KeyTabInputStream, readName(): HTTP
>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>> >>> KeyTab: load() entry length: 78; type: 17
>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> Added key: 17version: 5
>> Added key: 18version: 5
>> Added key: 23version: 5
>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> default etypes for default_tkt_enctypes: 23 18 17.
>> >>> KrbAsReq creating message
>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=216
>> >>> KrbKdcReq send: #bytes read=100
>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>> >>> KDCRep: init() encoding tag is 126 req type is 11
>> >>>KRBError:
>> sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
>> suSec is 681217
>> error code is 6
>> error Message is Client not found in Kerberos database
>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>> msgType is 30
>> Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
>> KrbException: Client not found in Kerberos database (6)
>> at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
>> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
>> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
>> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
>> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
>> Caused by: KrbException: Identifier doesn't match expected value (906)
>> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>> at sun.security.krb5.internal.ASRep.init(Unknown Source)
>> at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
>> ... 5 more
>>
>> ----------------------------------------
>>> From: dmars...@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>> Date: Wed, 25 Mar 2015 21:19:30 +0000
>>>
>>> Thanks for all the help guys, I managed to find the correct way to call kinit for Java on windows :-
>>>
>>> I get the following :-
>>>
>>> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pass
>>> >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
>>> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> >>> Kinit using keytab
>>> >>> Kinit keytab file name: c:\keytab\tomcat.keytab
>>> Java config name: null
>>> LSA: Found Ticket
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found PrincipalName
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found DerValue
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found EncryptionKey
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found TicketFlags
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found KerberosTime
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found String
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found DerValue constructor
>>> LSA: Found Ticket constructor
>>> LSA: Found PrincipalName constructor
>>> LSA: Found EncryptionKey constructor
>>> LSA: Found TicketFlags constructor
>>> LSA: Found KerberosTime constructor
>>> LSA: Finished OnLoad processing
>>> Native config name: C:\Windows\krb5.ini
>>> Loaded from native config
>>> >>> Kinit realm name is KERBTEST.LOCAL
>>> >>> Creating KrbAsReq
>>> >>> KrbKdcReq local addresses for win-tc01 are:
>>>
>>> win-tc01/192.168.0.3
>>> IPv4 address
>>>
>>> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
>>> IPv6 address
>>> >>> KdcAccessibility: reset
>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>> >>> KeyTabInputStream, readName(): HTTP
>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> >>> KeyTab: load() entry length: 70; type: 1
>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>> >>> KeyTabInputStream, readName(): HTTP
>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> >>> KeyTab: load() entry length: 70; type: 3
>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>> >>> KeyTabInputStream, readName(): HTTP
>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> >>> KeyTab: load() entry length: 78; type: 23
>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>> >>> KeyTabInputStream, readName(): HTTP
>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> >>> KeyTab: load() entry length: 94; type: 18
>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>> >>> KeyTabInputStream, readName(): HTTP
>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> >>> KeyTab: load() entry length: 78; type: 17
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>> >>> KrbAsReq creating message
>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> >>> KrbKdcReq send: #bytes read=213
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 2
>>> PA-ENC-TIMESTAMP
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 16
>>>
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 15
>>>
>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> >>> KDCRep: init() encoding tag is 126 req type is 11
>>> >>>KRBError:
>>> sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
>>> suSec is 382562
>>> error code is 25
>>> error Message is Additional pre-authentication required
>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>> eData provided.
>>> msgType is 30
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 2
>>> PA-ENC-TIMESTAMP
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 16
>>>
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 15
>>>
>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> >>> KrbAsReq creating message
>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=305
>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=305
>>> >>> KrbKdcReq send: #bytes read=180
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> >>> KDCRep: init() encoding tag is 126 req type is 11
>>> >>>KRBError:
>>> sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
>>> suSec is 600802
>>> error code is 24
>>> error Message is Pre-authentication information was invalid
>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>> eData provided.
>>> msgType is 30
>>> >>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>> Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
>>> KrbException: Pre-authentication information was invalid (24)
>>> at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
>>> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
>>> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
>>> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
>>> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>>> at sun.security.krb5.internal.ASRep.init(Unknown Source)
>>> at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
>>> ... 5 more
>>>
>>>> Date: Wed, 25 Mar 2015 22:00:13 +0100
>>>> From: a...@ice-sa.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> Felix Schumacher wrote:
>>>>> On 25.03.2015 at 20:19, André Warnier wrote:
>>>>>> David Marsh wrote:
>>>>>>> Java's version of kinit seems to report an issue ?
>>>>>>>
>>>>>>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>>>>>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
>>>>>>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>>>>>>> at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>>>>> at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>>>>> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>>>>> at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>>>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>>>>>
>>>>>> That seems to indicate that between the Java Kerberos module in Tomcat, and the KDC's Kerberos software, there is a mismatch in the types of keys used (type of encryption), so they do not understand each other.
>>>>>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>>>>>
>>>>>> It is also a bit strange that it says :
>>>>>> only have keys of following type:
>>>>>> (with nothing behind the :.. )
>>>>>>
>>>>>> From what I keep browsing on the WWW, it also seems that the types of key encryptions that might match between Java Kerberos and Windows Kerberos, depend on the versions of both Java and Windows Server..
>>>>>>
>>>>> +1 (read your answer too late, I found the same link and posted it :)
>>>>>> Man, this thing is really a nightmare, isn't it ?
>>>>> I especially like the error messages.
>>>>>
>>>> Yes, and the thing is : there are a lot of pages on the www that describe the "correct" procedure, step by step, some even with screenshots etc..
>>>> But they always leave something out, and you don't know what they left out..
>>>>
>>>>
>>>>> Felix
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> ----------------------------------------
>>>>>>>> From: dmars...@outlook.com
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>>>>>>
>>>>>>>> It's possible I guess, although I would not expect that.
>>>>>>>>
>>>>>>>> The test is :-
>>>>>>>>
>>>>>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>>>>>>
>>>>>>>> Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.
>>>>>>>>
>>>>>>>> Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :-
>>>>>>>>
>>>>>>>> 1 :- Response WWW-Authenticate: "Negotiate"
>>>>>>>>
>>>>>>>> 2 :- Request Authorization: "Negotiate [...]
>>>>>>>> HVkm
>>>>>>>> muJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4="
>>>>>>>>
>>>>>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>>>>>>
>>>>>>>> 3 :- Request Authorization: "Negotiate [...]
>>>>>>>> m+qh
>>>>>>>> PF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E="
>>>>>>>>
>>>>>>>> Response WWW-Authenticate: "Negotiate"
>>>>>>>>
>>>>>>>> I'm not sure how long they should be, but they all end "=" so expect not truncated ?
>>>>>>>>
>>>>>>>> ----------------------------------------
>>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>
>>>>>>>>> On 25 March 2015 17:25:25 CET, David Marsh wrote:
>>>>>>>>>> This is how the keytab was created :-
>>>>>>>>>>
>>>>>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
>>>>>>>>>>
>>>>>>>>>> The password is the correct password for the user tc01 associated with the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>>>>>
>>>>>>>>>> I managed to turn on some more logging around JAAS, see the error :- java.security.PrivilegedActionException: GSSException: Defective token detected
>>>>>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in between?
>>>>>>>>> Could the header be truncated?
>>>>>>>>>
>>>>>>>>> Felix
>>>>>>>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>>>>>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>>>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>>>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>>>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>>>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>>>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>>>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>>>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>>>>>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>>>>>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>>>>>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>>>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>>>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>>>>> >>> KeyTabInputStream, readName(): HTTP
>>>>>>>>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>>>>> >>> KeyTab: load() entry length: 78; type: 23
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>>>>>>>>>> Loaded from Java config
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> >>> KdcAccessibility: reset
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>>>> KrbAsReq creating message >>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>>>>>>>>> number of retries =3, &bytes= >>>>>>>>>> 164 >>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>>>>>>>>> timeout=30000,Attempt =1, &bytes=164 >>>>>>>>>>>>> KrbKdcReq send: &bytes read=185 >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 11 >>>>>>>>>> PA-ETYPE-INFO etype = 23, salt = >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 19 >>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 2 >>>>>>>>>> PA-ENC-TIMESTAMP >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 16 >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 15 >>>>>>>>>> >>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>>>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11 >>>>>>>>>>>>> KRBError: >>>>>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000 >>>>>>>>>> suSec is 701709 >>>>>>>>>> error code is 25 >>>>>>>>>> error Message is Additional pre-authentication required >>>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL >>>>>>>>>> eData provided. >>>>>>>>>> msgType is 30 >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 11 >>>>>>>>>> PA-ETYPE-INFO etype = 23, salt = >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 19 >>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 2 >>>>>>>>>> PA-ENC-TIMESTAMP >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 16 >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 15 >>>>>>>>>> >>>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ >>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17. 
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17. >>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>>>>>>>>>> KrbAsReq creating message >>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>>>>>>>>> number of retries =3, &bytes= >>>>>>>>>> 247 >>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>>>>>>>>> timeout=30000,Attempt =1, &bytes=247 >>>>>>>>>>>>> KrbKdcReq send: &bytes read=100 >>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, >>>>>>>>>> number of retries =3, &bytes= >>>>>>>>>> 247 >>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, >>>>>>>>>> timeout=30000,Attempt =1, &bytes=247 >>>>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes >>>>>>>>>>>>> KrbKdcReq send: &bytes read=1475 >>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local >>>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Will use keytab >>>>>>>>>> Commit Succeeded >>>>>>>>>> >>>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<>, >>>>>>>>>> sun.security.jgss.spnego.SpNegoCredElement) >>>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<>, >>>>>>>>>> sun.security.jgss.krb5.Krb5AcceptCredential) >>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for >>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for >>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Found ticket for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to >>>>>>>>>> krbtgt/KERBTEST.LOCAL@KERBTEST >>>>>>>>>> .LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015 >>>>>>>>>> [Krb5LoginModule]: Entering logout >>>>>>>>>> [Krb5LoginModule]: logged out Subject >>>>>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] >>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa >>>>>>>>>> se.invoke Failed authenticate() test >>>>>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa >>>>>>>>>> se.invoke Security checking request GET /manager/html >>>>>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]' >>>>>>>>>> against GET /html --> false >>>>>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>>>>>>>>> interface]' against GET /html --> fal >>>>>>>>>> se >>>>>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager >>>>>>>>>> interface (for scripts)]' against >>>>>>>>>> GET /html --> false >>>>>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager >>>>>>>>>> interface (for humans)]' against G >>>>>>>>>> ET /html --> true >>>>>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]' >>>>>>>>>> against GET /html --> false >>>>>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] >>>>>>>>>> 
org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>>>>>>>>> interface]' against GET /html --> fal >>>>>>>>>> se >>>>>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager >>>>>>>>>> interface (for scripts)]' against >>>>>>>>>> GET /html --> false >>>>>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC >>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager >>>>>>>>>> interface (for humans)]' against G >>>>>>>>>> ET /html --> true >>>>>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa >>>>>>>>>> se.invoke Calling hasUserDataPermission() >>>>>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.realm.RealmBase.hasUserDataPe >>>>>>>>>> rmission User data constraint has no restrictions >>>>>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa >>>>>>>>>> se.invoke Calling authenticate() >>>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true >>>>>>>>>> doNotPrompt true ticketCache is nul >>>>>>>>>> l isInitiator true KeyTab is C:/keytab/tomcat.keytab >>>>>>>>>> refreshKrb5Config >>>>>>>>>> is false principal is HTTP/wi >>>>>>>>>> n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false >>>>>>>>>> useFirstPass >>>>>>>>>> is false storePass is false >>>>>>>>>> clearPass is false >>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17. 
>>>>>>>>>>>>> KrbAsReq creating message >>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>>>>>>>>> number of retries =3, &bytes= >>>>>>>>>> 164 >>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>>>>>>>>> timeout=30000,Attempt =1, &bytes=164 >>>>>>>>>>>>> KrbKdcReq send: &bytes read=185 >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 11 >>>>>>>>>> PA-ETYPE-INFO etype = 23, salt = >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 19 >>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 2 >>>>>>>>>> PA-ENC-TIMESTAMP >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 16 >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 15 >>>>>>>>>> >>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>>>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11 >>>>>>>>>>>>> KRBError: >>>>>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000 >>>>>>>>>> suSec is 935731 >>>>>>>>>> error code is 25 >>>>>>>>>> error Message is Additional pre-authentication required >>>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL >>>>>>>>>> eData provided. >>>>>>>>>> msgType is 30 >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 11 >>>>>>>>>> PA-ETYPE-INFO etype = 23, salt = >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 19 >>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 2 >>>>>>>>>> PA-ENC-TIMESTAMP >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 16 >>>>>>>>>> >>>>>>>>>>>>> Pre-Authentication Data: >>>>>>>>>> PA-DATA type = 15 >>>>>>>>>> >>>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ >>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17. 
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17. >>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>>>>>>>>>> KrbAsReq creating message >>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>>>>>>>>> number of retries =3, &bytes= >>>>>>>>>> 247 >>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>>>>>>>>> timeout=30000,Attempt =1, &bytes=247 >>>>>>>>>>>>> KrbKdcReq send: &bytes read=100 >>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, >>>>>>>>>> number of retries =3, &bytes= >>>>>>>>>> 247 >>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, >>>>>>>>>> timeout=30000,Attempt =1, &bytes=247 >>>>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes >>>>>>>>>>>>> KrbKdcReq send: &bytes read=1475 >>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Added key: 23version: 3 >>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local >>>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Will use keytab >>>>>>>>>> Commit Succeeded >>>>>>>>>> >>>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<>, >>>>>>>>>> sun.security.jgss.spnego.SpNegoCredElement) >>>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<>, >>>>>>>>>> sun.security.jgss.krb5.Krb5AcceptCredential) >>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for >>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for >>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>>>>>>>>> Found ticket for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to >>>>>>>>>> krbtgt/KERBTEST.LOCAL@KERBTEST >>>>>>>>>> .LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015 >>>>>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] >>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthentic >>>>>>>>>> ator.authenticate Unable to login as the service principal >>>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective >>>>>>>>>> token >>>>>>>>>> detected (Mechanism level: G >>>>>>>>>> SSHeader did not find the right tag) >>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422) >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja >>>>>>>>>> >>>>>>>>>> va:243) >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108 >>>>>>>>>> >>>>>>>>>> 6) >>>>>>>>>> at >>>>>>>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav >>>>>>>>>> >>>>>>>>>> a:659) >>>>>>>>>> at >>>>>>>>>> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto >>>>>>>>>> >>>>>>>>>> col.java:223) >>>>>>>>>> at >>>>>>>>>> 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >>>>>>>>>> >>>>>>>>>> at java.lang.Thread.run(Thread.java:745) >>>>>>>>>> Caused by: GSSException: Defective token detected (Mechanism level: >>>>>>>>>> GSSHeader did not find the right >>>>>>>>>> tag) >>>>>>>>>> at sun.security.jgss.GSSHeader.(GSSHeader.java:97) >>>>>>>>>> at >>>>>>>>>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) >>>>>>>>>> >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato >>>>>>>>>> >>>>>>>>>> r.java:336) >>>>>>>>>> at >>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato >>>>>>>>>> >>>>>>>>>> r.java:323) >>>>>>>>>> ... 
18 more
>>>>>>>>>>
>>>>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Failed authenticate() test
>>>>>>>>>>
>>>>>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>>>>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>>>>>>>>
>>>>>>>>>>>> Ran klist on client after firefox test and the three 401 responses.
>>>>>>>>>> :-
>>>>>>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>>>>>>
>>>>>>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>>>>>>
>>>>>>>>>>>> Cached Tickets: (2)
>>>>>>>>>>>>
>>>>>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>>>
>>>>>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>>>> Cache Flags: 0
>>>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>>>
>>>>>>>>>>>> Looks like I was granted a ticket for the SPN
>>>>>>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>>>>>>
>>>>>>>>>>>> If I have a ticket, why do I get a 401?
>>>>>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>>>>>>>> by firefox for authentication. Firefox transmits
>>>>>>>>>>> this service ticket to the server (as base64 encoded in the
>>>>>>>>>>> WWW-Authenticate header).
>>>>>>>>>>>
>>>>>>>>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>>>>>>>>> the user information. This is where your problems arise.
>>>>>>>>>>> It looks like your server has trouble getting its own ticket.
>>>>>>>>>>>
>>>>>>>>>>> Are you sure that the password you used for keytab generation (on the
>>>>>>>>>>> server side) is correct? ktpass will probably accept
>>>>>>>>>>> any input as a password. Maybe you can check the keytab by using kinit
>>>>>>>>>>> (though I don't know if it exists for windows, or how
>>>>>>>>>>> the java one is used).
>>>>>>>>>>>
>>>>>>>>>>> Felix
>>>>>>>>>>>
>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>>>>>>> From: ma...@apache.org
>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>>>>>>> Hi Felix,
>>>>>>>>>>>>>> Thanks for your help!
>>>>>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>>>>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>>>>>>>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>>>>>>>>>>> windows service ?
>>>>>>>>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>>>>>>>>> not as I can't see the site and get 401 http status.
>>>>>>>>>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>>>>>>>>>> manager-gui group in Active Directory.
>>>>>>>>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>>>>>>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>>>>>>>>>>> will handle those. It might be fine. It might not be.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mark
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> David
>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>>>>>>>>> Sorry, that's :-
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>>>>>>>> Is it working with this configuration, or just to point out that you
>>>>>>>>>>>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Felix
>>>>>>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>>>>>>> From: dmars...@outlook.com
>>>>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>>>>>>>>>> Directory.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>>>>>>>>>> times.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
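The "Defective token detected (GSSHeader did not find the right tag)" failure quoted above is raised while the JGSS acceptor parses the client's token, before any Kerberos processing of that token: it first checks that the bytes in the Authorization: Negotiate header are an RFC 2743 InitialContextToken (tag 0x60, DER length, mechanism OID), and a raw NTLM message sent under the Negotiate scheme is one common way to fail that check. As an added diagnostic, not part of the thread or of Tomcat, the Python below decodes such a header and reports whether it is GSS-framed, which mechanism OID it carries and, for SPNEGO, which mechTypes the client offered. The two sample headers, the `_tlv` builder and the 2-byte placeholder mechToken are constructed here and are not captured traffic.

```python
"""Classify the token in an "Authorization: Negotiate <base64>" request header.

Added diagnostic, not from the thread or from Tomcat. The JGSS acceptor expects
the RFC 2743 framing (APPLICATION 0 tag 0x60, DER length, mechanism OID) and
rejects anything else with "GSSHeader did not find the right tag".
"""
import base64

# Well-known GSS-API mechanism OIDs in dotted form.
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):
    """Turn OID content octets (base-128 arcs) into dotted notation."""
    if not body:
        raise ValueError("empty OID")
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)

def _read_oid(buf, pos):
    """Read a DER OBJECT IDENTIFIER at buf[pos]; return (dotted OID, next position)."""
    if pos >= len(buf) or buf[pos] != 0x06:
        raise ValueError("expected OID tag 0x06 at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    return _decode_oid(buf[pos:pos + length]), pos + length

def _skip_header(buf, pos, tag):
    """Check the tag at buf[pos] and step over its length; return (length, content offset)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d" % (tag, pos))
    return _der_length(buf, pos + 1)

def _spnego_mech_types(inner):
    """List the mechTypes a NegTokenInit offers: [0] SEQUENCE { [0] SEQUENCE OF OID ... }."""
    if not inner or inner[0] != 0xA0:
        return []  # a NegTokenResp ([1]) carries no mechTypes list
    _, pos = _skip_header(inner, 0, 0xA0)
    _, pos = _skip_header(inner, pos, 0x30)
    _, pos = _skip_header(inner, pos, 0xA0)
    length, pos = _skip_header(inner, pos, 0x30)
    end, mechs = pos + length, []
    while pos < end:
        oid, pos = _read_oid(inner, pos)
        mechs.append(MECH_NAMES.get(oid, oid))
    return mechs

def classify_negotiate_token(header_value):
    """Describe what the client actually put in the Authorization header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    token = base64.b64decode(blob)
    if not token:
        return {"kind": "empty", "gss_framed": False}
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM has no GSS framing, so the acceptor never sees a 0x60 tag.
        msg_type = token[8] if len(token) > 8 else None
        return {"kind": "ntlm", "gss_framed": False, "message_type": msg_type}
    if token[0] != 0x60:
        return {"kind": "unknown", "gss_framed": False, "first_byte": token[0]}
    length, pos = _der_length(token, 1)
    end = pos + length
    oid, pos = _read_oid(token, pos)
    result = {"kind": "gss", "gss_framed": True, "mech": MECH_NAMES.get(oid, oid)}
    if oid == "1.3.6.1.5.5.2":
        result["mech_types"] = _spnego_mech_types(token[pos:end])
    return result

def _tlv(tag, body):
    """Tiny DER TLV builder for the constructed samples (short-form lengths only)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# DER-encoded OIDs used only to build the constructed samples below.
OID_SPNEGO = bytes.fromhex("06062b0601050502")
OID_MSKRB5 = bytes.fromhex("06092a864882f712010202")
OID_KRB5 = bytes.fromhex("06092a864886f712010202")
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")

# Constructed sample 1: a SPNEGO NegTokenInit like one a Kerberos-enabled browser sends;
# the mechToken is a 2-byte placeholder since the AP-REQ is irrelevant to the framing.
_neg_init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, OID_MSKRB5 + OID_KRB5 + OID_NTLM))
               + _tlv(0xA2, _tlv(0x04, b"\xde\xad")))
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _neg_init))).decode()

# Constructed sample 2: a raw NTLM NEGOTIATE_MESSAGE (type 1) under the Negotiate scheme.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2").decode()

if __name__ == "__main__":
    for sample in (SAMPLE_SPNEGO, SAMPLE_NTLM):
        print(classify_negotiate_token(sample))
```

Run against a header copied from the browser's developer tools: a result with `"gss_framed": False` means the token never reached the Kerberos layer, while a SPNEGO result whose mech_types list omits both Kerberos OIDs means the client had no usable ticket to offer.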