On 21.09.2014 at 20:41, Mark Thomas wrote:
On 21/09/2014 14:05, Felix Schumacher wrote:
Hi Mark,

On 18.09.2014 at 01:40, ma...@apache.org wrote:
Author: markt
Date: Wed Sep 17 23:40:48 2014
New Revision: 1625854

URL: http://svn.apache.org/r1625854
Log:
After double-checking SPN to domain user is a one to one mapping

Modified:
      tomcat/trunk/webapps/docs/windows-auth-howto.xml

Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff

==============================================================================

--- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
+++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17
23:40:48 2014
@@ -64,9 +64,7 @@ debug logs in this case.</li>
   intranet.</li>
   <li>The SPN does not have to start with HTTP but the SPN must be the
same in all
   the files it is used.</li>
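Review bot: The list item "The SPN does not have to start with HTTP" states the relaxation without saying under which conditions it holds or how it was verified; consider naming the clients it was tested with or pointing to a reference, so readers know when a non-HTTP service class can be expected to work. The same item also needs a wording fix: "in all the files it is used" should read "in all the files where it is used".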
I thought that the browser would always prepend HTTP/ to the hostname to which it connects. That is what I read from the last paragraph in 4.1 of RFC 4559.

Can you tell me where you got the information that it could be anything?
I tested it.
How did you test it?

It didn't work for me.

I set up my Kerberos server (ApacheDS running on kerberos.example.com:60088) and inserted an object with an SPN XYZ/www.example.com.
Then I created a keytab with only one entry, namely XYZ/www.example.com.
After that I edited jaas.conf and krb5.ini (both in $CATALINA_BASE/conf) to use XYZ/www.example.com instead of HTTP/www.example.com and changed the keytab entries to the new keytab. Then I started JMeter to make a request to a secured page and... it didn't authenticate.

Before that, I tested the setup with HTTP/www.example.com and it did work. After the failed test, I changed the entries back to HTTP/www.example.com and the original keytab and it worked again.

Regards
 Felix

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
