On 22/09/2014 18:07, Felix Schumacher wrote:
> On 21.09.2014 at 20:41, Mark Thomas wrote:
>> On 21/09/2014 14:05, Felix Schumacher wrote:
>>> Hi Mark,
>>>
>>> On 18.09.2014 at 01:40, ma...@apache.org wrote:
>>>> Author: markt
>>>> Date: Wed Sep 17 23:40:48 2014
>>>> New Revision: 1625854
>>>>
>>>> URL: http://svn.apache.org/r1625854
>>>> Log:
>>>> After double-checking SPN to domain user is a one to one mapping
>>>>
>>>> Modified:
>>>> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>
>>>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>>> ==============================================================================
>>>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>>>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17 23:40:48 2014
>>>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>>>> intranet.</li>
>>>> <li>The SPN does not have to start with HTTP but the SPN must be the same in all
>>>> the files it is used.</li>
>>> I thought that the browser will always prepend HTTP/ to the hostname
>>> to which it connects. That is what I read from the last paragraph in 4.1 of
>>> RFC 4559.
>>>
>>> Can you tell me where you got the information that it could be
>>> anything?
>> I tested it.
> How did you test it?
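Review bot: the new sentence "The SPN does not have to start with HTTP" in the hunk at @@ -64,9 +64,7 @@ is stated unconditionally, but the replies below show it has only been verified against Windows AD, Felix's ApacheDS setup with XYZ/www.example.com did not authenticate, and he cites RFC 4559 section 4.1, under which the browser requests a ticket for HTTP/<hostname>. Suggest qualifying it, for example "With Active Directory the SPN does not have to start with HTTP, but other KDCs may require it; in every case the SPN must be the same in all the files in which it is used." That also fixes the grammar of "the same in all the files it is used" (missing "in which").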
By following the instructions at:
http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
but replacing "HTTP/win-tc01.dev.local" first with "HTTPA/win-tc01.dev.local"
and then with "XYZ/win-tc01.dev.local". It worked in all cases.

> It didn't work for me.

Given my tests are using Windows AD and your test wasn't, that isn't a huge
surprise.

> I set up my kerberos server (apacheds running on
> kerberos.example.com:60088) and inserted an object with a SPN
> XYZ/www.example.com.
> Then I created a keytab with only one entry, namely XYZ/www.example.com.
> After that I edited jaas.conf and krb5.ini (both in $CATALINA_BASE/conf)
> to use XYZ/www.example.com instead of HTTP/www.example.com and changed
> the keytab entries to the new keytab.
> Now I started jmeter to do a request to a secured page and... it didn't
> authenticate.
>
> Before that, I tested the setup with HTTP/www.example.com and it did work.
> After the failed test, I changed the entries back to
> HTTP/www.example.com and the original keytab and it worked again.

I'd double check you got all those changes right, but I am not entirely
surprised. If you confirm your results that this doesn't work with Apache DS
then I'll update the docs with some suitable words.

Mark
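The thread turns on two things a practitioner would want to check before debugging a failed SPNEGO login: that the principal named in jaas.conf actually has an entry in the keytab Tomcat is pointed at, and that its service part is the HTTP/<hostname> form a browser asks the KDC for under RFC 4559 section 4.1 (Felix's XYZ/www.example.com case). The script below is an added example written for this page; it is not Tomcat's code or anything either poster ran. The jaas.conf fragment, the hostname www.example.com, the realm EXAMPLE.COM and the keytab it builds are all constructed here. The keytab parser follows the MIT keytab file format (version 0x0502), which is what ktpass, ktutil and Java's Krb5LoginModule read, so it can be pointed at a real file too. Mark's AD tests show the second finding is a warning, not a hard failure, when the KDC is Active Directory.

```python
"""Check that the SPN in jaas.conf has a keytab entry and is HTTP/<host>.

Sample inputs are constructed for this example, not taken from the thread.
"""
import re
import struct

# Constructed jaas.conf fragment in the shape the Tomcat how-to uses.
JAAS_CONF = '''
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/www.example.com@EXAMPLE.COM"
    useKeyTab=true
    keyTab="/opt/tomcat/conf/tomcat.keytab"
    storeKey=true;
};
'''

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab format version 2


def build_keytab(entries):
    """Build an MIT-format keytab from (principal, kvno, enctype, key) tuples.

    Only used to construct sample input here. Integers are big-endian as the
    format requires; the trailing 32-bit kvno is the optional field newer
    tools write after the keyblock.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name type: NT-PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (irrelevant here)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def keytab_principals(data):
    """Return the principal names stored in an MIT-format keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab format version")
    pos, names = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        names.append("/".join(comps) + "@" + realm)
        pos = end                    # skip name type, timestamp, kvno, key
    return names


def jaas_principal(text):
    """Extract the principal="..." value from a jaas.conf login entry."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', text)
    if not m:
        raise ValueError("no principal= setting found in jaas.conf")
    return m.group(1)


def check_spn(jaas_text, keytab_bytes, host):
    """Return a list of findings; an empty list means the SPN is consistent."""
    findings = []
    principal = jaas_principal(jaas_text)
    spn = principal.split("@", 1)[0]
    in_keytab = keytab_principals(keytab_bytes)
    if principal not in in_keytab:
        findings.append(
            f"jaas.conf principal {principal} has no keytab entry "
            f"(keytab contains: {', '.join(in_keytab) or 'nothing'})")
    expected = f"HTTP/{host}"
    if spn != expected:   # the name a browser requests per RFC 4559 s4.1
        findings.append(
            f"SPN {spn} is not the {expected} a browser requests per RFC 4559")
    return findings


if __name__ == "__main__":
    key = bytes(range(16))                 # constructed aes128 key material
    good = build_keytab([("HTTP/www.example.com@EXAMPLE.COM", 2, 17, key)])
    xyz = build_keytab([("XYZ/www.example.com@EXAMPLE.COM", 2, 17, key)])
    print(check_spn(JAAS_CONF, good, "www.example.com"))   # []
    print(check_spn(JAAS_CONF.replace("HTTP/", "XYZ/"), xyz, "www.example.com"))
```

To run it against a real deployment, read $CATALINA_BASE/conf/jaas.conf and the keytab file named in its keyTab= setting and pass the hostname the browser actually connects to (the one in the URL, not a CNAME target). The first finding is a hard error with any KDC; the second reproduces Felix's ApacheDS result and, per Mark's tests, is only a warning against Active Directory.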