On 22. September 2014 21:12:39 MESZ, Mark Thomas <ma...@apache.org> wrote:
>On 22/09/2014 18:07, Felix Schumacher wrote:
>> On 21.09.2014 at 20:41, Mark Thomas wrote:
>>> On 21/09/2014 14:05, Felix Schumacher wrote:
>>>> Hi Mark,
>>>>
>>>> On 18.09.2014 at 01:40, ma...@apache.org wrote:
>>>>> Author: markt
>>>>> Date: Wed Sep 17 23:40:48 2014
>>>>> New Revision: 1625854
>>>>>
>>>>> URL: http://svn.apache.org/r1625854
>>>>> Log:
>>>>> After double-checking SPN to domain user is a one to one mapping
>>>>>
>>>>> Modified:
>>>>> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>>
>>>>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>> URL:
>>>>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>>>> ==============================================================================
>>>>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>>>>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17 23:40:48 2014
>>>>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>>>>> intranet.</li>
>>>>> <li>The SPN does not have to start with HTTP but the SPN must be the
>>>>> same in all
>>>>> the files it is used.</li>
>>>> I thought that the browser will always prepend HTTP/ to the hostname
>>>> to which it connects. That is what I read from the last paragraph in 4.1 of
>>>> RFC 4559.
>>>>
>>>> Can you tell me where you got the information that it could be
>>>> anything?
>>> I tested it.
>> How did you test it?
>
>By following the instructions at:
>http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
>
>but replacing "HTTP/win-tc01.dev.local" first with
>"HTTPA/win-tc01.dev.local" and then with "XYZ/win-tc01.dev.local"
>
>It worked in all cases.

Which client did you use?
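Review bot: the new list item drops the requirement that the SPN start with HTTP without saying what that relies on; the log message only states "SPN to domain user is a one to one mapping", and the reply below points to RFC 4559 section 4.1, under which the browser asks for a ticket for HTTP/<hostname> before it has learned anything from the server. Suggest the item state the scope that was actually verified (the built-in support, tested against Windows AD) and keep a note that the client-derived service name is HTTP/<hostname>, rather than the unqualified "does not have to start with HTTP". Two smaller points on the same lines: "the same in all the files it is used" reads better as "the same in all the files in which it is used", and the stray line break after "same in all" should go.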
>> It didn't work for me.
>
>Given my tests are using Windows AD and your test wasn't that isn't a
>huge surprise.

It should work the same.

>> I set up my kerberos server (apacheds running on
>> kerberos.example.com:60088) and inserted an object with a SPN
>> XYZ/www.example.com.
>> Then I created a keytab with only one entry, namely XYZ/www.example.com.
>> After that I edited jaas.conf and krb5.ini (both in $CATALINA_BASE/conf)
>> to use XYZ/www.example.com instead of HTTP/www.example.com and changed
>> the keytab entries to the new keytab.
>> Now I started jmeter to do a request to a secured page and... it didn't
>> authenticate.
>>
>> Before that I tested the setup with HTTP/www.example.com and it did work.
>> After the failed test, I changed the entries back to
>> HTTP/www.example.com and the original keytab and it worked again.
>
>I'd double check you got all those changes right but I am not entirely
>surprised.
>
>If you confirm your results that this doesn't work with apache DS then
>I'll update the docs with some suitable words.

I am still wondering how it should work with anything other than HTTP/..., since the client is requesting a ticket for HTTP/... before it gets any information about the SPN from the server, and the server should be able to decrypt the service ticket only with a key for the appropriate SPN. Starting the server with any ticket will work, of course. The fun starts when requests arrive.

But if it works for you, I will not say anything more on this.

Felix

>
>Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
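The thread turns on two separate checks: that the principal named in jaas.conf is the one actually present in the keytab (the consistency the changed doc line asks for), and whether that principal is the HTTP/<hostname> service name a browser derives under RFC 4559 section 4.1 (Felix's objection). The Python below is an added example, not code from Tomcat or from anyone in the thread. It writes and reads the MIT keytab format (version 0x0502) so the check can run offline, and cross-checks a constructed jaas.conf against a constructed keytab. The realm EXAMPLE.COM, the zeroed key bytes, the kvno values and the keyTab path are made up for the sample; the JAAS section is modelled on a typical Krb5LoginModule acceptor entry and is constructed here, not copied from the howto.

```python
import re
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1  # RFC 4120 name type used for service principals in keytabs


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/www.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int     # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96
    key: bytes


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # component count (realm not counted in v2)
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                                  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Decode every live entry of a version 0x0502 keytab (a negative size marks a deleted slot)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                      # a non-zero 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        off = end
    return entries


def check_spnego_config(jaas_text, keytab_bytes, hostname):
    """Cross-check the JAAS acceptor principal against the keytab and against the
    HTTP/<hostname> service name a browser derives (RFC 4559 section 4.1)."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', jaas_text)
    principal = m.group(1) if m else None
    in_keytab = {e.principal for e in parse_keytab(keytab_bytes)}
    http_spn = "HTTP/" + hostname
    return {
        "jaas_principal": principal,
        "principal_in_keytab": principal in in_keytab,
        "jaas_principal_is_http_spn": principal is not None and principal.split("@")[0] == http_spn,
        "keytab_has_http_spn": any(p.split("@")[0] == http_spn for p in in_keytab),
    }


# Constructed sample reproducing the failing setup from the thread: a single XYZ/ entry
# in both files (hypothetical realm, key bytes and path).
SAMPLE_JAAS = '''com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="XYZ/www.example.com@EXAMPLE.COM"
    useKeyTab=true
    keyTab="conf/tomcat.keytab"
    storeKey=true;
};'''
SAMPLE_KEYTAB = build_keytab([("XYZ/www.example.com@EXAMPLE.COM", 2, 18, bytes(32))])

if __name__ == "__main__":
    for k, v in check_spnego_config(SAMPLE_JAAS, SAMPLE_KEYTAB, "www.example.com").items():
        print("%-28s %s" % (k, v))
```

Run against the sample, `principal_in_keytab` is True while `keytab_has_http_spn` is False: the two files agree with each other, which satisfies the doc line, yet the server holds no key under the HTTP/www.example.com name the client will ask the KDC for, which is the situation Felix describes. Pointing `parse_keytab` at a real keytab (read the file in binary mode) lists exactly which service names and key versions the server can accept tickets for, without touching the keys themselves.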