On 22/09/2014 20:44, Felix Schumacher wrote:
>
>
> On 22. September 2014 21:12:39 MESZ, Mark Thomas <ma...@apache.org> wrote:
>> On 22/09/2014 18:07, Felix Schumacher wrote:
>>> On 21.09.2014 at 20:41, Mark Thomas wrote:
>>>> On 21/09/2014 14:05, Felix Schumacher wrote:
>>>>> Hi Mark,
>>>>>
>>>>> On 18.09.2014 at 01:40, ma...@apache.org wrote:
>>>>>> Author: markt
>>>>>> Date: Wed Sep 17 23:40:48 2014
>>>>>> New Revision: 1625854
>>>>>>
>>>>>> URL: http://svn.apache.org/r1625854
>>>>>> Log:
>>>>>> After double-checking SPN to domain user is a one to one mapping
>>>>>>
>>>>>> Modified:
>>>>>>     tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>>>
>>>>>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>>> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>>>>> ==============================================================================
>>>>>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>>>>>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17 23:40:48 2014
>>>>>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>>>>>>      intranet.</li>
>>>>>>      <li>The SPN does not have to start with HTTP but the SPN must be the
>>>>>>      same in all
>>>>>>      the files it is used.</li>
>>>>> I thought that the browser will always prepend HTTP/ to the hostname
>>>>> to which it connects. That is what I read from the last paragraph in 4.1 of
>>>>> RFC 4559.
>>>>>
>>>>> Can you tell me where you got the information that it could be
>>>>> anything?
>>>> I tested it.
>>> How did you test it?
>>
>> By following the instructions at:
>> http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
>>
>> but replacing "HTTP/win-tc01.dev.local" first with
>> "HTTPA/win-tc01.dev.local" and then with "XYZ/win-tc01.dev.local"
>>
>> It worked in all cases.
> Which client did you use?
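Review bot: the replacement sentence in the hunk ("The SPN does not have to start with HTTP but the SPN must be the same in all the files it is used") states the relaxation unconditionally, while the only evidence for it in this thread is a test with one client against Windows AD, and the reply cites RFC 4559 section 4.1, under which the client requests a ticket for HTTP/<hostname> before the server has told it anything about its SPN. Suggest qualifying the sentence rather than dropping the HTTP/ prefix as a recommendation, e.g. "The SPN does not have to start with HTTP when authenticating against Windows AD, but clients following RFC 4559 request HTTP/<hostname>; whichever SPN is used must be the same in all the files it appears in", and fixing "all the files it is used" to "all the files in which it is used".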
Internet explorer.

>>> It didn't work for me.
>>
>> Given my tests are using Windows AD and your test wasn't that isn't a
>> huge surprise.
>
> It should work the same.

In an ideal world, yes. But this is Microsoft software...

>>> I set up my kerberos server (apacheds running on
>>> kerberos.example.com:60088) and inserted an object with a SPN
>>> XYZ/www.example.com.
>>> Then I created a keytab with only one entry, namely XYZ/www.example.com.
>>> After that I edited jaas.conf and krb5.ini (both in $CATALINA_BASE/conf)
>>> to use XYZ/www.example.com instead of HTTP/www.example.com and changed
>>> the keytab entries to the new keytab.
>>> Now I started jmeter to do a request to a secured page and... it didn't
>>> authenticate.
>>>
>>> Before that, I tested the setup with HTTP/www.example.com and it did work.
>>> After the failed test, I changed the entries back to
>>> HTTP/www.example.com and the original keytab and it worked again.
>>
>> I'd double check you got all those changes right but I am not entirely
>> surprised.
>>
>> If you confirm your results that this doesn't work with apache DS then
>> I'll update the docs with some suitable words.
>
> I am still wondering how it should work with anything other than HTTP/...
> since the client is requesting a ticket for HTTP/... before it is getting any
> information about the spn from the server and the server should be able to
> decrypt the service ticket with an appropriate spn ticket only.

Is it though? I wonder. If I get a few minutes, I'll fire the VMs back up
and start up Wireshark to see exactly what is going on.

> Starting the server with any ticket will work of course. The fun starts when
> requests arrive.
>
> But if it works for you, I will not say anything more on this.

ACK.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
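The disagreement in the thread is about which service principal the server can actually decrypt tickets for: the docs say any SPN works if it is the same in all files, while the RFC 4559 reading is that the browser always requests a ticket for HTTP/<hostname>. A defender can at least check the second condition mechanically by reading the keytab Tomcat is pointed at. The following is an added example, not Tomcat code or code from either participant: it parses the MIT keytab format (version 0x0502) and reports whether the keytab contains the HTTP/<hostname> principal a browser will ask for, and whether it contains the principal named in jaas.conf. The sample keytab is constructed in memory by build_keytab() with dummy keys; the realm EXAMPLE.COM and the principal strings mirror the setup described in the thread and are assumptions.

```python
"""Check a keytab against the SPN a SPNEGO client will request (added example)."""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_VERSION = 0x0502       # MIT keytab "version 2": all integers are big-endian
KRB5_NT_PRINCIPAL = 1         # name types stored in each keytab entry
KRB5_NT_SRV_HST = 3
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


@dataclass
class KeytabEntry:
    principal: str            # e.g. "HTTP/www.example.com@EXAMPLE.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes, off: int):
    """Read a counted_octet_string (uint16 length + bytes); return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def _counted_bytes(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk the entry list; a negative size marks a deleted slot and is skipped."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                          # hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                    # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_keytab(principals, enctype=ENCTYPE_AES256_CTS_HMAC_SHA1_96, kvno=2) -> bytes:
    """Construct a keytab for testing; the 32-byte keys are dummies, not secrets."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for princ in principals:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        name_type = KRB5_NT_SRV_HST if len(comps) > 1 else KRB5_NT_PRINCIPAL
        body = struct.pack(">H", len(comps)) + _counted_bytes(realm.encode())
        body += b"".join(_counted_bytes(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)      # timestamp 0: constructed
        body += struct.pack(">H", enctype) + _counted_bytes(bytes([len(princ) % 256]) * 32)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def audit_spnego_keytab(keytab: bytes, hostname: str, realm: str, configured_principal: str) -> dict:
    """Report whether the keytab holds HTTP/<hostname> (the ticket an RFC 4559 client
    requests) and the principal that jaas.conf names (needed for the server login)."""
    present = {e.principal for e in parse_keytab(keytab)}
    browser_spn = f"HTTP/{hostname}@{realm}"
    return {
        "browser_spn": browser_spn,
        "browser_spn_present": browser_spn in present,
        "configured_principal_present": configured_principal in present,
        "principals": sorted(present),
    }


if __name__ == "__main__":
    # The failing setup from the thread: only XYZ/www.example.com in the keytab.
    kt = build_keytab(["XYZ/www.example.com@EXAMPLE.COM"])
    print(audit_spnego_keytab(kt, "www.example.com", "EXAMPLE.COM",
                              "XYZ/www.example.com@EXAMPLE.COM"))
```

Run against a real keytab with `open(path, "rb").read()`; a result with `configured_principal_present` true but `browser_spn_present` false is exactly the state Felix describes (server starts, requests fail), at least for clients that follow RFC 4559.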