On 22/09/2014 20:48, Mark Thomas wrote:
> On 22/09/2014 20:44, Felix Schumacher wrote:
<snip/>
>> I am still wondering how it should work with anything other than HTTP/...
>> since the client is requesting a ticket for HTTP/... before it is getting
>> any information about the spn from the server and the server should be able
>> to decrypt the service ticket with an appropriate spn ticket only.
>
> Is it though? I wonder. If I get a few minutes, I'll fire the VMs back
> up and start up Wireshark to see exactly what is going on.
>
>> Starting the server with any ticket will work of course. The fun starts,
>> when requests arrive.
>>
>> But if it works for you, I will not say anything more on this.
>
> ACK.

Interesting...

The more I dig into this, the more I wish I hadn't. Trying to figure out what is actually going on based on observed behaviour is non-trivial to say the least.

It appears that the domain user has to have the "correct" SPN set, i.e. "HTTP/fqdn".

The SPN used in the keytab file and the jaas.conf have to agree with each other but they do not have to be the same as the SPN associated with the domain user. There are obvious advantages (for figuring out what on earth is going on) if they are the same. I don't think I am even going to document this possibility.

The reason this appeared to be working before was that I had multiple SPNs set on the domain user and didn't realise.

As I have the VMs up and running I'll answer a few more of the questions on the Windows auth page and then update it.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
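The keytab/jaas.conf agreement Mark describes is the one part of this that can be checked offline before a single SPNEGO request arrives. The script below is an added example, not code from the thread or from Tomcat: it parses a Tomcat-style jaas.conf accept entry and the output of `klist -k -t`, and reports whether the principal Tomcat will log in as is actually present in the keytab. Hostname, realm, keytab path and the sample klist output are constructed placeholders.

```python
import re

# Constructed sample: a Tomcat-style jaas.conf holding the entry the SPNEGO
# authenticator logs in with.  Hostname and realm are placeholders.
JAAS_CONF = '''
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tomcat.example.com@EXAMPLE.COM"
    useKeyTab=true
    keyTab="/usr/local/tomcat/conf/tomcat.keytab"
    storeKey=true;
};
'''

# Constructed sample: what `klist -k -t /usr/local/tomcat/conf/tomcat.keytab`
# prints for a keytab that holds the matching service principal.
KLIST_OUTPUT = '''
Keytab name: FILE:/usr/local/tomcat/conf/tomcat.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 09/22/2014 20:48:00 HTTP/tomcat.example.com@EXAMPLE.COM
'''


def jaas_principals(conf_text):
    """Map each JAAS entry name to the principal="..." it declares."""
    result = {}
    for m in re.finditer(r'(\S+)\s*\{(.*?)\};', conf_text, re.S):
        name, body = m.group(1), m.group(2)
        p = re.search(r'principal\s*=\s*"([^"]+)"', body)
        if p:
            result[name] = p.group(1)
    return result


def keytab_principals(klist_text):
    """Collect principals from `klist -k -t` rows (KVNO, date, time, principal)."""
    principals = set()
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            principals.add(parts[3])
    return principals


def check_spn_agreement(conf_text, klist_text,
                        entry="com.sun.security.jgss.krb5.accept"):
    """True only if the accept entry's principal has a key in the keytab."""
    principal = jaas_principals(conf_text).get(entry)
    return principal is not None and principal in keytab_principals(klist_text)
```

This covers only the two server-side files; the SPN registered on the domain user itself (the one the client actually requests a ticket for) still has to be read from AD, for example with `setspn -L <account>`.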