Re: Kerberos authentication issue

[Sebastiaan van Erk]

Hi,

I guess it's useful to have the wire log as well, so I just attached it.

Regards,
Sebastiaan

Sebastiaan van Erk wrote:

Hi,

I'm trying to use the new Kerberos authentication in httpclient-4.1-alpha1. To start of, I'm simply running the example kerberos authentication program for the url "http://tunneltest.servoy.com/private"; (this is an internal test url, so it does not work from the internet). I tested the test url with Firefox with Kerberos authentication and it works fine, but with httpclient I'm seeing 2 things I don't understand:

2) The ticket request fails with the error:












Thanks in advance,
Sebastiaan

login.conf
------8<------
com.sun.security.jgss.initiate {

};

com.sun.security.jgss.accept {

};
------8<------

krb5.conf
------8<------
[libdefaults]
        default_realm = SERVOY.COM

[realms]
        SERVOY.COM = {
                kdc = tunneltest.servoy.com
                kpasswd_server = tunneltest.servoy.com
        }

[domain_realm]
        .servoy.com = SERVOY.COM
------8<------

the main method:
------8<------
    public static void main(String[] args) throws Exception {


        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");


        DefaultHttpClient httpclient = new DefaultHttpClient();

        NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
        // nsf.setStripPort(false);
        // nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());

        httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);

        Credentials use_jaas_creds = new Credentials() {

            public String getPassword() {
                return null;
            }

            public Principal getUserPrincipal() {
                return null;
            }

        };

1) A ticket request is done for the HTTP/tunneltest.servoy....@servoy.com service even though it's already in my ticket cache. Dec 11, 2009 10:40:11 AM org.apache.http.client.protocol.RequestTargetAuthentication process SEVERE: Authentication error: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : DerInputStream.getLength(): lengthTag=127, too big.)) First of all, I don't understand why it has to request the ticket for the service if it's already in the cache. However, the request is for the right service, because I get the following line in my kdc.log: 2009-12-11T10:37:03 TGS-REQ testu...@servoy.com from IPv4:85.147.225.232 for HTTP/tunneltest.servoy....@servoy.com This is slightly different from the line I get when requesting the url from firefox, which reads: 2009-12-11T10:49:49 TGS-REQ testu...@servoy.com from IPv4:85.147.225.232 for HTTP/tunneltest.servoy....@servoy.com [canonicalize] Does anybody know what I'm doing wrong? To make sure that I'm not withholding any relevant information, below I've posted all the details. Especially interesting is the program output... com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache="true" ticketCache="/tmp/krb5cc_1000" debug=true; com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache="true" ticketCache="/tmp/krb5cc_1000" debug=true; System.setProperty("java.security.auth.login.config", "/home/sebster/login.conf"); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); httpclient.getCredentialsProvider().setCredentials(new AuthScope(null, -1, null), use_jaas_creds); HttpUriRequest request = new HttpGet("http://tunneltest.servoy.com/private";);

        HttpResponse response = httpclient.execute(request);
        HttpEntity entity = response.getEntity();

        System.out.println("----------------------------------------");
        System.out.println(response.getStatusLine());
        System.out.println("----------------------------------------");
        if (entity != null) {
            System.out.println(EntityUtils.toString(entity));
        }
        System.out.println("----------------------------------------");

        // This ensures the connection gets released back to the manager
        if (entity != null) {
            entity.consumeContent();
        }

        // When HttpClient instance is no longer needed,
        // shut down the connection manager to ensure
        // immediate deallocation of all system resources
        httpclient.getConnectionManager().shutdown();
    }
------8<------

the program output:
------8<------

Acquire TGT from Cache
 >>>DEBUG <CCacheInputStream>  client principal is testu...@servoy.com

 >>>DEBUG <CCacheInputStream> key type: 16
 >>>DEBUG <CCacheInputStream> auth time: Fri Dec 11 08:23:24 CET 2009
 >>>DEBUG <CCacheInputStream> start time: Fri Dec 11 08:23:24 CET 2009
 >>>DEBUG <CCacheInputStream> end time: Fri Dec 11 18:26:31 CET 2009
 >>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
 >>> CCacheInputStream: readFlags()  INITIAL;
 >>>DEBUG <CCacheInputStream>
 >>>DEBUG <CCacheInputStream>  client principal is testu...@servoy.com

 >>>DEBUG <CCacheInputStream> key type: 16
 >>>DEBUG <CCacheInputStream> auth time: Fri Dec 11 08:23:24 CET 2009
 >>>DEBUG <CCacheInputStream> start time: Fri Dec 11 10:49:49 CET 2009
 >>>DEBUG <CCacheInputStream> end time: Fri Dec 11 18:26:31 CET 2009
 >>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
 >>> CCacheInputStream: readFlags()
 >>>DEBUG <CCacheInputStream>
Principal is testu...@servoy.com
Commit Succeeded


Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
 >>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
 >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
 >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType

 >>> KrbKdcReq send: #bytes read=553
 >>> KrbKdcReq send: #bytes read=553
 >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
 >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
 >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 97051396
Created InitSecContextToken:
0000: 01 00 6E 82 01 D5 30 82   01 D1 A0 03 02 01 05 A1  ..n...0.........
0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 01  ......... ......
0020: 01 61 81 FE 30 81 FB A0   03 02 01 05 A1 0C 1B 0A  .a..0...........
0030: 53 45 52 56 4F 59 2E 43   4F 4D A2 28 30 26 A0 03  SERVOY.COM.(0&..
0040: 02 01 01 A1 1F 30 1D 1B   04 48 54 54 50 1B 15 74  .....0...HTTP..t
0050: 75 6E 6E 65 6C 74 65 73   74 2E 73 65 72 76 6F 79  unneltest.servoy
0060: 2E 63 6F 6D A3 81 BB 30   81 B8 A0 03 02 01 03 A1  .com...0........
0070: 03 02 01 01 A2 81 AB 04   81 A8 CF 09 B8 16 47 4B  ..............GK
0080: A0 F1 83 49 AA A9 9F EA   25 C2 E0 07 C1 DF E9 5C  ...I....%......\
0090: 82 F6 09 55 F3 3F 35 5C   C6 BE 22 B6 20 23 D0 92  ...U.?5\..". #..
00A0: 2E AF 3B 71 5B 6F 88 5C   D2 33 F7 8B 6B 7C 4C FB  ..;q[o.\.3..k.L.
00B0: 95 F7 D0 22 A3 D1 85 58   B9 CB 40 8C B4 6B B4 51  ..."......@..k.q
00C0: 87 FD 97 AD BC B8 A7 7D   5E 5D 42 78 F2 CC 41 A0  ........^]Bx..A.
00D0: 39 C8 5B 29 86 C4 62 77   3B E8 33 19 69 8F 33 62  9.[)..bw;.3.i.3b
00E0: 0A 14 9F B2 35 B9 04 6C   0D 31 B4 21 66 7B 1F 06  ....5..l.1.!f...
00F0: FA 1F 0C AF 73 E5 57 86   CC D7 46 23 79 B9 4A CB  ....s.W...F#y.J.
0100: 69 13 46 E6 30 18 93 69   91 D6 91 E3 86 DD DE B5  i.F.0..i........
0110: 8A 7C 73 E8 6F 12 F2 21   64 19 F0 9F 21 B3 00 1E  ..s.o..!d...!...
0120: A0 3F A4 81 B6 30 81 B3   A0 03 02 01 03 A2 81 AB  .?...0..........
0130: 04 81 A8 9D 59 DC 23 05   29 7B 79 3E 99 35 30 61  ....Y.#.).y>.50a
0140: EC 59 46 2C F4 0B 82 87   72 9C 36 9F F3 C4 32 55  .YF,....r.6...2U
0150: 67 AA 47 DF 0A 61 A9 41   7C 25 CD F2 32 36 B6 4E  g.G..a.A.%..26.N
0160: 22 5F 3C 60 CA D2 97 15   26 32 E9 4A B6 79 4A 23  "_<`....&2.J.yJ#
0170: F2 15 17 95 FB 87 66 63   8A 93 8D B2 BD 36 E3 D4  ......fc.....6..
0180: 26 75 CD CA 23 3B E1 C5   8B 32 CD E2 70 1D 1A 03  &u..#;...2..p...
0190: DD ED 2B 1B AF 97 AB 19   A9 88 EF 52 87 6A 2D 94  ..+........R.j-.
01A0: DA 84 4E F4 F0 99 CE E6   CF 67 A8 E6 7F CB 7D C5  ..N......g......
01B0: 68 D5 15 57 B5 52 08 F8   AC 24 21 52 B2 9E 55 68  h..W.R...$!R..Uh
01C0: D2 3D FA C2 51 D4 92 5B   CF 60 E4 59 3C A8 85 4E  .=..Q..[.`.Y<..N
01D0: 8F BB EE 39 3B 79 3A AE   06 F4 CC                 ...9;y:....


----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

----------------------------------------
------8<------

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is /tmp/krb5cc_1000 isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false >>>DEBUG <CCacheInputStream> server principal is krbtgt/servoy....@servoy.com >>>DEBUG <CCacheInputStream> server principal is HTTP/tunneltest.servoy....@servoy.com Found ticket for testu...@servoy.com to go to krbtgt/servoy....@servoy.com expiring on Fri Dec 11 18:26:31 CET 2009 >>> KrbKdcReq send: kdc=tunneltest.servoy.com UDP:88, timeout=30000, number of retries =3, #bytes=589 >>> KDCCommunication: kdc=tunneltest.servoy.com UDP:88, timeout=30000,Attempt =1, #bytes=589 Dec 11, 2009 10:55:08 AM org.apache.http.client.protocol.RequestTargetAuthentication process SEVERE: Authentication error: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : DerInputStream.getLength(): lengthTag=127, too big.))

13:45:46.729 DEBUG [main] org.apache.http.impl.conn.SingleClientConnManager
 Get connection for route HttpRoute[{}->http://tunneltest.servoy.com]
13:45:46.824 DEBUG [main] org.apache.http.client.protocol.RequestAddCookies
 CookieSpec selected: best-match
13:45:46.844 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Attempt 1 to execute request
13:45:46.845 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Sending request: GET /private HTTP/1.1
13:45:46.845 DEBUG [main] org.apache.http.wire
 >> "GET /private HTTP/1.1[EOL]"
13:45:46.847 DEBUG [main] org.apache.http.wire
 >> "Host: tunneltest.servoy.com[EOL]"
13:45:46.847 DEBUG [main] org.apache.http.wire
 >> "Connection: Keep-Alive[EOL]"
13:45:46.847 DEBUG [main] org.apache.http.wire
 >> "User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)[EOL]"
13:45:46.847 DEBUG [main] org.apache.http.wire
 >> "[EOL]"
13:45:46.847 DEBUG [main] org.apache.http.headers
 >> GET /private HTTP/1.1
13:45:46.847 DEBUG [main] org.apache.http.headers
 >> Host: tunneltest.servoy.com
13:45:46.847 DEBUG [main] org.apache.http.headers
 >> Connection: Keep-Alive
13:45:46.847 DEBUG [main] org.apache.http.headers
 >> User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)
13:45:47.304 DEBUG [main] org.apache.http.wire
 << "HTTP/1.1 401 Authorization Required[EOL]"
13:45:47.310 DEBUG [main] org.apache.http.wire
 << "Date: Fri, 11 Dec 2009 12:41:39 GMT[EOL]"
13:45:47.310 DEBUG [main] org.apache.http.wire
 << "Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4[EOL]"
13:45:47.311 DEBUG [main] org.apache.http.wire
 << "WWW-Authenticate: Negotiate[EOL]"
13:45:47.311 DEBUG [main] org.apache.http.wire
 << "Content-Length: 401[EOL]"
13:45:47.311 DEBUG [main] org.apache.http.wire
 << "Keep-Alive: timeout=5, max=100[EOL]"
13:45:47.311 DEBUG [main] org.apache.http.wire
 << "Connection: Keep-Alive[EOL]"
13:45:47.311 DEBUG [main] org.apache.http.wire
 << "Content-Type: text/html; charset=iso-8859-1[EOL]"
13:45:47.321 DEBUG [main] org.apache.http.wire
 << "[EOL]"
13:45:47.323 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Receiving response: HTTP/1.1 401 Authorization Required
13:45:47.323 DEBUG [main] org.apache.http.headers
 << HTTP/1.1 401 Authorization Required
13:45:47.323 DEBUG [main] org.apache.http.headers
 << Date: Fri, 11 Dec 2009 12:41:39 GMT
13:45:47.323 DEBUG [main] org.apache.http.headers
 << Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4
13:45:47.323 DEBUG [main] org.apache.http.headers
 << WWW-Authenticate: Negotiate
13:45:47.323 DEBUG [main] org.apache.http.headers
 << Content-Length: 401
13:45:47.323 DEBUG [main] org.apache.http.headers
 << Keep-Alive: timeout=5, max=100
13:45:47.323 DEBUG [main] org.apache.http.headers
 << Connection: Keep-Alive
13:45:47.323 DEBUG [main] org.apache.http.headers
 << Content-Type: text/html; charset=iso-8859-1
13:45:47.332 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Connection can be kept alive for 5000 ms
13:45:47.333 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Target requested authentication
13:45:47.333 DEBUG [main] 
org.apache.http.impl.client.DefaultTargetAuthenticationHandler
 Authentication schemes in the order of preference: [negotiate, NTLM, Digest, 
Basic]
13:45:47.333 DEBUG [main] 
org.apache.http.impl.client.DefaultTargetAuthenticationHandler
 negotiate authentication scheme selected
13:45:47.336 DEBUG [main] org.apache.http.impl.auth.NegotiateScheme
 Will NOT strip ports off Service Names e.g. HTTP/server:8080 -> HTTP/server
13:45:47.336 DEBUG [main] org.apache.http.impl.auth.NegotiateScheme
 Challenge header: WWW-Authenticate: Negotiate
13:45:47.336 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Authorization challenge processed
13:45:47.336 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Authentication scope: NEGOTIATE <any realm>@tunneltest.servoy.com:80
13:45:47.336 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Found credentials
13:45:47.336 DEBUG [main] org.apache.http.wire
 << "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[\n]"
13:45:47.336 DEBUG [main] org.apache.http.wire
 << "<html><head>[\n]"
13:45:47.336 DEBUG [main] org.apache.http.wire
 << "<title>401 Authorization Required</title>[\n]"
13:45:47.336 DEBUG [main] org.apache.http.wire
 << "</head><body>[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "<h1>Authorization Required</h1>[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "<p>This server could not verify that you[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "are authorized to access the document[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "requested.  Either you supplied the wrong[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "credentials (e.g., bad password), or your[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "browser doesn't understand how to supply[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "the credentials required.</p>[\n]"
13:45:47.337 DEBUG [main] org.apache.http.wire
 << "</body></html>[\n]"
13:45:47.337 DEBUG [main] org.apache.http.client.protocol.RequestAddCookies
 CookieSpec selected: best-match
13:45:47.337 DEBUG [main] org.apache.http.impl.auth.NegotiateScheme
 init tunneltest.servoy.com
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt 
false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is 
false principal is null tryFirstPass is false useFirstPass is false storePass 
is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_1000
>>>DEBUG <CCacheInputStream>  client principal is testu...@servoy.com
>>>DEBUG <CCacheInputStream> server principal is krbtgt/servoy....@servoy.com
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Fri Dec 11 12:59:30 CET 2009
>>>DEBUG <CCacheInputStream> start time: Fri Dec 11 12:59:30 CET 2009
>>>DEBUG <CCacheInputStream> end time: Fri Dec 11 23:03:37 CET 2009
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags()  INITIAL;
>>>DEBUG <CCacheInputStream>
Principal is testu...@servoy.com
Commit Succeeded 

Found ticket for testu...@servoy.com to go to krbtgt/servoy....@servoy.com 
expiring on Fri Dec 11 23:03:37 CET 2009
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbKdcReq send: kdc=tunneltest.servoy.com UDP:88, timeout=30000, number of 
>>> retries =3, #bytes=589
>>> KDCCommunication: kdc=tunneltest.servoy.com UDP:88, timeout=30000,Attempt 
>>> =1, #bytes=589
>>> KrbKdcReq send: #bytes read=553
>>> KrbKdcReq send: #bytes read=553
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 25201998
Created InitSecContextToken:
0000: 01 00 6E 82 01 D5 30 82   01 D1 A0 03 02 01 05 A1  ..n...0.........
0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 01  ......... ......
0020: 01 61 81 FE 30 81 FB A0   03 02 01 05 A1 0C 1B 0A  .a..0...........
0030: 53 45 52 56 4F 59 2E 43   4F 4D A2 28 30 26 A0 03  SERVOY.COM.(0&..
0040: 02 01 01 A1 1F 30 1D 1B   04 48 54 54 50 1B 15 74  .....0...HTTP..t
0050: 75 6E 6E 65 6C 74 65 73   74 2E 73 65 72 76 6F 79  unneltest.servoy
0060: 2E 63 6F 6D A3 81 BB 30   81 B8 A0 03 02 01 03 A1  .com...0........
0070: 03 02 01 01 A2 81 AB 04   81 A8 4C C7 38 9A 6F AC  ..........L.8.o.
0080: 11 20 88 D0 DF B0 52 47   84 38 BB 79 A0 1E D3 AA  . ....RG.8.y....
0090: A5 D3 5F 62 7F 46 2C D3   B6 89 39 8C B0 46 04 28  .._b.F,...9..F.(
00A0: 70 6D 65 82 C2 C3 ED 26   1D 63 D3 EC 67 86 73 F4  pme....&.c..g.s.
00B0: 8A A8 38 AE 67 8F 71 C7   F1 DC 64 18 DC B5 09 0A  ..8.g.q...d.....
00C0: 92 56 0F 50 79 F2 99 C9   25 BD 4B A8 46 36 E8 BF  .V.Py...%.K.F6..
00D0: 82 DF 81 A9 84 C6 98 82   89 30 CA FB 80 0A B9 B2  .........0......
00E0: 3C EB DE C3 E6 10 FF 3D   89 D9 B5 C6 A2 82 D2 A9  <......=........
00F0: D7 91 EB F0 60 FF A4 34   69 85 4C D7 82 9C 52 94  ....`..4i.L...R.
0100: 0D B5 22 45 DF BD 52 85   BD E6 9E 25 68 A9 A6 0E  .."E..R....%h...
0110: 04 77 54 6E F6 40 F1 A4   0E 5A 56 C0 27 A0 89 91  .w...@...zv.'...
0120: 91 D9 A4 81 B6 30 81 B3   A0 03 02 01 03 A2 81 AB  .....0..........
0130: 04 81 A8 B3 98 D8 3F AD   3D 3D 6E 1B 1D 09 DE 91  ......?.==n.....
0140: D8 90 98 91 85 EC EB 5A   F8 CF 2A A1 BD 2B 62 56  .......Z..*..+bV
0150: DE 6B B5 54 C5 36 46 09   F8 0E 50 14 F4 D6 8A 24  .k.T.6F...P....$
0160: 55 3E CD AE 31 9F BE 90   89 E3 2B 4A BA BF 04 9F  U>..1.....+J....
0170: F8 BE 24 27 3E 9A BA 0E   A7 E4 32 2A ED C0 A7 F0  ..$'>.....2*....
0180: 51 BD CF 0B 29 84 9B 7C   2A 2D 84 B9 65 21 17 74  Q...)...*-..e!.t
0190: B9 21 17 98 BA 59 1A 0F   9F A9 F8 DF 75 72 69 74  .!...Y......urit
01A0: 77 F3 D1 63 E0 40 3E 9E   74 0D 9F F8 3E 38 BE 9B  w..c.@>.t...>8..
01B0: 0C 70 06 45 DF E3 0B A2   E3 A8 16 69 21 D1 A4 44  .p.E.......i!..D
01C0: D6 FC 6F 80 A5 C7 3D 05   7D 13 0E AA E7 F7 12 C7  ..o...=.........
01D0: F4 AF F8 4C 54 7E DF 67   6B A6 EA                 ...LT..gk..

13:45:48.118 INFO  [main] org.apache.http.impl.auth.NegotiateScheme
 got token, sending 539 bytes to server
13:45:48.125 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Attempt 2 to execute request
13:45:48.125 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Sending request: GET /private HTTP/1.1
13:45:48.125 DEBUG [main] org.apache.http.wire
 >> "GET /private HTTP/1.1[EOL]"
13:45:48.125 DEBUG [main] org.apache.http.wire
 >> "Host: tunneltest.servoy.com[EOL]"
13:45:48.125 DEBUG [main] org.apache.http.wire
 >> "Connection: Keep-Alive[EOL]"
13:45:48.125 DEBUG [main] org.apache.http.wire
 >> "User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)[EOL]"
13:45:48.125 DEBUG [main] org.apache.http.wire
 >> "Authorization: Negotiate 
 >> YIICFwYGKwYBBQUCoIICCzCCAgegDTALBgkqhkiG9xIBAgKhBAMCAD6iggHuBIIB6mCCAeYGCSqGSIb3EgECAgEAboIB1TCCAdGgAwIBBaEDAgEOogcDBQAgAAAAo4IBAWGB/jCB+6ADAgEFoQwbClNFUlZPWS5DT02iKDAmoAMCAQGhHzAdGwRIVFRQGxV0dW5uZWx0ZXN0LnNlcnZveS5jb22jgbswgbigAwIBA6EDAgEBooGrBIGoTMc4mm+sESCI0N+wUkeEOLt5oB7TqqXTX2J/RizTtok5jLBGBChwbWWCwsPtJh1j0+xnhnP0iqg4rmePccfx3GQY3LUJCpJWD1B58pnJJb1LqEY26L+C34GphMaYgokwyvuACrmyPOvew+YQ/z2J2bXGooLSqdeR6/Bg/6Q0aYVM14KcUpQNtSJF371Shb3mniVoqaYOBHdUbvZA8aQOWlbAJ6CJkZHZpIG2MIGzoAMCAQOigasEgaizmNg/rT09bhsdCd6R2JCYkYXs61r4zyqhvStiVt5rtVTFNkYJ+A5QFPTWiiRVPs2uMZ++kInjK0q6vwSf+L4kJz6aug6n5DIq7cCn8FG9zwsphJt8Ki2EuWUhF3S5IReYulkaD5+p+N91cml0d/PRY+BAPp50DZ/4Pji+mwxwBkXf4wui46gWaSHRpETW/G+Apcc9BX0TDqrn9xLH9K/4TFR+32drpuo=[EOL]"
13:45:48.125 DEBUG [main] org.apache.http.wire
 >> "[EOL]"
13:45:48.126 DEBUG [main] org.apache.http.headers
 >> GET /private HTTP/1.1
13:45:48.126 DEBUG [main] org.apache.http.headers
 >> Host: tunneltest.servoy.com
13:45:48.126 DEBUG [main] org.apache.http.headers
 >> Connection: Keep-Alive
13:45:48.126 DEBUG [main] org.apache.http.headers
 >> User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)
13:45:48.126 DEBUG [main] org.apache.http.headers
 >> Authorization: Negotiate 
 >> YIICFwYGKwYBBQUCoIICCzCCAgegDTALBgkqhkiG9xIBAgKhBAMCAD6iggHuBIIB6mCCAeYGCSqGSIb3EgECAgEAboIB1TCCAdGgAwIBBaEDAgEOogcDBQAgAAAAo4IBAWGB/jCB+6ADAgEFoQwbClNFUlZPWS5DT02iKDAmoAMCAQGhHzAdGwRIVFRQGxV0dW5uZWx0ZXN0LnNlcnZveS5jb22jgbswgbigAwIBA6EDAgEBooGrBIGoTMc4mm+sESCI0N+wUkeEOLt5oB7TqqXTX2J/RizTtok5jLBGBChwbWWCwsPtJh1j0+xnhnP0iqg4rmePccfx3GQY3LUJCpJWD1B58pnJJb1LqEY26L+C34GphMaYgokwyvuACrmyPOvew+YQ/z2J2bXGooLSqdeR6/Bg/6Q0aYVM14KcUpQNtSJF371Shb3mniVoqaYOBHdUbvZA8aQOWlbAJ6CJkZHZpIG2MIGzoAMCAQOigasEgaizmNg/rT09bhsdCd6R2JCYkYXs61r4zyqhvStiVt5rtVTFNkYJ+A5QFPTWiiRVPs2uMZ++kInjK0q6vwSf+L4kJz6aug6n5DIq7cCn8FG9zwsphJt8Ki2EuWUhF3S5IReYulkaD5+p+N91cml0d/PRY+BAPp50DZ/4Pji+mwxwBkXf4wui46gWaSHRpETW/G+Apcc9BX0TDqrn9xLH9K/4TFR+32drpuo=
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "HTTP/1.1 301 Moved Permanently[EOL]"
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "Date: Fri, 11 Dec 2009 12:41:40 GMT[EOL]"
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4[EOL]"
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "WWW-Authenticate: Negotiate 
oYGDMIGAoAMKAQChCwYJKoZIhvcSAQIComwEamBoBgkqhkiG9xIBAgICAG9ZMFegAwIBBaEDAgEPokswSaADAgEDokIEQBLB5mJ4DvfAROo4dYtyeqGGil91tPslGqSrPpzUzhUyOVmUHDoAa93xlL3YDKmacF7QxHaFRh2qmoRWApWtlIo=[EOL]"
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "Location: http://tunneltest.servoy.com/private/[EOL]";
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "Content-Length: 245[EOL]"
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "Keep-Alive: timeout=5, max=99[EOL]"
13:45:48.277 DEBUG [main] org.apache.http.wire
 << "Connection: Keep-Alive[EOL]"
13:45:48.278 DEBUG [main] org.apache.http.wire
 << "Content-Type: text/html; charset=iso-8859-1[EOL]"
13:45:48.278 DEBUG [main] org.apache.http.wire
 << "[EOL]"
13:45:48.278 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Receiving response: HTTP/1.1 301 Moved Permanently
13:45:48.278 DEBUG [main] org.apache.http.headers
 << HTTP/1.1 301 Moved Permanently
13:45:48.278 DEBUG [main] org.apache.http.headers
 << Date: Fri, 11 Dec 2009 12:41:40 GMT
13:45:48.278 DEBUG [main] org.apache.http.headers
 << Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4
13:45:48.278 DEBUG [main] org.apache.http.headers
 << WWW-Authenticate: Negotiate 
oYGDMIGAoAMKAQChCwYJKoZIhvcSAQIComwEamBoBgkqhkiG9xIBAgICAG9ZMFegAwIBBaEDAgEPokswSaADAgEDokIEQBLB5mJ4DvfAROo4dYtyeqGGil91tPslGqSrPpzUzhUyOVmUHDoAa93xlL3YDKmacF7QxHaFRh2qmoRWApWtlIo=
13:45:48.278 DEBUG [main] org.apache.http.headers
 << Location: http://tunneltest.servoy.com/private/
13:45:48.278 DEBUG [main] org.apache.http.headers
 << Content-Length: 245
13:45:48.278 DEBUG [main] org.apache.http.headers
 << Keep-Alive: timeout=5, max=99
13:45:48.278 DEBUG [main] org.apache.http.headers
 << Connection: Keep-Alive
13:45:48.278 DEBUG [main] org.apache.http.headers
 << Content-Type: text/html; charset=iso-8859-1
13:45:48.278 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Connection can be kept alive for 5000 ms
13:45:48.278 DEBUG [main] org.apache.http.impl.client.DefaultRedirectHandler
 Redirect requested to location 'http://tunneltest.servoy.com/private/'
13:45:48.279 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Redirecting to 'http://tunneltest.servoy.com/private/' via 
HttpRoute[{}->http://tunneltest.servoy.com]
13:45:48.280 DEBUG [main] org.apache.http.wire
 << "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[\n]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 << "<html><head>[\n]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 << "<title>301 Moved Permanently</title>[\n]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 << "</head><body>[\n]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 << "<h1>Moved Permanently</h1>[\n]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 << "<p>The document has moved <a 
href="http://tunneltest.servoy.com/private/";>here</a>.</p>[\n]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 << "</body></html>[\n]"
13:45:48.280 DEBUG [main] org.apache.http.client.protocol.RequestAddCookies
 CookieSpec selected: best-match
13:45:48.280 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Attempt 3 to execute request
13:45:48.280 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Sending request: GET /private/ HTTP/1.1
13:45:48.280 DEBUG [main] org.apache.http.wire
 >> "GET /private/ HTTP/1.1[EOL]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 >> "Host: tunneltest.servoy.com[EOL]"
13:45:48.280 DEBUG [main] org.apache.http.wire
 >> "Connection: Keep-Alive[EOL]"
13:45:48.281 DEBUG [main] org.apache.http.wire
 >> "User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)[EOL]"
13:45:48.281 DEBUG [main] org.apache.http.wire
 >> "[EOL]"
13:45:48.281 DEBUG [main] org.apache.http.headers
 >> GET /private/ HTTP/1.1
13:45:48.281 DEBUG [main] org.apache.http.headers
 >> Host: tunneltest.servoy.com
13:45:48.281 DEBUG [main] org.apache.http.headers
 >> Connection: Keep-Alive
13:45:48.281 DEBUG [main] org.apache.http.headers
 >> User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)
13:45:48.319 DEBUG [main] org.apache.http.wire
 << "HTTP/1.1 401 Authorization Required[EOL]"
13:45:48.319 DEBUG [main] org.apache.http.wire
 << "Date: Fri, 11 Dec 2009 12:41:40 GMT[EOL]"
13:45:48.319 DEBUG [main] org.apache.http.wire
 << "Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4[EOL]"
13:45:48.319 DEBUG [main] org.apache.http.wire
 << "WWW-Authenticate: Negotiate[EOL]"
13:45:48.319 DEBUG [main] org.apache.http.wire
 << "Content-Length: 401[EOL]"
13:45:48.320 DEBUG [main] org.apache.http.wire
 << "Keep-Alive: timeout=5, max=98[EOL]"
13:45:48.320 DEBUG [main] org.apache.http.wire
 << "Connection: Keep-Alive[EOL]"
13:45:48.320 DEBUG [main] org.apache.http.wire
 << "Content-Type: text/html; charset=iso-8859-1[EOL]"
13:45:48.320 DEBUG [main] org.apache.http.wire
 << "[EOL]"
13:45:48.320 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Receiving response: HTTP/1.1 401 Authorization Required
13:45:48.320 DEBUG [main] org.apache.http.headers
 << HTTP/1.1 401 Authorization Required
13:45:48.320 DEBUG [main] org.apache.http.headers
 << Date: Fri, 11 Dec 2009 12:41:40 GMT
13:45:48.320 DEBUG [main] org.apache.http.headers
 << Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4
13:45:48.320 DEBUG [main] org.apache.http.headers
 << WWW-Authenticate: Negotiate
13:45:48.320 DEBUG [main] org.apache.http.headers
 << Content-Length: 401
13:45:48.320 DEBUG [main] org.apache.http.headers
 << Keep-Alive: timeout=5, max=98
13:45:48.320 DEBUG [main] org.apache.http.headers
 << Connection: Keep-Alive
13:45:48.320 DEBUG [main] org.apache.http.headers
 << Content-Type: text/html; charset=iso-8859-1
13:45:48.320 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Connection can be kept alive for 5000 ms
13:45:48.320 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Target requested authentication
13:45:48.320 DEBUG [main] org.apache.http.impl.auth.NegotiateScheme
 Challenge header: WWW-Authenticate: Negotiate
13:45:48.320 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Authorization challenge processed
13:45:48.320 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Authentication scope: NEGOTIATE <any realm>@tunneltest.servoy.com:80
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "<html><head>[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "<title>401 Authorization Required</title>[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "</head><body>[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "<h1>Authorization Required</h1>[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "<p>This server could not verify that you[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "are authorized to access the document[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "requested.  Either you supplied the wrong[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "credentials (e.g., bad password), or your[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "browser doesn't understand how to supply[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "the credentials required.</p>[\n]"
13:45:48.321 DEBUG [main] org.apache.http.wire
 << "</body></html>[\n]"
13:45:48.321 DEBUG [main] org.apache.http.client.protocol.RequestAddCookies
 CookieSpec selected: best-match
13:45:48.323 ERROR [main] 
org.apache.http.client.protocol.RequestTargetAuthentication
 Authentication error: Defective token detected (Mechanism level: Defective 
token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : 
DerInputStream.getLength(): lengthTag=127, too big.))
13:45:48.324 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Attempt 4 to execute request
13:45:48.324 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Sending request: GET /private/ HTTP/1.1
13:45:48.324 DEBUG [main] org.apache.http.wire
 >> "GET /private/ HTTP/1.1[EOL]"
13:45:48.324 DEBUG [main] org.apache.http.wire
 >> "Host: tunneltest.servoy.com[EOL]"
13:45:48.324 DEBUG [main] org.apache.http.wire
 >> "Connection: Keep-Alive[EOL]"
13:45:48.324 DEBUG [main] org.apache.http.wire
 >> "User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)[EOL]"
13:45:48.324 DEBUG [main] org.apache.http.wire
 >> "[EOL]"
13:45:48.324 DEBUG [main] org.apache.http.headers
 >> GET /private/ HTTP/1.1
13:45:48.324 DEBUG [main] org.apache.http.headers
 >> Host: tunneltest.servoy.com
13:45:48.324 DEBUG [main] org.apache.http.headers
 >> Connection: Keep-Alive
13:45:48.324 DEBUG [main] org.apache.http.headers
 >> User-Agent: Apache-HttpClient/4.1-alpha1 (java 1.5)
13:45:48.370 DEBUG [main] org.apache.http.wire
 << "HTTP/1.1 401 Authorization Required[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "Date: Fri, 11 Dec 2009 12:41:40 GMT[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "WWW-Authenticate: Negotiate[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "Content-Length: 401[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "Keep-Alive: timeout=5, max=97[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "Connection: Keep-Alive[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "Content-Type: text/html; charset=iso-8859-1[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.wire
 << "[EOL]"
13:45:48.371 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Receiving response: HTTP/1.1 401 Authorization Required
13:45:48.371 DEBUG [main] org.apache.http.headers
 << HTTP/1.1 401 Authorization Required
13:45:48.371 DEBUG [main] org.apache.http.headers
 << Date: Fri, 11 Dec 2009 12:41:40 GMT
13:45:48.371 DEBUG [main] org.apache.http.headers
 << Server: Apache/2.2.13 (FreeBSD) mod_ssl/2.2.13 OpenSSL/0.9.8e DAV/2 
mod_auth_kerb/5.4
13:45:48.371 DEBUG [main] org.apache.http.headers
 << WWW-Authenticate: Negotiate
13:45:48.371 DEBUG [main] org.apache.http.headers
 << Content-Length: 401
13:45:48.371 DEBUG [main] org.apache.http.headers
 << Keep-Alive: timeout=5, max=97
13:45:48.371 DEBUG [main] org.apache.http.headers
 << Connection: Keep-Alive
13:45:48.371 DEBUG [main] org.apache.http.headers
 << Content-Type: text/html; charset=iso-8859-1
13:45:48.372 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Connection can be kept alive for 5000 ms
13:45:48.372 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Target requested authentication
13:45:48.372 DEBUG [main] org.apache.http.impl.auth.NegotiateScheme
 Challenge header: WWW-Authenticate: Negotiate
13:45:48.372 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Authorization challenge processed
13:45:48.372 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Authentication scope: NEGOTIATE <any realm>@tunneltest.servoy.com:80
13:45:48.372 DEBUG [main] org.apache.http.impl.client.DefaultHttpClient
 Authentication failed
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "<html><head>[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "<title>401 Authorization Required</title>[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "</head><body>[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "<h1>Authorization Required</h1>[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "<p>This server could not verify that you[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "are authorized to access the document[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "requested.  Either you supplied the wrong[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "credentials (e.g., bad password), or your[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "browser doesn't understand how to supply[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "the credentials required.</p>[\n]"
13:45:48.377 DEBUG [main] org.apache.http.wire
 << "</body></html>[\n]"
13:45:48.377 DEBUG [main] org.apache.http.impl.conn.SingleClientConnManager
 Releasing connection 
org.apache.http.impl.conn.singleclientconnmanager$connadap...@47a0d4
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

----------------------------------------
13:45:48.377 DEBUG [main] org.apache.http.impl.conn.DefaultClientConnection
 Connection shut down

smime.p7s
Description: S/MIME Cryptographic Signature