Hi,
I turned on the logging as you recommended; this is what I get in
catalina.out:
Krb5Context setting mySeqNumber to: 441582303
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
13-Feb-2019 14:07:56.755 FINE [http-nio-8080-exec-3]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /favicon.ico
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against
GET /favicon.ico --> true
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against
GET /favicon.ico --> true
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint has no restrictions
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
13-Feb-2019 14:07:56.818 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate
No authorization header sent by client
13-Feb-2019 14:07:56.820 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
The part with the "No authorization header sent by client" seems to be
new; however, I don't know what to conclude from that information.
Kind regards,
Thomas
On Mon, 11 Feb 2019 at 10:24, Mark Thomas wrote:
>
> On 08/02/2019 21:43, Michael Osipov wrote:
> > On 2019-02-08 at 12:54, Tommy Schneider wrote:
> >> Hello,
> >>
> >> I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment:
> >>
> >> Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC
> >> Platform/OS: AIX 7.2 ppc64
> >> Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins
> >>
> >> From what I can see in the catalina log I think it's almost working
> >> (AD user is returned back correctly), but in the web application I
> >> always get stuck with an HTTP 401. No matter whether I'm using a JNDI
> >> realm or a simple JAAS realm. I also tried different approaches in the
> >> application's web.xml (like using "*" as a generic role name or
> >> specifying a list of role names like they should come back from the
> >> AD). I'm starting to think the cause may still be somewhere in the
> >> SPNEGO/Kerberos stuff and not in my realm/application config.
> >>
> >> Currently I'm trying to use a simple JAAS realm (as I found a tutorial
> >> saying this is the simplest way to go when you just need the user name
> >> and no roles)
> >> snippet from server.xml
> >> >> autoDeploy="true">
> >>
> >> >> className="org.apache.catalina.authenticator.SpnegoAuthenticator"
> >> storeDelegatedCredential="true">
> >> >> className="org.apache.catalina.realm.JAASRealm"
> >> allRolesMode="strictAuthOnly" />
> >>
> >>
> >> snippet from catalina.out:
> >> Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for
> >> HTTP/mymachine.mycompany@mycompany.com
> >> Found ticket for
> >> HTTP/mymachine.mycompany@mycompany.com to go to
> >> krbtgt/mycompany@mycompany.com expiring on Fri Feb 08 21:26:27 CET
> >> 2019
> >> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> >> Looking for keys for:
> >> HTTP/mymachine.mycompany@mycompany.com
> >> Added key: 17version: 15
> >> Added key: 18version: 15
> >> Added key: 23version: 15
> >> Found unsupported keytype (3) for
> >> HTTP/mymachine.mycompany@mycompany.com
> >> Found unsupported keytype (1) for
> >> HTTP/mymachine.mycompany@mycompany.com
> >> >>> EType:
> >> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >> Using builtin default etypes for permitted_enctypes
> >> default etypes for permitted_enctypes: 18 17 16 23.
> >> >>> EType:
> >> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >> MemoryCache: add
> >> 1549621587/000784/231A915D0FE70A039CF82095FC685C843F4D981D20A70F972015D8EB16D07CA5/myusern...@mycompany.com
> >>
> >> to myusern...@mycompany.com|
> >> HTTP/mymachine.mycompany@mycompany.com
> >> >>> KrbApReq: authenticate succeed.
> >> >>> EType:
> >> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >> >>>Delegated Creds have
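The two kinds of output in this thread (Tomcat's FINE-level authenticator lines at the top of Thomas's reply, and the JGSS Kerberos debug lines quoted from the first message) are easier to reason about when read side by side. The script below is an added example, not code from the thread, from Tomcat or from the JDK: it parses constructed sample lines taken from the excerpts above (the email-wrapped lines rejoined one event per line), groups the Tomcat lines per worker thread to show what happened to each request, and pulls the keytab enctypes, the permitted enctype list and the AP-REQ outcome out of the Kerberos debug output. The function names, the sample strings, the enctype name table and the "legacy" classification are the example's own assumptions.

```python
"""Summarise Tomcat SPNEGO troubleshooting output from catalina.out.

Added example, not code from the thread or from Tomcat. It reads the two
families of lines seen in the thread: Tomcat's FINE-level authenticator
lines and the JGSS/Kerberos debug lines (-Dsun.security.krb5.debug=true).
"""
import re
from collections import defaultdict

# Tomcat FINE line: "<date> <time> FINE [<thread>] <class.method> <message>"
TOMCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) FINE "
    r"\[(?P<thread>[^\]]+)\] (?P<where>\S+) (?P<msg>.*)$"
)
# JGSS debug lines as quoted in the first message of the thread
KEY_ADDED = re.compile(r"^Added key: (\d+)version: (\d+)")
KEY_UNSUPPORTED = re.compile(r"^Found unsupported keytype \((\d+)\)")
PERMITTED = re.compile(r"^default etypes for permitted_enctypes: ([\d ]+)\.")

# Kerberos enctype numbers (RFC 3961/3962/4757) for the types that appear in the log
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
# Single DES (RFC 6649), 3DES and RC4 (RFC 8429) are deprecated; assumption: flag them
LEGACY_ENCTYPES = {1, 3, 16, 23}

# Constructed sample: the wrapped lines from Thomas's excerpt, rejoined one event per line
SAMPLE_TOMCAT = """\
13-Feb-2019 14:07:56.755 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /favicon.ico
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against GET /favicon.ico --> true
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
13-Feb-2019 14:07:56.818 FINE [http-nio-8080-exec-5] org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate No authorization header sent by client
13-Feb-2019 14:07:56.820 FINE [http-nio-8080-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
"""

# Constructed sample: the JGSS debug lines quoted from the first message
SAMPLE_JGSS = """\
Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for HTTP/mymachine.mycompany@mycompany.com
Looking for keys for: HTTP/mymachine.mycompany@mycompany.com
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/mymachine.mycompany@mycompany.com
Found unsupported keytype (1) for HTTP/mymachine.mycompany@mycompany.com
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> KrbApReq: authenticate succeed.
"""


def parse_tomcat_events(text):
    """Return one dict per well-formed Tomcat FINE line; anything else is skipped."""
    return [m.groupdict() for m in map(TOMCAT_LINE.match, text.splitlines()) if m]


def summarise_requests(text):
    """Per worker thread: the request line, whether a security constraint matched
    it, what SpnegoAuthenticator reported, and the authenticate() outcome."""
    threads = defaultdict(lambda: {"request": None, "constraint_matched": False,
                                   "spnego": None, "authenticated": None})
    for ev in parse_tomcat_events(text):
        state, msg = threads[ev["thread"]], ev["msg"]
        if msg.startswith("Security checking request "):
            state["request"] = msg[len("Security checking request "):]
        elif ev["where"].endswith("RealmBase.findSecurityConstraints") and msg.endswith("--> true"):
            state["constraint_matched"] = True
        elif ev["where"].endswith("SpnegoAuthenticator.doAuthenticate"):
            state["spnego"] = msg
        elif msg == "Failed authenticate() test":
            state["authenticated"] = False
    return dict(threads)


def keytab_report(text):
    """Which keytab entries the JVM loaded or refused, which enctypes it permits,
    and whether the client's AP-REQ was accepted."""
    report = {"loaded": [], "unsupported": [], "permitted": [], "ap_req_accepted": False}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_ADDED.match(line)):
            report["loaded"].append(int(m.group(1)))
        elif (m := KEY_UNSUPPORTED.match(line)):
            report["unsupported"].append(int(m.group(1)))
        elif (m := PERMITTED.match(line)):
            report["permitted"] = [int(e) for e in m.group(1).split()]
        elif "KrbApReq: authenticate succeed." in line:
            report["ap_req_accepted"] = True
    seen = set(report["loaded"]) | set(report["unsupported"])
    report["legacy_in_keytab"] = sorted(seen & LEGACY_ENCTYPES)
    report["names"] = {e: ENCTYPE_NAMES.get(e, f"etype-{e}") for e in sorted(seen)}
    return report


if __name__ == "__main__":
    for thread, state in summarise_requests(SAMPLE_TOMCAT).items():
        print(thread, state)
    print(keytab_report(SAMPLE_JGSS))
```

Read together, the two samples say that the Kerberos exchange for the HTTP service principal succeeded (the AP-REQ was accepted, with AES256 being the enctype in use), while the later favicon.ico request on exec-5 arrived without an Authorization header, so SpnegoAuthenticator failed authenticate() and Tomcat answers that request with the 401 Negotiate challenge; on its own that is the first leg of the SPNEGO handshake, not a failure. The DES keytypes 1 and 3 in the keytab are simply skipped because they are not in the JVM's permitted list (18 17 16 23), so they do not explain a 401 either, though a defender would still want them removed from the keytab.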