Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-03 Thread Tom Delaney
Thanks for the reply Michael,

I'm trying to achieve retrieving delegated credentials. I'm confused by the
debug output because I'm being told that authentication succeeded but no
indication of why I'm not receiving delegated credentials other than that there
are none. I have looked over the delegation rules for the service account
and SPN multiple times. When you mentioned "S4U is tried, but not
configured for that account. Totally fine", what does that mean? Is there a
specific place on Tomcat or Windows I need to look for this?

What I'm expecting to see outputted "Delegated Creds have pname=
tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
authtime=null starttime={date/timestamp} endtime={date/timestamp}"

P.S
I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
instead of "SA_EX_SSO"

On Fri, May 3, 2024 at 8:26 AM Michael Osipov  wrote:

> On 2024/05/02 19:20:59 Tom Delaney wrote:
> > Hi All,
> >
> > Sorry for the duplicate requests. The first one was accidentally flagged
> > for Google's new Confidential Mode which happened to be flagged.
> > I have a red hat 9.2 server hosting a web application on a single
> instance
> > of Apache Tomcat. This instance is behind an apache HTTP server on
> version
> > 2.4.57. The application is hosted on Tomcat 9.0.54.
> >
> > Domain: subdomain.domain.com
> > Site: devexample.domain.com
> >
> > URL hit: https://example.subdomain.domain.com/webclient/
> > <https://devexample.domain.com/webclient_devex/exclient.jsp>exclient.jsp
> >
> > *I keep getting this in the Tomcat Logs when accessing the application:*
> > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
>
> You should first try to describe what you are trying to achieve and not
> what the debug output is. The debug message comes from:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> The message is obviously caused by this call:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
>
> S4U is tried, but not configured for that account. Totally fine.
>
> BTW: The filter you use isn't from us.
>
> M
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
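Since "authentication succeeded" and "delegated creds arrived" are separate outcomes in JGSS, the following added example (not code from the thread, the spnego filter, or Tomcat) accepts one SPNEGO token as the service and reports which of the two failed. The class name `DelegationCheck`, the method `inspect`, and the JAAS entry `ServiceAcceptor` (a Krb5LoginModule keytab login) are assumptions; the token is taken base64-encoded from the first argument, as it appears after "Negotiate " in the Authorization header.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
/** Accepts one SPNEGO token as the service and reports why delegated creds are present or absent. */
public final class DelegationCheck {
    static String inspect(byte[] token) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        // Acceptor credential comes from the JAAS Subject this runs under (the keytab login).
        GSSCredential serverCred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(serverCred);
        try {
            ctx.acceptSecContext(token, 0, token.length);
            if (!ctx.isEstablished()) {
                return "context not established (negotiation needs another round trip, or bad token)";
            }
            String who = "authenticated " + ctx.getSrcName();
            // Delegation only happens if the client set the deleg flag AND forwarded a ticket;
            // a successful login says nothing about either.
            if (!ctx.getCredDelegState()) {
                return who + "; client did not request delegation (check client-side trust for the SPN)";
            }
            try {
                GSSCredential delegated = ctx.getDelegCred();
                return who + "; delegated creds for " + delegated.getName()
                        + ", " + delegated.getRemainingLifetime() + "s remaining";
            } catch (GSSException e) {
                // The Krb5 mechanism raises NO_CRED when the flag was set but no ticket arrived.
                return who + "; delegation flag set but no credential received (" + e.getMessage() + ")";
            }
        } finally {
            ctx.dispose();
        }
    }
    public static void main(String[] args) throws Exception {
        // "ServiceAcceptor" is an assumed JAAS entry using Krb5LoginModule with the service keytab.
        LoginContext lc = new LoginContext("ServiceAcceptor");
        lc.login();
        byte[] token = Base64.getDecoder().decode(args[0]); // value after "Negotiate " in the header
        System.out.println(Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<String>) () -> inspect(token)));
    }
}
```

Running it with -Djava.security.krb5.debug=true also shows the same Krb5Context messages quoted above, so the two views can be compared side by side.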


SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-02 Thread Tom Delaney
Hi All,

Sorry for the duplicate requests. The first one was accidentally flagged
for Google's new Confidential Mode which happened to be flagged.
I have a red hat 9.2 server hosting a web application on a single instance
of Apache Tomcat. This instance is behind an apache HTTP server on version
2.4.57. The application is hosted on Tomcat 9.0.54.

Domain: subdomain.domain.com
Site: devexample.domain.com

URL hit: https://example.subdomain.domain.com/webclient/
exclient.jsp

*I keep getting this in the Tomcat Logs when accessing the application:*
*>>> Constrained deleg from GSSCaller{UNKNOWN}*

*The site outputs: No Delegated Creds*

==> /usr/local/tomcat.base1/logs/catalina.out <==
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = [hex dump of the SPNEGO token omitted]

Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-02 Thread Tom Delaney



SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-01 Thread Tom Delaney



Re: SSO SPNEGO GSS API CheckSum Failed Error

2024-02-23 Thread Tom Delaney
Please don't respond to this email. I was able to figure out the issue. The
server hosting devexample.domain.com was using a canonicalized hostname.
This was throwing tomcat off when reading over the token and keytab file. I
only wish there was a better way for this error to pick up on that.

On Fri, Feb 23, 2024 at 11:36 AM Thomas Delaney wrote:

>
>
> Hi all,
>
> I have a redhat 9.2 server hosting a web application on 5 separate
> instances of Apache Tomcat. I have configured SPNEGO on instances 1,2,3 and
> 4. These instances are behind an apache proxy load balancer on version
> 2.4.57. Instance 1,2, and 3 are load balanced. While 4 and 5 are not. The
> application is hosted on Tomcat 9.0.54.
>
> Domain: domain.com
> Site: devexample.domain.com
>
> URL hit: https://devexample.domain.com/webclient_devex/exclient.jsp
>
> *I keep getting this when accessing the application on instance 5:*
> HTTP Status 500 – Internal Server Error
> Type Exception Report
>
> Message GSSException: Failure unspecified at GSS-API level (Mechanism
> level: Checksum failed)
> Description The server encountered an unexpected condition that prevented
> it from fulfilling the request.
> Exception
> javax.servlet.ServletException: GSSException: Failure unspecified at
> GSS-API level (Mechanism level: Checksum failed)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:287)
> Root Cause
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Checksum failed)
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>
> net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
>
> net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
> Root Cause
> KrbException: Checksum failed
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.EncryptedData.decrypt(Unknown Source)
> sun.security.krb5.KrbApReq.authenticate(Unknown Source)
> sun.security.krb5.KrbApReq.(Unknown Source)
> sun.security.jgss.krb5.InitSecContextToken.(Unknown Source)
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>
> net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
>
> net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
> Root Cause
> java.security.GeneralSecurityException: Checksum failed
> sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
> sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
> sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.EncryptedData.decrypt(Unknown Source)
> sun.security.krb5.KrbApReq.authenticate(Unknown Source)
> sun.security.krb5.KrbApReq.(Unknown Source)
> sun.security.jgss.krb5.InitSecContextToken.(Unknown Source)
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>
> net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
>
> net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
>
>
> In the catalina logs:
> Entered SpNegoContext.acceptSecContext with state=STATE_NEW
> SpNegoContext.acceptSecContext: