RE: Built-in Tomcat Support for Windows Authentication
Alright, thanks. We will try once more from scratch. -Original Message- From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Sent: donderdag 23 oktober 2014 20:42 To: Tomcat Users List Subject: Re: Built-in Tomcat Support for Windows Authentication Am 23.10.2014 um 11:07 schrieb Philippe Wijdh: Hi, Thank you for the response. The initial setup of the spn and the keytab was without the port-number, the registry key was a suggestion found on internet but this setting does not change the outcome. The command kinit on the Tomcat server returns the following C:\MyPrograms\Tomcat7\confset KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf C:\MyPrograms\Tomcat7\confc:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.sec urity.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.logi n.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true - k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@A SSAI.NL HTTP/v3tcat4ad.assai.nl:8...@assai.nl is the wrong spn. You have to use one without the port number (as described in the docs). Maybe it would be best to follow Mark's advice and start with a fresh system and follow step for step the documentation. Felix KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl Kinit using keytab Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf Loaded from Java config Kinit realm name is ASSAI.NL Creating KrbAsReq KrbKdcReq local addresses for V3TCAT4AD are: V3TCAT4AD/10.1.0.67 IPv4 address V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11 IPv6 address KdcAccessibility: reset KeyTabInputStream, readName(): ASSAI.NL KeyTabInputStream, readName(): HTTP KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080 KeyTab: load() entry length: 72; type: 23 Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. default etypes for default_tkt_enctypes: 23 18 17. KrbAsReq creating message KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #byt es=198 KrbKdcReq send: #bytes read=173 Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt = Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP Pre-Authentication Data: PA-DATA type = 16 Pre-Authentication Data: PA-DATA type = 15 KdcAccessibility: remove v3dom1.assai.nl:88 KDCRep: init() encoding tag is 126 req type is 11 KRBError: sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000 suSec is 776700 error code is 25 error Message is Additional pre-authentication required realm is ASSAI.NL sname is krbtgt/ASSAI.NL eData provided. msgType is 30 Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt = Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP Pre-Authentication Data: PA-DATA type = 16 Pre-Authentication Data: PA-DATA type = 15 KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for default_tkt_enctypes: 23 18 17. Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. default etypes for default_tkt_enctypes: 23 18 17. EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsReq creating message KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #byt es=283 KrbKdcReq send: #bytes read=88 KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283 KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #byt es=283 DEBUG: TCPClient reading 1496 bytes KrbKdcReq send: #bytes read=1496 KdcAccessibility: remove v3dom1.assai.nl:88 Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080 New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser
RE: Built-in Tomcat Support for Windows Authentication
Thanks Terrence, We will have a look at Waffle as well. Kind regards, Philippe Wijdh Senior Programmer Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands P: +31 (0)345 516 663, E: p.wi...@assai.nl, W: www.assai-software.com -Original Message- From: Terence M. Bandoian [mailto:tere...@tmbsw.com] Sent: woensdag 22 oktober 2014 18:56 To: Tomcat Users List Subject: Built-in Tomcat Support for Windows Authentication On 10/22/2014 4:40 AM, Philippe Wijdh wrote: Hello, We have spent a long time now, trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly, the logon dialog keeps appearing and trying to log on fails. Additional to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01 Seems like we are close but we are missing something (see tomcat output below) Does anyone have a more complete documentation or have any suggestions on how to make this work. Kind regards, Philippe Wijdh Extra information on the setup: Windows 2008 r2 sp1 Apache Tomcat 7.0.54 jdk1.7.0_60 Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the port number, does not make a difference) Test is done with user testu...@assai.nlmailto:testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites. Hi, Philippe- I have not used the built-in Tomcat Windows authentication but have had success using Waffle in a similar configuration. You might try that if all else fails. -Terence Bandoian Tomcat Output: KeyTabInputStream, readName(): ASSAI.NL KeyTabInputStream, readName(): HTTP KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080 KeyTab: load() entry length: 72; type: 23 Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf Loaded from Java config Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. KdcAccessibility: reset Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. default etypes for default_tkt_enctypes: 23 18 17. KrbAsReq creating message KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=152 KrbKdcReq send: #bytes read=173 Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt = Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP Pre-Authentication Data: PA-DATA type = 16 Pre-Authentication Data: PA-DATA type = 15 KdcAccessibility: remove v3dom1.assai.nl:88 KDCRep: init() encoding tag is 126 req type is 11 KRBError: sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000 suSec is 403143 error code is 25 error Message is Additional pre-authentication required realm is ASSAI.NL sname is krbtgt/ASSAI.NL eData provided. msgType is 30 Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt = Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP Pre-Authentication Data: PA-DATA type = 16 Pre-Authentication Data: PA-DATA type = 15 KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for default_tkt_enctypes: 23 18 17. Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. default etypes for default_tkt_enctypes: 23 18 17. EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsReq creating message KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=235 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=235 KrbKdcReq send: #bytes read=1446 KdcAccessibility: remove v3dom1.assai.nl:88 Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 18 17. EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080 Added key: 23version: 0 Ordering keys wrt
Re: JDBCStore
Am 23.10.2014 um 19:45 schrieb spr...@gmx.eu: You may want to have a look at parallel deployment ( http://tomcat.apache.org/tomcat-7.0-doc/config/context.html). At the moment /Catalina/localhost/ is used as value in column app. It is the root app. Would a war ROOT##2.war use another value? No. OK, then this would not solve the prob. Sorry, the name used for the app column changes with the version number. So you can use it. Felix Thx! - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
catalina.out filled with binary data
We have an apache/tomcat application running on AS/400. It dies several times a week. This is a vendor supplied application over which I have little control. Unfortunately, the vendor hasn't done a good job trouble-shooting the problem. After a recent crash, I looked at the logs to see if I could pinpoint the request that preceded the crash. I discovered that catalina.out was filled with binary data. Then entire log looks like this: ����k��z���k��z�kz���k��zk��z�kz���k��z��k��z�kz���k��z��k��z�kz���k��z���k��z�kz���k��z��k��z�kz���k���z��kz��kzл�%م��z@�z��%Á��z@���zk�z�m�m�k��z���zk��z�kz���k��zk��z�kz���k��z���k��z�kz���k��zk��z�kz���k��z��k��z�kz���k��z���k��z�kz���k��z���k��z�kz���k��z��k��z�kz���k���z��kz��kzл�%م��z@�z��%Á��z@���zk�z�m�m�k��z���zk��z�kz���k��zk��z�kz���k��z���k��z�kz���k��zk��z�kz���k��z��k��z� I'm not sure what to make of this. It feels like a native problem, libraries, JVM, JDBC, etc. How do I get to the bottom of this? Regards, Jeff
Re: catalina.out filled with binary data
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Jeffrey, Please don't hijack threads by replying to an existing message and changing the subject. Instead, please start a new mail message to users@tomcat.apache.org if you have a new question. Thanks, - -chris On 10/24/14 11:58 AM, Jeffrey D. Fulmer wrote: We have an apache/tomcat application running on AS/400. It dies several times a week. This is a vendor supplied application over which I have little control. Unfortunately, the vendor hasn't done a good job trouble-shooting the problem. After a recent crash, I looked at the logs to see if I could pinpoint the request that preceded the crash. I discovered that catalina.out was filled with binary data. Then entire log looks like this: ����k��z���k��z�kz���k��zk��z�kz���k��z��k��z�kz���k��z��k��z�kz���k��z���k��z�kz���k��z��k��z�kz���k���z��kz��kzл�%م��z@�z��%Á��z@���zk�z�m�m�k��z���z�� � ���k��z�kz���k��zk��z�kz���k��z���k��z�kz���k��zk��z�kz���k��z��k��z�kz���k��z���k��z�kz���k��z���k��z�kz���k��z��k��z�kz���k���z��kz��kzл�%م�� z @�z��%Á��z@���zk�z�m�m�k��z���zk��z�kz���k��zk��z�kz���k��z���k��z�kz���k��zk��z�kz���k��z��k��z� I'm not sure what to make of this. It feels like a native problem, libraries, JVM, JDBC, etc. How do I get to the bottom of this? Regards, Jeff - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUSqHVAAoJEBzwKT+lPKRYJLsQAIwCxFDOa91nVWS50J6b+hwI 057FY0IVxBTaJ5K/Cxz0aY9XGSej3z/GMeQeAEHcs3UEPMEOFD9NAHoOr2bkA5L+ UBxtchU5UvnFrylZqxLDMxGGB/JzDk1V4odl1xgXtkTqsWUascVbUwfDTGcgYv0o TaKydlLBByW0FsOF4hbQHQvZHLgK9OZyhqIqA66hmn5SPzFFkqTlRO0EH8gj2PxA 0+K8UxcPs0/oOt9zIvm6xKny4BtPtcMiC5Xf6yfp9+cxGswg68hIUS/ebDT5z299 ubQ97uy/jTflHQ8KF1WJiETIQ+l1UZ2Tf6ApluMHHJaS6JZgcEnLmk7NnMOa4M3b VECXv5lo0zOnNHJyXw2xdQPWtZm8Q5nR8+UQQ+Jvkd4ywPKxzpUgjok9MYEvzvUO HatSDuSbhiNtmTk2XP5ogfqiVulCcnEv6V/xeZxSwIZoBN00qj43IICVIMN0EuH/ yVS6Y5qsxRETTo8QcEgEpinfiHyu188koTTkWJWe2qtDG5i9kQNy0t612ymA/ykW I9Wpqb4gjcI8WRGuNDnstkX8e8fJnD5kN5bM1S9QmXzGnDfyZtMzyhuHNQPBvGD5 qhpH3Virni+sCNqZ/ffjl3uFf+jkqkBeaVnRNQyR4ncjwZ/sQPcNnpfdP6uPl37Y tKBchQw8INKEbmC2vc5m =v11U -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
embedded tomcat Defense Information Systems Agency
Does anyone happen to know if embedded tomcat is in Defense Information Systems Agency list? I know regular tomcat is but I have a need to use embedded tomcat for what I need to accomplish. Jason Ricles
Re: embedded tomcat Defense Information Systems Agency
On 24/10/2014 23:30, Jason Ricles wrote: Does anyone happen to know if embedded tomcat is in Defense Information Systems Agency list? I know regular tomcat is but I have a need to use embedded tomcat for what I need to accomplish. It is exactly the same code, just in fewer, larger JARs. In a logical world that would mean if regular Tomcat was OK, so was embedded Tomcat but this is the US Federal Government we are talking about here. The simplest solution may well be just to use the JARs from regular Tomcat to do what you want to do. The results will be exactly the same, you'll just have a handful of smaller JARs rather than a few larger ones to put on your classpath. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
