RE: Built-in Tomcat Support for Windows Authentication
Alright, thanks. We will try once more from scratch.

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday 23 October 2014 20:42
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

On 23.10.2014 at 11:07, Philippe Wijdh wrote:
> Hi,
>
> Thank you for the response. The initial setup of the SPN and the keytab was without the port number; the registry key was a suggestion found on the internet, but this setting does not change the outcome.
>
> The command kinit on the Tomcat server returns the following:
>
> C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf
>
> C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL

HTTP/v3tcat4ad.assai.nl:8...@assai.nl is the wrong SPN. You have to use one without the port number (as described in the docs).

Maybe it would be best to follow Mark's advice and start with a fresh system and follow the documentation step by step.

Felix

> KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
> Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Kinit using keytab
> Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Kinit realm name is ASSAI.NL
> Creating KrbAsReq
> KrbKdcReq local addresses for V3TCAT4AD are:
>     V3TCAT4AD/10.1.0.67 IPv4 address
>     V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11 IPv6 address
> KdcAccessibility: reset
> KeyTabInputStream, readName(): ASSAI.NL
> KeyTabInputStream, readName(): HTTP
> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
> KeyTab: load() entry length: 72; type: 23
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=198
> KrbKdcReq send: #bytes read=173
> Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
> Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
> Pre-Authentication Data: PA-DATA type = 16
> Pre-Authentication Data: PA-DATA type = 15
> KdcAccessibility: remove v3dom1.assai.nl:88
> KDCRep: init() encoding tag is 126 req type is 11
> KRBError:
>     sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
>     suSec is 776700
>     error code is 25
>     error Message is Additional pre-authentication required
>     realm is ASSAI.NL
>     sname is krbtgt/ASSAI.NL
>     eData provided.
>     msgType is 30
> Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
> Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
> Pre-Authentication Data: PA-DATA type = 16
> Pre-Authentication Data: PA-DATA type = 15
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=283
> KrbKdcReq send: #bytes read=88
> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283
> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #bytes=283
> DEBUG: TCPClient reading 1496 bytes
> KrbKdcReq send: #bytes read=1496
> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser
>
> C:\MyPrograms
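Felix's point can be checked against the keytab file itself rather than against the debug output. The following is an added example in Python, not code from this thread, from Tomcat or from the JDK: it parses the 0x0502 keytab format that the Java KeyTab loader reads, lists every principal with its etype and kvno, and flags an HTTP SPN that carries a port as well as keys of etype 23 (RC4-HMAC). The keytab bytes are constructed inline with placeholder key material; the first constructed entry reproduces the 72-byte etype-23 entry for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL that the debug output reports, the second is the port-less SPN the how-to calls for. A real keytab can be passed as the first command-line argument.

```python
"""Inspect a Kerberos keytab and flag a port-qualified HTTP SPN or an RC4 key.

Added example, not code from the thread, from Tomcat or from the JDK.
Parses the MIT keytab format (version 0x0502). The sample keytab is
constructed inline with placeholder key bytes.
"""
import struct
import sys

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 0x0502

ETYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4)",
}


def _counted(buf, off):
    """Read a counted_octet_string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per keytab entry (principal, etype, kvno, lengths)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno follows the key
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "components": comps, "etype": etype, "kvno": kvno,
            "key_len": len(key), "entry_len": size,
        })
        off = end
    return entries


def check_entry(entry):
    """Findings for one entry; an empty list means nothing was flagged."""
    findings = []
    comps = entry["components"]
    if len(comps) == 2 and comps[0] == "HTTP" and ":" in comps[1]:
        findings.append("HTTP SPN carries a port (%s); browsers request "
                        "HTTP/<host> without a port" % comps[1])
    if entry["etype"] == 23:
        findings.append("key is etype 23 (RC4-HMAC); prefer AES etypes 17/18")
    elif entry["etype"] not in ETYPE_NAMES:
        findings.append("unrecognised etype %d" % entry["etype"])
    return findings


def build_entry(realm, components, etype, key, vno8=0, timestamp=0, name_type=1):
    """Encode one keytab entry; used only to construct the sample below."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, vno8)
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample (placeholder key bytes): an RC4 entry for the
# port-qualified SPN from the thread, and an AES-256 entry for the
# port-less SPN that the Tomcat how-to calls for.
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + build_entry("ASSAI.NL", ["HTTP", "v3tcat4ad.assai.nl:8080"], 23, b"\x11" * 16)
    + build_entry("ASSAI.NL", ["HTTP", "v3tcat4ad.assai.nl"], 18, b"\x22" * 32, vno8=3)
)


def report(data):
    """(principal, etype, kvno, findings) for every entry in a keytab."""
    return [(e["principal"], e["etype"], e["kvno"], check_entry(e))
            for e in parse_keytab(data)]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for principal, etype, kvno, findings in report(data):
        print("%s etype=%d (%s) kvno=%d" % (principal, etype,
                                             ETYPE_NAMES.get(etype, "?"), kvno))
        for finding in findings:
            print("  !! " + finding)
```

The kvno handling matters in practice: ktpass writes the 8-bit vno field (the "version: 0" in the thread's output comes from it), while newer tools append the 32-bit kvno after the key, so the parser reads the optional field only when bytes remain in the entry.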
RE: Built-in Tomcat Support for Windows Authentication
Thanks Terence,

We will have a look at Waffle as well.

Kind regards,
Philippe Wijdh
Senior Programmer
Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P: +31 (0)345 516 663, E: p.wi...@assai.nl, W: www.assai-software.com

-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com]
Sent: Wednesday 22 October 2014 18:56
To: Tomcat Users List
Subject: Built-in Tomcat Support for Windows Authentication

On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
>
> In addition to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01.
>
> Seems like we are close but we are missing something (see Tomcat output below). Does anyone have more complete documentation or any suggestions on how to make this work?
>
> Kind regards,
> Philippe Wijdh
>
> Extra information on the setup:
> Windows 2008 R2 SP1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created the SPN with and without the port number, does not make a difference)
> Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success using Waffle in a similar configuration. You might try that if all else fails.

-Terence Bandoian

> Tomcat Output:
> KeyTabInputStream, readName(): ASSAI.NL
> KeyTabInputStream, readName(): HTTP
> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
> KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=152
> KrbKdcReq send: #bytes read=173
> Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
> Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
> Pre-Authentication Data: PA-DATA type = 16
> Pre-Authentication Data: PA-DATA type = 15
> KdcAccessibility: remove v3dom1.assai.nl:88
> KDCRep: init() encoding tag is 126 req type is 11
> KRBError:
>     sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>     suSec is 403143
>     error code is 25
>     error Message is Additional pre-authentication required
>     realm is ASSAI.NL
>     sname is krbtgt/ASSAI.NL
>     eData provided.
>     msgType is 30
> Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
> Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
> Pre-Authentication Data: PA-DATA type = 16
> Pre-Authentication Data: PA-DATA type = 15
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsReq creating message
> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=235
> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=235
> KrbKdcReq send: #bytes read=1446
> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt
RE: Built-in Tomcat Support for Windows Authentication
Hi,

Thank you for the response. The initial setup of the SPN and the keytab was without the port number; the registry key was a suggestion found on the internet, but this setting does not change the outcome.

The command kinit on the Tomcat server returns the following:

C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf

C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Kinit using keytab
Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Kinit realm name is ASSAI.NL
Creating KrbAsReq
KrbKdcReq local addresses for V3TCAT4AD are:
    V3TCAT4AD/10.1.0.67 IPv4 address
    V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11 IPv6 address
KdcAccessibility: reset
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=198
KrbKdcReq send: #bytes read=173
Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 16
Pre-Authentication Data: PA-DATA type = 15
KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
    sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
    suSec is 776700
    error code is 25
    error Message is Additional pre-authentication required
    realm is ASSAI.NL
    sname is krbtgt/ASSAI.NL
    eData provided.
    msgType is 30
Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 16
Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=283
KrbKdcReq send: #bytes read=88
KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283
KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #bytes=283
DEBUG: TCPClient reading 1496 bytes
KrbKdcReq send: #bytes read=1496
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)

Kind regards,
Philippe Wijdh
Senior Programmer
Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P: +31 (0)345 516 663, E: p.wi...@assai.nl, W: www.assai-software.com

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday 23 October 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

On 22 October 2014 11:40:56 CEST, Philippe Wijdh p.wi...@assai.nl wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http
Built-in Tomcat Support for Windows Authentication
Hello,

We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.

In addition to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01.

Seems like we are close but we are missing something (see Tomcat output below). Does anyone have more complete documentation or any suggestions on how to make this work?

Kind regards,
Philippe Wijdh

Extra information on the setup:
Windows 2008 R2 SP1
Apache Tomcat 7.0.54
jdk1.7.0_60
Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created the SPN with and without the port number, does not make a difference)
Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

Tomcat Output:
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 16
Pre-Authentication Data: PA-DATA type = 15
KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
    sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
    suSec is 403143
    error code is 25
    error Message is Additional pre-authentication required
    realm is ASSAI.NL
    sname is krbtgt/ASSAI.NL
    eData provided.
    msgType is 30
Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
Pre-Authentication Data: PA-DATA type = 16
Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=152
KrbKdcReq send
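The Tomcat output in this post and the kinit output in the reply further up the thread are both Java's -Dsun.security.krb5.debug=true format, and both need the same reading: the "error code is 25" followed by "re-send AS-REQ" is the normal pre-authentication round trip, not the fault, and an AS-REP for HTTP/v3tcat4ad.assai.nl:8080 only shows that the KDC accepts the keytab key for that principal. The following is an added example in Python, not code from this thread, from Tomcat or from the JDK, that summarises such output: the principal the keytab loaded, the etypes offered, the KDC error codes seen and whether error 25 was retried, the UDP-to-TCP retry, and whether an AS-REP came back. The sample lines are constructed from lines quoted in the thread; the error-code names are from RFC 4120.

```python
"""Triage Java Kerberos debug output (-Dsun.security.krb5.debug=true).

Added example, not code from the thread, from Tomcat or from the JDK.
SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
import sys

# Kerberos error codes (RFC 4120, section 7.5.9), subset
KDC_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
}

SAMPLE_LOG = """\
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
default etypes for default_tkt_enctypes: 23 18 17.
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198
KrbKdcReq send: #bytes read=173
KRBError:
error code is 25
error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283
KrbKdcReq send: #bytes read=88
KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283
KrbKdcReq send: #bytes read=1496
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
"""


def triage(lines):
    """Summarise one debug run; 'findings' holds the human-readable verdicts."""
    r = {"keytab_principals": [], "etypes_offered": None, "kdc_errors": [],
         "preauth_resend": False, "tcp_fallback": False, "as_rep_for": None,
         "findings": []}
    names = []  # readName() lines come realm first, then the name components
    for ln in lines:
        ln = ln.strip()
        m = re.match(r"KeyTabInputStream, readName\(\): (.+)", ln)
        if m:
            names.append(m.group(1))
            continue
        m = re.match(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", ln)
        if m and names:
            r["keytab_principals"].append(
                ("/".join(names[1:]) + "@" + names[0], int(m.group(1))))
            names = []
            continue
        m = re.match(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", ln)
        if m and r["etypes_offered"] is None:
            r["etypes_offered"] = [int(x) for x in m.group(1).split()]
            continue
        m = re.match(r"error code is (\d+)", ln)
        if m:
            r["kdc_errors"].append(int(m.group(1)))
            continue
        if ln.startswith("KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ"):
            r["preauth_resend"] = True
        elif re.match(r"KrbKdcReq send: kdc=\S+ TCP:", ln):
            r["tcp_fallback"] = True
        m = re.match(r"KrbAsRep cons in KrbAsReq\.getReply (\S+)", ln)
        if m:
            r["as_rep_for"] = m.group(1)

    f = r["findings"]
    for code in r["kdc_errors"]:
        if code == 25 and r["preauth_resend"]:
            f.append("error 25 followed by a re-sent AS-REQ is the normal "
                     "pre-authentication round trip, not a failure")
        else:
            f.append("KDC error %d (%s)" % (code, KDC_ERRORS.get(code, "unknown")))
    for principal, _etype in r["keytab_principals"]:
        service = principal.split("@", 1)[0]
        if service.startswith("HTTP/") and ":" in service:
            f.append("keytab holds a port-qualified HTTP SPN (%s); browsers "
                     "request HTTP/<host> without a port" % service)
    if r["tcp_fallback"]:
        f.append("AS-REQ was retried over TCP; the JDK does this when the KDC "
                 "reports the reply is too big for UDP, so it is not a fault")
    if r["as_rep_for"]:
        f.append("AS-REP received for %s: the KDC accepts the keytab key for that "
                 "principal, which does not show a browser will request it"
                 % r["as_rep_for"])
    return r


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text.splitlines())
    print("keytab:", result["keytab_principals"], "etypes:", result["etypes_offered"])
    for finding in result["findings"]:
        print(" -", finding)
```

Pass a saved catalina.out or kinit transcript as the first argument to triage a real run; any error code other than 25, or 25 without the re-send, is reported by name so the real failure stands out from the expected handshake noise.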