RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
By the way, this is using tomcat 8 and it's running on Linux. Windows
machines are the AD server and the client.



--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023860.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
Let's hope it works this time.

I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
used the manager web application that comes with tomcat to do a poc. In my
web.xml I changed <auth-method>BASIC</auth-method> to
<auth-method>SPNEGO</auth-method> and also changed the auth-constraint to
the following

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {kdc = AD-Server:88}

[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same.

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo"
         allRolesMode="strictAuthOnly" />
</Realm>

When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?

RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
Okay, this might sound funny. But how do I add newlines?

Date: Wed, 15 Oct 2014 01:37:42 -0700
From: ml-node+s10n5023863...@n6.nabble.com
To: ming...@outlook.com
Subject: Re: Tomcat windows authentication domain login issue



On 15.10.2014 at 10:22, tantaryu wrote:

 Let's hope it works this time.

If this was your try to add newlines, then I think it failed.


Felix


Re: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Oh, let me try again.

I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
used the manager web application that comes with tomcat to do a poc. In my
web.xml I changed
to
 and also changed the auth-constraint to the following 

. 

This is my krb5.ini 

This is my jaas.conf 

The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same. 

I added this in my server.xml 

When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?



--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023851.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Let me know if you can read it still. I didn't check the Message is in
HTML Format  option.



--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023853.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




RE: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Okay, now I tried with an email client. Let's see if it works.

I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
used the manager web application that comes with tomcat to do a poc. In my
web.xml I changed <auth-method>BASIC</auth-method> to
<auth-method>SPNEGO</auth-method> and also changed the auth-constraint to
the following

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {kdc = AD-Server:88}

[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same.

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo"
         allRolesMode="strictAuthOnly" />
</Realm>

When I tried login, it doesn't seem to recognize the valid credential. The app
keeps on asking me to enter a valid credential. What do I need to change to
make it work?

Date: Tue, 14 Oct 2014 18:03:07 -0700
From: ml-node+s10n5023854...@n6.nabble.com
To: ming...@outlook.com
Subject: RE: Tomcat windows authentication domain login issue



 From: tantaryu [mailto:[hidden email]]
 Subject: Re: Tomcat windows authentication domain login issue

 Let me know if you can read it still. I didn't check the Message is in
 HTML Format  option.


It didn't help.  Don't use Nabble - post to the user's list directly from an 
e-mail client.


 - Chuck



Tomcat windows authentication domain login issue

2014-10-13 Thread tantaryu
I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
used the manager web application that comes with tomcat to do a poc. In my
web.xml I changed  and also changed the auth-constraint to the following 

.

This is my krb5.ini


This is my jaas.conf


The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same.



I added this in my server.xml



When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?



--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
