Re: Tomcat windows authentication domain login issue
Tantaryu,

The problem currently is that your messages appear to the list readers as pretty unreadable blobs of text. Not many of the busy people here will feel motivated enough to decrypt/reformat them, before they understand even the basics of your questions. Since you are the one who needs help, making it easier for someone to provide it is the way to go.

If such an option is available in your email client, please select send messages as plain text. If it is not available, install Thunderbird or similar and try again. If everything else fails, inserting a blank line between each of the real lines of text /may/ help.

Next, do not send your configuration snippets as attachments. Paste them directly in the email to the list (also as plain text of course).

Next, do not top-post. Respond below the message portion to which you are responding. It helps keeping a natural flow to the conversation.

Thanks
RE: Tomcat windows authentication domain login issue
By the way, this is using tomcat 8 and it's running on Linux. Windows machines are the AD server and the client.
Re: Tomcat windows authentication domain login issue
On 15.10.2014 at 03:48, tantaryu wrote:
> Okay, now I tried with an email client. Let's see if it works.

Could you try to add the missing newlines? It is really hard to read the text without them.

Regards
Felix
RE: Tomcat windows authentication domain login issue
Let's hope it works this time.

I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the manager web application that comes with tomcat to do a poc.

In my web.xml I changed <auth-method>BASIC</auth-method> to <auth-method>SPNEGO</auth-method> and also changed the auth-constraint to the following

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {
  kdc = AD-Server:88
}

[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal=HTTP/Client2@ACME
  useKeyTab=true
  keyTab=C:/tomcat/conf/tomcat.keytab
  //useTicketCache=true
  storeKey=true;
};

com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal=HTTP/Client2@ACME
  useKeyTab=true
  keyTab=C:/tomcat/conf/tomcat.keytab
  //useTicketCache=true
  storeKey=true;
};

The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
</Realm>

When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
Re: Tomcat windows authentication domain login issue
On 15.10.2014 at 10:22, tantaryu wrote:
> Let's hope it works this time.

If this was your try to add newlines, then I think it failed.

Felix
RE: Tomcat windows authentication domain login issue
Okay, this might sound funny. But how do I add newlines?
RE: Tomcat windows authentication domain login issue
On 15 October 2014 at 11:05:59 CEST, tantaryu ming...@outlook.com wrote:
> Okay, this might sound funny. But how do I add newlines?

I don't know how to do it in your mail client. But generally I would try to configure it to not use HTML (only). You could try another mail client or provider. Maybe it has saner defaults.

Regards
Felix
Re: Tomcat windows authentication domain login issue
On 14.10.2014 at 05:32, tantaryu wrote:
> I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the manager web application that comes with tomcat to do a poc. In my web.xml I changed and also changed the auth-constraint to the following

Maybe it is just me, but I can't see what you have added. Did you send your mail as HTML? If so, try to send it as text again.

Regards
Felix
Re: Tomcat windows authentication domain login issue
Oh, let me try again.

I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the manager web application that comes with tomcat to do a poc. In my web.xml I changed to and also changed the auth-constraint to the following . This is my krb5.ini This is my jaas.conf

The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same. I added this in my server.xml

When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
Re: Tomcat windows authentication domain login issue
Let me know if you can read it still. I didn't check the Message is in HTML Format option.
RE: Tomcat windows authentication domain login issue
From: tantaryu [mailto:ming...@outlook.com]
Subject: Re: Tomcat windows authentication domain login issue

> Let me know if you can read it still. I didn't check the Message is in HTML Format option.

It didn't help. Don't use Nabble - post to the user's list directly from an e-mail client.

- Chuck
RE: Tomcat windows authentication domain login issue
Okay, now I tried with an email client. Let's see if it works.

I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the manager web application that comes with tomcat to do a poc.

In my web.xml I changed <auth-method>BASIC</auth-method> to <auth-method>SPNEGO</auth-method> and also changed the auth-constraint to the following

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {
  kdc = AD-Server:88
}

[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal=HTTP/Client2@ACME
  useKeyTab=true
  keyTab=C:/tomcat/conf/tomcat.keytab
  //useTicketCache=true
  storeKey=true;
};

com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal=HTTP/Client2@ACME
  useKeyTab=true
  keyTab=C:/tomcat/conf/tomcat.keytab
  //useTicketCache=true
  storeKey=true;
};

The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
</Realm>

When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
Tomcat windows authentication domain login issue
I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the manager web application that comes with tomcat to do a poc. In my web.xml I changed and also changed the auth-constraint to the following . This is my krb5.ini This is my jaas.conf

The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same. I added this in my server.xml

When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?