Re: Tomcat windows authentication domain login issue

2014-10-16 Thread André Warnier

Tantaryu,

The problem currently is that your messages appear to the list readers as pretty 
unreadable blobs of text.  Not many of the busy people here will feel motivated enough 
to decrypt/reformat them before they understand even the basics of your questions.


Since you are the one who needs help, making it easier for someone to provide it is the 
way to go.


If such an option is available in your email client, please select "send messages as plain 
text".  If it is not available, install Thunderbird or similar and try again.


If everything else fails, inserting a blank line between each of the real lines of text 
/may/ help.


Next, do not send your configuration snippets as attachments.  Paste them directly in the 
email to the list (also as plain text of course).


Next, do not top-post.
Respond below the message portion to which you are responding.  It helps keep a natural 
flow to the conversation.


Thanks


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
By the way, this is using tomcat 8 and it's running on Linux. Windows
machines are the AD server and the client.



--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023860.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher

On 15.10.2014 at 03:48, tantaryu wrote:

Okay, now I tried with an email client. Let's see if it works.

Could you try to add the missing newlines? It is really hard to read the 
text without them.


Regards Felix



RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
 Let's hope it works this time.

Re: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher

On 15.10.2014 at 10:22, tantaryu wrote:

Let's hope it works this time.

If this was your try to add newlines, then I think it failed.

Felix


RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
Okay, this might sound funny. But how do I add newlines?


RE: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher


On 15 October 2014 11:05:59 CEST, tantaryu ming...@outlook.com wrote:
Okay, this might sound funny. But how do I add newlines?

I don't know how to do it in your mail client. But generally I would try to 
configure it to not use html (only).

You could try another mail client or provider. Maybe it has saner defaults. 

Regards
Felix



Re: Tomcat windows authentication domain login issue

2014-10-14 Thread Felix Schumacher

On 14.10.2014 at 05:32, tantaryu wrote:

I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
uses the manager web application comes with tomcat to do a poc. In my
web.xml I change  and also changes the auth-constraint to the following
Maybe it is just me, but I can't see what you have added. Did you send 
your mail as html? If so, try to send it as text again.


Regards
 Felix





Re: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Oh, let me try again.

I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
uses the manager web application comes with tomcat to do a poc. In my
web.xml I change
to
 and also changes the auth-constraint to the following 

. 

This is my krb5.ini 

This is my jaas.conf 

The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same. 

I added this in my server.xml 

When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?






Re: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Let me know if you can read it still. I didn't check the "Message is in
HTML Format" option.






RE: Tomcat windows authentication domain login issue

2014-10-14 Thread Caldarale, Charles R
 From: tantaryu [mailto:ming...@outlook.com] 
 Subject: Re: Tomcat windows authentication domain login issue

 Let me know if you can read it still. I didn't check the "Message is in
 HTML Format" option.

It didn't help.  Don't use Nabble - post to the user's list directly from an 
e-mail client.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Okay, now I tried with an email client. Let's see if it works.

I need some idea on what's wrong with my Tomcat configuration for Windows 
authentication. I followed the Tomcat Windows authentication tutorial and used 
the manager web application that comes with Tomcat to do a PoC. In my web.xml I 
changed

<auth-method>BASIC</auth-method>

to

<auth-method>SPNEGO</auth-method>

and also changed the auth-constraint to the following:

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini:

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {
  kdc = AD-Server:88
}

[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

The weird thing is regardless of what username and password I put in when I 
accessed the Tomcat manager web-app the debug message shown is the same.

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml:

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
</Realm>

When I tried to log in, it doesn't seem to recognize the valid credential. The app 
keeps on asking me to enter a valid credential. What do I need to change to 
make it work?

Tomcat windows authentication domain login issue

2014-10-13 Thread tantaryu
I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
uses the manager web application comes with tomcat to do a poc. In my
web.xml I change  and also changes the auth-constraint to the following 

.

This is my krb5.ini


This is my jaas.conf


The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same.



I added this in my server.xml



When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?


