Re: Questions about Integrated Windows Authentication

2021-06-28 Thread Carsten Klein

Sorry Mark, I've clicked the wrong button in my mail client :(


On 28.06.2021 15:29, Mark Thomas wrote:


Note that Tomcat 7 is no longer supported.

I guess it's nearly the same for all versions of Tomcat.


That looks more like some form of configuration issue but I always found the 
Kerberos error message rather hard to decipher.


AFAIK, the Kerberos is working fine. This error occurs in JNDIRealm's 
getPrincipal method. One log line before, Kerberos reports


Found ticket for HTTP/apps.atlas-03t.gvsn.local@GVSN.LOCAL to go to 
krbtgt/GVSN.LOCAL@GVSN.LOCAL expiring on Thu Jun 24 18:26:05 CEST 2021


So, there is a ticket. However, JNDIRealm cannot use it or the ticket 
does not allow binding to the directory with that user. I'm not 
understanding the whole process, so I was asking if someone has more 
clue on that.



2. Fallback Authenticator



It has been mentioned before. There is this on the Wiki:
https://cwiki.apache.org/confluence/display/TOMCAT/SSLWithFORMFallback


Will have a look at that. It's basically what I was thinking about: 
adding a fallback to SpnegoAuthenticator only.



As with most enhancements, whether it is accepted is going to depend largely on 
the benefit it brings vs how complex / invasive the code is.


For sure.



Rémy mentioned he was looking for a development project. Maybe this could be it.


I guess, Rémy was taking my user attributes Realm extension as 
development project...



You might be able to authenticate external users in a reverse proxy and have it 
pass the user ID to Tomcat rather than have Tomcat do the authentication.



I read about that somewhere some months ago. However, I don't know how 
to get the authentication from the reverse proxy (my Tomcat already runs 
behind an Apache HTTPD using mod_proxy_ajp) to Tomcat?


Finally, Tomcat needs the Principal and a couple of roles for 
authorization (including my additional user attributes). Passing the 
user ID only is likely not sufficient. Could you please describe that in 
more detail or point me to some sites to learn more about that?



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
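Mark's reverse-proxy suggestion and Carsten's follow-up question (how does the proxy hand the user to Tomcat, and what about roles) come down to one trust boundary, sketched here as an added example that is not code from the thread or from Tomcat. In Tomcat's case the identity arrives from mod_proxy_ajp as the AJP remote_user attribute, which Tomcat consumes when the AJP connector is configured with tomcatAuthentication="false"; the Python below models the equivalent check for a proxy that asserts the user in an HTTP header. The header name X-Remote-User, the trusted proxy ranges, the user names and the role table are all assumptions for the example. The two points a practitioner wants are both in it: the assertion is only believed when the TCP peer is the proxy, and roles are resolved on the backend because the proxy only knows who the user is.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Optional

# Assumed header name for the identity the proxy asserts (with mod_proxy_ajp the
# same value travels as the AJP remote_user attribute rather than as a header).
IDENTITY_HEADER = "X-Remote-User"
# Account name with optional @REALM; anything else is treated as no identity.
IDENTITY_SYNTAX = re.compile(r"[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?")


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


# Constructed role table standing in for what a Realm would return: the proxy
# only tells the backend *who* the user is, never what they may do.
ROLE_DIRECTORY: Dict[str, Iterable[str]] = {
    "alice": ("app-user", "helpdesk"),
    "bob": ("app-user",),
}


class ProxyIdentityResolver:
    def __init__(self, trusted_proxies: Iterable[str],
                 roles_for: Callable[[str], Optional[Iterable[str]]] = ROLE_DIRECTORY.get):
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.roles_for = roles_for

    def resolve(self, peer_ip: str, headers: Dict[str, str]) -> Optional[Principal]:
        """Principal for the request, or None if it must be treated as anonymous."""
        peer = ipaddress.ip_address(peer_ip)
        if not any(peer in net for net in self.trusted):
            return None            # backend hit directly: the header could be anyone's
        lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
        asserted = lowered.get(IDENTITY_HEADER.lower(), "").strip()
        if not IDENTITY_SYNTAX.fullmatch(asserted):
            return None            # empty, or smuggled CR/LF and the like
        account = asserted.split("@", 1)[0].lower()   # the realm is the proxy's concern
        roles = self.roles_for(account)
        # An identity with no roles is still authenticated; authorization just fails.
        return Principal(account, frozenset(roles or ()))


def is_authorized(principal: Optional[Principal], required_role: str) -> bool:
    """The check a security-constraint would apply to the resolved principal."""
    return principal is not None and required_role in principal.roles
```

Whatever the transport, the backend must not be reachable except from the proxy: bind the AJP or HTTP connector to the proxy-facing interface only, and for AJP also set the connector's secret (requiredSecret on older releases) so that a stray client cannot assert an arbitrary remote_user. A proxy that forwards an identity header must overwrite it rather than leave a client-supplied one in place.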



Re: Questions about Integrated Windows Authentication

2021-06-28 Thread Mark Thomas

On 28/06/2021 10:36, Carsten Klein wrote:

Hi there,

I have two questions about Tomcat's Integrated Windows Authentication:

Tomcat is stuck on version 7.0.52 on an outdated Ubuntu 14.04 LTS.


Note that Tomcat 7 is no longer supported.


1. useDelegatedCredential = true

I'm using JNDIRealm together with the SPNEGO authenticator. If the 
Realm's option 'useDelegatedCredential' is set to true, I'm getting 
exception:


javax.naming.AuthenticationException: GSSAPI [Root exception is 
javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Failed to 
find any Kerberos tgt)]]; remaining name 'xxx.yyy.zzz...'


Everything works fine when not using delegated credentials, but 
configured connectionName and connectionPassword.


What's the reason for that? Is it a Tomcat configuration issue? Or, is 
the client (Google Chrome) not sending enough (credential?) information:


There is Chrome's Policy option 'AuthNegotiateDelegateWhitelist' 
(deprecated, replaced by 'AuthNegotiateDelegateAllowlist') which must be 
configured in order to delegate the user's identity. However, setting 
any of these policy settings to true does not help.


See 
https://www.chromium.org/developers/design-documents/http-authentication


Is it a limitation/setting in Active Directory Server? The exception 
occurs after SpnegoAuthenticator has contacted ADS through Kerberos. Is 
the response obtained from that Kerberos call not suitable for using 
delegated credentials?


That looks more like some form of configuration issue but I always found 
the Kerberos error message rather hard to decipher.



2. Fallback Authenticator

We have some clients connected through VPN, whose Windows sessions are 
not logged on to the Active Directory's Windows Domain, so Integrated 
Windows Authentication cannot work. SpnegoAuthenticator reports 'No 
authorization header sent by client'. However, I've not yet found a way 
to fall back to e. g. FORM authentication for those clients.


AFAIK, there is no way to do this with Tomcat, since a Context can only 
have one single authenticator valve.


Oracle's WebLogic Server supports configuring more than one 
authentication method, by adding something like


CLIENT-CERT,BASIC into web.xml.

What about adding support for that or something similar in Tomcat? A 
CombinedAuthenticator (like with CombinedRealm) could be a solution. 
That could instantiate other required Authenticator valves and pass the 
request from one to the other until authentication succeeds. Those 
valves must not necessarily be queued in the container's pipeline, but 
could be called by the CombinedAuthenticator valve.


That's likely not too simple but it could be done. Are you open to such a 
solution?


It has been mentioned before. There is this on the Wiki:
https://cwiki.apache.org/confluence/display/TOMCAT/SSLWithFORMFallback

As with most enhancements, whether it is accepted is going to depend 
largely on the benefit it brings vs how complex / invasive the code is.


Rémy mentioned he was looking for a development project. Maybe this 
could be it.


I believe that only the SpnegoAuthenticator needs such a fallback, as it 
uses mechanisms that you can't just add to any client. (In contrast, you 
could always distribute an X509 certificate or use FORM, BASIC, or DIGEST 
login. But you can't add your client to a Windows Domain just in order 
to log in to an application.) Adding a fallback mechanism to 
SpnegoAuthenticator only may be much easier.


What other solutions do you know?


You might be able to authenticate external users in a reverse proxy and 
have it pass the user ID to Tomcat rather than have Tomcat do the 
authentication.


Mark




Questions about Integrated Windows Authentication

2021-06-28 Thread Carsten Klein

Hi there,

I have two questions about Tomcat's Integrated Windows Authentication:

Tomcat is stuck on version 7.0.52 on an outdated Ubuntu 14.04 LTS.

1. useDelegatedCredential = true

I'm using JNDIRealm together with the SPNEGO authenticator. If the 
Realm's option 'useDelegatedCredential' is set to true, I'm getting 
exception:


javax.naming.AuthenticationException: GSSAPI [Root exception is 
javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Failed to 
find any Kerberos tgt)]]; remaining name 'xxx.yyy.zzz...'


Everything works fine when not using delegated credentials, but 
configured connectionName and connectionPassword.


What's the reason for that? Is it a Tomcat configuration issue? Or, is 
the client (Google Chrome) not sending enough (credential?) information:


There is Chrome's Policy option 'AuthNegotiateDelegateWhitelist' 
(deprecated, replaced by 'AuthNegotiateDelegateAllowlist') which must be 
configured in order to delegate the user's identity. However, setting 
any of these policy settings to true does not help.


See 
https://www.chromium.org/developers/design-documents/http-authentication


Is it a limitation/setting in Active Directory Server? The exception 
occurs after SpnegoAuthenticator has contacted ADS through Kerberos. Is 
the response obtained from that Kerberos call not suitable for using 
delegated credentials?



2. Fallback Authenticator

We have some clients connected through VPN, whose Windows sessions are 
not logged on to the Active Directory's Windows Domain, so Integrated 
Windows Authentication cannot work. SpnegoAuthenticator reports 'No 
authorization header sent by client'. However, I've not yet found a way 
to fall back to e. g. FORM authentication for those clients.


AFAIK, there is no way to do this with Tomcat, since a Context can only 
have one single authenticator valve.


Oracle's WebLogic Server supports configuring more than one 
authentication method, by adding something like


CLIENT-CERT,BASIC into web.xml.

What about adding support for that or something similar in Tomcat? A 
CombinedAuthenticator (like with CombinedRealm) could be a solution. 
That could instantiate other required Authenticator valves and pass the 
request from one to the other until authentication succeeds. Those 
valves must not necessarily be queued in the container's pipeline, but 
could be called by the CombinedAuthenticator valve.


That's likely not too simple but it could be done. Are you open to such a 
solution?


I believe that only the SpnegoAuthenticator needs such a fallback, as it 
uses mechanisms that you can't just add to any client. (In contrast, you 
could always distribute an X509 certificate or use FORM, BASIC, or DIGEST 
login. But you can't add your client to a Windows Domain just in order 
to log in to an application.) Adding a fallback mechanism to 
SpnegoAuthenticator only may be much easier.


What other solutions do you know?

Carsten
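The CombinedAuthenticator proposed above is, at the protocol level, a dispatch on what the client sent; the Python model below, added here as an example and neither Tomcat code nor part of the thread, shows the shape such a fallback takes. The trick that makes SPNEGO-then-FORM work in a single context is that the 401 carrying WWW-Authenticate: Negotiate also carries the login form as its body: a domain-joined browser answers the challenge and never shows the body, while a client that cannot produce a Negotiate token renders it and submits to j_security_check. The GSS-API acceptor is passed in as a callable because the real one needs a KDC; the one wired up here is a constructed table lookup, as are the user record and the sample token.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Served as the body of the Negotiate challenge so that a client without a
# token can log in through the same protected context.
LOGIN_FORM = (
    '<html><body><form method="post" action="j_security_check">'
    '<input name="j_username"><input name="j_password" type="password">'
    '<input type="submit" value="Login"></form></body></html>'
)
PBKDF2_ROUNDS = 100_000


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Outcome:
    principal: Optional[str]       # authenticated user, or None
    handled_by: str                # "spnego", "form" or "challenge"
    response: Optional[Response]   # what to send back when not (yet) authenticated


def make_user_record(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class CombinedAuthenticator:
    """SPNEGO first, FORM as the fallback, in one authenticator.

    verify_spnego is the GSS-API acceptor hook: it receives the decoded token
    and returns the authenticated principal or None.  users maps a login name
    to the (salt, hash) pair produced by make_user_record.
    """

    def __init__(self, verify_spnego: Callable[[bytes], Optional[str]],
                 users: Dict[str, Tuple[bytes, bytes]]):
        self.verify_spnego = verify_spnego
        self.users = users

    def authenticate(self, req: Request) -> Outcome:
        auth = req.headers.get("Authorization", "")
        if auth.startswith("Negotiate "):
            user = self.verify_spnego(base64.b64decode(auth[len("Negotiate "):]))
            if user:
                return Outcome(user, "spnego", None)
            # Unusable token (wrong mechanism, bad ticket): challenge again,
            # still offering the form, instead of failing hard.
            return Outcome(None, "challenge", self.challenge())
        if req.method == "POST" and req.path.endswith("/j_security_check"):
            user = self.check_password(req.form.get("j_username", ""), req.form.get("j_password", ""))
            if user:
                return Outcome(user, "form", None)
            return Outcome(None, "form", Response(403, body="login failed"))
        return Outcome(None, "challenge", self.challenge())

    def challenge(self) -> Response:
        """401 with the Negotiate header *and* the form: SPNEGO-capable clients
        answer the header, everyone else sees the form."""
        return Response(401, {"WWW-Authenticate": "Negotiate", "Content-Type": "text/html"}, LOGIN_FORM)

    def check_password(self, username: str, password: str) -> Optional[str]:
        rec = self.users.get(username)
        if rec is None:
            # Run the KDF anyway so unknown users are not distinguishable by timing.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return None
        salt, expected = rec
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return username if hmac.compare_digest(got, expected) else None


def negotiate_header(token: bytes) -> str:
    """The Authorization header value a client would send for token."""
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed stand-ins for a KDC-backed acceptor and a user store (sample data only).
SAMPLE_TOKENS = {b"constructed-kerberos-token": "alice@GVSN.LOCAL"}
AUTH = CombinedAuthenticator(SAMPLE_TOKENS.get,
                             {"vpn-user": make_user_record("correct horse battery staple")})
```

Two things the model also captures: a Negotiate token the acceptor rejects (for instance an NTLM token arriving under the Negotiate scheme) is re-challenged with the form rather than turned into a 403, and an unknown form user still runs the KDF so timing does not reveal which accounts exist. The caveat is browser behaviour: some clients answer an unanswerable Negotiate with a credential prompt instead of rendering the body, which is the prompt seen in the 2016 thread further down this page.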







SSO using Reverse Proxy from IIS to Apache Tomcat 8.0.22 (Use Windows Authentication NTLM)

2018-05-15 Thread Agrawal, Suraj (CORP)
Hi Team,

We are trying to implement SSO using Windows integrated authentication 
(NTLM) on Apache Tomcat 8.0.22 for REST API calls.

We are following "Windows Authentication How To" --> Reverse Proxies --> 
Microsoft IIS. We configured ISAPI_Redirect.dll for reverse proxy.

But facing some issues with it, can you please help us with the below :

1.   Our application (Siebel) listens on the HTTP protocol, but it seems the 
ISAPI_Redirect reverse proxy uses the AJP connector protocol. Is there any document 
which can help us configure the reverse proxy with the HTTP protocol?

2.   We are using the Windows Authentication NTLM approach (we cannot use 
Kerberos as per the company guidelines); are there any known issues using WIA 
with Apache?

3.   Please suggest if there is any better approach to achieve SSO for REST 
calls using Windows Integrated Authentication on Windows Server.

Any help would be very much appreciated, thanks again for your time.

Thanks & Regards,
Suraj Agrawal



Re: Integrated Windows Authentication for TomCat 7

2016-05-25 Thread Mark Thomas
On 25/05/2016 07:02, Clinton Breed wrote:
> Good day All
> 
> We are running a web app named n-able Helpdesk Manager via TomCat 7 on a
> Windows Server 2008.
> 
> The Tomcat gets installed via the n-able helpdesk installation. I have
> been assigned a task to get the Helpdesk Webapp to login automatically
> gathering the information from the windows login. (automatic LDAP
> authentication)
> 
> I have done some research and found out that it is possible to integrate
> the windows authentication  through Tomcat (SPNEGO), but my question is,
> how do I get past the Login on the Webapp (n-able Helpdesk)
> 
> The authentication options I have on n-able Helpdesk is:
> 
> n-able Help Desk Manager (Where you create user login details)
> 
> CAS 2.0
> 
> SAML 2.0
> 
> Servlet Authentication

I'd guess this is the option you need.

I'd start with a simple web application and make sure that SPNEGO is
working correctly. A JSP that displays the current value of
HttpServletRequest.getRemoteUser() with an appropriate security
constraint should be enough to test with.

Mark





Integrated Windows Authentication for TomCat 7

2016-05-25 Thread Clinton Breed
Good day All

We are running a web app named n-able Helpdesk Manager via TomCat 7 on a 
Windows Server 2008.
The Tomcat gets installed via the n-able helpdesk installation. I have been 
assigned a task to get the Helpdesk Webapp to login automatically gathering the 
information from the windows login. (automatic LDAP authentication)
I have done some research and found out that it is possible to integrate the 
windows authentication through Tomcat (SPNEGO), but my question is, how do I 
get past the Login on the Webapp (n-able Helpdesk)
The authentication options I have on n-able Helpdesk is:

n-able Help Desk Manager (Where you create user login details)
CAS 2.0
SAML 2.0
Servlet Authentication
HTTP Header
HTTP form value

I have little experience in regards with the above authentication as well as 
tomcat, proper guidance will be appreciated. Please feel free to ask for more 
information if you need it.

Thanks,

Clinton Breed
Systems Analyst
Lonrho Group
Corner of Webb and Jones Roads
Jet Park
Boksburg,
Johannesburg1459
South Africa
Tel: +27 11 571 9869
clinton.br...@lonrho.com
www.lonrho.com


Re: Windows Authentication

2016-03-07 Thread tomcat

On 07.03.2016 11:39, André Warnier (tomcat) wrote:

On 07.03.2016 06:10, Chanchal Kariwala wrote:

The article which suggested that NTLM is being used by Winlogon instead of
Kerberos :

http://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header


So the token browser sends on first 401 starts from YHkG...
And the second token begins with YIIK1QYG



Check also this one :
https://blogs.msdn.microsoft.com/friis/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iisie/



As you see, there are a lot of things to check, one by one.  That is because WIA (and 
Kerberos) are very fiddly, and even one little setting or circumstance can result in the 
thing not working (as in your case).


P.S. The mere volume of articles on this subject in Google (e.g. "kerberos and wia" or 
"kerberos and IE")

1) by itself makes it difficult to know which one to read and believe
2) indicates that this is a complex subject, with which a lot of people have 
problems

This list here is about Tomcat issues.  There is an SPNEGO authentication Valve in Tomcat, 
and there are certainly some people on this list with some knowledge of WIA/Kerberos, but 
such issues are probably not their main focus, or their main area of expertise.
You may have a bit more luck (or at least find more people focused on Windows 
authentication) on the Samba list for example.

Maybe try here : https://lists.samba.org/mailman/listinfo/samba
and supply all your previous information again, including the captured headers.
That would definitely increase your chances of receiving a helpful response.

It is not that we don't /want/ to help, but there are just too many external factors and 
settings which can play a role, that it is a bit overwhelming to try this one step remote 
from the problem.
If you do in the end identify a specific problem with the Tomcat SPNEGO Valve, don't 
hesitate to come back and ask for help here again.
Also, if you do find the solution, please post a short message to this list, so that maybe 
other people here with a similar issue could in the future find the solution in the list 
archives.

(I presume you have already searched these archives for similar issues ?)

Another thing, at a different level : if your main aim is to solve this issue quickly, 
then have a look at Jespa (https://www.ioplex.com/).

I can testify that Jespa works faultlessly in several installations which I did.
And just reading the User Manual may already give you some useful tips.





Re: Windows Authentication

2016-03-07 Thread tomcat

On 07.03.2016 06:10, Chanchal Kariwala wrote:

The article which suggested that NTLM is being used by Winlogon instead of
Kerberos :

http://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header

So the token browser sends on first 401 starts from YHkG...
And the second token begins with YIIK1QYG



Check also this one :
https://blogs.msdn.microsoft.com/friis/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iisie/




Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com



On Mon, Mar 7, 2016 at 10:19 AM, Chanchal Kariwala <
chanchal.kariw...@seclore.com> wrote:


In response to *George Stanchev*,
I tried with Chrome and IE 11, same behavior in both. And yes I tried
waffle, but in another webapp. Waffle does not prompt for the credentials..

In response to *André Warnier*,
I tried that to no avail :(

In response to *Felix Schumacher*,
It is not a problem with the webapp. I have tried both of what you asked.
Tomcat Keytab is authenticated successfully. And KRB debug
shows success for the keytab.

So here are my additional findings over the weekend.
Background - My test AD is virtual. My Domain Controller and client are
VMS.

1. *Windows Logon was using NTLM instead of Kerberos*

Some article led me to the following assumption :

When the browser receives WWW-Authenticate: Negotiate, it asks for the
token from the OS Cache. The OS Cache provides it a token that was obtained
via NTLM. The Server does not accept that since it specifically wants
Kerberos. And hence the browser asks for Credentials again and this time
the user is authenticated via Kerberos. And this token is accepted by the
Server.


2. *Windows Logon by IP Address uses NTLM*

I access the client machine (with tomcat) using RDP via the IP Address.
The following question on StackExchange indicates that in
such a scenario NTLM is used to logon to the system.

See :
http://serverfault.com/questions/357975/is-it-possible-to-switch-to-kerberos-only-windows-domain


3. *Kerberos Event Logging*

The next thing I was trying to figure was why Windows logon was using
NTLM. The above link suggests that there was no way of forcing
LSA to use Kerberos only. So now I am looking at the System events, which
might suggest which protocol is being used.

Also I enabled Kerberos event logging to see if there were any Kerberos
Errors.

See : https://support.microsoft.com/en-us/kb/262177


Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com



On Sat, Mar 5, 2016 at 3:57 PM, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:


Am 04.03.2016 um 10:11 schrieb Chanchal Kariwala:


I tried what you asked and I have observed the following

1. Browser sends a request for the resource
Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
Headers

2. Browser sends a new request with the following in Request Headers
Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg

Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
Response Headers

3. At this point the browser shows HTTP Basic Auth form and sends the
following in Headers
Authorization: Negotiate
YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
value, much much longer than the first one*)

Now the Server replies with HTTP 200 and the following in headers
WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly

So yes WIA is failing..
Can you help me out with the next step in debugging?


You can enable debugging for kerberos in the jvm and you can enable debug
logs for the SpnegoAuthenticator in tomcat to get more information.

To enable debug log messages in the jvm add

-Dsun.security.krb5.debug=true

to CATALINA_OPTS. The log messages will appear in catalina.out and are
quite verbose.

To enable debug log messages for SpnegoAuthenticator, add

org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE

to conf/logging.properties in your CATALINA_BASE directory.

Regards,
  Felix






Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com



On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) 
wrote:

On 04.03.2016 07:16, Chanchal Kariwala wrote:


I am using Tomcat 8.0.32 and I have followed the guide given at


- https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
- https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w

Windows AD Auth is working i.e. when I access the site, I am asked for
credentials and when I enter the correct credentials, the restricted
resource is displayed.

However my question is why the browser is asking for credentials? Why
isn't
it accessing TGT Cache in the OS 

Re: Windows Authentication

2016-03-06 Thread Chanchal Kariwala
The article which suggested that NTLM is being used by Winlogon instead of
Kerberos :

http://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header

So the token browser sends on first 401 starts from YHkG...
And the second token begins with YIIK1QYG

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com



On Mon, Mar 7, 2016 at 10:19 AM, Chanchal Kariwala <
chanchal.kariw...@seclore.com> wrote:

> In response to *George Stanchev*,
> I tried with Chrome and IE 11, same behavior in both. And yes I tried
> waffle, but in another webapp. Waffle does not prompt for the credentials.
>
> In response to *André Warnier*,
> I tried that to no avail :(
>
> In response to *Felix Schumacher*,
> It is not a problem with the webapp. I have tried both of what you asked.
> Tomcat Keytab is authenticated successfully. And KRB debug
> shows success for the keytab.
>
> So here are my additional findings over the weekend.
> Background - My test AD is virtual. My Domain Controller and client are
> VMS.
>
> 1. *Windows Logon was using NTLM instead of Kerberos*
>
> Some article led me to the following assumption :
>
> When the browser receives WWW-Authenticate: Negotiate, it asks for the
> token from the OS Cache. The OS Cache provides it a token that was obtained
> via NTLM. The Server does not accept that since it specifically wants
> Kerberos. And hence the browser asks for Credentials again and this time
> the user is authenticated via Kerberos. And this token is accepted by the
> Server.
>
>
> 2. *Windows Logon by IP Address uses NTLM*
>
> I access the client machine (with tomcat) using RDP via the IP Address.
> The following question on StackExchange indicates that in
> such a scenario NTLM is used to logon to the system.
>
> See :
> http://serverfault.com/questions/357975/is-it-possible-to-switch-to-kerberos-only-windows-domain
>
>
> 3. *Kerberos Event Logging*
>
> The next thing I was trying to figure was why Windows logon was using
> NTLM. The above link suggests that there was no way of forcing
> LSA to use Kerberos only. So now I am looking at the System events, which
> might suggest which protocol is being used.
>
> Also I enabled Kerberos event logging to see if there were any Kerberos
> Errors.
>
> See : https://support.microsoft.com/en-us/kb/262177
>
>
> Thanks,
> Chanchal R. Kariwala
> Product Engineer
> Seclore Technology
> chanchal.kariw...@seclore.com
> www.seclore.com
>
>
>
> On Sat, Mar 5, 2016 at 3:57 PM, Felix Schumacher <
> felix.schumac...@internetallee.de> wrote:
>
>> Am 04.03.2016 um 10:11 schrieb Chanchal Kariwala:
>>
>>> I tried what you asked and I have observed the following
>>>
>>> 1. Browser sends a request for the resource
>>> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
>>> Headers
>>>
>>> 2. Browser sends a new request with the following in Request Headers
>>> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>>>
>>> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
>>> Response Headers
>>>
>>> 3. At this point the browser shows HTTP Basic Auth form and sends the
>>> following in Headers
>>> Authorization: Negotiate
>>> YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
>>> value, much much longer than the first one*)
>>>
>>> Now the Server replies with HTTP 200 and the following in headers
>>> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
>>> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>>>
>>> So yes WIA is failing..
>>> Can you help me out with the next step in debugging?
>>>
>> You can enable debugging for kerberos in the jvm and you can enable debug
>> logs for the SpnegoAuthenticator in tomcat to get more information.
>>
>> To enable debug log messages in the jvm add
>>
>> -Dsun.security.krb5.debug=true
>>
>> to CATALINA_OPTS. The log messages will appear in catalina.out and are
>> quite verbose.
>>
>> To enable debug log messages for SpnegoAuthenticator, add
>>
>> org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE
>>
>> to conf/logging.properties in your CATALINA_BASE directory.
>>
>> Regards,
>>  Felix
>>
>>
>>>
>>>
>>>
>>> Thanks,
>>> Chanchal R. Kariwala
>>> Product Engineer
>>> Seclore Technology
>>> chanchal.kariw...@seclore.com
>>> www.seclore.com
>>>
>>>
>>>
>>> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) 
>>> wrote:
>>>
>>> On 04.03.2016 07:16, Chanchal Kariwala wrote:

 I am using Tomcat 8.0.32 and I have followed the guide given at
>
> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>
> Windows AD Auth is working i.e. when I access the site, I am asked for
> credentials and 

Re: Windows Authentication

2016-03-06 Thread Chanchal Kariwala
In response to *George Stanchev*,
I tried with Chrome and IE 11, same behavior in both. And yes I tried
waffle, but in another webapp. Waffle does not prompt for the credentials.

In response to *André Warnier*,
I tried that to no avail :(

In response to *Felix Schumacher*,
It is not a problem with the webapp. I have tried both of what you asked.
Tomcat Keytab is authenticated successfully. And KRB debug
shows success for the keytab.

So here are my additional findings over the weekend.
Background - My test AD is virtual. My Domain Controller and client are VMS.

1. *Windows Logon was using NTLM instead of Kerberos*

Some article led me to the following assumption :

When the browser receives WWW-Authenticate: Negotiate, it asks for the
token from the OS Cache. The OS Cache provides it a token that was obtained
via NTLM. The Server does not accept that since it specifically wants
Kerberos. And hence the browser asks for Credentials again and this time
the user is authenticated via Kerberos. And this token is accepted by the
Server.


2. *Windows Logon by IP Address uses NTLM*

I access the client machine (with tomcat) using RDP via the IP Address. The
following question on StackExchange indicates that in
such a scenario NTLM is used to logon to the system.

See :
http://serverfault.com/questions/357975/is-it-possible-to-switch-to-kerberos-only-windows-domain


3. *Kerberos Event Logging*

The next thing I was trying to figure was why Windows logon was using NTLM.
The above link suggests that there was no way of forcing
LSA to use Kerberos only. So now I am looking at the System events, which
might suggest which protocol is being used.

Also I enabled Kerberos event logging to see if there were any Kerberos
Errors.

See : https://support.microsoft.com/en-us/kb/262177


Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com



On Sat, Mar 5, 2016 at 3:57 PM, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

> Am 04.03.2016 um 10:11 schrieb Chanchal Kariwala:
>
>> I tried what you asked and I have observed the following
>>
>> 1. Browser sends a request for the resource
>> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
>> Headers
>>
>> 2. Browser sends a new request with the following in Request Headers
>> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>>
>> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
>> Response Headers
>>
>> 3. At this point the browser shows HTTP Basic Auth form and sends the
>> following in Headers
>> Authorization: Negotiate
>> YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
>> value, much much longer than the first one*)
>>
>> Now the Server replies with HTTP 200 and the following in headers
>> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
>> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>>
>> So yes WIA is failing..
>> Can you help me out with the next step in debugging?
>>
> You can enable debugging for kerberos in the jvm and you can enable debug
> logs for the SpnegoAuthenticator in tomcat to get more information.
>
> To enable debug log messages in the jvm add
>
> -Dsun.security.krb5.debug=true
>
> to CATALINA_OPTS. The log messages will appear in catalina.out and are
> quite verbose.
>
> To enable debug log messages for SpnegoAuthenticator, add
>
> org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE
>
> to conf/logging.properties in your CATALINA_BASE directory.
>
> Regards,
>  Felix
>
>
>>
>>
>>
>> Thanks,
>> Chanchal R. Kariwala
>> Product Engineer
>> Seclore Technology
>> chanchal.kariw...@seclore.com
>> www.seclore.com
>>
>>
>>
>> On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) 
>> wrote:
>>
>> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>>>
>>> I am using Tomcat 8.0.32 and I have followed the guide given at

  -


 https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
  -


 https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w

 Windows AD Auth is working i.e. when I access the site, I am asked for
 credentials and when I enter the correct credentials, the restricted
 resource is displayed.

 However my question is why the browser is asking for credentials? Why
 isn't
 it accessing TGT Cache in the OS to fetch the user's credentials?

 I have enabled Integrated Windows Auth in IE Settings. I have added the
 site in Intranet Sites and set "Logon by Current User" in Custom Level
 setting for Intranet.



 Hi.
>>>
>>> The real *key* to debugging such issues, is to use some plugin or add-on
>>> to the browser, to enable the capture and visualisation of the HTTP
>>> dialog
>>> back and forth between the browser and the server.
>>> Since you are using IE, I 

Re: Windows Authentication

2016-03-05 Thread Felix Schumacher

On 04.03.2016 at 10:11, Chanchal Kariwala wrote:
> I tried what you asked and I have observed the following
>
> 1. Browser sends a request for the resource
> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
> Headers
>
> 2. Browser sends a new request with the following in Request Headers
> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg
>
> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
> Response Headers
>
> 3. At this point the browser shows HTTP Basic Auth form and sends the
> following in Headers
> Authorization: Negotiate
> YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
> value, much much longer than the first one*)
>
> Now the Server replies with HTTP 200 and the following in headers
> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>
> So yes WIA is failing..
> Can you help me out with the next step in debugging?

You can enable debugging for kerberos in the jvm and you can enable
debug logs for the SpnegoAuthenticator in tomcat to get more information.


To enable debug log messages in the jvm add

-Dsun.security.krb5.debug=true

to CATALINA_OPTS. The log messages will appear in catalina.out and are 
quite verbose.


To enable debug log messages for SpnegoAuthenticator, add

org.apache.catalina.authenticator.SpnegoAuthenticator.level = FINE

to conf/logging.properties in your CATALINA_BASE directory.

Regards,
 Felix
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Windows Authentication

2016-03-04 Thread tomcat

On 04.03.2016 14:40, George Stanchev wrote:
> It does not look like HTTP Basic. Did you try different browsers? IE, Chrome,
> FF? Do you get same behavior with all? Is the user logging in member of the
> domain your IWA is set up to?

Did you try /un/-checking the "Enable WIA authentication" checkbox in IE?
(I know it sounds counter-intuitive, but try it).

> If you set up a 3rd party IWA provider (such as Waffle), does it act the same
> on all 3 browsers? There was a recent issue with Waffle that one of my
> developers submitted that was dealing with similar issues [1]. You might want
> to go over that thread to see if it can give you pointers.
>
> [1] https://github.com/dblock/waffle/issues/268


RE: Windows Authentication

2016-03-04 Thread George Stanchev
It does not look like HTTP Basic. Did you try different browsers? IE, Chrome, 
FF? Do you get same behavior with all? Is the user logging in member of the 
domain your IWA is set up to?

If you set up a 3rd party IWA provider (such as Waffle), does it act the same 
on all 3 browsers? There was a recent issue with Waffle that one of my 
developers submitted that was dealing with similar issues [1]. You might want 
to go over that thread to see if it can give you pointers.


[1] https://github.com/dblock/waffle/issues/268


Re: Windows Authentication

2016-03-04 Thread Chanchal Kariwala
But how does the browser decide on Basic Auth?

Usually 401 Response contains WWW-Authenticate: Basic realm="MyREALM" to
indicate Basic Auth

Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com





Re: Windows Authentication

2016-03-04 Thread tomcat

On 04.03.2016 10:11, Chanchal Kariwala wrote:
> I tried what you asked and I have observed the following
>
> 1. Browser sends a request for the resource
> Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
> Headers

Fine.

> 2. Browser sends a new request with the following in Request Headers
> Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg

Also seems fine. (But difficult to tell, as these tokens are "opaque" by
design).

> Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
> Response Headers

But this does not seem ok. It seems that the browser and server are failing to
agree on an authentication method, and dropping down to HTTP Basic.

> 3. At this point the browser shows HTTP Basic Auth form and sends the
> following in Headers
> Authorization: Negotiate
> YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
> value, much much longer than the first one*)
>
> Now the Server replies with HTTP 200 and the following in headers
> WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
> Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly
>
> So yes WIA is failing..
> Can you help me out with the next step in debugging?

I think at this point, you need to go to your Windows network sysadmins, with the
information above, and ask them what is going on.
There are just too many possible reasons, in the Windows Domain environment, why this
could fail. (browser, browser version, workstation OS version, browser settings, Domain
Controller settings, Domain network policies, membership of Domain or not, etc.).









Re: Windows Authentication

2016-03-04 Thread Chanchal Kariwala
I tried what you asked and I have observed the following

1. Browser sends a request for the resource
Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response
Headers

2. Browser sends a new request with the following in Request Headers
Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg

Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
Response Headers

3. At this point the browser shows HTTP Basic Auth form and sends the
following in Headers
Authorization: Negotiate
YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS (*Really huge
value, much much longer than the first one*)

Now the Server replies with HTTP 200 and the following in headers
WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0
Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly

So yes WIA is failing..
Can you help me out with the next step in debugging?




Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com
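The mechToken inside a Negotiate header is opaque, but the SPNEGO envelope around it is plain DER (RFC 4178) and tells you which mechanisms the browser offered and which one the server settled on. That is the most useful thing to pull out of a trace like the one above before going to the domain admins. What follows is an added example written for this page, not code from the thread or from Tomcat: a small parser that decodes NegTokenInit and NegTokenResp tokens and tolerates the truncation of tokens pasted from a log, clamping every length to the bytes actually present. Run on the three truncated tokens quoted above, it reports that the first Authorization token (123 bytes in total) leads with a 10-byte mechanism OID under 1.3 rather than a 9-byte Kerberos OID under 1.2.840, that the second (2777 bytes) leads with 1.2.840.48018.1.2.2, Microsoft's legacy Kerberos OID, and that the final WWW-Authenticate token is a NegTokenResp with negState accept-completed and supportedMech 1.2.840.113554.1.2.2 (Kerberos V5). The mechanism names are the public GSS-API OIDs; the `family` classification of a cut-off OID is my heuristic (the two 10-byte mechanisms a Windows client lists under 1.3.6.1.4.1.311 are NTLMSSP and NEGOEX), not something the truncated token proves.

```python
"""Decode the SPNEGO envelope of Negotiate tokens copied from an HTTP trace (added example, not Tomcat code)."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {  # public GSS mechanism OIDs, used only to label a fully decoded OID
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def b64_lenient(text):
    """Decode base64 that was cut off mid-quantum, as tokens pasted into mail usually are."""
    text = "".join(text.split())
    text = text[: len(text) - (len(text) % 4 == 1)]  # a lone trailing char carries no whole byte
    return base64.b64decode(text + "=" * (-len(text) % 4))


def read_tlv(buf, pos):
    """(tag, declared length, content offset) of the DER element at pos; ValueError if the header is cut off."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if not first & 0x80:
        return tag, first, pos
    n = first & 0x7F  # long form: n length bytes follow
    if pos + n > len(buf):
        raise ValueError("truncated header")
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid(data):
    """Decode the complete arcs present in a (possibly truncated) OID body."""
    if not data:
        return ""
    arcs, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def describe_oid(buf, pos, declared_len):
    chunk = buf[pos:pos + declared_len]
    oid, complete = decode_oid(chunk), len(chunk) == declared_len
    # Heuristic for cut-off OIDs: Kerberos mechs are 9-byte OIDs under 1.2.840; the 10-byte
    # mechs a Windows client lists under 1.3.6.1.4.1.311 are NTLMSSP and NEGOEX.
    family = ("kerberos" if declared_len == 9 and oid.startswith("1.2.840") else
              "microsoft" if declared_len == 10 and oid.startswith("1.3") else "unknown")
    return {"oid": oid, "declared_len": declared_len, "complete": complete,
            "name": MECH_NAMES.get(oid) if complete else None, "family": family}


def parse_spnego(b64_token):
    """Summarise a NegTokenInit (client) or NegTokenResp (server) from whatever bytes survived."""
    buf = b64_lenient(b64_token)
    tag, length, pos = read_tlv(buf, 0)
    info = {"declared_bytes": pos + length, "available_bytes": len(buf)}
    if tag == 0x60:  # InitialContextToken: thisMech OID, then [0] NegTokenInit
        t, l, pos = read_tlv(buf, pos)
        if t != 0x06 or decode_oid(buf[pos:pos + l]) != SPNEGO_OID:
            raise ValueError("not a SPNEGO token")
        _, _, pos = read_tlv(buf, pos + l)  # [0] negTokenInit
        _, _, pos = read_tlv(buf, pos)      # SEQUENCE
        t, _, pos = read_tlv(buf, pos)      # [0] mechTypes
        if t != 0xA0:
            raise ValueError("mechTypes missing")
        _, l, pos = read_tlv(buf, pos)      # SEQUENCE OF MechType, in the client's preference order
        end, mechs = pos + l, []
        while pos < end:
            try:
                _, l, pos = read_tlv(buf, pos)
            except ValueError:
                break
            mechs.append(describe_oid(buf, pos, l))
            pos += l
            if not mechs[-1]["complete"]:
                break
        info.update(type="NegTokenInit", mech_types=mechs)
    elif tag == 0xA1:  # [1] NegTokenResp: SEQUENCE of tagged fields
        _, l, pos = read_tlv(buf, pos)
        end, info["type"] = min(pos + l, len(buf)), "NegTokenResp"
        while pos < end:
            try:
                t, l, pos = read_tlv(buf, pos)
            except ValueError:
                break
            if t == 0xA0:    # negState ENUMERATED
                _, _, ip = read_tlv(buf, pos)
                info["neg_state"] = NEG_STATE.get(buf[ip], str(buf[ip]))
            elif t == 0xA1:  # supportedMech OID
                _, il, ip = read_tlv(buf, pos)
                info["supported_mech"] = describe_oid(buf, ip, il)
            elif t == 0xA2:  # responseToken: the opaque mechanism data
                info["response_token_declared_len"] = l
            pos += l
    else:
        raise ValueError("unexpected outer tag 0x%02x" % tag)
    return info


if __name__ == "__main__":  # the first (truncated) Authorization token quoted in this thread
    print(parse_spnego("YHkGBisGAQUFAqBvMG2gMDAuBgorBg"))
```

Read together with the exchange above: the browser's first attempt did not lead with Kerberos, which is consistent with it having no service ticket for the site's SPN at that moment, and only the token sent after the credential prompt carried Kerberos, which the server accepted. Java GSS-API, which Tomcat's SpnegoAuthenticator is built on, implements Kerberos but not NTLM, so an offer that does not lead with Kerberos cannot complete silently. If your own trace has the same shape, check the SPN registration and whether the client can obtain a ticket for HTTP/<host> (klist on the workstation) before suspecting Tomcat.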





Re: Windows Authentication

2016-03-03 Thread tomcat

On 04.03.2016 07:16, Chanchal Kariwala wrote:
> I am using Tomcat 8.0.32 and I have followed the guide given at
>
> - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
> - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>
> Windows AD Auth is working i.e. when I access the site, I am asked for
> credentials and when I enter the correct credentials, the restricted
> resource is displayed.
>
> However my question is why the browser is asking for credentials? Why isn't
> it accessing TGT Cache in the OS to fetch the user's credentials?
>
> I have enabled Integrated Windows Auth in IE Settings. I have added the
> site in Intranet Sites and set "Logon by Current User" in Custom Level
> setting for Intranet.




Hi.

The real *key* to debugging such issues, is to use some plugin or add-on to the browser, 
to enable the capture and visualisation of the HTTP dialog back and forth between the 
browser and the server.

Since you are using IE, I suggest "Fiddler2".
Install it, close your browser, re-open the browser, start Fiddler2 in capture mode, and 
then do an access to the webserver.  When prompted for an id/pw, enter them.
Then stop Fiddler2 and examine the HTTP exchanges, starting with your initial request to 
the webserver.


You are correct in thinking that, normally, the login should happen automatically in the 
background, and you should never see this browser login dialog.
WIA authentication is a multiple-step process between the browser and the webserver, and 
in the background between the webserver and a Domain Controller.

That the login dialog appears in your case, means :
1) that the integrated WIA failed
2) that the Domain is configured to allow HTTP Basic authentication in a second step, 
after WIA fails.  That is the login dialog that you see.


So, something is not working as it should in the WIA step.
But to know exactly what, requires examining the HTTP exchanges.






Windows Authentication

2016-03-03 Thread Chanchal Kariwala
I am using Tomcat 8.0.32 and I have followed the guide given at

- https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
- https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w

Windows AD Auth is working i.e. when I access the site, I am asked for
credentials and when I enter the correct credentials, the restricted
resource is displayed.

However my question is why the browser is asking for credentials? Why isn't
it accessing TGT Cache in the OS to fetch the user's credentials?

I have enabled Integrated Windows Auth in IE Settings. I have added the
site in Intranet Sites and set "Logon by Current User" in Custom Level
setting for Intranet.


Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com


Re: Windows authentication : outdated link

2015-03-13 Thread Konstantin Kolinko
2015-03-13 15:04 GMT+03:00 André Warnier a...@ice-sa.com:
> Hi.
>
> Errata :
>
> In the page
> http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#References
> (and also in the corresponding Tomcat 7 page), the link to
>
> Geronimo configuration for Windows authentication
>
> leads to :
>
> https://cwiki.apache.org/GMOxDOC21/using-spengo-in-geronimo.html#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController
>
> which returns :
>
> The requested URL
> /confluence/display/GMOxDOC21/using-spengo-in-geronimo.html was not found on
> this server.
>
> (neither does it work if one replaces the spengo parts by spnego..)


Apparently they replaced '-' with '+' and have lost the .html suffix.

https://cwiki.apache.org/confluence/display/GMOxDOC21/Using+SPNEGO+in+Geronimo#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine

Best regards,
Konstantin Kolinko




Windows authentication : outdated link

2015-03-13 Thread André Warnier

Hi.

Errata :

In the page 
http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#References
(and also in the corresponding Tomcat 7 page), the link to

Geronimo configuration for Windows authentication

leads to :

https://cwiki.apache.org/GMOxDOC21/using-spengo-in-geronimo.html#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController

which returns :

The requested URL /confluence/display/GMOxDOC21/using-spengo-in-geronimo.html was not 
found on this server.


(neither does it work if one replaces the spengo parts by spnego..)





Re: Windows authentication : outdated link

2015-03-13 Thread Konstantin Kolinko
2015-03-13 15:13 GMT+03:00 Konstantin Kolinko knst.koli...@gmail.com:

> Apparently they replaced '-' with '+' and have lost the .html suffix.
>
> https://cwiki.apache.org/confluence/display/GMOxDOC21/Using+SPNEGO+in+Geronimo#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine

I updated the docs in Tomcat 9/8/7.

Best regards,
Konstantin Kolinko




RE: Built-in Tomcat Support for Windows Authentication

2014-10-24 Thread Philippe Wijdh
Alright, thanks. We will try once more from scratch.

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Thursday 23 October 2014 20:42
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

On 23.10.2014 at 11:07, Philippe Wijdh wrote:
 Hi,

 Thank you for the response.
 The initial setup of the spn and the keytab was without the port-number, the 
 registry key was a suggestion found on internet but this setting does not 
 change the outcome.

 The command kinit on the Tomcat server returns the following


 C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf
 
 C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL

HTTP/v3tcat4ad.assai.nl:8...@assai.nl is the wrong spn. You have to use one 
without the port number (as described in the docs).

Maybe it would be best to follow Mark's advice and start with a fresh system 
and follow the documentation step by step.

Felix

RE: Built-in Tomcat Support for Windows Authentication

2014-10-24 Thread Philippe Wijdh
Thanks Terence,

We will have a look at Waffle as well.


Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The 
Netherlands
P:  +31 (0)345 516 663, E:  p.wi...@assai.nl, W: www.assai-software.com 

-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com] 
Sent: Wednesday 22 October 2014 18:56
To: Tomcat Users List
Subject: Built-in Tomcat Support for Windows Authentication

On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
 Hello,

 We have spent a long time now, trying to set up Apache Tomcat with Windows 
 Authentication.
 We followed the instructions as per 
 http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
 make it work properly, the logon dialog keeps appearing and trying to log on 
 fails.
 Additional to that we tried suggestions, like adding the registry key 
 AllowTgtSessionKey and setting it to 0x01. Seems like we are close but 
 we are missing something (see tomcat output below). Does anyone have a more 
 complete documentation or have any suggestions on how to make this work?


 Kind regards,

 Philippe Wijdh



 Extra information on the setup:

 Windows 2008 r2 sp1
 Apache Tomcat 7.0.54
 jdk1.7.0_60

 Tomcat is running as a service using account  
 HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the 
 port number, does not make a difference)

 Test is done with user testu...@assai.nl in IE11 on 
 different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
 Intranet sites.


Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success 
using Waffle in a similar configuration.  You might try that if all else fails.

-Terence Bandoian






Re: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Mark Thomas
On 22/10/2014 10:40, Philippe Wijdh wrote:
 Hello,
 
 We have spent a long time now, trying to set up Apache Tomcat with Windows 
 Authentication.
 We followed the instructions as per 
 http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
 make it work properly, the logon dialog keeps appearing and trying to log on 
 fails.
 Additional to that we tried suggestions, like adding the registry key 
 AllowTgtSessionKey and setting it to 0x01
 Seems like we are close but we are missing something (see tomcat output below)
 Does anyone have a more complete documentation or have any suggestions on how 
 to make this work.

The documentation is complete. If you follow the steps in that document
then you will end up with a working system.

Either you aren't following the documentation or something in your
environment differs from that described in the document.

 Kind regards,
 
 Philippe Wijdh
 
 
 
 Extra information on the setup:
 
 Windows 2008 r2 sp1
 Apache Tomcat 7.0.54
 jdk1.7.0_60
 
 Tomcat is running as a service using account  HTTP/v3tcat4ad.assai.nl:8080 
 (have created spn with and without the port number, does not make a 
 difference)
 
 Test is done with user testu...@assai.nl in IE11 on 
 different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
 Intranet sites.

You haven't provided any information on the Realm configuration or how
you have secured the page you are trying to test with.

You might have hit https://issues.apache.org/bugzilla/show_bug.cgi?id=57022

There are lots of configuration steps listed in the docs you haven't
mentioned.

Mark

 
 
 

RE: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Philippe Wijdh
Hi,

Thank you for the response.
The initial setup of the SPN and the keytab was without the port number; the 
registry key was a suggestion found on the internet, but this setting does not 
change the outcome.

The command kinit on the Tomcat server returns the following


C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf

C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
 Kinit using keytab
 Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
 Kinit realm name is ASSAI.NL
 Creating KrbAsReq
 KrbKdcReq local addresses for V3TCAT4AD are:

V3TCAT4AD/10.1.0.67
IPv4 address

V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
IPv6 address
 KdcAccessibility: reset
 KeyTabInputStream, readName(): ASSAI.NL
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
 KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=198
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=198
 KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
Pre-Authentication Data:
 PA-DATA type = 16

Pre-Authentication Data:
 PA-DATA type = 15

 KdcAccessibility: remove v3dom1.assai.nl:88
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
 sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
 suSec is 776700
 error code is 25
 error Message is Additional pre-authentication required
 realm is ASSAI.NL
 sname is krbtgt/ASSAI.NL
 eData provided.
 msgType is 30
Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
Pre-Authentication Data:
 PA-DATA type = 16

Pre-Authentication Data:
 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=283
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #bytes=283
 KrbKdcReq send: #bytes read=88
 KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries =3, #bytes=283
 KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #bytes=283
DEBUG: TCPClient reading 1496 bytes
 KrbKdcReq send: #bytes read=1496
 KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)




Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The 
Netherlands
P:  +31 (0)345 516 663, E:  p.wi...@assai.nl, W: www.assai-software.com 

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: Thursday 23 October 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication



On 22 October 2014 11:40:56 MESZ, Philippe Wijdh p.wi...@assai.nl wrote:
Hello,

We have spent a long time now, trying to set up Apache Tomcat with 
Windows Authentication.
We followed the instructions as per
http

Re: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Felix Schumacher
...@internetallee.de]
Sent: Thursday 23 October 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication



On 22 October 2014 11:40:56 MESZ, Philippe Wijdh p.wi...@assai.nl wrote:

Hello,

We have spent a long time now, trying to set up Apache Tomcat with
Windows Authentication.
We followed the instructions as per
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
cannot make it work properly, the logon dialog keeps appearing and
trying to log on fails.
Additional to that we tried suggestions, like adding the registry key
AllowTgtSessionKey and setting it to 0x01

Haven't seen that recommendation in the tomcat documentation.



Seems like we are close but we are missing something (see tomcat output
below)
Does anyone have a more complete documentation or have any suggestions
on how to make this work.


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account
HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
port number, does not make a difference)

You will have to use the spn without the port.


Test is done with user testu...@assai.nl in
IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
added to the Intranet sites.



Tomcat Output:


KeyTabInputStream, readName(): ASSAI.NL KeyTabInputStream,
readName(): HTTP KeyTabInputStream, readName():
v3tcat4ad.assai.nl:8080

What is inside your keytab?


KeyTab: load() entry length: 72; type: 23

Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.

KdcAccessibility: reset

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.

KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number

of retries =3, #bytes=152

KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt

=1, #bytes=152

KrbKdcReq send: #bytes read=173
Pre-Authentication Data:

PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =


Pre-Authentication Data:

PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null


Pre-Authentication Data:

PA-DATA type = 2
PA-ENC-TIMESTAMP

Pre-Authentication Data:

PA-DATA type = 16


Pre-Authentication Data:

PA-DATA type = 15


KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:

sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
suSec is 403143
error code is 25
error Message is Additional pre-authentication required
realm is ASSAI.NL
sname is krbtgt/ASSAI.NL
eData provided.
msgType is 30

Pre-Authentication Data:

PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =


Pre-Authentication Data:

PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null


Pre-Authentication Data:

PA-DATA type = 2
PA-ENC-TIMESTAMP

Pre-Authentication Data:

PA-DATA type = 16


Pre-Authentication Data:

PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number

of retries =3, #bytes=235

KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt

=1, #bytes=235

KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there.

Regards
Felix


Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (DEF,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default

Built-in Tomcat Support for Windows Authentication

2014-10-22 Thread Philippe Wijdh
Hello,

We have spent a long time now trying to set up Apache Tomcat with Windows 
Authentication.
We followed the instructions as per 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
make it work properly: the logon dialog keeps appearing and trying to log on 
fails.
In addition, we tried suggestions like adding the registry key 
AllowTgtSessionKey and setting it to 0x01.
It seems like we are close but we are missing something (see Tomcat output below).
Does anyone have more complete documentation or any suggestions on how 
to make this work?


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account  HTTP/v3tcat4ad.assai.nl:8080 
(have created spn with and without the port number, does not make a difference)

Test is done with user testu...@assai.nl in IE11 on 
different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
Intranet sites.



Tomcat Output:

 KeyTabInputStream, readName(): ASSAI.NL
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
 KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
 KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of 
 retries =3, #bytes=152
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, 
 #bytes=152
 KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

 KdcAccessibility: remove v3dom1.assai.nl:88
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
suSec is 403143
error code is 25
error Message is Additional pre-authentication required
realm is ASSAI.NL
sname is krbtgt/ASSAI.NL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of 
 retries =3, #bytes=235
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, 
 #bytes=235
 KrbKdcReq send: #bytes read=1446
 KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (DEF, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of 
 retries =3, #bytes=152
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, 
 #bytes=152
 KrbKdcReq send

Built-in Tomcat Support for Windows Authentication

2014-10-22 Thread Terence M. Bandoian

On 10/22/2014 4:40 AM, Philippe Wijdh wrote:

Hello,

We have spent a long time now, trying to set up Apache Tomcat with Windows 
Authentication.
We followed the instructions as per 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
make it work properly, the logon dialog keeps appearing and trying to log on 
fails.
Additional to that we tried suggestions, like adding the registry key 
AllowTgtSessionKey and setting it to 0x01
Seems like we are close but we are missing something (see tomcat output below)
Does anyone have a more complete documentation or have any suggestions on how 
to make this work.


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account  HTTP/v3tcat4ad.assai.nl:8080 
(have created spn with and without the port number, does not make a difference)

Test is done with user testu...@assai.nl in IE11 on 
different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet 
sites.



Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had 
success using Waffle in a similar configuration.  You might try that if 
all else fails.


-Terence Bandoian








Re: Built-in Tomcat Support for Windows Authentication

2014-10-22 Thread Felix Schumacher


On 22 October 2014 11:40:56 MESZ, Philippe Wijdh p.wi...@assai.nl wrote:
Hello,

We have spent a long time now, trying to set up Apache Tomcat with
Windows Authentication.
We followed the instructions as per
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
cannot make it work properly, the logon dialog keeps appearing and
trying to log on fails.
In addition to that we tried suggestions, like adding the registry key
AllowTgtSessionKey and setting it to 0x01.
Haven't seen that recommendation in the tomcat documentation.


Seems like we are close but we are missing something (see tomcat output
below)
Does anyone have more complete documentation or any suggestions
on how to make this work?


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account 
HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
port number, does not make a difference)
You will have to use the spn without the port.


Test is done with user testu...@assai.nl in IE11 on different machines,
with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.



Tomcat Output:

 KeyTabInputStream, readName(): ASSAI.NL
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080

What is inside your keytab?

 KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
 KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number
of retries =3, #bytes=152
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt
=1, #bytes=152
 KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

 KdcAccessibility: remove v3dom1.assai.nl:88
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
suSec is 403143
error code is 25
error Message is Additional pre-authentication required
realm is ASSAI.NL
sname is krbtgt/ASSAI.NL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number
of retries =3, #bytes=235
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt
=1, #bytes=235
 KrbKdcReq send: #bytes read=1446
 KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there. 

Regards
Felix

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (DEF,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18
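Felix's two remarks in this reply ("What is inside your keytab?" and that the SPN must not carry the port) both come down to inspecting the keytab file Tomcat loads. As an added example, not code from the thread or from Tomcat, the Python below parses the MIT keytab format (version 0x0502), lists each principal without exposing the key bytes, and flags a host component that carries a port as well as a realm that is not upper-case. The sample keytabs are constructed in memory with all-zero placeholder keys and are modelled on the two KeyTab load() lines seen on this page; their entry lengths (72 and 52) come out the same as the logged values. The realm-case check is a general Kerberos check added here, not a diagnosis made in the thread.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1               # name type used for service principals such as HTTP/host@REALM
ENCTYPE_NAMES = {                   # the "type: NN" numbers in the "KeyTab: load()" log lines
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def build_keytab(entries):
    """Serialize (realm, components, name_type, kvno, enctype, key) tuples into a 0x0502 keytab.

    Constructed helper so the example runs offline; real keytabs come from ktpass/ktutil.
    """
    out = bytearray(KEYTAB_MAGIC)
    for realm, components, name_type, kvno, enctype, key in entries:
        body = bytearray(struct.pack(">H", len(components)))
        for s in [realm, *components]:                   # counted octet strings: realm, then components
            raw = s.encode("utf-8")
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", name_type, 0, kvno)  # name type, timestamp (0 here), 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body       # length prefix does not count itself
    return bytes(out)


def parse_keytab(data):
    """Return one dict per keytab entry; the key material is skipped, never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                                    # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):                       # realm first, then ncomp name components
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode("utf-8"))
            pos += n
        realm, components = strings[0], strings[1:]
        name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                                  # skip over the key bytes
        if end - pos >= 4:                               # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(components) + "@" + realm,
            "realm": realm,
            "components": components,
            "name_type": name_type,
            "enctype": enctype,
            "kvno": kvno,
            "entry_length": size,
        })
    return entries


def check_entry(entry):
    """Findings for one entry; an empty list means nothing looked wrong."""
    findings = []
    comps = entry["components"]
    if len(comps) == 2 and ":" in comps[1]:
        findings.append("port in host component %r: browsers request HTTP/<host> without a port, "
                        "so the ticket they present will not be for this key" % comps[1])
    if entry["realm"] != entry["realm"].upper():
        findings.append("realm %r is not upper-case: realm names are case-sensitive, "
                        "check it matches the KDC's realm" % entry["realm"])
    if entry["enctype"] not in ENCTYPE_NAMES:
        findings.append("unrecognised enctype %d (not aes128/aes256/rc4)" % entry["enctype"])
    return findings


if __name__ == "__main__":
    # Constructed keytabs modelled on the two load() lines on this page, with all-zero placeholder keys.
    samples = {
        "assai": build_keytab([("ASSAI.NL", ["HTTP", "v3tcat4ad.assai.nl:8080"],
                                KRB5_NT_PRINCIPAL, 0, 23, bytes(16))]),
        "acme": build_keytab([("acme", ["HTTP", "Client2"], KRB5_NT_PRINCIPAL, 0, 23, bytes(16))]),
    }
    for label, blob in samples.items():
        for e in parse_keytab(blob):
            print(label, e["principal"], "kvno", e["kvno"],
                  ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), "entry length", e["entry_length"])
            for f in check_entry(e):
                print("  !", f)
```

To inspect a real file, pass open(path, "rb").read() to parse_keytab; because the key bytes are skipped, the resulting report can be pasted into a support request without leaking the service key.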

Re: Tomcat windows authentication domain login issue

2014-10-16 Thread André Warnier

Tantaryu,

The problem currently is that your messages appear to the list readers as pretty 
unreadable blobs of text.  Not many of the busy people here will feel motivated enough 
to decrypt/reformat them before they understand even the basics of your questions.


Since you are the one who needs help, making it easier for someone to provide it is the 
way to go.


If such an option is available in your email client, please select send messages as plain 
text.  If it is not available, install Thunderbird or similar and try again.


If everything else fails, inserting a blank line between each of the real lines of text 
/may/ help.


Next, do not send your configuration snippets as attachments.  Paste them directly in the 
email to the list (also as plain text of course).


Next, do not top-post.
Respond below the message portion to which you are responding.  It helps keeping a natural 
flow to the conversation.


Thanks


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
By the way, this is using tomcat 8 and it's running on Linux. Windows
machines are the AD server and the client.






Re: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher

On 15.10.2014 at 03:48, tantaryu wrote:

Okay, now I tried with an email client. Let's see if it works.
I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication 
tutorial and use the manager web application that comes with tomcat to do a poc. In my web.xml I changed 
<auth-method>BASIC</auth-method> to <auth-method>SPNEGO</auth-method> and also changed the auth-constraint to the 
following:

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini:

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {
  kdc = AD-Server:88
}

[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal="HTTP/Client2@ACME"
  useKeyTab=true
  keyTab="C:/tomcat/conf/tomcat.keytab"
  //useTicketCache=true
  storeKey=true;
};
com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=true
  principal="HTTP/Client2@ACME"
  useKeyTab=true
  keyTab="C:/tomcat/conf/tomcat.keytab"
  //useTicketCache=true
  storeKey=true;
};

The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
Could you try to add the missing newlines? It is really hard to read the 
text without them.


Regards Felix


KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml:

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
</Realm>

When I tried login, it doesn't seem to recognize the valid credential. The app 
keeps on asking me to enter a valid credential. What do I need to change to 
make it work?
Date: Tue, 14 Oct 2014 18:03:07 -0700
From: ml-node+s10n5023854...@n6.nabble.com
To: ming...@outlook.com
Subject: RE: Tomcat windows authentication domain login issue



 From: tantaryu [mailto:[hidden email]]


Subject: Re: Tomcat windows authentication domain login issue



Let me know if you can read it still. I didn't check the "Message is in
HTML Format" option.


It didn't help.  Don't use Nabble - post to the user's list directly from an 
e-mail client.


  - Chuck






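Both threads on this page turn on reading these Java Kerberos debug dumps, and only a handful of lines decide the outcome: which principal the keytab was read for, which key types were offered, which KDC answered, which KRBError codes came back, and whether an AS-REP was ever built. As an added example (not code from the thread or from Tomcat), here is a Python triage script that pulls those out. The success sample follows the line formats of the output posted earlier on this page; the failure sample, with its realm, host and error text, is constructed. The script reports error code 25 (KDC_ERR_PREAUTH_REQUIRED) followed by the re-sent AS-REQ as the normal pre-authentication round trip rather than as a failure.

```python
import re

# Constructed excerpt that follows the line formats of the Java Kerberos debug output posted on
# this page (success case: error 25, re-sent AS-REQ, then an AS-REP for the keytab principal).
SAMPLE_LOG_OK = """\
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
default etypes for default_tkt_enctypes: 23 18 17.
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=152
KRBError:
 error code is 25
 error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries =3, #bytes=235
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
"""

# Constructed failure case (hypothetical realm, host and error text): the KDC rejects the
# keytab key on the second AS-REQ and no AS-REP is ever built.
SAMPLE_LOG_FAILED = """\
KeyTabInputStream, readName(): EXAMPLE.TEST
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): web01.example.test
KeyTab: load() entry length: 71; type: 23
default etypes for default_tkt_enctypes: 23 17.
KrbKdcReq send: kdc=dc1.example.test UDP:88, timeout=3, number of retries =3, #bytes=130
KRBError:
 error code is 25
 error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
KrbKdcReq send: kdc=dc1.example.test UDP:88, timeout=3, number of retries =3, #bytes=213
KRBError:
 error code is 24
 error Message is Pre-authentication information was invalid
"""

KDC_ERR_PREAUTH_REQUIRED = 25   # the KDC's normal reply to a first AS-REQ that carries no pre-auth data

RE_KEYTAB_NAME = re.compile(r"KeyTabInputStream, readName\(\): (.+)$")
RE_KEYTAB_ENTRY = re.compile(r"KeyTab: load\(\) entry length: (\d+); type: (\d+)")
RE_ETYPES = re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\.")
RE_KDC = re.compile(r"KrbKdcReq send: kdc=(\S+) (\S+:\d+)")
RE_ERR_CODE = re.compile(r"error code is (\d+)")
RE_ERR_MSG = re.compile(r"error Message is (.+)$")
RE_AS_REP = re.compile(r"KrbAsRep cons in KrbAsReq\.getReply (\S+)")


def summarize(log):
    """Collect the lines that matter from a Krb5 debug dump into one dict."""
    s = {"keytab_names": [], "keytab_entries": [], "etypes": [], "kdcs": [],
         "errors": [], "preauth_retries": 0, "as_rep_for": None, "keytab_principal": None}
    for raw in log.splitlines():
        line = raw.strip()
        m = RE_KEYTAB_NAME.match(line)
        if m:
            s["keytab_names"].append(m.group(1))
            continue
        m = RE_KEYTAB_ENTRY.match(line)
        if m:
            s["keytab_entries"].append((int(m.group(1)), int(m.group(2))))
            continue
        m = RE_ETYPES.match(line)
        if m and not s["etypes"]:                        # the line repeats; keep the first one
            s["etypes"] = [int(x) for x in m.group(1).split()]
            continue
        m = RE_KDC.match(line)
        if m:
            kdc = "%s %s" % (m.group(1), m.group(2))
            if kdc not in s["kdcs"]:
                s["kdcs"].append(kdc)
            continue
        m = RE_ERR_CODE.match(line)
        if m:
            s["errors"].append({"code": int(m.group(1)), "message": ""})
            continue
        m = RE_ERR_MSG.match(line)
        if m and s["errors"]:
            s["errors"][-1]["message"] = m.group(1)       # message belongs to the preceding code
            continue
        if "PREAUTH FAILED/REQ" in line:
            s["preauth_retries"] += 1
            continue
        m = RE_AS_REP.match(line)
        if m:
            s["as_rep_for"] = m.group(1)
    names = s["keytab_names"]
    if len(names) >= 2:                                  # realm is read first, then the name components
        s["keytab_principal"] = "/".join(names[1:]) + "@" + names[0]
    return s


def assess(s):
    """Turn a summary into ok:/info:/error: findings a list reader could act on."""
    findings = []
    if s["keytab_principal"]:
        findings.append("info: keytab principal %s, key types %s"
                        % (s["keytab_principal"], [t for _, t in s["keytab_entries"]]))
    if any(e["code"] == KDC_ERR_PREAUTH_REQUIRED for e in s["errors"]) and s["preauth_retries"]:
        findings.append("info: error 25 followed by a re-sent AS-REQ is the normal "
                        "pre-authentication round trip, not a failure")
    for e in s["errors"]:
        if e["code"] != KDC_ERR_PREAUTH_REQUIRED:
            findings.append("error: KDC returned %d (%s)" % (e["code"], e["message"]))
    if s["keytab_entries"] and s["etypes"] and not any(t in s["etypes"] for _, t in s["keytab_entries"]):
        findings.append("error: no keytab key type appears in default_tkt_enctypes")
    if s["as_rep_for"] is None:
        findings.append("error: no AS-REP received, the KDC did not accept the keytab key")
    else:
        findings.append("ok: AS-REP received for %s" % s["as_rep_for"])
    return findings


if __name__ == "__main__":
    for name, log in (("ok", SAMPLE_LOG_OK), ("failed", SAMPLE_LOG_FAILED)):
        print("==", name)
        for line in assess(summarize(log)):
            print(line)
```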

RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
 Let's hope it works this time.

Re: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher

On 15.10.2014 at 10:22, tantaryu wrote:

Let's hope it works this time.

If this was your try to add newlines, then I think it failed.

Felix


RE: Tomcat windows authentication domain login issue

2014-10-15 Thread tantaryu
Okay, this might sound funny. But how do I add newlines?


RE: Tomcat windows authentication domain login issue

2014-10-15 Thread Felix Schumacher


On 15 October 2014 11:05:59 MESZ, tantaryu ming...@outlook.com wrote:
Okay, this might sound funny. But how do I add newlines?

I don't know how to do it in your mail client. But generally I would try to 
configure it to not use html (only).

You could try another mail client or provider. Maybe it has saner defaults. 

Regards
Felix



Re: Tomcat windows authentication domain login issue

2014-10-14 Thread Felix Schumacher

Am 14.10.2014 um 05:32 schrieb tantaryu:

I need some idea on what's wrong with my Tomcat configuration for Windows
authentication. I followed the Tomcat Windows authentication tutorial and
use the manager web application that comes with Tomcat to do a PoC. In my
web.xml I changed  and also changed the auth-constraint to the following
Maybe it is just me, but I can't see what you have added. Did you send
your mail as HTML? If so, try to send it as text again.


Regards
 Felix


.

This is my krb5.ini


This is my jaas.conf


The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same.



I added this in my server.xml



When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org







Re: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Oh, let me try again.

I need some idea on what's wrong with my Tomcat configuration for Windows
authentication. I followed the Tomcat Windows authentication tutorial and
use the manager web application that comes with Tomcat to do a PoC. In my
web.xml I changed
to
 and also changed the auth-constraint to the following 

. 

This is my krb5.ini 

This is my jaas.conf 

The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same. 

I added this in my server.xml 

When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?






Re: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Let me know if you can read it still. I didn't check the "Message is in
HTML Format" option.






RE: Tomcat windows authentication domain login issue

2014-10-14 Thread Caldarale, Charles R
 From: tantaryu [mailto:ming...@outlook.com] 
 Subject: Re: Tomcat windows authentication domain login issue

 Let me know if you can read it still. I didn't checked the Message is in
 HTML Format  option.

It didn't help.  Don't use Nabble - post to the user's list directly from an 
e-mail client.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: Tomcat windows authentication domain login issue

2014-10-14 Thread tantaryu
Okay, now I tried with an email client. Let's see if it works.

I need some idea on what's wrong with my Tomcat configuration for Windows
authentication. I followed the Tomcat Windows authentication tutorial and use
the manager web application that comes with Tomcat to do a PoC. In my web.xml I
changed <auth-method>BASIC</auth-method> to <auth-method>SPNEGO</auth-method>
and also changed the auth-constraint to the following:

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini:

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
ACME = {
  kdc = AD-Server:88
}

[domain_realm]
acme = ACME
.acme = ACME

This is my jaas.conf:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

The weird thing is regardless of what username and password I put in when I
accessed the Tomcat manager web-app the debug message shown is the same:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): acme
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): Client2
KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
KrbAsReq creating message
KrbKdcReq send: kdc=AD-Server UDP:88, timeout=3, number of retries =3, #bytes=124
KDCCommunication: kdc=AD-Server UDP:88, timeout=3,Attempt =1, #bytes=124
KrbKdcReq send: #bytes read=538
KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (DEF, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (DEF, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

I added this in my server.xml:

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo"
         allRolesMode="strictAuthOnly" />
</Realm>

When I tried login, it doesn't seem to recognize the valid credential. The app
keeps on asking me to enter a valid credential. What do I need to change to
make it work?
Tomcat windows authentication domain login issue

2014-10-13 Thread tantaryu
I need some idea on what's wrong with my Tomcat configuration for Windows
authentication. I followed the Tomcat Windows authentication tutorial and
use the manager web application that comes with Tomcat to do a PoC. In my
web.xml I changed  and also changed the auth-constraint to the following 

.

This is my krb5.ini


This is my jaas.conf


The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same.



I added this in my server.xml



When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?






Re: I need help in configuring windows authentication in tomcat 7.0

2013-03-22 Thread Mark Thomas
On 21/03/2013 23:49, chris derham wrote:
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         allRolesMode="authOnly"
         referrals="follow"
         connectionURL="ldap://dc01.mydom.local:389"
         connectionName="mydom\tcuser"
         connectionPassword="Pa55w0rd"
         userBase="dc=mydom,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
  />
</Context>
 
 This has come up multiple times on the mailing list - essentially it
 can not/should not be done. Please see
 http://wiki.apache.org/tomcat/FAQ/Password for details

While generally that is correct, JNDIRealm plus Windows authentication
is a special case.

It should be possible to remove the connectionName and
connectionPassword attributes from the above configuration. See the JNDI
docs and the useDelegatedCredential attribute in particular.

Mark


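Mark's suggestion written out, as an added example that is neither from this thread nor copied from Tomcat's documentation: Roberto's context.xml with the connectionName and connectionPassword attributes removed, so that the realm does its user and role lookups with the credential the SPNEGO authenticator delegates from the logged-in user instead of a password stored on disk. Host, base DNs and filters are the ones from Roberto's post; useDelegatedCredential is the JNDIRealm attribute Mark points to, written out here even though it is the documented default.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE\webapps\myappl\META-INF\context.xml (added example, not
     the poster's file). No connectionName / connectionPassword: with
     auth-method SPNEGO in web.xml the authenticator hands the realm the user's
     delegated Kerberos credential, and useDelegatedCredential tells JNDIRealm
     to bind to the directory with that credential. -->
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         allRolesMode="authOnly"
         referrals="follow"
         connectionURL="ldap://dc01.mydom.local:389"
         useDelegatedCredential="true"
         userBase="dc=mydom,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true" />
</Context>
```

Two things to check once this is deployed. The browser only forwards a credential to Tomcat if the account that owns the HTTP SPN is trusted for delegation in AD; if nothing is delegated, the realm falls back to binding without credentials, which AD refuses for searches by default, and the user sees what looks like a failed login. And the lookups now run with the end user's own rights in the directory, so that user must be able to read the user and group entries under the configured bases. Either way the password leaves context.xml, which was the original requirement.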



I need help in configuring windows authentication in tomcat 7.0

2013-03-21 Thread Roberto Barale
I want to set up Windows authentication in my Tomcat 7.0.37.
I read the user guide
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and I
followed all the steps in Domain Controller and Tomcat Instance.

Then I wrote the $CATALINA_BASE\webapps\myappl\WEB-INF\web.xml
and the $CATALINA_BASE\webapps\myappl\META-INF\context.xml
as below.

The question is:
How can I remove connectionName and connectionPassword from the
context.xml file?
Without the 2 elements authentication doesn't work, but in a production
environment I cannot put a password in clear text.

 1st file web.xml -
<web-app>
  <display-name>Test Appl</display-name>
  <description>Written by Bob</description>
  <security-constraint>
    <display-name>Bob Appl Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Private Zone</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>
  <security-role>
    <role-name>role1</role-name>
    <role-name>role2</role-name>
    <role-name>role3</role-name>
  </security-role>
</web-app>

 2nd file context.xml -

<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         allRolesMode="authOnly"
         referrals="follow"
         connectionURL="ldap://dc01.mydom.local:389"
         connectionName="mydom\tcuser"
         connectionPassword="Pa55w0rd"
         userBase="dc=mydom,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
  />
</Context>




Re: I need help in configuring windows authentication in tomcat 7.0

2013-03-21 Thread chris derham
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         adCompat="true"
         allRolesMode="authOnly"
         referrals="follow"
         connectionURL="ldap://dc01.mydom.local:389"
         connectionName="mydom\tcuser"
         connectionPassword="Pa55w0rd"
         userBase="dc=mydom,dc=local"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="ou=groups,ou=myappl,dc=mydom,dc=local"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"
  />
</Context>

This has come up multiple times on the mailing list - essentially it
can not/should not be done. Please see
http://wiki.apache.org/tomcat/FAQ/Password for details

Chris




Re: Manager App not working with Windows authentication enabled

2013-03-20 Thread André Warnier

Harris Mark R wrote:

Sorry, guess I was not clear enough.  We are using Microsoft's IIS to front-end 
Tomcat, not the Apache HTTP server.  Apache HTTP server is not an option for 
our environment.  We would prefer to use the Windows authenticated user passed 
to Tomcat by IIS, but are open to anything that works reliably.


It's my turn to apologise.  That was clear in your original post, I just 
misread that.
It is the same however with IIS.  If the user is authenticated by IIS, and you set 
tomcatAuthentication=false, then Tomcat will take the user-id from what the IIS/AJP 
module is passing on from IIS, and it will not redo the user authentication by himself 
(him being Tomcat).




As I said, our custom application is working great in this environment, but the manager app is 
not.  We are having trouble associating the roles that the manager app is expecting with the 
authenticated user.   We have tried altering the tomcat-users file just about every which way 
we could think of.   Essentially we need any way to associate the authenticated user with the 
 manager-gui that the manager app is expecting.  Would we need to implement 
a custom realm to make this work?


Yes, I think that you understand the issue correctly.
Tomcat's standard user access control to an application is based on the concept of 
roles. You tell Tomcat that any users who has a role xxx can access that application.
So Tomcat needs a way, given the present user-id, to find out if that user-id has this 
role (isUserInRole() ?).  Unfortunately, what AJP passes to Tomcat is only a user-id, 
not any kind of roles information that this user has.  I suppose that Tomcat somehow 
must use a Realm to get that kind of information, and I do not know if this Realm is 
capable of providing that information if it has not authenticated this user by itself.


Maybe there is a way to tell Tomcat, for the manager application, to just check the 
user-id, and not the role ? I suppose that the right place to check would be the 
applicable Servlet Specification, in the web.xml/auth-constraints paragraph.

How do you do it for your other application, the one that works ?


On a totally different track, if you want to use WIA anyway, you may want to have a look 
at Jespa, at http://www.ioplex.com.  It's a totally different authentication and security 
approach. based on a servlet filter in Tomcat which authenticates the Windows user 
directly at the Tomcat level, not on the base of the id that IIS determines (and AJP 
passes on).  Jespa is capable of translating the concept of Windows users groups into 
Tomcat roles.  One advantage of that approach is that you would have the various Tomcat 
roles managed at the same place as the other user-management functions (on the Windows 
domain AD server), and not have a different set of user information for Tomcat alone.



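The missing roles that André describes are what Tomcat releases newer than the 7.0.37 in this thread address with a second AJP connector attribute, tomcatAuthorization: the connector still takes the user-id from IIS (tomcatAuthentication="false") but asks the configured Realm for that user's roles. As an added example, not part of the thread and not either poster's configuration, this is the shape of that setup using the UserDatabaseRealm and the manager-gui role from Mark's server.xml. The user name form (MYDOM\mharris) is an assumption; the name IIS actually sends is what appears in the %u field of the access log pattern Mark already has configured.

```xml
<!-- server.xml excerpt (added example; tomcatAuthorization needs a Tomcat
     release newer than the 7.0.37 discussed in this thread) -->
<Service name="Catalina">
  <!-- With tomcatAuthentication="false" Tomcat believes whatever user-id
       arrives on this port, so only IIS may be able to reach it: bind it to
       loopback (worker.MGR.host=localhost in the posted worker.properties). -->
  <Connector protocol="AJP/1.3" port="10005" address="127.0.0.1"
             connectionTimeout="12000" maxThreads="300"
             tomcatAuthentication="false"
             tomcatAuthorization="true"/>
  <Engine defaultHost="localhost" jvmRoute="WA1" name="Catalina">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- Consulted by user name only on this path; the password stored in
           tomcat-users.xml is never compared for AJP-authenticated requests. -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
    </Realm>
    <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true"/>
  </Engine>
</Service>

<!-- conf/tomcat-users.xml (added example): the entry that gives the
     IIS-authenticated user the role the manager app checks for. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <!-- username must match the id IIS passes exactly (assumed form here).
       The password is unused for AJP-authenticated requests but remains a
       valid credential on any connector that does authenticate, so give it a
       long random value rather than a placeholder. -->
  <user username="MYDOM\mharris" password="REPLACE-WITH-LONG-RANDOM-VALUE"
        roles="manager-gui"/>
</tomcat-users>
```

The separate AJP connector for the manager app is no longer needed with this arrangement, since the same connector now both trusts the front-end's user-id and supplies roles from the realm; the access log's %u field is the quickest way to confirm the exact user-id string before adding it to tomcat-users.xml.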



Manager App not working with Windows authentication enabled

2013-03-19 Thread Harris Mark R
Environment:
IIS 7.5
Tomcat 7.037
AJP/1.3 connector (redirector.dll) v 1.2
Java 7

We have a requirement for a new intranet application that it use Windows 
authentication.  We have this working in our new application.  We do have IIS, 
the connector and Tomcat serving up the application with no problems.

What did happen is that we discovered that the manager application that comes 
with Tomcat no longer is accessible.  We have some staff that use the manager 
app routinely.
We did try to set up two AJP connectors, one defined in the server.xml with 
tomcatAuthentication=true and another set to false.   In the AJP property 
files we set the second one to only be mapped to the manager URL.  This did not 
work as we expected.

Anyone have any ideas on how to get the manager application working?

Excerpt from server.xml:
___
  <GlobalNamingResources>
    <Resource auth="Container" description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase" pathname="E:\Tomcat\32Bit\7.0.37\conf\tomcat-users.xml"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector connectionTimeout="12000" maxThreads="300" port="1"
               protocol="AJP/1.3" tomcatAuthentication="false"/>
    <Connector connectionTimeout="12000" maxThreads="300"
               port="10005" protocol="AJP/1.3" tomcatAuthentication="true"/>
    <Connector connectionTimeout="2" port="9080"
               protocol="HTTP/1.1" redirectPort="8443"/>
    <Engine defaultHost="localhost" jvmRoute="WA1" name="Catalina">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host appBase="webapps" autoDeploy="true" name="localhost"
            unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b"
               prefix="localhost_access_log." suffix=".txt"/>
      </Host>
    </Engine>
  </Service>


Excerpt from worker.properties file
__
worker.list=WA1,MGR

worker.WA1.type=ajp13
worker.WA1.host=localhost
worker.WA1.port=1
worker.WA1.connection_pool_size=300
worker.WA1.connection_pool_timeout=12

worker.MGR.type=ajp13
worker.MGR.host=localhost
worker.MGR.port=10005
worker.MGR.connection_pool_size=300
worker.MGR.connection_pool_timeout=12

Excerpt from uriworkermap.properties:
___
/manager|/*=MGR

R. Mark Harris



Re: Manager App not working with Windows authentication enabled

2013-03-19 Thread André Warnier

Harris Mark R wrote:

Environment:
IIS 7.5
Tomcat 7.037
AJP/1.3 connector (redirector.dll) v 1.2
Java 7

We have a requirement for a new intranet application that it use Windows 
authentication.  We have this working in our new application.  We do have IIS, 
the connector and Tomcat serving up the application with no problems.

What did happen is that we discovered that the manager application that comes 
with Tomcat no longer is accessible.  We have some staff that use the manager 
app routinely.
We did try to set up two AJP connectors, one defined in the server.xml with 
tomcatAuthentication=true and another set to false.   In the AJP property 
files we set the second one to only be mapped to the manager URL.  This did not work as 
we expected.


Setting tomcatAuthentication=false in this case means that Tomcat is going to rely on 
the authenticated user-id sent to it by the front-end, through AJP.

So you should authenticate the user at the Apache httpd front-end level.



Anyone have any ideas on how to get the manager application working?


How would you like the users of the manager application to be authenticated ?  also via 
Windows Integrated Authentication, or at the Apache httpd level, via some other mechanism ?


For a simple case, you could for example do this at the Apache httpd level :

<Location /manager>
  setHandler jakarta-servlet
  AuthType Basic
  AuthName tomcat-manager
  require user x y z ...
  ...
</Location>

(and set tomcatAuthentication=false)

(setHandler jakarta-servlet in that Location section is roughly equivalent to JkMount 
/manager worker1)


This syntax is explained in one of the on-line AJP connector's info pages on the tomcat 
website, at the very end of the page.






RE: Manager App not working with Windows authentication enabled

2013-03-19 Thread Harris Mark R
Sorry, guess I was not clear enough.  We are using Microsoft's IIS to front-end 
Tomcat, not the Apache HTTP server.  Apache HTTP server is not an option for 
our environment.  We would prefer to use the Windows authenticated user passed 
to Tomcat by IIS, but are open to anything that works reliably.

As I said, our custom application is working great in this environment, but the 
manager app is not.  We are having trouble associating the roles that the 
manager app is expecting with the authenticated user.   We have tried altering 
the tomcat-users file just about every which way we could think of.   
Essentially we need any way to associate the authenticated user with the  
manager-gui that the manager app is expecting.  Would we need to implement a 
custom realm to make this work?

- Mark Harris
- 




RE: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit

2013-03-01 Thread Chris Fors


All systems are domain-joined to a mature IT Lab and the issue is with the
Tomcat server configuration, as it should load the krb5.ini and/or jaas.conf and
activity should be observable on the web server, whether or not any error is
generated. It is not clear to me what the design load process / order of the
call stack should be in the SPNEGO Authentication design. This would help
focus on where the issue is. I ran Process Monitor during a Network Client PC
TCP session to the Tomcat Web Server as well as during start of the Tomcat Web
service.

During either of these I don't observe any calls to jaas.conf, or krb5.ini.

What should initiate loading of these and at what point should they load?



Observation Notes:

Process Monitor for Tomcat7.exe when browsing to
http://server/SPNEGOAuthTest.jsp shows in summary

TCP Accept: Server - PC
TCP Receive: Server - PC
CreateFile: .\Tomcat7.0\webapps\ROOT\SPNEGOAuthTest.jsp
QueryNetworkOpenInformationFile:
CloseFile:
CreateFile: ...
CreateFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
CloseFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
...
TCP Send: Server - PC

In the SPNEGOAuthTest.jsp HTML response:

  request.getRemoteUser() response shows value of "Nul"
  request.getRemoteAddr() does show the IP address of the PC

Process Monitor during Tomcat Service start -

Calls are shown to

   .\conf\server.xml
   mbeans-descriptors.xml
   .\conf\tomcat-users.xml
   .\conf\context.xml
   .\conf\web.xml

Again no calls to jaas.conf, or krb5.ini



Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit

2013-02-28 Thread Chris Fors


Trying to get Windows Authentication operational using the Tomcat Built-in
method. Implemented the following but not observed any Windows / Kerberos
authentication occurring:

- Domain joined windows member server
- Domain service account
- Delegated SPN for HTTP protocol on the member server to the service account
- Generated keytab file for the service account and saved in $catalina.base\conf folder
- Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
- Created krb5.ini and saved in $catalina.base\conf folder
- Created jaas.conf and saved in $catalina.base\conf folder

After this still no observed effect on logon authentications – all still
apparently anonymous.

Anyone had success with this ? Any ideas on what is missing? Is there a good
way to debug the process?

Thanks
  

Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit

2013-02-28 Thread André Warnier

Chris Fors wrote:


Trying to get Windows Authentication operational using the Tomcat Built-in
method. Implemented the following but not observed any Windows / Kerberos
authentication occurring:

- Domain joined windows member server
- Domain service account
- Delegated SPN for HTTP protocol on the member server to the service account
- Generated keytab file for the service account and saved in $catalina.base\conf folder
- Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
- Created krb5.ini and saved in $catalina.base\conf folder
- Created jaas.conf and saved in $catalina.base\conf folder

After this still no observed effect on logon authentications – all still
apparently anonymous.

Anyone had success with this ? Any ideas on what is missing? Is there a good
way to debug the process?





What is the OS platform ?

To debug the process : other than what you already did above, a network trace  with 
Wireshark or similar ? (should be SMB exchanges I suppose)


Another couple of questions :
- is the client workstation that accesses the Tomcat server, itself in the Domain to which 
you are trying to authenticate ?
- from the point of view of that workstation and its browser, is that Tomcat server 
considered as inside the Domain, or at least trusted ?

(because if not, then the browser will not even /try/ to use WIA authentication)






Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit

2013-02-28 Thread Mark Thomas

On 28/02/2013 02:18, Chris Fors wrote:

Trying to get Windows Authentication operational using the Tomcat Built-in
method. Implemented the following but not observed any Windows / Kerberos
authentication occurring:

- Domain joined windows member server
- Domain service account
- Delegated SPN for HTTP protocol on the member server to the service account
- Generated keytab file for the service account and saved in $catalina.base\conf folder
- Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
- Created krb5.ini and saved in $catalina.base\conf folder
- Created jaas.conf and saved in $catalina.base\conf folder

After this still no observed effect on logon authentications – all still
apparently anonymous.


As expected from what you have described.

If there are no security constraints on a resource, Tomcat isn't going 
to require authentication.




Anyone had success with this?


Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and 
1 client) where this feature works.



Any ideas on what is missing? Is there a good way to debug the process?


See above. I'd expect to see some changes to the webapp.

Mark




Re: Does windows authentication works on Tomcat under Linux.

2013-02-25 Thread André Warnier

Denis wrote:

Hello,

I want to use Tomcat's Windows Authentication 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries 
feature to have a reliable domain user name via 
HTTPServletRequest.getRemoteUser() within my servlet.


Questions:

1) Is Tomcat's Windows authentication supposed to work in my env?

 * Application Server: apache-tomcat-7.0.21
 * JDK version: 1.6.0_26
 * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)

2) Any additional setup required to be able to access domain 
username via HTTPServletRequest.getRemoteUser() within my servlet?




Hi.
I do not know either if the above is supposed to work also under Linux as a 
platform.
It is not very clear in the Tomcat docs, and I have asked a couple of times on the list 
without getting much of an answer.  (Probably because few people know).


Now just in case it doesn't work, the following works fine under Linux as well as under 
Windows :

Jespa, at www.ioplex.com

You can download it and test it for 60 days free, and the final license costs are very 
moderate.

(I have no commercial interest in that, I just use it happily).

For Jespa, the answers to your questions are :
1) yes, it will work
2) apart from the setup of Jespa itself, no additional setup or change in the 
app is required.
The setup of Jespa does require the intervention of a sysadmin at the site though, because 
it requires creating a Windows machine account for Jespa. See the doc, also available 
for download.





Re: Does windows authentication works on Tomcat under Linux.

2013-02-25 Thread Mark Thomas

On 25/02/2013 10:48, André Warnier wrote:

Denis wrote:

Hello,

I want to use Tomcat's Windows Authentication
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Third_party_libraries
feature to have a reliable domain user name via
HTTPServletRequest.getRemoteUser() within my servlet.

Questions:

1) Is Tomcat's Windows authentication supposed to work in my env?

 * Application Server: apache-tomcat-7.0.21
 * JDK version: 1.6.0_26
 * OS: Red Hat Enterprise Linux Server release 5.5 (Tikanga)

2) Any additional setup required to be able to access domain
username via HTTPServletRequest.getRemoteUser() within my servlet?



Hi.
I do not know either if the above is supposed to work also under Linux
as a platform.
It is not very clear in the Tomcat docs, and I have asked a couple of
times on the list without getting much of an answer.  (Probably because
few people know).


It should work but I haven't tested it.

I suggest opening an enhancement request for the docs to be updated to 
include a known working Linux config. I should be able to take a look at 
doing that once I get back from ApacheCon next week.


Mark





Re: Does windows authentication works on Tomcat under Linux.

2013-02-25 Thread Denis

It will be helpful for those who don't have time to try-and-fail.




Re: Windows Authentication: Issue 49318 vs 47679

2011-04-11 Thread Tim Whittington
On Mon, Mar 28, 2011 at 7:26 AM, Stefan Mayr <ste...@mayr-stefan.de> wrote:
 Hello everybody,

 as many others before we wanted to do single-sign-on for intranet web
 applications using integrated windows authentication (negotiate because IE
 sometimes tries NTLM instead of using plain kerberos - breaking all our
 kerberos-only experiments).

 We thought that IIS would be the best choice for integrated windows
 authentication and we could pass the user via AJP (using mod_jk) to our
 tomcat instances.

 Our setup:
 - Windows 2008 R2 using IIS 7.5 (64bit)
 - mod_jk 1.2.31
 - Oracle Java 1.6 U24
 - Tomcat 6.0.32

 At first glance using tomcatAuthentication=false worked as expected. We got
 the remote user and started deploying an application. End of happiness - the
 application complained about a missing user-agent. That header was not
 passed to tomcat when authentication was enabled on IIS.

 Some research revealed Bug 47679 - Not all headers get passed to Tomcat
 server from isapi_redirect.dll
 (https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)

 Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
 integrate Waffle (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318).
 The last comment links a new Windows Authentication How-To from Mark Thomas.
 Looks like we have already tried almost all proposed solutions:

 - IIS + mod_jk:
  tried but stuck in Bug 47679. Also tried ARR to pass the user name
  as a request header from IIS to Tomcat without success
 - Apache mod_ntlm: used it and we replaced it by the much more stable
  mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
 - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
  platform - we couldn't get stability problems solved on Apache 2.2
  and 64bit Linux. No ongoing development.
 - Apache mod_auth_sspi: till now in internal use for a very small
  project (works just fine), not sure about the future. Although
  there seems to be some new activity on 1.0.5 beta
 - Waffle: found it on thursday and it is on our todo-list for
  testing it next week

 Any chances to get Bug 47679 solved? How can we help (we are admins, no
 devs)?
 What solutions have you deployed? Recommendations?

I've committed a fix for Bug 47679, which I hope will resolve the
issues people have been having using the ISAPI redirector in an
extension only mode.




Re: Windows Authentication: Issue 49318 vs 47679

2011-04-04 Thread André Warnier

Stefan Mayr wrote:


Native SPNEGO in Tomcat sounds great. Waiting a little while depends on 
your scale of "little". Is there already some development we can follow? 
Will this use Java GSS? I never figured out how to configure this with 
Tomcat.



If you are in a hurry, you may want to have a look at Jespa : www.ioplex.com.
Have it installed at numerous customers sites and works great.

About the sequence of rewrite/forward with IIS, have a look at isapi_rewrite :
http://www.helicontech.com/isapi_rewrite/doc/

It can pick up the user's Windows domain user-id, and pass it on as an HTTP 
header.
You would then need a simple servlet filter at the Tomcat level, to pick up the content of 
this header and use it as the authenticated Tomcat user-id.



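A filter of the kind André describes, added here as an example (it is not code from the thread, from Jespa or from Tomcat): it takes the user id from a hypothetical X-Remote-User header, but only when the request carries a shared secret known to the proxy and arrives from a configured proxy address, because otherwise any client able to reach Tomcat directly could set the header itself. The header names, init parameters and the "PROXY" auth type are assumptions for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Turns a user id supplied by a trusted reverse proxy into the servlet-level remote user.
 * Header and init-parameter names are assumptions for this example.
 */
public class TrustedProxyUserFilter implements Filter {
    private static final String USER_HEADER = "X-Remote-User";    // set by the proxy (assumed name)
    private static final String SECRET_HEADER = "X-Proxy-Secret"; // shared secret (assumed name)
    // DOMAIN\user or user@REALM: letters, digits and a few separators, nothing else
    private static final Pattern USER_SYNTAX = Pattern.compile("^[A-Za-z0-9._@\\\\-]{1,128}$");

    private Set<String> trustedProxies;
    private byte[] sharedSecret;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String proxies = cfg.getInitParameter("trustedProxies"); // e.g. "10.0.0.5,10.0.0.6"
        String secret = cfg.getInitParameter("sharedSecret");
        if (proxies == null || secret == null || secret.length() < 32) {
            throw new ServletException("trustedProxies and a sharedSecret of 32+ characters are required");
        }
        trustedProxies = new HashSet<>(Arrays.asList(proxies.split("\\s*,\\s*")));
        sharedSecret = secret.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String user = request.getHeader(USER_HEADER);

        if (user == null) {
            chain.doFilter(req, res); // anonymous request: let the application decide
            return;
        }
        if (!fromTrustedProxy(request) || !USER_SYNTAX.matcher(user).matches()) {
            // The header reached Tomcat without passing through the proxy (or is malformed):
            // a client could have set it itself, so it must never be honoured.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(new AuthenticatedRequest(request, user), res);
    }

    /**
     * Assumes the proxy speaks HTTP to Tomcat, so getRemoteAddr() is the proxy's TCP peer
     * address. Over AJP the connector reports the original client's address instead, and
     * only the shared-secret comparison (constant time, via MessageDigest.isEqual) still holds.
     */
    private boolean fromTrustedProxy(HttpServletRequest request) {
        String presented = request.getHeader(SECRET_HEADER);
        boolean secretOk = presented != null
                && MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), sharedSecret);
        return secretOk && trustedProxies.contains(request.getRemoteAddr());
    }

    @Override
    public void destroy() {
    }

    /** Exposes the proxy-verified user through the standard servlet API. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;

        AuthenticatedRequest(HttpServletRequest request, final String user) {
            super(request);
            principal = new Principal() {
                @Override
                public String getName() {
                    return user;
                }
            };
        }

        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getAuthType() { return "PROXY"; }
    }
}
```

A filter only changes what the application sees through getRemoteUser() and getUserPrincipal(); Tomcat's own security constraints and isUserInRole() still treat the request as anonymous, which is why the connector-level route (AJP with tomcatAuthentication=false) is the one that integrates with container-managed security.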


Re: Windows Authentication: Issue 49318 vs 47679

2011-03-29 Thread Mark Thomas
On 28/03/2011 22:31, Stefan Mayr wrote:
 Native SPNEGO in Tomcat sounds great. Waiting a little while depends on
 your scale of "little". Is there already some development we can follow?
 Will this use Java GSS? I never figured out how to configure this with
 Tomcat.

"little" hopefully means the next week or so in a 7.0.12 release. I have
a handful of things I need/want to get into 7.0.12 and SPNEGO is one of
them.

Having spent more time than I want to think about and having lost count
of the number of times I re-installed Windows 2k8 server to test this, I
finally got this working a few minutes ago. The current code is *very*
rough and ready and it only does authentication, not authorisation so I
still have some work to do.

The solution is based on ideas from Spring Security's Kerberos extension
and the most recent patches attached to bug 48685.

I'll be committing an initial implementation once I have cleaned up the
code a bit and then I'll build on that to add authorisation, more
configuration etc.

Mark




Re: Windows Authentication: Issue 49318 vs 47679

2011-03-29 Thread Mark Thomas
On 29/03/2011 15:20, Mark Thomas wrote:
 On 28/03/2011 22:31, Stefan Mayr wrote:
 Native SPNEGO in Tomcat sounds great. Waiting a little while depends on
 your scale of "little". Is there already some development we can follow?
 Will this use Java GSS? I never figured out how to configure this with
 Tomcat.
 
 "little" hopefully means the next week or so in a 7.0.12 release. I have
 a handful of things I need/want to get into 7.0.12 and SPNEGO is one of
 them.
 
 Having spent more time than I want to think about and having lost count
 of the number of times I re-installed Windows 2k8 server to test this, I
 finally got this working a few minutes ago. The current code is *very*
 rough and ready and it only does authentication, not authorisation so I
 still have some work to do.
 
 The solution is based on ideas from Spring Security's Kerberos extension
 and the most recent patches attached to bug 48685.
 
 I'll be committing an initial implementation once I have cleaned up the
 code a bit and then I'll build on that to add authorisation, more
 configuration etc.

The first part just got committed [1]. More to follow over the next day
or so.

Mark

[1] http://svn.apache.org/viewvc?rev=1086683&view=rev




Re: Windows Authentication: Issue 49318 vs 47679

2011-03-29 Thread Borut Hadžialić
Would adding support for client credential delegation be out of scope
for this implementation or not?

Client credential delegation is when you use the spnego token
construct a javax.security.auth.Subject instance that represents the
client - which the server side application can use this to impersonate
the client (eg. connect to some Kerberized database as the client that
sent the request, or consume some other kerberized service as the
client).

The code for creating such a Subject would be something like this:

import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

GSSContext context =
    GSSManager.getInstance().createContext((GSSCredential) null);
context.acceptSecContext(...);

//check if the credentials can be delegated
if (!context.getCredDelegState()) {

  //get the delegated credentials from the calling peer...
  GSSCredential clientCred = context.getDelegCred();

  //Create a Subject out of the delegated credentials.
  //With this Subject the application server can impersonate the
  //client that sent the request.
  Subject clientSubject =
      com.sun.security.jgss.GSSUtil.createSubject(context.getSrcName(), clientCred);
}

//Store the clientSubject somewhere - maybe to the HttpServletRequest?

I am sure this would be useful for some applications - for example the
one that we are currently developing needs functionality like this.


-- 
Why?
Because YES!




Re: Windows Authentication: Issue 49318 vs 47679

2011-03-29 Thread Borut Hadžialić
Whoops, I reversed the condition of the if statement, it should be:

//check if the credentials can be delegated
if (context.getCredDelegState()) {
...
}




-- 
Why?
Because YES!




Re: Windows Authentication: Issue 49318 vs 47679

2011-03-29 Thread Mark Thomas
On 29/03/2011 20:47, Borut Hadžialić wrote:
 Would adding support for client credential delegation be out of scope
 for this implementation or not?

It is in scope with the caveat - as always - that it depends on what the
final implementation looks like. I do know (from debug logging) that
right now tokens do not allow delegation. I suspect the hardest part of
implementing this will be figuring out what config needs tweaking to
allow that.

 //Store the clientSubject somewhere - maybe to the HttpServletRequest?

That needs a little more thought. I am leaning towards a request
attribute at the moment unless I can find a way to get it into the
result of getUserPrincipal() (which I don't think I can without
requiring a cast to a Tomcat internal class which is just horrible).

 I am sure this would be useful for some applications - for example the
 one that we are currently developing needs functionality like this.

Testing help always appreciated if you are happy running the latest
7.0.x release (this should be in 7.0.12 which I plan to start releasing
just as soon as I finish everything on my todo list).

Mark




Re: Windows Authentication: Issue 49318 vs 47679

2011-03-29 Thread Borut Hadžialić
On Tue, Mar 29, 2011 at 9:57 PM, Mark Thomas <ma...@apache.org> wrote:
 It is in scope with the caveat - as always - that it depends on what the
 final implementation looks like. I do know (from debug logging) that
 right now tokens do not allow delegation. I suspect the hardest part of
 implementing this will be figuring out what config needs tweaking to
 allow that.

I think that credential delegation is configured at the domain
controller and client side, as this nice article describes:
http://spnego.sourceforge.net/credential_delegation.html

 I am sure this would be useful for some applications - for example the
 one that we are currently developing needs functionality like this.

 Testing help always appreciated if you are happy running the latest
 7.0.x release (this should be in 7.0.12 which I plan to start releasing
 just as soon as I finish everything on my todo list).


We already have some hand written custom code for this. We will not be
switching to 7.0.x (we will be deploying to tcServer in production, and
it will probably take lots of time for 7.0.12 changes to appear in
some version of tcServer, so we need the custom code we have at the
moment).
I might however try to deploy our app to 7.0.12 when it is out - and
see how much of our custom code will get removed by this spnego
support that you are writing now.

-- 
Why?
Because YES!




Re: Windows Authentication: Issue 49318 vs 47679

2011-03-29 Thread Mark Thomas
On 29/03/2011 21:18, Borut Hadžialić wrote:
 On Tue, Mar 29, 2011 at 9:57 PM, Mark Thomas <ma...@apache.org> wrote:
 It is in scope with the caveat - as always - that it depends on what the
 final implementation looks like. I do know (from debug logging) that
 right now tokens do not allow delegation. I suspect the hardest part of
 implementing this will be figuring out what config needs tweaking to
 allow that.
 
 I think that credential delegation is configured at the domain
 controller and client side, as this nice article describes:
 http://spnego.sourceforge.net/credential_delegation.html

Thanks. That is one of the many articles I have read over the last few
days but I had forgotten which ones mentioned what. I'll take a look.

 I am sure this would be useful for some applications - for example the
 one that we are currently developing needs functionality like this.

 Testing help always appreciated if you are happy running the latest
 7.0.x release (this should be in 7.0.12 which I plan to start releasing
 just as soon as I finish everything on my todo list).

 
 We already have some hand written custom code for this. We will not be
 switching to 7.0.x (we will be deploying to tcServer in production, and
 it will probably take lots of time for 7.0.12 changes to appear in
 some version of tcServer, so we need the custom code we have at the
 moment).

Fair enough.

<off-topic>
With my VMware hat on that is probably going to be sooner than you
think it is but I can't give you any firm dates.
</off-topic>

 I might however try to deploy our app to 7.0.12 when it is out - and
 see how much of our custom code will get removed by this spnego
 support that you are writing now.

That would be great. Any testing and feedback is always helpful.

Mark




Re: Windows Authentication: Issue 49318 vs 47679

2011-03-28 Thread Borut Hadžialić
Hello Stefan,

if you can't fix your problem with configuration and decide that you
want to solve the problem by programming, then this might help you
http://blog.springsource.com/2009/09/28/spring-security-kerberos/
After understanding that article a developer should be able to add a
SPNEGO implementation (probably not the whole protocol, just as much
it is needed for your app) to your Tomcat application by adding some
filters.
What the implementation needs to do is basically:
 1. If there is a 'Negotiate ..' http header or other authentication,
read it and process it.

 2. Otherwise if there is no authentication, send a spnego challenge
//HttpServletResponse response
response.addHeader("WWW-Authenticate", "Negotiate");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.flushBuffer();







-- 
Why?
Because YES!


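Borut's two steps above, combined with the credential-delegation check from his earlier post in this thread, as an added example rather than code from the thread or from Tomcat: a filter that answers an anonymous request with the Negotiate challenge, accepts a presented token through JGSS under the service's keytab identity, and stores the client name and (only when the token allows it) the delegated credential as request attributes, the placement Mark says he leans towards. The JAAS entry name "spnego-service", the attribute names and the JDK 8 Base64/lambda usage are assumptions; the keytab login relies on the jaas.conf and krb5 setup discussed elsewhere in the thread.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/** Minimal SPNEGO acceptor as a servlet filter; names marked "assumed" are not from the thread. */
public class SpnegoFilter implements Filter {
    public static final String USER_ATTR = "spnego.user";                    // assumed attribute name
    public static final String DELEGATED_CRED_ATTR = "spnego.delegatedCred"; // assumed attribute name
    private static final String JAAS_ENTRY = "spnego-service";               // assumed jaas.conf entry
    private static final String NEGOTIATE = "Negotiate";
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    private Subject serviceSubject;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try { // log the HTTP/<host> service principal in from the keytab named in jaas.conf
            LoginContext lc = new LoginContext(JAAS_ENTRY);
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service keytab login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Step 1: is there a "Negotiate <token>" header to process? Step 2: if not, challenge.
        final byte[] token = tokenFrom(request.getHeader("Authorization"));
        if (token == null) { challenge(response, null); return; }
        if (token.length >= NTLMSSP.length && Arrays.equals(Arrays.copyOf(token, NTLMSSP.length), NTLMSSP)) {
            // IE's raw-NTLM fallback from the thread: JGSS cannot accept it, so fail clearly instead of looping
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "NTLM is not supported");
            return;
        }
        final byte[][] reply = new byte[1][]; // token to send back, if the acceptor produces one
        try {
            // acceptSecContext needs the service's Kerberos key, which lives in serviceSubject.
            GSSContext ctx = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<GSSContext>) () -> {
                GSSContext c = GSSManager.getInstance().createContext((GSSCredential) null);
                reply[0] = c.acceptSecContext(token, 0, token.length);
                return c;
            });
            if (!ctx.isEstablished()) { // more legs needed: continue the exchange
                challenge(response, reply[0]);
                return;
            }
            request.setAttribute(USER_ATTR, ctx.getSrcName().toString());
            if (ctx.getCredDelegState()) { // the condition the right way round
                // Present only if AD trusts the service account for delegation and the client forwarded
                // its TGT; it lets the application act as the user, so handle it like a password.
                request.setAttribute(DELEGATED_CRED_ATTR, ctx.getDelegCred());
            }
            if (reply[0] != null) { // mutual authentication: final token for the client
                response.setHeader("WWW-Authenticate", NEGOTIATE + " " + Base64.getEncoder().encodeToString(reply[0]));
            }
            ctx.dispose();
        } catch (PrivilegedActionException | GSSException e) {
            // Bad or replayed ticket, wrong SPN, clock skew: do not echo the GSSException to the client.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Decoded token, or null when the header is absent, not Negotiate, or not valid base64. */
    private static byte[] tokenFrom(String authorization) {
        String prefix = NEGOTIATE + " ";
        if (authorization == null || !authorization.regionMatches(true, 0, prefix, 0, prefix.length())) return null;
        try {
            return Base64.getDecoder().decode(authorization.substring(prefix.length()).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated like no credentials
        }
    }

    private static void challenge(HttpServletResponse response, byte[] token) throws IOException {
        response.setHeader("WWW-Authenticate", token == null ? NEGOTIATE : NEGOTIATE + " " + Base64.getEncoder().encodeToString(token));
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.flushBuffer();
    }

    @Override
    public void destroy() {
    }
}
```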


Re: Windows Authentication: Issue 49318 vs 47679

2011-03-28 Thread Mark Thomas
On 28/03/2011 08:42, Borut Hadžialić wrote:
 Hello Stefan,
 
 if you can't fix your problem with configuration and decide that you
 want to solve the problem by programming, then this might help you
 http://blog.springsource.com/2009/09/28/spring-security-kerberos/
 After understanding that article a developer should be able to add a
 SPNEGO implementation (probably not the whole protocol, just as much
 it is needed for your app) to your Tomcat application by adding some
 filters.

Or you could just add Spring Security to your app. I'll add that as an
option to the new How-To.

 Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
 integrate Waffle (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318).
 The last comment links a new Windows Authentication How-To from Mark Thomas.
 Looks like we have already tried almost all proposed solutions:

Thanks for the great feedback on the options. I put the existing how-to
together pretty much entirely on some Google searches. I'll add your
feedback to the how-to / maybe remove some options that don't look viable.

 - IIS + mod_jk:
  tried but stuck in Bug 47679. Also tried ARR to pass the user name
  as a request header from IIS to Tomcat without success
 - Apache mod_ntlm: used it and we replaced it by the much more stable
  mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
 - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
  platform - we couldn't get stability problems solved on Apache 2.2
  and 64bit Linux. No ongoing development.
 - Apache mod_auth_sspi: till now in internal use for a very small
  project (works just fine), not sure about the future. Although
  there seems to be some new activity on 1.0.5 beta
 - Waffle: found it on thursday and it is on our todo-list for
  testing it next week

 Any chances to get Bug 47679 solved? How can we help (we are admins, no
 devs)?
 What solutions have you deployed? Recommendations?

It is tricky to recommend something right now. I'm guessing you want
something that a) works reliably and b) is likely to be supported for
the long term. Right now Waffle probably comes closest to that. If you
can wait a little while, I should have SPNEGO support in Tomcat 7 fairly
soon. It may - or may not - get back-ported to Tomcat 6. It will depend
on the eventual solution.

Mark




RE: Windows Authentication: Issue 49318 vs 47679

2011-03-28 Thread spring
 I should have SPNEGO support in Tomcat 7 fairly soon. 

This would be great!





Re: Windows Authentication: Issue 49318 vs 47679

2011-03-28 Thread Stefan Mayr

Hi Mark,

On 28.03.2011 10:49, Mark Thomas wrote:

On 28/03/2011 08:42, Borut Hadžialić wrote:

Hello Stefan,

if you can't fix your problem with configuration and decide that you
want to solve the problem by programming, then this might help you
http://blog.springsource.com/2009/09/28/spring-security-kerberos/
After understanding that article a developer should be able to add a
SPNEGO implementation (probably not the whole protocol, just as much
it is needed for your app) to your Tomcat application by adding some
filters.


Or you could just add Spring Security to your app. I'll add that as an
option to the new How-To.


I guess this is the classic kerberos/keytab approach (no NTLM-fallback) 
that many solutions offer.



Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
integrate Waffle (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318).
The last comment links a new Windows Authentication How-To from Mark Thomas.
Looks like we have already tried almost all proposed solutions:


Thanks for the great feedback on the options. I put the existing how-to
together pretty much entirely on some Google searches. I'll add your
feedback to the how-to / maybe remove some options that don't look viable.


- IIS + mod_jk:
  tried but stuck in Bug 47679. Also tried ARR to pass the user name
  as a request header from IIS to Tomcat without success
- Apache mod_ntlm: used it and we replaced it by the much more stable
  mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
- Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
  platform - we couldn't get stability problems solved on Apache 2.2
  and 64bit Linux. No ongoing development.
- Apache mod_auth_sspi: till now in internal use for a very small
  project (works just fine), not sure about the future. Although
  there seems to be some new activity on 1.0.5 beta
- Waffle: found it on thursday and it is on our todo-list for
  testing it next week

Any chances to get Bug 47679 solved? How can we help (we are admins, no
devs)?
What solutions have you deployed? Recommendations?


It is tricky to recommend something right now. I'm guessing you want
something that a) works reliably and b) is likely to be supported for
the long term. Right now Waffle probably comes closest to that. If you
can wait a little while, I should have SPNEGO support in Tomcat 7 fairly
soon. It may - or may not - get back-ported to Tomcat 6. It will depend
on the eventual solution.


You're definitely right. We are searching for the holy grail of intranet 
authentication. a+b is a must.


The idea of using IIS with ARR in reverse proxy mode passing a username 
was a dead end: Microsoft pointed us to a nice article describing HTTP 
request processing order. Rewriting a request comes before the 
authentication module - so nothing to append to a header or request in 
the first place.
See 
http://learn.iis.net/page.aspx/501/iis-70-request-filtering-and-url-rewriting/

Leaves IIS with mod_jk if you can live with Bug 47679.

Our first test with Waffle is promising. Now it needs to be integrated 
into our application for further testing.


Native SPNEGO in Tomcat sounds great. Waiting a little while depends on 
your scale of "little". Is there already some development we can follow? 
Will this use Java GSS? I never figured out how to configure this with 
Tomcat.


   Stefan

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Windows Authentication: Issue 49318 vs 47679

2011-03-27 Thread Stefan Mayr

Hello everybody,

As many others before us, we wanted to do single sign-on for intranet web 
applications using Integrated Windows Authentication (Negotiate, because 
IE sometimes tries NTLM instead of plain Kerberos, breaking all 
our Kerberos-only experiments).


We thought that IIS would be the best choice for integrated windows 
authentication and we could pass the user via AJP (using mod_jk) to our 
tomcat instances.


Our setup:
- Windows 2008 R2 using IIS 7.5 (64bit)
- mod_jk 1.2.31
- Oracle Java 1.6 U24
- Tomcat 6.0.32

At first glance using tomcatAuthentication=false worked as expected. We 
got the remote user and started deploying an application. End of 
happiness - the application complained about a missing user-agent. That 
header was not passed to tomcat when authentication was enabled on IIS.


Some research revealed Bug 47679 - Not all headers get passed to Tomcat 
server from isapi_redirect.dll 
(https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)


Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) 
authenticator / integrate Waffle 
(https://issues.apache.org/bugzilla/show_bug.cgi?id=49318). The last 
comment links a new Windows Authentication How-To from Mark Thomas. 
Looks like we have already tried almost all proposed solutions:


- IIS + mod_jk:
  tried but stuck in Bug 47679. Also tried ARR to pass the user name
  as a request header from IIS to Tomcat without success
- Apache mod_ntlm: used it and we replaced it by the much more stable
  mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
- Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
  platform - we couldn't get stability problems solved on Apache 2.2
  and 64bit Linux. No ongoing development.
- Apache mod_auth_sspi: till now in internal use for a very small
  project (works just fine), not sure about the future. Although
  there seems to be some new activity on 1.0.5 beta
- Waffle: found it on Thursday and it is on our todo-list for
  testing it next week

Any chances to get Bug 47679 solved? How can we help (we are admins, no 
devs)?

What solutions have you deployed? Recommendations?

Thank you,

Stefan Mayr


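Stefan's remark that IE sometimes sends NTLM where Kerberos was expected can be checked at the HTTP layer, because the `Authorization: Negotiate` header shows which mechanism the client actually chose. The following is an added example (mine, not code from Tomcat, Waffle, mod_auth_* or anyone in this thread) that decodes a SPNEGO NegTokenInit far enough to list the mechanisms the client offered, in its preference order, and to recognise a raw NTLMSSP token or an NTLM-first token. The sample headers are constructed here with placeholder payloads: the fake AP-REQ and NTLM NEGOTIATE_MESSAGE bytes are stand-ins, not real tickets.

```python
"""Classify what an `Authorization: Negotiate <token>` header actually carries:
SPNEGO with Kerberos first, SPNEGO with NTLM first, raw Kerberos or raw NTLMSSP.
Added example; not Tomcat, Waffle or mod_auth_* code. Sample tokens are constructed."""
import base64

# DER contents of the relevant OIDs (standard encodings, without tag and length)
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}


def read_tlv(buf, pos=0):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der(tag, content):
    """Encode one DER TLV (only needed to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def parse_negotiate(header_value):
    """Return {'kind': ..., 'mech_types': [...]} for one Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):       # NTLM with no SPNEGO wrapper (scheme NTLM or Negotiate)
        return {"kind": "ntlm-raw", "mech_types": []}
    if scheme.lower() != "negotiate":
        return {"kind": "other-scheme", "mech_types": []}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:                            # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mech_types": []}
    _, mech, pos = read_tlv(body)              # thisMech OID
    if mech in (OID_KRB5, OID_MS_KRB5):
        return {"kind": "kerberos-raw", "mech_types": [OID_NAMES[mech]]}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "mech_types": []}
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:                            # [1] NegTokenResp: a later leg, carries no mech list
        return {"kind": "spnego-resp", "mech_types": []}
    _, fields, _ = read_tlv(neg)               # NegTokenInit SEQUENCE
    mech_types, optimistic, pos = [], b"", 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA0:                        # [0] mechTypes: the client's preference order
            _, lst, _ = read_tlv(value)
            p = 0
            while p < len(lst):
                _, oid, p = read_tlv(lst, p)
                mech_types.append(OID_NAMES.get(oid, oid.hex()))
        elif tag == 0xA2:                      # [2] mechToken: optimistic token for mechTypes[0]
            _, optimistic, _ = read_tlv(value)
    if optimistic.startswith(b"NTLMSSP\x00") or mech_types[:1] == ["ntlmssp"]:
        kind = "spnego-ntlm"
    elif mech_types[:1] in (["krb5"], ["ms-krb5"]):
        kind = "spnego-kerberos"
    else:
        kind = "spnego-other"
    return {"kind": kind, "mech_types": mech_types}


# ---- constructed samples: placeholder payloads, not real tickets or hashes ----
def negotiate_header(mechs, mech_token):
    """`Negotiate <base64 NegTokenInit>` offering `mechs`, with `mech_token` for the first one."""
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mechs))
    init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    token = der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, init))
    return "Negotiate " + base64.b64encode(token).decode()


FAKE_AP_REQ = der(0x60, der(0x06, OID_MS_KRB5) + b"\x01\x00" + bytes(300))  # stands in for a KRB_AP_REQ
FAKE_NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)       # NEGOTIATE_MESSAGE shape

HEADER_KERBEROS = negotiate_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], FAKE_AP_REQ)  # client got a ticket
HEADER_NTLM_FALLBACK = negotiate_header([OID_NTLMSSP], FAKE_NTLM_TYPE1)               # client fell back to NTLM
HEADER_NTLM_RAW = "Negotiate " + base64.b64encode(FAKE_NTLM_TYPE1).decode()           # NTLM, no SPNEGO at all
HEADER_NTLM_SCHEME = "NTLM " + base64.b64encode(FAKE_NTLM_TYPE1).decode()

if __name__ == "__main__":
    for h in (HEADER_KERBEROS, HEADER_NTLM_FALLBACK, HEADER_NTLM_RAW, HEADER_NTLM_SCHEME):
        print(parse_negotiate(h))
```

Run this over the Authorization values from a proxy capture before blaming Tomcat or the connector: a client that lists ntlmssp first, or sends NTLMSSP without a SPNEGO wrapper, never obtained a service ticket, which in practice points at a missing or duplicated HTTP/host SPN, a site that is not in the browser's intranet zone, or a client that is not domain-joined rather than at anything on the server side.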


Issues with ntlmauth.dll on Apache Tomcat/5.5.26 (SQL server Windows Authentication)

2011-02-24 Thread BLEDAR MEMA

Hi,

We have a problem on our production servers. Tomcat was running fine and we 
decided to use the SQL Server Windows Authentication by adding ntlmauth.dll to 
the system32 Windows folder and updating jTDS to version jtds1.2.5.jar as 
instructed by the website. This has caused a memory leak in the Tomcat process, 
i.e. if observed using the Windows Task Manager, the memory usage for the 
tomcat6.exe process goes up until a restart is required due to an OutOfMemory 
exception. Our Java application runs fine and no memory leak is reported there 
when observed using JConsole or JProfiler. Are you aware of any problems with 
this procedure? Is this a known issue? I have searched the Internet for a 
solution and have not been able to find anything regarding this for weeks now.

I would really appreciate it if you could get back to me on this, as it is 
causing a lot of problems to our service.

Best regards,

Bledar Mema   

Re: Issues with ntlmauth.dll on Apache Tomcat/5.5.26 (SQL server Windows Authentication)

2011-02-24 Thread André Warnier


This is the same issue as the thread entitled Memory Leak in Tomcat.
Perhaps you want to browse it.
The answer is the same : you should ask the jTDS (jDTS ?) people about it. It does not 
seem to have anything to do with Tomcat per se.






Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread Savoy, Melinda
I have a Java web app whereby we have been using the JCIFS open source 
authentication package that uses NTLMv1 over the past 5 years and it's been 
working great.  However, some of our users are now using Windows 7 that does 
not accept NTLMv1 authentication and now I'm looking at IIS in order to 
authenticate our users.  I used the Apache Tomcat Connector and got that set up; 
however, I am having issues in retrieving the authentication property for the 
USERID of the client making the request which I understood IIS provides.  On 
the Apache Tomcat Connector documentation it only states how to setup the IIS 
Tomcat integration which is working great but it does NOT provide the 
information, from a Java perspective, on how to retrieve from the request the 
userid info. I have tried the HttpServletRequest object but when I use the 
getRemoteUser() method I get a NULL value.  I realize I must be doing something 
wrong but I have no idea what.
If anyone has accomplished this or can provide information on this it would be 
greatly appreciated.  I've posted on a number of Tomcat forums but cannot get a 
response to this issue.  Any help/direction, again, would be appreciated.
I forgot to mention that I am using my local Windows XP Pro box with IIS v5.1 
in the event that info is needed to answer my question.
Thanks so much.

Melinda Savoy
Sr. Programmer Analyst, ERP Systems
Innovative Technology Solutions
Texas Health Resources
600 E. Lamar Blvd, Ste 301, Arlington TX  76011
melindasa...@texashealth.org

Texas Health Resources: Arlington Memorial,
Harris Methodist and Presbyterian Hospitals
A shared mission and now a shared name.





The information contained in this message and any attachments is intended only 
for the use of the individual or entity to which it is addressed, and may 
contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from 
disclosure under applicable law.  If you are not the intended recipient, you 
are prohibited from copying, distributing, or using the information.  Please 
contact the sender immediately by return e-mail and delete the original message 
from your system.

RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread dB .
I just posted about this :)

Instead of using IIS, you should take a look at the Waffle Tomcat Authenticator 
(http://waffle.codeplex.com). Currently it stores a Generic principal with the 
user's FQN and all local/domain groups, but that can certainly be extended to a 
much richer principal with all kinds of information that Windows provides (such 
as SID).

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York






RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread Savoy, Melinda
I did see your post from Nabble and I appreciate it.  I will hopefully get an 
opp to try it today if I cannot get an answer to my issue.  

A few questions on your post below, and pardon my ignorance, but what is a 
user's FQN, are you stating that Waffle does NOT provide a user id from the 
request, are the WEB.XML settings required?  Why I ask about the web.xml 
settings is because our former team lead created an underlying SECURITY package 
that is the foundation of our web app.  Unfortunately, he is no longer here and 
I do not have time to re-write our app.  He wrote this to do multiple things:

1.  Used as a wrapper around JCIFS.  
2.  Used for other security layers to acquire security info from our legacy 
system.  

I just set up the Apache Tomcat Connector on Tuesday, and are you stating 
that you've used IIS Tomcat integration (Apache Tomcat Connector) and you could 
not get the userid info either from the client request?

Thanks again for your post.  


RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread dB .
FQN = fully qualified name (it's unambiguous, usually machine-name\username or 
domain-name\username). It's there and returned by the Waffle tomcat 
authenticator.

But names may change (people get married, groups renamed), so Windows has a 
concept of SID, it's a binary identifier (S-xyz), that never changes and is 
unique. So permissions are typically done with that rather than with fully 
qualified names. There's a bit of work left in Waffle to expose SIDs in the 
principal object(s).

I have no idea what JCIFS can or cannot do for you, but mixing IIS and Tomcat 
seems like a suboptimal way to go, to say the least. Waffle theoretically 
should resolve this, but your specific application is what really matters.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York



RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread Savoy, Melinda
Thanks for the reply.  2 more questions if you don't mind:

1.  Just wanted to confirm that Waffle does support NTLMv2?  We do not use 
Kerberos on our network.  
2.  Are the web.xml settings required?  Again, we have our own custom 
security package and it is defined in the web.xml file.  As stated previously, 
I do not have time to rewrite the security code in order to accommodate a 
product that requires that we use their setting in web.xml.

Just an FYI, in JCIFS, we are able to acquire the domain and user from the 
Type3Message class.  JCIFS uses the challenge-response paradigm.

Thanks for the work that you're doing.  More and more Java web teams will need 
something like this as their companies move over to products like Windows 7 
where NTLMv1 is no longer acceptable.

Regards.


RE: Question regarding IIS Windows Authentication using Tomcat Connector

2010-05-20 Thread dB .
1. Yes. It will support whatever your Windows box supports since it calls the 
native Windows API. Smartcards, retinal scans, etc.
2. They are not, your code should be fine.

dB. @ dblock.org 
Moscow|Geneva|Seattle|New York




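Melinda mentions taking the domain and user out of JCIFS's Type3Message; those fields, together with whether the client answered with NTLMv1 or NTLMv2 (the question behind the Windows 7 breakage and the "does Waffle support NTLMv2" exchange above), sit at fixed offsets in the NTLM AUTHENTICATE_MESSAGE. The following is an added example and is not JCIFS or Waffle code: it parses a raw Type 3 message as MS-NLMP lays it out, classifies the response, and, for NTLMv2, reads the AV pairs that name the target the client believed it was talking to. The three sample messages are constructed here with fake responses (no real hashes); the domain, account, workstation and target names are made up.

```python
"""Parse a raw NTLM AUTHENTICATE_MESSAGE (what JCIFS calls a Type3Message) as MS-NLMP
lays it out: claimed domain, user and workstation, and whether the client answered
with NTLMv1, NTLMv1 with extended session security, or NTLMv2.
Added example; not JCIFS or Waffle code. Sample messages are constructed with fake
responses (no real hashes); names and the target SPN are made up."""
import base64
import struct

NEGOTIATE_UNICODE = 0x00000001       # payload strings are UTF-16LE, otherwise OEM code page
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 9: "TargetName", 10: "ChannelBindings"}


def parse_authenticate(msg):
    """Return the account the message claims, the NTLM variant and any NTLMv2 AV pairs."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")

    def field(i):                     # six (Len, MaxLen, Offset) descriptors start at byte 12
        length, _, offset = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        return msg[offset:offset + length]

    lm, nt, domain, user, workstation = (field(i) for i in range(5))
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"   # cp437 assumed for OEM strings

    if len(nt) == 0:
        variant = "anonymous"
    elif len(nt) == 24:               # 24-byte DES-based response: the NTLMv1 family
        variant = "NTLMv1-ESS" if lm[8:] == bytes(16) else "NTLMv1"  # ESS: 8-byte nonce + 16 zeros
    elif len(nt) > 24 and nt[16:18] == b"\x01\x01":   # NTProofStr + NTLMv2_CLIENT_CHALLENGE
        variant = "NTLMv2"
    else:
        variant = "unknown"

    av = {}
    if variant == "NTLMv2":
        pos = 44                      # 16-byte NTProofStr + 28-byte fixed challenge header
        while pos + 4 <= len(nt):
            av_id, av_len = struct.unpack_from("<HH", nt, pos)
            pos += 4
            if av_id == 0:            # MsvAvEOL
                break
            av[AV_NAMES.get(av_id, av_id)] = nt[pos:pos + av_len]
            pos += av_len
    target = av.get("TargetName", b"").decode("utf-16-le") or None
    return {"domain": domain.decode(codec), "user": user.decode(codec),
            "workstation": workstation.decode(codec), "variant": variant,
            "target_name": target, "flags": flags}


def parse_authorization(header_value):
    """`Authorization: NTLM <base64>` (or Negotiate carrying raw NTLMSSP) -> parsed message."""
    _, _, b64 = header_value.strip().partition(" ")
    return parse_authenticate(base64.b64decode(b64))


# ---- constructed samples --------------------------------------------------------
def build_authenticate(domain, user, workstation, lm, nt,
                       flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_ALWAYS_SIGN):
    """Assemble a Type 3 message with the 88-byte header (Version and a zeroed MIC included)."""
    fields = [lm, nt, domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]   # last one: EncryptedRandomSessionKey
    descriptors, payload, offset = b"", b"", 88
    for f in fields:
        descriptors += struct.pack("<HHI", len(f), len(f), offset)
        payload += f
        offset += len(f)
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags)
            + bytes(8) + bytes(16) + payload)


def ntlmv2_blob(av_pairs, proof=bytes(16)):
    """NTLMv2_RESPONSE: fake NTProofStr, client challenge header, AV pairs, MsvAvEOL."""
    avs = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs) + struct.pack("<HH", 0, 0)
    return proof + b"\x01\x01" + bytes(6) + bytes(8) + bytes(range(8)) + bytes(4) + avs + bytes(4)


SAMPLE_V2 = build_authenticate("CORP", "jdoe", "WS-7-0042", lm=bytes(24), nt=ntlmv2_blob([
    (2, "CORP".encode("utf-16-le")), (1, "DC01".encode("utf-16-le")),
    (9, "HTTP/intranet.corp.example".encode("utf-16-le"))]))
SAMPLE_V1 = build_authenticate("CORP", "legacyapp", "WS-XP-0007", lm=bytes(range(24)), nt=bytes(range(24, 48)))
SAMPLE_V1_ESS = build_authenticate("CORP", "jdoe", "WS-7-0042", lm=bytes(range(1, 9)) + bytes(16), nt=bytes(range(24)))
SAMPLE_HEADER = "NTLM " + base64.b64encode(SAMPLE_V2).decode()

if __name__ == "__main__":
    for m in (SAMPLE_V2, SAMPLE_V1, SAMPLE_V1_ESS):
        r = parse_authenticate(m)
        print(r["domain"] + "\\" + r["user"], r["workstation"], r["variant"], r["target_name"])
```

Whatever performs the authentication (Waffle through SSPI, IIS, a domain controller reached through a wrapper like JCIFS) still has to validate the response against the account's NT hash; this parser only reads what the client claims. Treat its output as an audit signal, for example to list the clients still answering with NTLMv1 before the servers' LmCompatibilityLevel is raised, not as an authentication result.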
Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-05-21 Thread Rainer Jung
On 20.05.2009 07:20, pappu wrote:
 Chuck,
 
 ---
 
 If by Tomcat 5 you really mean Tomcat 5.0, please be aware that 5.0 has
 not been supported for quite some time.  You do need to move up.
 
 ---
 
 Yes I do mean Tomcat 5.0. The reason why we are having this version is
 because we have Business Objects (Analytics Tool) configured to run on
 tomcat and it only supports Tomcat 5.0 and Tomcat 5.5. When we did this
 about 3 yrs ago I believe only 5.0 would have been supported.
 
 Could you let me know if there is an option to resolve this error without
 doing the upgrade?

The necessary feature (bigger AJP packet sizes) has been backported to
Tomcat 5.5.

Regards,

Rainer




Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-05-21 Thread Christopher Schultz
Pappu,

On 5/20/2009 1:20 AM, pappu wrote:
 Yes I do mean Tomcat 5.0. The reason why we are having this version is
 because we have Business Objects (Analytics Tool) configured to run on
 tomcat and it only supports Tomcat 5.0 and Tomcat 5.5. When we did this
 about 3 yrs ago I believe only 5.0 would have been supported.

Tomcat 5.5 is still supported by the community. You should be able to
move up to 5.5.27 (the current 5.5.x version) and still be covered for
Business Objects.

 Could you let me know if there is an option to resolve this error without
 doing the upgrade?

Probably not.

- -chris




Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-05-19 Thread pappu

Hi,

We are running our application on Tomcat 5 and have authorization done by
IIS and have configured the IIS to tomcat communication using the
iisapi_Redirect.

We are facing this issue where we get the Request Entity too Large error
when we try for certain ids.

Since we are running on Tomcat 5 we can't do the mod_jk change. Could you
please suggest how to resolve this issue?

Thanks in Advance.
AM


baumar wrote:
 
 Hi,
 
 We are running an application on Tomcat 6. The authorization is done by
 IIS with Integrated Windows authentication selected.
 
 Whenever we try to access any page (with IE6), we get a request entity
 too large response. 
 
 We switched IIS to Basic authentication, then it works. By analyzing the
 network traffic, we saw that IIS is adding a Kerberos header with
 encrypted data and guess this data cannot be handled by the jconnector or
 Tomcat. We made a test where we switched off Tomcat and still got the same
 error, so unless we didn't get some cached reply, this means the error
 might be thrown by the jconnector, but we have no clear evidence.
 
 Did anybody encounter a similar case or know how to resolve this?
 
 Thanks 
 
 Markus
 
 
 

-- 
View this message in context: 
http://www.nabble.com/%22Request-entity-too-large%22-when-using-SSO-%28IIS-Integrated-Windows-authentication--Tomcat-%29-tp23099072p23613947.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-05-19 Thread Christopher Schultz

AM,

On 5/19/2009 6:59 AM, pappu wrote:
 We are running our application on Tomcat 5 and have authorization done by
 IIS and have configured the IIS to tomcat communication using the
 iisapi_Redirect.
 
 We are facing this issue where we get the Request Entity too Large error
 when we try for certain ids.
 
 Since we are running on Tomcat 5 we can't do the mod_jk change.

What mod_jk change? What does running Tomcat 5 (specifically) have to do
with it?

- -chris




Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-05-19 Thread pappu

Chris,



What mod_jk change? What does running Tomcat 5 (specifically) have to do
with it?

-
The Tomcat link below gives instructions on how to increase the
max_packet_size for AJP. It mentions that this is available only from
Tomcat 5.5.20+ and 6.0.2+. So, as we have Tomcat 5, we cannot change
this.
http://tomcat.apache.org/connectors-doc/reference/workers.html

I checked the isapi logs and I see the error that the HTTP method does
not allow the data transmitted, or the data volume exceeds the capacity
limit.

I somehow need to be able to pass the URL from IIS to Tomcat. If I remove
the setting for isapi_Redirect and directly use response.redirect(tomcat
url) in the ASP page it works fine, but I need the requests to be serviced
only via IIS.

-AM





RE: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-05-19 Thread Caldarale, Charles R
 From: pappu [mailto:anaga_mahade...@infosys.com]
 Subject: Re: Request entity too large when using SSO (IIS Integrated
 Windows authentication -Tomcat )
 
 So, as we have Tomcat 5, we cannot change this.

If by Tomcat 5 you really mean Tomcat 5.0, please be aware that 5.0 has not 
been supported for quite some time.  You do need to move up.

 - Chuck







RE: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-05-19 Thread pappu

Chuck,

---

If by Tomcat 5 you really mean Tomcat 5.0, please be aware that 5.0 has
not been supported for quite some time.  You do need to move up.

---

Yes I do mean Tomcat 5.0. The reason why we are having this version is
because we have Business Objects (Analytics Tool) configured to run on
Tomcat and it only supports Tomcat 5.0 and Tomcat 5.5. When we did this
about 3 yrs ago I believe only 5.0 would have been supported.

Could you let me know if there is an option to resolve this error without
doing the upgrade?

-AM





Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-04-17 Thread baumar

Hi,

We are running an application on Tomcat 6. The authorization is done by IIS
with Integrated Windows authentication selected.

Whenever we try to access any page (with IE6), we get a request entity too
large response.

We switched IIS to Basic authentication, then it works. By analyzing the
network traffic, we saw that IIS is adding a Kerberos header with encrypted
data and guess this data cannot be handled by the jconnector or Tomcat. We
made a test where we switched off Tomcat and still got the same error, so
unless we didn't get some cached reply, this means the error might be thrown
by the jconnector, but we have no clear evidence.

Did anybody encounter a similar case or know how to resolve this?

Thanks 

Markus







Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-04-17 Thread Scott Bradshaw
Markus,
  Is the header name called Authentication ?  If so, we had this exact
same issue a few years ago. The length of this HTTP header was too long for
mod_jk to process and the request was getting dropped. I think you might be
able to configure the packet size of mod_jk now to get around this problem.

Our solution a few years ago was I built an ISAPI filter that removed the
Authentication header before it was sent to Tomcat (since this wasn't
needed).

Scott

On Fri, Apr 17, 2009 at 10:46 AM, baumar mbj...@active.ch wrote:


 Hi,

 We are running an application on Tomcat 6. The authorization is done by IIS
 with Integrated Windows authentication selected.

 Whenever we try to access any page (with IE6), we get a request entity too
 large response.

 We switched IIS to Basic authentication, then it works. By analyzing the
 network traffic, we saw that IIS is adding a Kerberos header with encrypted
 data and guess this data cannot be handled by the jconnector or Tomcat. We
 made a test where we switched off Tomcat and still got the same error, so
 unless we didn't get some cached reply, this means the error might be
 thrown
 by the jconnector, but we have no clear evidence.

 Did anybody encounter a similar case or know how to resolve this?

 Thanks

 Markus






Re: Request entity too large when using SSO (IIS Integrated Windows authentication -Tomcat )

2009-04-17 Thread Rainer Jung
On 17.04.2009 16:55, Scott Bradshaw wrote:
 Markus,
   Is the header name called Authentication ?  If so, we had this exact
 same issue a few years ago. The length of this HTTP header was too long for
 mod_jk to process and the request was getting dropped. I think you might be
 able to configure the packet size of mod_jk now to get around this problem.
 
 Our solution a few years ago was I built an ISAPI filter that removed the
 Authentication header before it was sent to Tomcat (since this wasn't
 needed).

What is jconnector? Are you using the isapi redirector to connect IIS
and Tomcat (the IIS relative of mod_jk)?

If so, the whole request including headers is not allowed to exceed 8KB
(excluding any request bodies e.g. when using the POST method).

If you need to send bigger requests, you will need to use a non-standard
configuration to exceed the AJP packet size limitations of the AJP13
protocol.

Look for max_packet_size on the page

   http://tomcat.apache.org/connectors-doc/reference/workers.html

Regards,

Rainer

 On Fri, Apr 17, 2009 at 10:46 AM, baumar mbj...@active.ch wrote:
 
 Hi,

 We are running an application on Tomcat 6. The authorization is done by IIS
 with Integrated Windows authentication selected.

 Whenever we try to access any page (with IE6), we get a request entity too
 large response.

 We switched IIS to Basic authentication, then it works. By analyzing the
 network traffic, we saw that IIS is adding a Kerberos header with encrypted
 data and guess this data cannot be handled by the jconnector or Tomcat. We
 made a test where we switched off Tomcat and still got the same error, so
 unless we didn't get some cached reply, this means the error might be
 thrown
 by the jconnector, but we have no clear evidence.

 Did anybody encounter a similar case or know how to resolve this?

 Thanks

 Markus




using windows authentication through JDTS on BIRT on TOMCAT

2009-02-01 Thread hendrik susanto
Hi, I'm a newbie with Tomcat,

Can somebody help me solve my problem? I would really appreciate it, because it
has made me frustrated.

Currently I'm working with BIRT, Tomcat and MSSQL.

I use BIRT to create reports as an add-on to our ERP. We tried to use
Windows authentication as SSO in all the reports, so the roles are described
in MSSQL security and the reports' security is based only on the security from
MSSQL. I'm using jTDS as the JDBC driver because it can integrate Windows
Authentication.

When I design the report, the driver works well, so I can use MSSQL
roles as security in my report; for example, when I set that domain\user can
access the view stock, the user can access the view in the report, and when I
set that the user cannot access or execute the view or stored procedure in MSSQL,
the report cannot retrieve the data. In RCP design all works fine.

But when I copy the report to the Tomcat webapps, the driver doesn't work. The
error logs say that it couldn't authenticate the domain\user against
MSSQL, so the connection cannot be opened.

Can anyone help me with this problem?

Thanks in advance
Hendrik


Integrated Windows Authentication in Tomcat

2008-07-22 Thread Faris Ahmed
Hi,

 

I want to use Microsoft Integrated Windows Authentication based on Kerberos in 
Tomcat using Microsoft IE browsers.

I found this: http://appliedcrypto.com/files/tomcat_spnego.pdf 

 

Do you know of any other free solutions? Are there better alternatives?

Has anyone tried this before? If yes, is it working 100%? Are there problems? 

 

Kind regards

Faris Ahmed | Development Project Manager | Infor | Tel: +49 (0) 6151 866 7814 
| Fax: +49 (0) 6151 866 7088 | mailto:[EMAIL PROTECTED] 

Postal address: Infor Global Solutions Darmstadt GmbH | Landwehrstr. 50, 64293 
Darmstadt | Registered office: Darmstadt | Commercial register: Amtsgericht 
Darmstadt, HRB 5556 | Managing directors: Jochen Kasper, Uwe Richter 

 



Re: Integrated Windows Authentication in Tomcat

2008-07-22 Thread Steve Ochani
Date sent:  Tue, 22 Jul 2008 15:52:34 +0200
From:   Faris Ahmed [EMAIL PROTECTED]
Subject:Integrated Windows Authentication in Tomcat
To: users@tomcat.apache.org
Send reply to:  Tomcat Users List users@tomcat.apache.org

 Hi,



 I want to use Microsoft Integrated Windows Authentication based on
 Kerberos in Tomcat using Microsoft IE browsers.

 I found this: http://appliedcrypto.com/files/tomcat_spnego.pdf



 Do you know of any other free solutions? Are there better
 alternatives?


I haven't used this but it seems to be popular, JCIFS:


http://jcifs.samba.org/src/docs/ntlmhttpauth.html


-Steve O.



 Has anyone tried this before? If yes, is it working 100%? Are there
 problems?










-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Problem with tomcat behind IIS and modjk using integrated windows authentication

2008-04-03 Thread Martin Grüneberg
Hello,

I developed a web application with Tomcat 6.0.14 behind IIS 6 (IIS5 isolation 
mode) using mod_jk (1.2.25) and Integrated Windows Authentication.
I configured IIS and mod_jk following the descriptions in the connectors 
documentation.
For most of the users (~70%) it works without problems. The rest always gets 
"service unavailable" from IIS. Other ASP applications which are using Integrated 
Windows Authentication work for the affected users. 
I looked in the log files of IIS and mod_jk and found nothing.
I think it must have something to do with the Windows profile, because when we 
delete the Windows profile of the user (c:\Documents and Settings\user) and 
recreate it, then all works well for this user.
We don't know why this happens; we can't see a difference between working 
profiles and not working ones, e.g. the IE settings are the same. 
The problem is we cannot kill and recreate all the profiles of the affected 
users.

Thanks in advance, 
Martin
 







Re: Problem with tomcat behind IIS and modjk using integrated windows authentication

2008-04-03 Thread Mark Thomas

Martin Grüneberg wrote:

I think it must have something to do with the Windows profile, because when we delete 
the Windows profile
of the user (c:\Documents and Settings\user) and recreate it, then all works 
well for this user.
We don't know why this happens; we can't see a difference between working profiles and not working ones, e.g. the IE settings are the same. 
The problem is we cannot kill and recreate all the profiles of the affected users.


In this scenario I would suggest using one of the following to look at the 
traffic to see what the difference is, because there must be one:

- ieHttpHeaders
- TCPMon from the Apache Axis project

Mark





Re: Windows Authentication against multiple domains

2007-02-11 Thread Pulkit Singhal

I can't suggest any open-source/free products, but allow me to suggest
reading the following article if you want to roll your own solution one of
these days in the Windows world:
http://www.microsoft.com/msj/0899/kerberos/kerberos.aspx

Once you read it, I hope you will be able to see how you can put some amount
of work in from your side and leverage Kerberos as a solution across Windows
domains.

But maybe I misunderstood your problem; maybe you don't want SSO across
multiple domains. Maybe you simply want a piece of code that can connect to
multiple ADs instead of just one? I suggest a bit more clarification so that
the list readers may understand your use case.

Cheers!

On 2/9/07, Suneet Shah [EMAIL PROTECTED] wrote:


Hello,
We have this capability in our open source identity and access management
solution, where you can use more than one repository for
authentication. You may be able to use just the authentication service, as
taking on the rest of it may be more than what you need.  The project is
OpenIAM on SourceForge. We will be putting out a new release this weekend. If
you are interested in taking a look, let me know and I can send you a
link.

Regards
Suneet



On 2/9/07, Uwe_77 [EMAIL PROTECTED] wrote:


 Sure, I will let you know. Perhaps we need third party tools. Does
 someone
 know a solution?







Windows Authentication against multiple domains

2007-02-09 Thread kbpo4
Hi,
 
I have a Tomcat web application and logon needs to be done via
Windows authentication (LDAP). I configured authentication against LDAP,
and that works fine for one domain. The problem is that we have users in
multiple domains. Is there a way to configure authentication against the
whole Active Directory forest?
 
Thanks for your help!
 
Uwe
 


RE: Windows Authentication against multiple domains

2007-02-09 Thread Propes, Barry L [GCG-NAOT]
If you find out, please let me know... I'm barking up that tree, too.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 09, 2007 4:50 PM
To: users@tomcat.apache.org
Subject: Windows Authentication against multiple domains


Hi,
 
I have a Tomcat web application and logon needs to be done via
Windows authentication (LDAP). I configured authentication against LDAP,
and that works fine for one domain. The problem is that we have users in
multiple domains. Is there a way to configure authentication against the
whole Active Directory forest?
 
Thanks for your help!
 
Uwe
 




RE: Windows Authentication against multiple domains

2007-02-09 Thread Uwe_77

Sure, I will let you know. Perhaps we need third party tools. Does someone
know a solution?





Re: Windows Authentication against multiple domains

2007-02-09 Thread Suneet Shah

Hello,
We have this capability in our open source identity and access management
solution, where you can use more than one repository for
authentication. You may be able to use just the authentication service, as
taking on the rest of it may be more than what you need.  The project is
OpenIAM on SourceForge. We will be putting out a new release this weekend. If
you are interested in taking a look, let me know and I can send you a link.

Regards
Suneet



On 2/9/07, Uwe_77 [EMAIL PROTECTED] wrote:



Sure, I will let you know. Perhaps we need third party tools. Does
someone
know a solution?






RE: Windows Authentication against multiple domains

2007-02-09 Thread John Najarian
I am yet another barking up that tree.
--- Propes, Barry L [GCG-NAOT]
[EMAIL PROTECTED] wrote:

 If you find out, please let me know... I'm barking up
 that tree, too.
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Friday, February 09, 2007 4:50 PM
 To: users@tomcat.apache.org
 Subject: Windows Authentication against multiple
 domains
 
 
 Hi,
 
 I have a Tomcat web application and logon needs to be done via
 Windows authentication (LDAP). I configured authentication against LDAP,
 and that works fine for one domain. The problem is that we have users in
 multiple domains. Is there a way to configure authentication against the
 whole Active Directory forest?
 
 Thanks for your help!
 
 Uwe
 
 
