I need some ideas about what's wrong with my Tomcat configuration for Windows authentication. I followed the Tomcat Windows authentication tutorial and used the "manager" web application that comes with Tomcat to do a PoC. In my web.xml I changed

    <auth-method>BASIC</auth-method>

to

    <auth-method>SPNEGO</auth-method>

and also changed the auth-constraint to the following:

    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
This is my krb5.ini:

    [libdefaults]
    default_realm = ACME
    default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

    [realms]
    ACME = {
        kdc = AD-Server:88
    }

    [domain_realm]
    acme = ACME
    .acme = ACME
This is my jaas.conf:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        principal="HTTP/Client2@ACME"
        useKeyTab=true
        keyTab="C:/tomcat/conf/tomcat.keytab"
        //useTicketCache=true
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        principal="HTTP/Client2@ACME"
        useKeyTab=true
        keyTab="C:/tomcat/conf/tomcat.keytab"
        //useTicketCache=true
        storeKey=true;
    };
The weird thing is that, regardless of what username and password I put in when I access the Tomcat manager web app, the debug messages shown are the same:
    Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    >>> KeyTabInputStream, readName(): acme
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): Client2
    >>> KeyTab: load() entry length: 52; type: 23
    Looking for keys for: HTTP/Client2@ACME
    Java config name: C:\tomcat\conf\krb5.ini
    Loaded from Java config
    Added key: 23version: 0
    >>> KdcAccessibility: reset
    Looking for keys for: HTTP/Client2@ACME
    Added key: 23version: 0
    default etypes for default_tkt_enctypes: 23 17.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
    >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
    >>> KrbKdcReq send: #bytes read=538
    >>> KdcAccessibility: remove AD-Server:88
    Looking for keys for: HTTP/Client2@ACME
    Added key: 23version: 0
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
    principal is HTTP/Client2@ACME
    Will use keytab
    Commit Succeeded
    Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
    Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
    Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
    Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
    Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
    [Krb5LoginModule]: Entering logout
    [Krb5LoginModule]: logged out Subject
I added this in my server.xml:

    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
    </Realm>
When I try to log in, it doesn't seem to recognize the valid credentials. The app keeps asking me to enter valid credentials. What do I need to change to make it work?
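A check worth making at this point, added here by the editor and not code from the thread, from Tomcat or from the JDK: the Krb5LoginModule output above is the login of the service principal HTTP/Client2@ACME from the keytab, which Tomcat's SPNEGO authenticator performs the same way on every request, so it says nothing about what the browser sent. Java GSS has no NTLM mechanism and Tomcat's SpnegoAuthenticator rejects NTLMSSP tokens, and a browser that cannot obtain a service ticket for the SPN falls back to NTLM, which from the user's side looks exactly like an endless credential prompt. Decoding the Authorization: Negotiate header the browser actually sends (take it from a browser developer-tools capture or a Tomcat access log with the header enabled) shows which case you are in. The decoder below is self-contained Python; the two sample headers are constructed for the example, not captured from this thread, and the OID table holds the standard GSS mechanism OIDs.

```python
import base64
# Standard GSS-API mechanism OIDs a browser can place in a Negotiate token.
OID_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KERBEROS_NAMES = {"Kerberos V5", "MS Kerberos V5 (legacy OID)"}

def der_encode_oid(dotted):
    # Dotted OID string -> DER OBJECT IDENTIFIER contents (base-128 arcs, no tag/length).
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def der_decode_oid(raw):
    # DER OID contents -> dotted string (inverse of der_encode_oid).
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def der_tlv(tag, body):
    # DER tag + length + body (single-byte tags, which is all SPNEGO uses).
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def der_read_tlv(buf, pos):
    # Read one DER element at buf[pos]; return (tag, contents, position after it).
    tag, first = buf[pos], buf[pos + 1]
    nb = first & 0x7F if first & 0x80 else 0
    length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big") if nb else first
    end = pos + 2 + nb + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + 2 + nb:end], end

def parse_negotiate_header(header_value):
    # Classify an "Authorization: Negotiate <base64>" value; for a SPNEGO NegTokenInit,
    # mech_types lists the offered mechanisms in the client's preference order.
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64) if scheme.lower() == "negotiate" else b""
    result = {"mech": "unknown", "mech_types": []}
    if raw.startswith(b"NTLMSSP\x00"):
        # Bare NTLMSSP message: Java GSS has no NTLM mechanism and Tomcat rejects it outright.
        result["mech"] = "NTLMSSP"
        result["ntlm_message_type"] = int.from_bytes(raw[8:12], "little")  # 1 = NEGOTIATE
        return result
    if not raw or raw[0] != 0x60:
        return result
    # RFC 2743 InitialContextToken: [APPLICATION 0] { thisMech OID, innerContextToken }
    _, body, _ = der_read_tlv(raw, 0)
    tag, oid_bytes, pos = der_read_tlv(body, 0)
    mech_oid = der_decode_oid(oid_bytes) if tag == 0x06 else "?"
    result["mech"] = OID_NAMES.get(mech_oid, mech_oid)
    if mech_oid == "1.3.6.1.5.5.2":
        # RFC 4178: [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
        tag, choice, _ = der_read_tlv(body, pos)
        if tag == 0xA0:
            _, seq, _ = der_read_tlv(choice, 0)
            tag, ctx0, _ = der_read_tlv(seq, 0)
            if tag == 0xA0:
                _, mech_list, _ = der_read_tlv(ctx0, 0)
                p = 0
                while p < len(mech_list):
                    _, oid, p = der_read_tlv(mech_list, p)
                    result["mech_types"].append(OID_NAMES.get(der_decode_oid(oid), der_decode_oid(oid)))
    return result

def offers_kerberos(parsed):
    # True if a Kerberos-only acceptor (Java GSS behind Tomcat) can complete this token.
    return parsed["mech"] in KERBEROS_NAMES or any(m in KERBEROS_NAMES for m in parsed["mech_types"])

def build_spnego_header(mech_oids, mech_token=b"\x00\x00\x00\x00"):
    # Header carrying a minimal NegTokenInit; used for constructed samples, not a real capture.
    mech_types = der_tlv(0x30, b"".join(der_tlv(0x06, der_encode_oid(o)) for o in mech_oids))
    neg_init = der_tlv(0x30, der_tlv(0xA0, mech_types) + der_tlv(0xA2, der_tlv(0x04, mech_token)))
    token = der_tlv(0x60, der_tlv(0x06, der_encode_oid("1.3.6.1.5.5.2")) + der_tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples: a client with a service ticket offers Kerberos first; one without sends NTLMSSP.
SAMPLE_KERBEROS_HEADER = build_spnego_header(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\x00" + b"\x00" * 16).decode()
```

Feed parse_negotiate_header the real header value and look at offers_kerberos: a bare NTLMSSP token, or a SPNEGO token whose mech_types contain only NTLMSSP, means the client never obtained a ticket for HTTP/Client2, and the fix is on the client or SPN side (the SPN must be registered on the account behind the keytab and the site must be in a zone the browser trusts for integrated authentication), not in the realm configuration.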
Date: Wed, 15 Oct 2014 00:56:33 -0700
From: ml-node+s10n5023861...@n6.nabble.com
To: ming...@outlook.com
Subject: Re: Tomcat windows authentication domain login issue
On 15.10.2014 at 03:48, tantaryu wrote:
> Okay, now I tried with an email client. Let's see if it works.
Could you try to add the missing newlines? It is really hard to read the
text without them.
Regards,
Felix
Date: Tue, 14 Oct 2014 18:03:07 -0700
From: [hidden email]
To: [hidden email]
Subject: RE: Tomcat windows authentication domain login issue
> From: tantaryu [mailto:[hidden email]]
Subject: Re: Tomcat windows authentication domain login issue
Let me know if you can still read it. I didn't check the "Message is in
HTML Format" option.
It didn't help. Don't use Nabble - post to the user's list directly from an
e-mail client.
- Chuck
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
--
View this message in context:
http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023855.html
Sent from the Tomcat - User mailing list archive at Nabble.com.