Okay, this might sound funny. But how do I add newlines?

Date: Wed, 15 Oct 2014 01:37:42 -0700
From: ml-node+s10n5023863...@n6.nabble.com
To: ming...@outlook.com
Subject: Re: Tomcat windows authentication domain login issue

On 15.10.2014 at 10:22, tantaryu wrote:
>> Let's hope it works this time.

If this was your try to add newlines, then I think it failed.

Felix

>> I need some idea on what's wrong with my tomcat configuration for windows
>> authentication. I followed the tomcat windows authentication tutorial and
>> used the "manager" web application that comes with tomcat to do a poc. In my
>> web.xml I changed
>>
>>     <auth-method>BASIC</auth-method>
>>
>> to
>>
>>     <auth-method>SPNEGO</auth-method>
>>
>> and also changed the auth-constraint to the following
>>
>>     <auth-constraint>
>>       <role-name>*</role-name>
>>     </auth-constraint>
>>
>> This is my krb5.ini
>>
>>     [libdefaults]
>>     default_realm = ACME
>>     default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
>>     default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>     default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>     forwardable=true
>>
>>     [realms]
>>     ACME = {
>>         kdc = AD-Server:88
>>     }
>>
>>     [domain_realm]
>>     acme= ACME
>>     .acme= ACME
>>
>> This is my jaas.conf
>>
>>     com.sun.security.jgss.krb5.initiate {
>>         com.sun.security.auth.module.Krb5LoginModule required
>>         debug=true
>>         doNotPrompt=true
>>         principal="HTTP/Client2@ACME"
>>         useKeyTab=true
>>         keyTab="C:/tomcat/conf/tomcat.keytab"
>>         //useTicketCache=true
>>         storeKey=true;
>>     };
>>     com.sun.security.jgss.krb5.accept {
>>         com.sun.security.auth.module.Krb5LoginModule required
>>         debug=true
>>         doNotPrompt=true
>>         principal="HTTP/Client2@ACME"
>>         useKeyTab=true
>>         keyTab="C:/tomcat/conf/tomcat.keytab"
>>         //useTicketCache=true
>>         storeKey=true;
>>     };
>>
>> The weird thing is regardless of what username and password I put in when I
>> accessed the tomcat manager web-app the debug message shown is the same.
>>
>>     Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>     >>> KeyTabInputStream, readName(): acme
>>     >>> KeyTabInputStream, readName(): HTTP
>>     >>> KeyTabInputStream, readName(): Client2
>>     >>> KeyTab: load() entry length: 52; type: 23
>>     Looking for keys for: HTTP/Client2@ACME
>>     Java config name: C:\tomcat\conf\krb5.ini
>>     Loaded from Java config
>>     Added key: 23version: 0
>>     >>> KdcAccessibility: reset
>>     Looking for keys for: HTTP/Client2@ACME
>>     Added key: 23version: 0
>>     default etypes for default_tkt_enctypes: 23 17.
>>     >>> KrbAsReq creating message
>>     >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>>     >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>>     >>> KrbKdcReq send: #bytes read=538
>>     >>> KdcAccessibility: remove AD-Server:88
>>     Looking for keys for: HTTP/Client2@ACME
>>     Added key: 23version: 0
>>     >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>     >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
>>     principal is HTTP/Client2@ACME
>>     Will use keytab
>>     Commit Succeeded
>>
>>     Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>     Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>     Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>     Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>     Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
>>     [Krb5LoginModule]: Entering logout
>>     [Krb5LoginModule]: logged out Subject
>>
>> I added this in my server.xml
>>
>>     <Realm className="org.apache.catalina.realm.LockOutRealm">
>>       <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
>>     </Realm>
>>
>> When I tried to log in, it doesn't seem to recognize the valid credential. The
>> app keeps on asking me to enter a valid credential. What do I need to change
>> to make it work?

> Date: Wed, 15 Oct 2014 00:56:33 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Tomcat windows authentication domain login issue
>
> On 15.10.2014 at 03:48, tantaryu wrote:
>> Okay, now I tried with an email client. Let's see if it works.
>
> Could you try to add the missing newlines? It is really hard to read the
> text without them.
>
> Regards
> Felix
>
>> Date: Tue, 14 Oct 2014 18:03:07 -0700
>> From: [hidden email]
>> To: [hidden email]
>> Subject: RE: Tomcat windows authentication domain login issue
>>
>>> From: tantaryu [mailto:[hidden email]]
>>> Subject: Re: Tomcat windows authentication domain login issue
>>
>>> Let me know if you can read it still. I didn't check the "Message is in
>>> HTML Format" option.
>>
>> It didn't help. Don't use Nabble - post to the user's list directly from an
>> e-mail client.
>>
>> - Chuck