On 15 October 2014 11:05:59 CEST, tantaryu <ming...@outlook.com> wrote:
>Okay, this might sound funny. But how do I add newlines?
I don't know how to do it in your mail client. But generally I would try to configure it to not use html (only). You could try another mail client or provider. Maybe it has saner defaults.

Regards
 Felix

>
>Date: Wed, 15 Oct 2014 01:37:42 -0700
>From: ml-node+s10n5023863...@n6.nabble.com
>To: ming...@outlook.com
>Subject: Re: Tomcat windows authentication domain login issue
>
> On 15.10.2014 at 10:22, tantaryu wrote:
>
>>> Let's hope it works this time.
>
>If this was your try to add newlines, then I think it failed.
>
>Felix
>
>>> I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the "manager" web application that comes with tomcat to do a poc. In my web.xml I changed
>>>   <auth-method>BASIC</auth-method>
>>> to
>>>   <auth-method>SPNEGO</auth-method>
>>> and also changed the auth-constraint to the following
>>>   <auth-constraint>
>>>     <role-name>*</role-name>
>>>   </auth-constraint>
>
>>> This is my krb5.ini
>>>   [libdefaults]
>>>   default_realm = ACME
>>>   default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
>>>   default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>   default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>   forwardable=true
>>>   [realms]
>>>   ACME = {
>>>     kdc = AD-Server:88
>>>   }
>>>   [domain_realm]
>>>   acme= ACME
>>>   .acme= ACME
>
>>> This is my jaas.conf
>>>   com.sun.security.jgss.krb5.initiate {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     debug=true
>>>     doNotPrompt=true
>>>     principal="HTTP/Client2@ACME"
>>>     useKeyTab=true
>>>     keyTab="C:/tomcat/conf/tomcat.keytab"
>>>     //useTicketCache=true
>>>     storeKey=true;
>>>   };
>>>   com.sun.security.jgss.krb5.accept {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     debug=true
>>>     doNotPrompt=true
>>>     principal="HTTP/Client2@ACME"
>>>     useKeyTab=true
>>>     keyTab="C:/tomcat/conf/tomcat.keytab"
>>>     //useTicketCache=true
>>>     storeKey=true;
>>>   };
>
>>> The weird thing is that, regardless of what username and password I put in when I accessed the tomcat manager web-app, the debug message shown is the same.
>
>>>   Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>   >>> KeyTabInputStream, readName(): acme
>>>   >>> KeyTabInputStream, readName(): HTTP
>>>   >>> KeyTabInputStream, readName(): Client2
>>>   >>> KeyTab: load() entry length: 52; type: 23
>>>   Looking for keys for: HTTP/Client2@ACME
>>>   Java config name: C:\tomcat\conf\krb5.ini
>>>   Loaded from Java config
>>>   Added key: 23version: 0
>>>   >>> KdcAccessibility: reset
>>>   Looking for keys for: HTTP/Client2@ACME
>>>   Added key: 23version: 0
>>>   default etypes for default_tkt_enctypes: 23 17.
>>>   >>> KrbAsReq creating message
>>>   >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>>>   >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>>>   >>> KrbKdcReq send: #bytes read=538
>>>   >>> KdcAccessibility: remove AD-Server:88
>>>   Looking for keys for: HTTP/Client2@ACME
>>>   Added key: 23version: 0
>>>   >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>   >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
>>>   principal is HTTP/Client2@ACME
>>>   Will use keytab
>>>   Commit Succeeded
>
>>>   Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>   Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>   Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>>   Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>>   Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
>>>     [Krb5LoginModule]: Entering logout
>>>     [Krb5LoginModule]: logged out Subject
>
>>> I added this in my server.xml
>>>   <Realm className="org.apache.catalina.realm.LockOutRealm">
>>>     <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
>>>   </Realm>
>
>>> When I tried to log in, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
>
>> Date: Wed, 15 Oct 2014 00:56:33 -0700
>> From: [hidden email]
>> To: [hidden email]
>> Subject: Re: Tomcat windows authentication domain login issue
>>
>> On 15.10.2014 at 03:48, tantaryu wrote:
>>
>>> Okay, now I tried with an email client. Let's see if it works.
>
>>> I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the "manager" web application that comes with tomcat to do a poc. In my web.xml I changed <auth-method>BASIC</auth-method> to <auth-method>SPNEGO</auth-method> and also changed the auth-constraint to the following <auth-constraint><role-name>*</role-name></auth-constraint>.
>
>>> This is my krb5.ini
>>>   [libdefaults]
>>>   default_realm = ACME
>>>   default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
>>>   default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>   default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>   forwardable=true
>>>   [realms]
>>>   ACME = {
>>>     kdc = AD-Server:88
>>>   }
>>>   [domain_realm]
>>>   acme= ACME
>>>   .acme= ACME
>
>>> This is my jaas.conf
>>>   com.sun.security.jgss.krb5.initiate {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     debug=true
>>>     doNotPrompt=true
>>>     principal="HTTP/Client2@ACME"
>>>     useKeyTab=true
>>>     keyTab="C:/tomcat/conf/tomcat.keytab"
>>>     //useTicketCache=true
>>>     storeKey=true;
>>>   };
>>>   com.sun.security.jgss.krb5.accept {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     debug=true
>>>     doNotPrompt=true
>>>     principal="HTTP/Client2@ACME"
>>>     useKeyTab=true
>>>     keyTab="C:/tomcat/conf/tomcat.keytab"
>>>     //useTicketCache=true
>>>     storeKey=true;
>>>   };
>
>>> The weird thing is that, regardless of what username and password I put in when I accessed the tomcat manager web-app, the debug message shown is the same.
>
>>>   Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>   >>> KeyTabInputStream, readName(): acme
>>>   >>> KeyTabInputStream, readName(): HTTP
>>>   >>> KeyTabInputStream, readName(): Client2
>>>   >>> KeyTab: load() entry length: 52; type: 23
>>>   Looking for keys for: HTTP/Client2@ACME
>>>   Java config name: C:\tomcat\conf\krb5.ini
>>>   Loaded from Java config
>>>   Added key: 23version: 0
>>>   >>> KdcAccessibility: reset
>>>   Looking for keys for: HTTP/Client2@ACME
>>>   Added key: 23version: 0
>>>   default etypes for default_tkt_enctypes: 23 17.
>>>   >>> KrbAsReq creating message
>>>   >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>>>   >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>
>> Could you try to add the missing newlines? It is really hard to read the text without them.
>>
>> Regards
>>  Felix
>>
>>>   >>> KrbKdcReq send: #bytes read=538
>>>   >>> KdcAccessibility: remove AD-Server:88
>>>   Looking for keys for: HTTP/Client2@ACME
>>>   Added key: 23version: 0
>>>   >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>   >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
>>>   principal is HTTP/Client2@ACME
>>>   Will use keytab
>>>   Commit Succeeded
>
>>>   Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>   Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>   Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>>   Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>>   Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
>>>     [Krb5LoginModule]: Entering logout
>>>     [Krb5LoginModule]: logged out Subject
>
>>> I added this in my server.xml
>>>   <Realm className="org.apache.catalina.realm.LockOutRealm">
>>>     <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
>>>   </Realm>
>
>>> When I tried to log in, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
>
>>> Date: Tue, 14 Oct 2014 18:03:07 -0700
>>> From: [hidden email]
>>> To: [hidden email]
>>> Subject: RE: Tomcat windows authentication domain login issue
>>>
>>> > From: tantaryu [mailto:[hidden email]]
>>> > Subject: Re: Tomcat windows authentication domain login issue
>>>
>>> > Let me know if you can read it still. I didn't check the "Message is in
>>> > HTML Format" option.
>>>
>>> It didn't help. Don't use Nabble - post to the user's list directly from an e-mail client.
>>>
>>> - Chuck
>>>
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
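
An added example, not part of the thread and not Tomcat's own code: a Python check over the krb5.ini enctype settings and the Krb5LoginModule debug lines quoted above. It reports where rc4-hmac (etype 23, deprecated by RFC 8429) is the first preference or the only keytab key, and where a configured enctype is absent from the effective list the JVM printed. The sample strings are constructed from the quoted lines, and the function names are hypothetical.

```python
import re

# Kerberos etype numbers for the enctype names used in the quoted krb5.ini.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NUMBER = {name: num for num, name in ETYPES.items()}
WEAK = {23}  # rc4-hmac, deprecated by RFC 8429

# Constructed samples, copied from the settings and debug lines quoted in the thread.
KRB5_INI = """\
[libdefaults]
default_realm = ACME
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
"""
DEBUG_LOG = """\
>>> KeyTab: load() entry length: 52; type: 23
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
"""

def configured_etypes(ini_text):
    """Map each default_*_enctypes setting to its names, in preference order."""
    found = {}
    pattern = r"^[ \t]*(default_t(?:kt|gs)_enctypes)[ \t]*=[ \t]*(.+)$"
    for key, value in re.findall(pattern, ini_text, re.M):
        found[key] = [n for n in re.split(r"[,\s]+", value.strip()) if n]
    return found

def audit(ini_text, log_text):
    """Return findings about weak or silently dropped enctypes."""
    findings = []
    cfg = configured_etypes(ini_text)
    for key, order in cfg.items():
        if order and NUMBER.get(order[0]) in WEAK:
            findings.append(f"{key}: {order[0]} is the first preference")
    keytab = {int(t) for t in re.findall(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", log_text)}
    if keytab and keytab <= WEAK:
        findings.append("keytab: only rc4-hmac keys loaded")
    eff = re.search(r"default etypes for default_tkt_enctypes:((?: \d+)+)", log_text)
    if eff:
        effective = {int(n) for n in eff.group(1).split()}
        wanted = {NUMBER[n] for n in cfg.get("default_tkt_enctypes", []) if n in NUMBER}
        for num in sorted(wanted - effective):
            findings.append(f"default_tkt_enctypes: {ETYPES[num]} configured but not effective")
    return findings

if __name__ == "__main__":
    for line in audit(KRB5_INI, DEBUG_LOG):
        print(line)
```

On Java runtimes of that period, a configured aes256 enctype missing from the effective list typically means the unlimited-strength JCE policy files are not installed.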