Hello,

We have spent a long time now trying to set up Apache Tomcat with Windows
Authentication.
We followed the instructions as per
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot
make it work properly: the logon dialog keeps appearing and trying to log on
fails.
In addition to that, we tried suggestions like adding the registry key
AllowTgtSessionKey and setting it to 0x01.
It seems like we are close, but we are missing something (see Tomcat output below).
Does anyone have more complete documentation or any suggestions on how
to make this work?


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 R2 SP1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080
(have created SPN with and without the port number, does not make a difference)

Test is done with user testu...@assai.nl in IE11 on
different machines, with http://v3tcat4ad.assai.nl explicitly added to the
Intranet sites.



Tomcat Output:

>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
            suSec is 403143
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
            suSec is 996893
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
            suSec is 543768
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
            suSec is 715643
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
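
A triage sketch for JDK Kerberos debug output of this shape, added here as an example and not part of the original post: it groups each AS exchange so that error code 25 (KDC_ERR_PREAUTH_REQUIRED, the KDC's normal answer to a first AS-REQ sent without pre-authentication) is kept apart from real login failures, and it reports the keytab encryption types and how often the Kerberos acceptor was entered. The function name `summarize` and the `SAMPLE` text are assumptions made for illustration.

```python
import re

# Kerberos encryption type numbers as they are printed in the debug output.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
PREAUTH_REQUIRED = 25  # KDC_ERR_PREAUTH_REQUIRED: normal answer to the first AS-REQ

# Constructed sample, shaped like the output above (not a copy of the poster's log).
SAMPLE = """\
>>> KeyTab: load() entry length: 72; type: 23
>>> KrbAsReq creating message
>>>KRBError:
            error code is 25
            error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> KrbAsReq creating message
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Entered Krb5Context.acceptSecContext with state=STATE_NEW
"""

def summarize(log):
    """Group AS exchanges and separate the expected error 25 from real failures."""
    out = {"keytab_etypes": set(), "logins": [], "accept_calls": 0}
    preauth_rounds, pending = 0, False
    for raw in log.splitlines():
        line = raw.strip()
        if m := re.match(r">>> KeyTab: load\(\) entry length: \d+; type: (\d+)", line):
            n = int(m.group(1))
            out["keytab_etypes"].add(ETYPES.get(n, f"etype-{n}"))
        elif line.startswith(">>> KrbAsReq creating message"):
            pending = True
        elif m := re.match(r"error code is (\d+)", line):
            code = int(m.group(1))
            if code == PREAUTH_REQUIRED:
                preauth_rounds += 1          # client resends with PA-ENC-TIMESTAMP
            else:                            # any other KRB-ERROR ends the login attempt
                out["logins"].append({"ok": False, "principal": None, "error": code})
                preauth_rounds, pending = 0, False
        elif m := re.match(r">>> KrbAsRep cons in KrbAsReq\.getReply (\S+)", line):
            out["logins"].append({"ok": True, "principal": m.group(1),
                                  "preauth_rounds": preauth_rounds})
            preauth_rounds, pending = 0, False
        elif line.startswith("Entered Krb5Context.acceptSecContext"):
            out["accept_calls"] += 1         # Kerberos acceptor invoked on a client token
    if pending:                              # AS-REQ sent, log ends without an AS-REP
        out["logins"].append({"ok": False, "principal": None, "error": None})
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A login entry with `ok: True` and `preauth_rounds: 1` means the service account obtained its ticket from the keytab, so the cause of a repeating logon dialog has to be sought after that step.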
