Hello,

We have spent a long time now trying to set up Apache Tomcat with Windows Authentication. We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html, but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails. In addition to that we tried suggestions like adding the registry key AllowTgtSessionKey and setting it to 0x01. It seems like we are close but we are missing something (see Tomcat output below). Does anyone have more complete documentation or any suggestions on how to make this work?
Kind regards,
Philippe Wijdh

Extra information on the setup:
Windows 2008 R2 SP1
Apache Tomcat 7.0.54
jdk1.7.0_60
Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created the SPN with and without the port number, does not make a difference)
Test is done with user testu...@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

Tomcat Output:

>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError: sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000 suSec is 403143 error code is 25 error Message is Additional pre-authentication required realm is ASSAI.NL sname is krbtgt/ASSAI.NL eData provided. msgType is 30
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError: sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000 suSec is 996893 error code is 25 error Message is Additional pre-authentication required realm is ASSAI.NL sname is krbtgt/ASSAI.NL eData provided. msgType is 30
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError: sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000 suSec is 543768 error code is 25 error Message is Additional pre-authentication required realm is ASSAI.NL sname is krbtgt/ASSAI.NL eData provided. msgType is 30
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError: sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000 suSec is 715643 error code is 25 error Message is Additional pre-authentication required realm is ASSAI.NL sname is krbtgt/ASSAI.NL eData provided. msgType is 30
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of
>>> retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1,
>>> #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
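Added example, not part of the post above: a small Python triage script for the kind of Java krb5 debug trace quoted there. It rebuilds the keytab principal from the readName() lines, collects the keytab key types and KDC error codes, and flags the two things worth checking first in such a trace: a keytab service name that carries a port (the browser requests a ticket for HTTP/<host> without one) and a keytab holding only RC4-HMAC (etype 23) keys. The sample trace is a constructed, abridged excerpt of the output above; the etype and error-code numbers are the standard Kerberos values.

```python
import re

# Constructed, abridged excerpt of the Java krb5 debug trace quoted in the post above.
SAMPLE_TRACE = """\
>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
default etypes for default_tkt_enctypes: 23 18 17.
>>>KRBError: sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000 suSec is 403143 error code is 25 error Message is Additional pre-authentication required realm is ASSAI.NL sname is krbtgt/ASSAI.NL eData provided. msgType is 30
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Entered Krb5Context.acceptSecContext with state=STATE_NEW
"""

# Kerberos encryption type numbers (RFC 3961 for AES, RFC 4757 for RC4-HMAC).
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
RC4_HMAC = 23
KDC_ERR_PREAUTH_REQUIRED = 25  # the KDC's normal "send PA-ENC-TIMESTAMP" reply, not a failure

def keytab_principal(trace):
    """Rebuild the keytab principal: readName() logs the realm first, then each name component."""
    names = re.findall(r"KeyTabInputStream, readName\(\): (\S+)", trace)
    if len(names) < 2:
        return None
    return "/".join(names[1:]) + "@" + names[0]

def triage(trace):
    """Parse the trace and return the facts plus the findings a reviewer would check first."""
    principal = keytab_principal(trace)
    etypes = sorted({int(t) for t in re.findall(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", trace)})
    kdc_errors = [int(c) for c in re.findall(r"KRBError: .*?error code is (\d+)", trace)]
    accept_calls = len(re.findall(r"Entered Krb5Context\.acceptSecContext", trace))
    findings = []
    if principal and ":" in principal.split("@")[0]:
        findings.append("spn-has-port: browsers ask the KDC for HTTP/<host> without a port, so the "
                        "keytab must also hold an entry named exactly HTTP/<host>")
    if etypes == [RC4_HMAC]:
        findings.append("rc4-only-keytab: the only key type is rc4-hmac (etype 23); no AES keys present")
    if set(kdc_errors) == {KDC_ERR_PREAUTH_REQUIRED} and "KrbAsRep cons" in trace:
        findings.append("preauth-required-is-normal: error 25 was answered by a re-sent AS-REQ that got "
                        "an AS-REP, so the KDC accepts the service account's own key from the keytab")
    return {"principal": principal, "keytab_etypes": [ETYPE_NAMES.get(e, str(e)) for e in etypes],
            "kdc_errors": kdc_errors, "accept_sec_context_calls": accept_calls, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run it against a full trace captured with -Dsun.security.krb5.debug=true (as in the post) by reading the log file into triage() instead of SAMPLE_TRACE.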