On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p.wi...@assai.nl> wrote:
>Hello,
>
>We have spent a long time now, trying to set up Apache Tomcat with
>Windows Authentication.
>We followed the instructions as per
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
>cannot make it work properly, the logon dialog keeps appearing and
>trying to log on fails.
>In addition to that we tried suggestions, like adding the registry key
>AllowTgtSessionKey and setting it to 0x01

Haven't seen that recommendation in the tomcat documentation.

>Seems like we are close but we are missing something (see tomcat output
>below)
>Does anyone have a more complete documentation or have any suggestions
>on how to make this work?
>
>
>Kind regards,
>
>Philippe Wijdh
>
>
>
>Extra information on the setup:
>
>Windows 2008 r2 sp1
>Apache Tomcat 7.0.54
>jdk1.7.0_60
>
>Tomcat is running as a service using account
>HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
>port number, does not make a difference)

You will have to use the spn without the port.

>
>Test is done with user testu...@assai.nl in
>IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
>added to the Intranet sites.
>
>
>
>Tomcat Output:
>
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080

What is inside your keytab?

>>>> KeyTab: load() entry length: 72; type: 23
>Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
>Loaded from Java config
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>        PA-DATA type = 11
>        PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>        PA-DATA type = 19
>        PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>        PA-DATA type = 2
>        PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>        PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>        PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>        sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>        suSec is 403143
>        error code is 25
>        error Message is Additional pre-authentication required
>        realm is ASSAI.NL
>        sname is krbtgt/ASSAI.NL
>        eData provided.
>        msgType is 30
>>>>Pre-Authentication Data:
>        PA-DATA type = 11
>        PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>        PA-DATA type = 19
>        PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>        PA-DATA type = 2
>        PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>        PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>        PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there.

Regards
 Felix

>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
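The thread turns on what principal the keytab actually holds: the trace shows the host component read back as v3tcat4ad.assai.nl:8080, and Felix's point is that an HTTP SPN must not carry a port. As an added example (not from the thread, Tomcat or the JDK), the Python below builds a constructed MIT-format keytab (version 0x0502, the layout the JDK's KeyTabInputStream reads), parses the entries back and flags any HTTP principal whose host component contains a port; the key bytes are a constructed sample, and with the names from the trace the parsed entry comes out at the same 72-byte length the log reports.

```python
import struct

# Constructed 16-byte sample key for etype 23 (RC4-HMAC); not anyone's real key material.
DUMMY_KEY = bytes(range(16))

def build_keytab(entries):
    """Serialise (realm, components, etype, key, kvno) tuples as an MIT keytab, version 0x0502."""
    out = bytearray(b"\x05\x02")
    for realm, components, etype, key, kvno in entries:
        body = struct.pack(">H", len(components))
        for s in [realm] + components:              # realm first, then the principal components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno)     # name type NT-PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">HH", etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body  # big-endian entry size, then the entry
    return bytes(out)

def parse_keytab(data):
    """Return one dict per entry; a negative size marks a deleted slot and is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:
            pos += -size
            continue
        p = pos
        ncomp = struct.unpack(">H", data[p:p + 2])[0]
        p += 2
        names = []
        for _ in range(ncomp + 1):                  # realm plus ncomp components
            n = struct.unpack(">H", data[p:p + 2])[0]
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        p += 8                                      # skip name type and timestamp
        kvno = data[p]
        etype, klen = struct.unpack(">HH", data[p + 1:p + 5])
        entries.append({"realm": names[0], "components": names[1:],
                        "etype": etype, "kvno": kvno, "keylen": klen, "size": size})
        pos += size
    return entries

def spn_problems(entries):
    """Report HTTP principals whose host component carries a ':port' suffix."""
    return ["HTTP/%s@%s" % (e["components"][1], e["realm"]) for e in entries
            if len(e["components"]) == 2 and e["components"][0] == "HTTP"
            and ":" in e["components"][1]]
```

Run against a real keytab, `spn_problems(parse_keytab(open(path, "rb").read()))` lists exactly the entries that will make the KDC and the browser disagree about the service name.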