On 22/10/2014 10:40, Philippe Wijdh wrote:
> Hello,
> 
> We have spent a long time now trying to set up Apache Tomcat with Windows 
> Authentication.
> We followed the instructions as per 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
> make it work properly: the logon dialog keeps appearing, and trying to log on 
> fails.
> In addition to that, we tried suggestions like adding the registry key 
> AllowTgtSessionKey and setting it to 0x01.
> Seems like we are close but we are missing something (see Tomcat output below).
> Does anyone have more complete documentation or any suggestions on how 
> to make this work?

The documentation is complete. If you follow the steps in that document
then you will end up with a working system.

Either you aren't following the documentation or something in your
environment differs from that described in the document.

> Kind regards,
> 
> Philippe Wijdh
> 
> 
> 
> Extra information on the setup:
> 
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> 
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 
> (we have created the SPN with and without the port number; it does not make a 
> difference)
> 
> Test is done with user testu...@assai.nl in IE11 on 
> different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
> Intranet sites.

You haven't provided any information on the Realm configuration or how
you have secured the page you are trying to test with.

You might have hit https://issues.apache.org/bugzilla/show_bug.cgi?id=57022

There are lots of configuration steps listed in the docs you haven't
mentioned.

Mark

> 
> 
> 
> Tomcat Output:
> 
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>             sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>             suSec is 403143
>             error code is 25
>             error Message is Additional pre-authentication required
>             realm is ASSAI.NL
>             sname is krbtgt/ASSAI.NL
>             eData provided.
>             msgType is 30
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
> sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
> sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>             sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>             suSec is 996893
>             error code is 25
>             error Message is Additional pre-authentication required
>             realm is ASSAI.NL
>             sname is krbtgt/ASSAI.NL
>             eData provided.
>             msgType is 30
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
> sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
> sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>             sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
>             suSec is 543768
>             error code is 25
>             error Message is Additional pre-authentication required
>             realm is ASSAI.NL
>             sname is krbtgt/ASSAI.NL
>             eData provided.
>             msgType is 30
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
> sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
> sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> 09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - 
> Calling execute on job DEFAULT.reportsJob
> 09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - 
> Calling execute on job DEFAULT.reportsJob
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>             sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
>             suSec is 715643
>             error code is 25
>             error Message is Additional pre-authentication required
>             realm is ASSAI.NL
>             sname is krbtgt/ASSAI.NL
>             eData provided.
>             msgType is 30
>>>> Pre-Authentication Data:
>             PA-DATA type = 11
>             PA-ETYPE-INFO etype = 23, salt =
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 19
>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 2
>             PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>             PA-DATA type = 16
> 
>>>> Pre-Authentication Data:
>             PA-DATA type = 15
> 
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of 
>>>> retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
>>>> #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
> sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
> sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> 
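As an added example (not part of Mark's or Philippe's mail, and not Tomcat code), the following Python script triages a Java krb5/JGSS debug trace of the kind quoted above, in its mail-quoted form. It pulls out the keytab principal and its key types, the KDC errors, the AS-REP for the service principal and the acceptSecContext entries, and turns them into findings: the repeated error 25 is the normal pre-authentication round trip rather than a fault, the AS-REP shows the keytab key matches the KDC's copy, and a keytab holding only RC4-HMAC keys is flagged because a service ticket issued with an AES etype could not be decrypted with it. The sample trace is a constructed excerpt of the one in the thread; the `Triage` structure and the finding codes are this example's own invention.

```python
"""Triage a Java Kerberos/JGSS debug trace (-Dsun.security.krb5.debug=true,
-Dsun.security.jgss.debug=true). Added example, not code from the mail or
from Tomcat. Etype numbers follow RFC 3962 (AES) and RFC 4757 (RC4-HMAC);
error code 25 is KDC_ERR_PREAUTH_REQUIRED (RFC 4120)."""
import re
from dataclasses import dataclass, field

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
WEAK_ETYPES = {23}            # RC4-HMAC keys are derived from the NT hash
KDC_ERR_PREAUTH_REQUIRED = 25

_NAME = re.compile(r"KeyTabInputStream, readName\(\): (.+)$")
_ENTRY = re.compile(r"KeyTab: load\(\) entry length: \d+; type: (\d+)")
_OFFERED = re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\.")
_ERR_CODE = re.compile(r"error code is (\d+)")
_ERR_MSG = re.compile(r"error Message is (.+)$")
_AS_REP = re.compile(r"KrbAsRep cons in KrbAsReq\.getReply (\S+)")


@dataclass
class Triage:                                    # example's own structure
    keytab_principals: list = field(default_factory=list)
    keytab_etypes: set = field(default_factory=set)
    offered_etypes: set = field(default_factory=set)
    krb_errors: list = field(default_factory=list)     # (code, message)
    preauth_retries: int = 0
    as_rep_principals: list = field(default_factory=list)
    accept_entered: int = 0
    findings: list = field(default_factory=list)       # (code, explanation)


def _strip_quote(line: str) -> str:
    """Drop mail quoting ('> ', '>>>> ') so a pasted trace parses as-is."""
    return line.lstrip("> ").strip()


def triage_trace(lines):
    """Single pass over the trace, then derive findings from what was seen."""
    t, name_parts, pending_code = Triage(), [], None
    for raw in lines:
        line = _strip_quote(raw)
        if m := _NAME.search(line):          # keytab reader: realm first,
            name_parts.append(m.group(1))    # then each name component
        elif m := _ENTRY.search(line):
            if name_parts:
                realm, *components = name_parts
                t.keytab_principals.append("/".join(components) + "@" + realm)
                name_parts = []
            t.keytab_etypes.add(int(m.group(1)))
        elif m := _OFFERED.search(line):
            t.offered_etypes.update(int(x) for x in m.group(1).split())
        elif m := _ERR_CODE.search(line):
            pending_code = int(m.group(1))
        elif m := _ERR_MSG.search(line):
            t.krb_errors.append((pending_code, m.group(1)))
            pending_code = None
        elif "PREAUTH FAILED/REQ, re-send AS-REQ" in line:
            t.preauth_retries += 1
        elif m := _AS_REP.search(line):
            t.as_rep_principals.append(m.group(1))
        elif "Krb5Context.acceptSecContext" in line:
            t.accept_entered += 1
    _assess(t)
    return t


def _names(etypes):
    return ", ".join(ETYPE_NAMES.get(e, str(e)) for e in sorted(etypes))


def _assess(t):
    if t.keytab_etypes and t.keytab_etypes <= WEAK_ETYPES:
        t.findings.append(("KEYTAB_RC4_ONLY", "keytab holds only %s; a service "
            "ticket issued with an AES etype cannot be decrypted with it"
            % _names(t.keytab_etypes)))
    if t.keytab_etypes and t.offered_etypes and not (t.keytab_etypes & t.offered_etypes):
        t.findings.append(("NO_COMMON_ETYPE", "JVM offers %s but keytab has %s"
            % (_names(t.offered_etypes), _names(t.keytab_etypes))))
    codes = [c for c, _ in t.krb_errors]
    unexpected = sorted({c for c in codes if c != KDC_ERR_PREAUTH_REQUIRED})
    if unexpected:
        t.findings.append(("UNEXPECTED_KRB_ERROR", "KDC error code(s) %s" % unexpected))
    elif codes and t.preauth_retries >= len(codes):
        t.findings.append(("PREAUTH_ROUNDTRIP_NORMAL", "%d x error 25, each answered "
            "by a re-sent AS-REQ carrying PA-ENC-TIMESTAMP: normal, not a fault" % len(codes)))
    elif codes:
        t.findings.append(("PREAUTH_REQUIRED_UNANSWERED", "error 25 not followed by a re-sent AS-REQ"))
    if t.as_rep_principals:
        t.findings.append(("SERVICE_AS_REP_OK", "AS-REP obtained for %s: keytab key "
            "matches the KDC" % ", ".join(sorted(set(t.as_rep_principals)))))
    if t.accept_entered:
        t.findings.append(("ACCEPT_ENTERED", "acceptSecContext entered %d time(s); "
            "the client token is validated after this point" % t.accept_entered))


# Constructed excerpt of the trace quoted in the thread, mail quoting included.
SAMPLE_TRACE = """\
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Added key: 23version: 0
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KRBError:
>             error code is 25
>             error Message is Additional pre-authentication required
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
""".splitlines()

if __name__ == "__main__":
    r = triage_trace(SAMPLE_TRACE)
    print("keytab:", r.keytab_principals, _names(r.keytab_etypes))
    for code, text in r.findings:
        print(f"[{code}] {text}")
```

Run it against the full trace by piping the mail into `triage_trace(sys.stdin)`; the quote stripping means the pasted output needs no cleanup. The offered-etype list comes from the JVM's own krb5.conf, so a NO_COMMON_ETYPE finding points at the keytab or krb5.conf rather than at the KDC.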

