Hi,

Thank you for the response. The initial setup of the spn and the keytab was without the port number; the registry key was a suggestion found on the internet, but this setting does not change the outcome.
The command kinit on the Tomcat server returns the following:

C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf

C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>>>KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>>> Kinit using keytab
>>> Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
>>> Kinit realm name is ASSAI.NL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for V3TCAT4AD are:
        V3TCAT4AD/10.1.0.67 IPv4 address
        V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11 IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=198
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=198
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
         suSec is 776700
         error code is 25
         error Message is Additional pre-authentication required
         realm is ASSAI.NL
         sname is krbtgt/ASSAI.NL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=283
>>> KrbKdcReq send: #bytes read=88
>>> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=30000, number of retries =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=30000,Attempt =1, #bytes=283
>>>DEBUG: TCPClient reading 1496 bytes
>>> KrbKdcReq send: #bytes read=1496
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)

Kind regards,

Philippe Wijdh
Senior Programmer
Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P: +31 (0)345 516 663, E: p.wi...@assai.nl, W: www.assai-software.com

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday 23 October 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p.wi...@assai.nl> wrote:
>Hello,
>
>We have spent a long time now, trying to set up Apache Tomcat with
>Windows Authentication.
>We followed the instructions as per
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
>cannot make it work properly, the logon dialog keeps appearing and
>trying to log on fails.
>Additional to that we tried suggestions, like adding the registry key
>AllowTgtSessionKey and setting it to 0x01

Haven't seen that recommendation in the tomcat documentation.
>Seems like we are close but we are missing something (see tomcat output
>below)
>Does anyone have a more complete documentation or have any suggestions
>on how to make this work.
>
>
>Kind regards,
>
>Philippe Wijdh
>
>
>
>Extra information on the setup:
>
>Windows 2008 r2 sp1
>Apache Tomcat 7.0.54
>jdk1.7.0_60
>
>Tomcat is running as a service using account
>HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
>port number, does not make a difference)

You will have to use the spn without the port.

>
>Test is done with user testu...@assai.nl in
>IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
>added to the Intranet sites.
>
>
>
>Tomcat Output:
>
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080

What is inside your keytab?

>>>> KeyTab: load() entry length: 72; type: 23
>Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
>Loaded from Java config
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>         sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>         suSec is 403143
>         error code is 25
>         error Message is Additional pre-authentication required
>         realm is ASSAI.NL
>         sname is krbtgt/ASSAI.NL
>         eData provided.
>         msgType is 30
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there.

Regards
 Felix

>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>         sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>         suSec is 996893
>         error code is 25
>         error Message is Additional pre-authentication required
>         realm is ASSAI.NL
>         sname is krbtgt/ASSAI.NL
>         eData provided.
>         msgType is 30
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>Entered Krb5Context.acceptSecContext with state=STATE_NEW
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>         sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
>         suSec is 543768
>         error code is 25
>         error Message is Additional pre-authentication required
>         realm is ASSAI.NL
>         sname is krbtgt/ASSAI.NL
>         eData provided.
>         msgType is 30
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
>09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>         sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
>         suSec is 715643
>         error code is 25
>         error Message is Additional pre-authentication required
>         realm is ASSAI.NL
>         sname is krbtgt/ASSAI.NL
>         eData provided.
>         msgType is 30
>>>>Pre-Authentication Data:
>         PA-DATA type = 11
>         PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 19
>         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 2
>         PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>         PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>         PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>Entered Krb5Context.acceptSecContext with state=STATE_NEW
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
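Felix's question "What is inside your keytab?" and his diagnosis that the SPN in the keytab carries a port can both be checked mechanically. The following is an added example, not code from the thread, from Tomcat or from the JDK: it writes a constructed MIT v2 keytab holding the SPN the thread's keytab shows (with ":8080") and the corrected one (with a 16-byte all-zero stand-in for the key, so no real key material), parses the file back, and flags any HTTP SPN whose host component ends in a port. The constructed entry with the port serialises to exactly 72 bytes, the "entry length: 72" the debug output reports for the real keytab.

```python
import struct

# Constructed sample entries: the SPN the thread's keytab shows (with the port) and
# the corrected one. The 16 zero bytes stand in for an RC4-HMAC (etype 23) key;
# no real key material is embedded.
SAMPLE_ENTRIES = [
    ("ASSAI.NL", ["HTTP", "v3tcat4ad.assai.nl:8080"], 1, 1413964436, 0, 23, bytes(16)),
    ("ASSAI.NL", ["HTTP", "v3tcat4ad.assai.nl"], 1, 1413964436, 0, 23, bytes(16)),
]

def encode_entry(realm, comps, name_type, ts, kvno, etype, key):
    """One keytab v2 entry body; build_keytab adds the int32 size prefix."""
    body = bytearray(struct.pack(">H", len(comps)))
    for s in [realm] + comps:                      # realm first, then each name component
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw   # counted octet string
    body += struct.pack(">IIBHH", name_type, ts, kvno, etype, len(key)) + key
    return bytes(body)

def build_keytab(entries):
    """MIT keytab v2 layout: 0x05 0x02 header, then int32 size + body per entry."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        body = encode_entry(*e)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return a dict per live entry: principal, service, host, kvno, etype, size."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                               # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            pos, strings = pos + 2, []
            for _ in range(ncomp + 1):             # realm, then ncomp name components
                (n,) = struct.unpack_from(">H", data, pos)
                strings.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            name_type, ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen                       # fixed fields plus the key bytes
            if end - pos >= 4:                     # optional 32-bit kvno overrides the 8-bit one
                (kvno,) = struct.unpack_from(">I", data, pos)
            entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                            "service": strings[1], "host": strings[2] if ncomp > 1 else "",
                            "kvno": kvno, "etype": etype, "size": size})
        pos = end
    return entries

def spns_with_port(entries):
    """HTTP SPNs whose host component ends in ':<port>'. A browser negotiating SPNEGO
    asks the KDC for HTTP/<host> without a port, so such an entry can never match."""
    return [e["principal"] for e in entries
            if e["service"] == "HTTP" and ":" in e["host"]
            and e["host"].rsplit(":", 1)[1].isdigit()]
```

Pointing parse_keytab at the bytes of a real keytab (for example the tomcat8080.keytab from the thread) lists its principals without touching the key material, which is what a ktab -l listing shows as well.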