On 23.10.2014 at 11:07, Philippe Wijdh wrote:
Hi,

Thank you for the response.
The initial setup of the SPN and the keytab was without the port number; the 
registry key was a suggestion found on the internet, but this setting does not 
change the outcome.

The command kinit on the Tomcat server returns the following:


C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf

C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL

HTTP/v3tcat4ad.assai.nl:8...@assai.nl is the wrong spn. You have to use one without the port number (as described in the docs).

Maybe it would be best to follow Mark's advice and start with a fresh system and follow the documentation step by step.

Felix
KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Kinit using keytab
Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Kinit realm name is ASSAI.NL
Creating KrbAsReq
KrbKdcReq local addresses for V3TCAT4AD are:
         V3TCAT4AD/10.1.0.67
IPv4 address

         V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
IPv6 address
KdcAccessibility: reset
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=198
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=198
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
          PA-DATA type = 11
          PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
          PA-DATA type = 19
          PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
          PA-DATA type = 2
          PA-ENC-TIMESTAMP
Pre-Authentication Data:
          PA-DATA type = 16

Pre-Authentication Data:
          PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
          suSec is 776700
          error code is 25
          error Message is Additional pre-authentication required
          realm is ASSAI.NL
          sname is krbtgt/ASSAI.NL
          eData provided.
          msgType is 30
Pre-Authentication Data:
          PA-DATA type = 11
          PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
          PA-DATA type = 19
          PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
          PA-DATA type = 2
          PA-ENC-TIMESTAMP
Pre-Authentication Data:
          PA-DATA type = 16

Pre-Authentication Data:
          PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=283
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=283
KrbKdcReq send: #bytes read=88
KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=30000, number of retries =3, #bytes=283
KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=30000,Attempt =1, #bytes=283
DEBUG: TCPClient reading 1496 bytes
KrbKdcReq send: #bytes read=1496
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)




Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The 
Netherlands
P:  +31 (0)345 516 663, E:  p.wi...@assai.nl, W: www.assai-software.com

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: donderdag 23 oktober 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication



On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p.wi...@assai.nl> wrote:
Hello,

We have spent a long time now, trying to set up Apache Tomcat with
Windows Authentication.
We followed the instructions as per
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
cannot make it work properly, the logon dialog keeps appearing and
trying to log on fails.
Additional to that we tried suggestions, like adding the registry key
AllowTgtSessionKey and setting it to 0x01
Haven't seen that recommendation in the tomcat documentation.


Seems like we are close but we are missing something (see tomcat output
below)
Does anyone have more complete documentation or any suggestions
on how to make this work?


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account
HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
port number, does not make a difference)
You will have to use the spn without the port.

Test is done with user testu...@assai.nl in
IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
added to the Intranet sites.



Tomcat Output:

KeyTabInputStream, readName(): ASSAI.NL KeyTabInputStream,
readName(): HTTP KeyTabInputStream, readName():
v3tcat4ad.assai.nl:8080
What is inside your keytab?

KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
            sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
            suSec is 403143
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
This is the wrong spn. The port number should not be there.

Regards
Felix

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
            sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
            suSec is 996893
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key:
23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes
for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
            sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
            suSec is 543768
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG
org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG
org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
            sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
            suSec is 715643
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
Pre-Authentication Data:
            PA-DATA type = 16

Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
of retries =3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
=1, #bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key:
23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes
for default_tkt_enctypes: 23 18 17.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
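Felix's question in the thread ("What is inside your keytab?") and his point that the HTTP SPN must carry no port can both be checked directly against the keytab file. The following is an added example, not code from the thread, from Tomcat or from the JDK: a small Python reader for the MIT keytab format (version 0x0502) that Java's KeyTabInputStream loads, run over a constructed keytab holding the port-carrying principal from the logs, plus a check that flags such SPNs. The key bytes, timestamp and kvno in the sample are dummies.

```python
import struct

# Constructed sample, not a file from the thread: one RC4-HMAC (etype 23)
# entry for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL with a dummy 16-byte key.
SAMPLE = [("ASSAI.NL", ["HTTP", "v3tcat4ad.assai.nl:8080"], 23, b"\x00" * 16, 0)]

def _counted(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries) -> bytes:
    """Write a version 0x0502 keytab; entries = (realm, components, etype, key, kvno)."""
    out = b"\x05\x02"
    for realm, comps, etype, key, kvno in entries:
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type 1 (NT-PRINCIPAL), timestamp 0 (dummy), 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno)
        body += struct.pack(">HH", etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body  # size field excludes itself
    return out

def parse_keytab(data: bytes) -> list:
    """Read a 0x0502 keytab; return principal, etype, kvno and entry size per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot of -size bytes
            pos += -size if size else len(data)  # size 0 would never advance, so stop
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, _klen = struct.unpack_from(">HH", data, pos + 9)
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "etype": etype, "kvno": vno8, "size": size})
        pos = end                      # skip the key bytes and any trailing 32-bit kvno
    return entries

def spn_problems(principal: str) -> list:
    """Checks for an HTTP SPN used by browser SPNEGO: host part must carry no port."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    problems = []
    if comps[0] != "HTTP":
        problems.append("service class is not HTTP")
    if len(comps) < 2 or ":" in comps[1]:
        problems.append("host component is missing or carries a port")
    return problems
```

With these components the constructed entry is 72 bytes long, which matches the "KeyTab: load() entry length: 72; type: 23" line in the logs; `spn_problems` flags the `:8080` principal and accepts `HTTP/v3tcat4ad.assai.nl@ASSAI.NL`.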