Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERBTEST.LOCAL, still same symptoms.

Ran klist on client after firefox test and the three 401 responses. :-

C:\Users\test.KERBTEST.000>klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0>     Client: test @ KERBTEST.LOCAL
        Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/25/2015 14:46:43 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: 192.168.0.200

#1>     Client: test @ KERBTEST.LOCAL
        Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/25/2015 14:51:21 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL? If I have a ticket, why do I get 401?

----------------------------------------
> Date: Tue, 24 Mar 2015 22:46:15 +0000
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks for your help!
>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and
>> also added the same definitions to the Java parameters in the Configure Tomcat
>> tool. I definitely got more information when using startup.bat, not sure the
>> settings get picked up by the windows service?
>> I do not think authentication completes, certainly authorization does not as
>> I can't see the site and get 401 http status.
>> I have not configured a tomcat realm but I have put the test user in a
>> manager-gui group in Active Directory.
>
> I've only given your config a quick scan, but the thing that jumps out
> at me is spaces in some of the paths. I'm not sure how well krb5.ini
> will handle those. It might be fine. It might not be.
>
> Mark
>
>
>> David
>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>> From: felix.schumac...@internetallee.de
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>> Everything is as described and still not working, except the jaas.conf is :-
>>>>
>>>> com.sun.security.jgss.krb5.initiate {
>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>     doNotPrompt=true
>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>     useKeyTab=true
>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>     storeKey=true;
>>>> };
>>>>
>>>> com.sun.security.jgss.krb5.accept {
>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>     doNotPrompt=true
>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>     useKeyTab=true
>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>     storeKey=true;
>>>> };
>>>>
>>>> In other words the principal is the tomcat server as it should be.
>>>>
>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>> From: felix.schumac...@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>> Sorry, that's :-
>>>>>>
>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>> Is it working with this configuration, or just to point out that you
>>>>> copied the wrong jaas.conf for the mail?
>>>>>
>>>>> Felix
>>>>>> ----------------------------------------
>>>>>>> From: dmars...@outlook.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>
>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>
>>>>>>> I've created three Windows VMs :-
>>>>>>>
>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>
>>>>>>> The Tomcat Server and the Test Client are joined to the same domain
>>>>>>> kerbtest.local, they are logged in with domain logins.
>>>>>>>
>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>
>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>
>>>>>>> jaas.conf
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>     doNotPrompt=true
>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>     useKeyTab=true
>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>     storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>     doNotPrompt=true
>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>     useKeyTab=true
>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>     storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> krb5.ini
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> forwardable=true
>>>>>>>
>>>>>>> [realms]
>>>>>>> KERBTEST.LOCAL = {
>>>>>>>     kdc = win-dc01.kerbtest.local:88
>>>>>>> }
>>>>>>>
>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>
>>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>>
>>>>>>> Users were created as instructed.
>>>>>>>
>>>>>>> SPN was created as instructed
>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>
>>>>>>> keytab was created as instructed
>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>
>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I
>>>>>>> added http://win-tc01.kerbtest.local to
>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>
>>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>>
>>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local
>>>>>>> in firefox results in 401 three times.
>>>>>>>
>>>>>>> Looking at the Network tab in developer tools in firefox shows 401
>>>>>>> response with WWW-Authenticate: Negotiate response http header.
>>>>>>>
>>>>>>> The next has an Authorization request http header with long encrypted string.
>>> That means that tomcat believes it can use kerberos/SPNEGO and
>>> firefox is able to get a service ticket for the server and sends it
>>> back. That far it is looking promising. But I assume the authentication
>>> does not complete, right?
>>>
>>>
>>>>>>>
>>>>>>> IE still prompts for credentials with a popup, not sure why, as does chrome.
>>>>>>> The setting User Authentication, Logon, Automatic Logon only in
>>>>>>> Intranet Zone, is selected under trusted sites.
>>>>>>>
>>>>>>> It seems like authentication is never completed?
>>>>>>>
>>>>>>> There are no errors in tomcat logs.
>>>>>>>
>>>>>>> Any ideas what is happening and what I can do to troubleshoot?
>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
>>> print out a lot of debug information, which should end up in catalina.out.
>>>
>>> Felix
>>>>>>>
>>>>>>> I'm quite happy to help improve the documentation and follow the
>>>>>>> instructions, however I have tried that and cannot get a working basic
>>>>>>> set up.
>>>>>>>
>>>>>>> many thanks
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
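An added check, not part of the thread: the klist output above proves the KDC issued a service ticket for HTTP/win-tc01.kerbtest.local encrypted with RSADSI RC4-HMAC(NT), which is Kerberos enctype 23. Tomcat can only accept that ticket if tomcat.keytab holds a key for exactly that SPN in that enctype with a kvno matching the tc01 account's msDS-KeyVersionNumber, so one thing to rule out is a keytab that does not match the ticket. This Python example parses the keytab format ktpass writes (MIT version 2) and runs that comparison on a constructed sample keytab; build_entry, the ENCTYPES table, can_decrypt and the dummy key bytes are this example's own, not anything from the thread or from Tomcat.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757); ktpass /crypto names map onto these
ENCTYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _pack(b):  # counted octet string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def _unpack(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(principal, kvno, etype, key):  # used only to construct the sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _pack(realm.encode())
    body += b"".join(_pack(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + _pack(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno field at the end
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):  # MIT version-2 (0x0502) keytab, the format ktpass writes
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        if size <= 0:  # a negative size marks a deleted slot; skip it
            off += 4 - size
            continue
        end = off + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, off + 4)
        realm, off = _unpack(data, off + 6)
        comps = []
        for _ in range(ncomp):
            c, off = _unpack(data, off)
            comps.append(c.decode())
        _, _, vno8, etype = struct.unpack_from(">IIBH", data, off)  # name type, timestamp, vno8, enctype
        key, off = _unpack(data, off + 11)
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": ENCTYPES.get(etype, str(etype))})
        off = end
    return entries

def can_decrypt(entries, spn, ticket_enctype):
    # Tomcat can only accept the ticket if the keytab has a key for the SPN in that enctype
    return any(e["principal"] == spn and e["enctype"] == ticket_enctype for e in entries)

# Constructed sample: one RC4-HMAC key, kvno 0, for the thread's SPN (dummy key bytes)
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL", 0, 23, bytes(16))
```

Run parse_keytab over the real tomcat.keytab bytes and compare each entry's principal, enctype and kvno with the Server and KerbTicket Encryption Type lines from klist and with the account's msDS-KeyVersionNumber; an AES-only keytab, a win-dc01 principal, or a stale kvno would each make the accept side fail even though the client holds a valid ticket.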