David Marsh wrote:
Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERBTEST.LOCAL, still same symptoms.
Ran klist on the client after the Firefox test and the three 401 responses :-

C:\Users\test.KERBTEST.000>klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0>     Client: test @ KERBTEST.LOCAL
        Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/25/2015 14:46:43 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: 192.168.0.200

#1>     Client: test @ KERBTEST.LOCAL
        Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/25/2015 14:51:21 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?

If I have ticket why do I get 401 ?

Maybe because these things come from 2 different places ?
- ticket #0 is a general "ticket-granting ticket" ("krbtgt") obtained by the client directly from the KDC
- ticket #1 is a ticket to access HTTP/Tomcat, obtained by the client directly from the KDC (after presenting his "ticket-granting ticket")
- the 401 response is a response from Tomcat, when the client tries to access it by presenting his HTTP/Tomcat ticket

So the problem could be that Tomcat is unable to validate the client ticket, for some reason proper to Tomcat itself, not to the client ticket per se (which is probably valid).

Again, in your (presumably Tomcat) Kerberos log, it looked as if Tomcat was having trouble "pre-authenticating" itself, whatever that means. Maybe such a successful pre-authentication is a pre-requisite for Tomcat to be able to recognise client tickets to itself ?


----------------------------------------
Date: Tue, 24 Mar 2015 22:46:15 +0000
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks for your help!
I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the Windows service?
I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status.
I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.
I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.

Mark


David
Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:25, David Marsh wrote:
Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.

Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:05, David Marsh wrote:
Sorry thats :-

principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or just to point out, that you
copied the wrong jaas.conf for the mail?

Felix
----------------------------------------
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +0000

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain 
kerbtest.local, they are logged in with domain logins.

The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website.

jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory.

I have tried to keep the setup as basic and vanilla to the instructions as 
possible.

Users were created as instructed.

Spn was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with firefox, chrome and IE, after ensuring 
http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added 
http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and 
network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in 
firefox results in 401 three times.

Looking at the Network tab in developer tools in firefox shows 401 response 
with WWW-Authenticate: Negotiate response http header.

The next has an Authorization request http header with a long encrypted string.

That means that Tomcat believes it can use Kerberos/SPNEGO, and Firefox is able to get a service ticket for the server and sends it back. That far it is looking promising. But I assume the authentication does not complete, right?


IE still prompts for credentials with a popup, not sure why as does chrome.
The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, 
is selected under trusted sites.

It seems like authentication is never completed ?

There are no errors in tomcat logs.

Any ideas what is happening and what I can do to troubleshoot ?
You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should print out a lot of debug information, which should end up in catalina.out.

Felix
I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.

many thanks

David
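A check worth running before going back to the browsers: confirm that the keytab ktpass wrote, the principal in jaas.conf and the SPN registered with setspn all name the same service principal, because Tomcat can only decrypt a client's HTTP/... ticket (ticket #1 in the klist output above) with a key for exactly that principal, and a mismatch there shows up as nothing more than a 401. The script below is an added example, not code from this thread or from Tomcat. It builds a small keytab in memory in the MIT keytab layout (version 0x0502, the format ktpass writes and Java's Krb5LoginModule reads) with dummy key material and a made-up kvno, parses it back the way `klist -k -e` would, pulls principal= out of the jaas.conf text quoted in the first mail of the thread, and reports the mismatches. The names parse_keytab, jaas_principals and check_consistency, and the sample keytab, are this example's own.

```python
"""Keytab / jaas.conf / SPN consistency check for a Tomcat SPNEGO setup. Added
example, not from the thread or Tomcat: keytab bytes are constructed here in MIT
keytab layout 0x0502, key material is dummy, kvno is made up, helper names are
this example's own."""
import re
import struct
from typing import Dict, List

# Enctype numbers from RFC 3962 (AES) and RFC 4757 (RC4-HMAC).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SPN = "HTTP/win-tc01.kerbtest.local"   # the SPN from the thread's setspn call
REALM = "KERBTEST.LOCAL"

def _counted(data: bytes) -> bytes:    # counted octet string: uint16 BE length + bytes
    return struct.pack(">H", len(data)) + data

def keytab_entry(principal: str, enctype: int, key: bytes, kvno: int) -> bytes:
    """Serialise one size-prefixed keytab entry for 'service/host@REALM'."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                  # 32-bit kvno (vno32)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> List[Dict]:
    """Parse every live entry of an MIT keytab (what `klist -k -e` would list)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries, pos = [], 2
    def take(fmt):                       # unpack fmt at pos and advance past it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    def counted() -> bytes:              # read one counted octet string
        nonlocal pos
        (n,) = take(">H")
        pos += n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size < 0:                     # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _stamp, vno8 = take(">IIB")
        enctype, key = take(">H")[0], counted()
        # an optional vno32 follows the key; a non-zero value overrides vno8
        kvno = (take(">I")[0] if end - pos >= 4 else 0) or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "kvno": kvno, "key_len": len(key)})
    return entries

def jaas_principals(jaas_conf: str) -> Dict[str, str]:
    """Map each JAAS login-context name to the principal= it declares."""
    found = {}
    for block in re.finditer(r"([\w.]+)\s*\{(.*?)\};", jaas_conf, re.S):
        m = re.search(r'principal\s*=\s*"([^"]+)"', block.group(2))
        if m:
            found[block.group(1)] = m.group(1)
    return found

def check_consistency(entries: List[Dict], jaas: Dict[str, str],
                      spn: str, realm: str) -> List[str]:
    """Findings that would stop Tomcat accepting the ticket; [] means all agree."""
    expected, findings = spn + "@" + realm, []
    have = sorted({e["principal"] for e in entries})
    if expected not in have:
        findings.append("keytab has no key for %s (found %s)" % (expected, have))
    for ctx, princ in jaas.items():
        if princ != expected:
            findings.append("%s names %s but the SPN is %s" % (ctx, princ, expected))
    if entries and all(e["enctype"] == "rc4-hmac" for e in entries):
        findings.append("keytab holds only rc4-hmac keys; an AES ticket could not be decrypted")
    return findings

# Constructed keytab: the thread's SPN with an RC4 key and an AES-256 key, kvno 3.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + keytab_entry(SPN + "@" + REALM, 23, bytes(range(16)), 3)
                 + keytab_entry(SPN + "@" + REALM, 18, bytes(range(32)), 3))
# The accept block from the thread's first jaas.conf: principal is the DC host.
JAAS_ORIGINAL = """
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
"""
JAAS_FIXED = JAAS_ORIGINAL.replace("win-dc01", "win-tc01")   # the corrected one
```

Against real files, `parse_keytab(open(path, "rb").read())` and `jaas_principals(open(path).read())` take the place of the constructed data, and `check_consistency(entries, jaas, SPN, REALM)` gives the report. The jaas.conf from the first mail yields one finding (the accept context names the DC host while the SPN names the Tomcat host), the corrected one none. A keytab that carries only an RC4 key is flagged as well: RC4 is the weaker enctype, and once the service account is AES-enabled the KDC will issue AES tickets for which that keytab holds no key, which again surfaces only as a 401.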


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
