On 25.03.2015 16:09, David Marsh wrote:
Put keytab in c:\keytab\tomcat.keytab, ensured owner was
tc01@KERTEST.LOCAL, still same symptoms.

Ran klist on client after firefox test and the three 401 responses. :-

 C:\Users\test.KERBTEST.000>klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0>     Client: test @ KERBTEST.LOCAL
        Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/25/2015 14:46:43 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: 192.168.0.200

#1>     Client: test @ KERBTEST.LOCAL
        Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/25/2015 14:51:21 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN
HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?

If I have ticket why do I get 401 ?
Your client has got a service ticket for HTTP/win-tc01... This is used by firefox for authentication. Firefox transmits this service ticket to the server (as base64 encoded in the WWW-Authenticate header).

Your server has to decrypt this ticket using its own ticket to get at the user information. This is where your problems arise.
It looks like your server has trouble getting its own ticket.

Are you sure that the password you used for keytab generation (on the server side) is correct? ktpass will probably accept any input as a password. Maybe you can check the keytab by using kinit (though I don't know if it exists for windows, or how the java one is used).

Felix
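One way to carry out the keytab check Felix suggests, as an added example that is not code from this thread, from Tomcat or from the JDK: parse the keytab file and compare the principal, key version and encryption type it holds against what klist reported for the service ticket (RSADSI RC4-HMAC(NT), i.e. enctype 23). Assumed here: the keytab is in the 0x0502 MIT/Heimdal format that ktpass writes and Krb5LoginModule reads; the sample keytab bytes, the all-zero key material and the timestamp are constructed for the example, and `build_keytab` exists only to produce that sample.

```python
"""Keytab inspection (added example, not from the thread, Tomcat or the JDK).
Parses the version-0x0502 keytab format and checks that a key exists for the
service principal with the encryption type (and optionally kvno) of the ticket
the browser presented. Sample bytes, keys and timestamps are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA Kerberos encryption-type numbers (RFC 3961/3962/4757).
# klist's "RSADSI RC4-HMAC(NT)" is enctype 23.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str      # e.g. HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    kvno: int           # key version number
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16 length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every entry of a version-2 keytab (all integers big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2)
        _name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno after the key
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        off = end
    return entries


def check_keytab(entries: List[KeytabEntry], principal: str, enctype: int,
                 kvno: Optional[int] = None) -> List[str]:
    """Reasons this keytab could NOT decrypt a ticket for `principal` issued
    with `enctype` (and `kvno`, if known). An empty list means it can."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        found = sorted({e.principal for e in entries})
        return [f"no key for {principal}; keytab holds keys for {found}"]
    problems = []
    if not any(e.enctype == enctype for e in mine):
        have = sorted({ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in mine})
        problems.append(f"no {ENCTYPE_NAMES.get(enctype, enctype)} key; keytab has {have}")
    if kvno is not None and not any(e.kvno == kvno for e in mine):
        problems.append(f"no key with kvno {kvno}; keytab has {sorted({e.kvno for e in mine})}")
    return problems


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used to construct a sample here; real keytabs come from ktpass."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name_type 1 = NT-PRINCIPAL; timestamp 0 is a constructed placeholder
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


SPN = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"   # the SPN from the thread
RC4_HMAC, AES256 = 23, 18

if __name__ == "__main__":
    # Constructed keytab: one rc4-hmac key (16 zero bytes) for the correct SPN, kvno 0.
    good = parse_keytab(build_keytab([(SPN, 0, RC4_HMAC, bytes(16))]))
    print(check_keytab(good, SPN, RC4_HMAC))            # []
    # Keytab made for the wrong principal (the win-dc01 SPN from the first jaas.conf).
    wrong = parse_keytab(build_keytab([("HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL", 0, RC4_HMAC, bytes(16))]))
    print(check_keytab(wrong, SPN, RC4_HMAC))
```

Run it against the real file with `check_keytab(parse_keytab(open(path, "rb").read()), SPN, 23)`; a non-empty result explains why the accept side cannot decrypt the AP-REQ even though the browser obtained a ticket.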


----------------------------------------
Date: Tue, 24 Mar 2015 22:46:15 +0000
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks fort your help!
I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service ? I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status. I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out
at me is spaces in the some of the paths. I'm not sure how well krb5.ini
will handle those. It might be fine. It might not be.

Mark


David
Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:25, David Marsh wrote:
Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
storeKey=true;
};

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
storeKey=true;
};

In other words the principal is the tomcat server as it should be.

Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:05, David Marsh wrote:
Sorry that's :-

principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or did you just want to point out that you
copied the wrong jaas.conf for the mail?

Felix
----------------------------------------
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +0000

I'm trying to get SPNEGO authentication working with Tomcat 8.

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.

The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website.

jaas.conf

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
storeKey=true;
};

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory.

I have tried to keep the setup as basic and vanilla to the instructions as possible.

Users were created as instructed.

Spn was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.

Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.

The next has an Authorization request http header with long encrypted string.
That means that tomcat believes it can use kerberos/SPNEGO and
firefox is able to get a service ticket for the server and sends it
back. So far it is looking promising. But I assume the authentication
does not complete, right?



IE still prompts for credentials with a popup, not sure why as does chrome. The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.

It seems like authentication is never completed ?

There are no errors in tomcat logs.

Any ideas what is happening and what I can do to troubleshoot ?
You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should print out a lot of debug information, which should end up in catalina.out.

Felix

I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.

many thanks

David
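Felix's reading of the browser traffic (a 401 with WWW-Authenticate: Negotiate, then a request carrying an Authorization header with a long encoded token) can be checked rather than assumed. The added example below, which is not code from this thread, from Tomcat or from any of the browsers mentioned, decodes such an Authorization value and reports which mechanism the browser actually put in the token: a SPNEGO NegTokenInit whose first mechType is Kerberos means a service ticket was sent; NTLM first, or a raw NTLMSSP message, means the browser fell back to NTLM and no ticket is involved, which is the case to look for when a browser prompts for credentials. The GSS mechanism OIDs are the standard registered ones; the sample headers and their mechToken bytes are constructed placeholders, not real tickets, and `build_neg_token_init` exists only to produce those samples.

```python
"""Classify an Authorization: Negotiate token (added example, not code from
the thread or from Tomcat). Decodes the base64 value and tells a raw NTLM
message, a bare Kerberos GSS token and a SPNEGO NegTokenInit apart, reporting
the mechanism list in the order the browser offered it. Samples constructed."""
import base64
from typing import List, Tuple

# DER-encoded OID bodies (without tag and length), standard GSS/SPNEGO OIDs.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos", MS_KRB5: "MS-Kerberos", NTLM: "NTLM"}
NTLM_SIGNATURE = b"NTLMSSP\x00"


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite length (used to build samples)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _read_tlv(buf: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, offset just after the element)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def build_neg_token_init(mech_types: List[bytes], mech_token: bytes) -> bytes:
    """Construct a SPNEGO NegTokenInit (RFC 4178) inside the GSS-API
    InitialContextToken framing (RFC 2743 section 3.1). Sample use only."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_types))
    neg = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    return _tlv(0x60, _tlv(0x06, SPNEGO) + _tlv(0xA0, neg))


def classify_negotiate(header_value: str) -> Tuple[str, List[str]]:
    """Return (verdict, mechanisms offered) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not a Negotiate header", []
    raw = base64.b64decode(b64.strip())
    if raw.startswith(NTLM_SIGNATURE):
        return "raw NTLM message (no Kerberos ticket involved)", ["NTLM"]
    if raw[:1] != b"\x60":
        return "unrecognised token", []
    _, body, _ = _read_tlv(raw)
    tag, oid, off = _read_tlv(body)
    if tag != 0x06:
        return "unrecognised token", []
    if oid in (KRB5, MS_KRB5):
        return "bare Kerberos AP-REQ token", [OID_NAMES[oid]]
    if oid != SPNEGO:
        return "unknown GSS mechanism", [oid.hex()]
    tag, neg, _ = _read_tlv(body, off)
    if tag != 0xA0:                       # 0xA1 would be a NegTokenResp
        return "SPNEGO token that is not a NegTokenInit", []
    _, seq, _ = _read_tlv(neg)
    tag, mech_types_ctx, _ = _read_tlv(seq)
    if tag != 0xA0:
        return "NegTokenInit without mechTypes", []
    _, mech_list, _ = _read_tlv(mech_types_ctx)
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, o, pos = _read_tlv(mech_list, pos)
        mechs.append(OID_NAMES.get(o, o.hex()))
    if mechs and mechs[0] in ("Kerberos", "MS-Kerberos"):
        return "SPNEGO with Kerberos first: a service ticket was sent", mechs
    first = mechs[0] if mechs else "nothing"
    return f"SPNEGO with {first} first: no ticket in this request", mechs


# Constructed sample headers; the mechToken bytes are placeholders, not real tickets.
KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([KRB5, MS_KRB5, NTLM], b"\x60\x00")).decode()
NTLM_FALLBACK_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLM], b"NTLMSSP\x00\x01\x00\x00\x00")).decode()
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()

if __name__ == "__main__":
    for h in (KERBEROS_HEADER, NTLM_FALLBACK_HEADER, RAW_NTLM_HEADER):
        print(classify_negotiate(h))
```

Paste the Authorization header value copied from the browser's Network tab into `classify_negotiate`; if the first mechanism is not Kerberos, the problem is on the client side (no ticket, site not trusted for Negotiate), and if it is Kerberos but the server still answers 401, the server side (keytab, principal, encryption type) is where to look, which matches Felix's diagnosis above.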


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
