On 25 March 2015 17:25:25 CET, David Marsh <dmars...@outlook.com> wrote:
>This is how the keytab was created :-
>
>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
>
>The password is the correct password for the user tc01 associated with
>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>
>I managed to turn on some more logging around JAAS, see the error :-
>java.security.PrivilegedActionException: GSSException: Defective token detected
Do you talk directly to Tomcat, or is there any kind of proxy in between? 
Could the header be truncated? 

Felix
>
>25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>> KeyTabInputStream, readName(): kerbtest.local
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>> KeyTab: load() entry length: 78; type: 23
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>Loaded from Java config
>Added key: 23version: 3
>>>> KdcAccessibility: reset
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>> KrbKdcReq send: #bytes read=185
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>suSec is 701709
>error code is 25
>error Message is Additional pre-authentication required
>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>eData provided.
>msgType is 30
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>> KrbKdcReq send: #bytes read=100
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>DEBUG: TCPClient reading 1475 bytes
>>>> KrbKdcReq send: #bytes read=1475
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Will use keytab
>Commit Succeeded
>
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>[Krb5LoginModule]: Entering logout
>[Krb5LoginModule]: logged out Subject
>25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>> KrbKdcReq send: #bytes read=185
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>suSec is 935731
>error code is 25
>error Message is Additional pre-authentication required
>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>eData provided.
>msgType is 30
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>> KrbKdcReq send: #bytes read=100
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>DEBUG: TCPClient reading 1475 bytes
>>>> KrbKdcReq send: #bytes read=1475
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Will use keytab
>Commit Succeeded
>
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>    at java.security.AccessController.doPrivileged(Native Method)
>    at javax.security.auth.Subject.doAs(Subject.java:422)
>    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>    at java.lang.Thread.run(Thread.java:745)
>Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>    ... 18 more
>
>[Krb5LoginModule]: Entering logout
>[Krb5LoginModule]: logged out Subject
>25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>
>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>> From: felix.schumac...@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>>
>> On 25.03.2015 16:09, David Marsh wrote:
>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>
>>> Ran klist on client after firefox test and the three 401 responses :-
>>>
>>> C:\Users\test.KERBTEST.000>klist
>>>
>>> Current LogonId is 0:0x2fd7a
>>>
>>> Cached Tickets: (2)
>>>
>>> #0> Client: test @ KERBTEST.LOCAL
>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>> Start Time: 3/25/2015 14:46:43 (local)
>>> End Time: 3/26/2015 0:46:43 (local)
>>> Renew Time: 4/1/2015 14:46:43 (local)
>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>> Cache Flags: 0x1 -> PRIMARY
>>> Kdc Called: 192.168.0.200
>>>
>>> #1> Client: test @ KERBTEST.LOCAL
>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>> Start Time: 3/25/2015 14:51:21 (local)
>>> End Time: 3/26/2015 0:46:43 (local)
>>> Renew Time: 4/1/2015 14:46:43 (local)
>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>> Cache Flags: 0
>>> Kdc Called: 192.168.0.200
>>>
>>> Looks like I was granted a ticket for the SPN
>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>
>>> If I have ticket why do I get 401 ?
>> Your client has got a service ticket for HTTP/win-tc01... This is used
>> by firefox for authentication. Firefox transmits
>> this service ticket to the server (as base64 encoded in the
>> WWW-Authenticate header).
>>
>> Your server has to decrypt this ticket using its own ticket to get at
>> the user information. This is where your problems arise.
>> It looks like your server has trouble to get its own ticket.
>>
>> Are you sure that the password you used for keytab generation (on the
>> server side) is correct? ktpass will probably accept
>> any input as a password. Maybe you can check the keytab by using kinit
>> (though I don't know if it exists for windows, or how
>> the java one is used).
>>
>> Felix
>>
>>>
>>> ----------------------------------------
>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>> From: ma...@apache.org
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>> Hi Felix,
>>>>> Thanks for your help!
>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>> startup.bat and also added the same definitions to the Java
>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>> windows service?
>>>>> I do not think authentication completes, certainly authorization does
>>>>> not as I can't see the site and get 401 http status.
>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>> manager-gui group in Active Directory.
>>>>
>>>> I've only given your config a quick scan, but the thing that jumps out
>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>> will handle those. It might be fine. It might not be.
>>>>
>>>> Mark
>>>>
>>>>
>>>>> David
>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>> From: felix.schumac...@internetallee.de
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>> Everything is as described and still not working, except the
>>>>>>> jaas.conf is :-
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>     doNotPrompt=true
>>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>     useKeyTab=true
>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>     storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>     doNotPrompt=true
>>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>     useKeyTab=true
>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>     storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>
>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>> Sorry, that's :-
>>>>>>>>>
>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>> Is it working with this configuration, or just to point out that you
>>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>>
>>>>>>>> Felix
>>>>>>>>> ----------------------------------------
>>>>>>>>>> From: dmars...@outlook.com
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>
>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>
>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>
>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>
>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>
>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>
>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>
>>>>>>>>>> jaas.conf
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>     doNotPrompt=true
>>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>     useKeyTab=true
>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>     storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>     doNotPrompt=true
>>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>     useKeyTab=true
>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>     storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> krb5.ini
>>>>>>>>>>
>>>>>>>>>> [libdefaults]
>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>> forwardable=true
>>>>>>>>>>
>>>>>>>>>> [realms]
>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>     kdc = win-dc01.kerbtest.local:88
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>> Directory.
>>>>>>>>>>
>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>> instructions as possible.
>>>>>>>>>>
>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>
>>>>>>>>>> Spn was created as instructed
>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>
>>>>>>>>>> keytab was created as instructed
>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>
>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>
>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>
>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>> times.
>>>>>>>>>>
>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
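Felix's two questions (is there a proxy in between, could the header be truncated) point at what actually reached Tomcat's acceptor rather than at the keytab, and the log supports that reading: the service principal's own login succeeds ("Commit Succeeded", a TGT for HTTP/win-tc01.kerbtest.local is found) and the failure is raised in GSSContextImpl.acceptSecContext while parsing the client's token. "GSSHeader did not find the right tag" means the decoded token did not begin with the ASN.1 APPLICATION 0 tag (0x60) that an RFC 2743 InitialContextToken must start with. Two common ways to get there are a token cut short in transit and a browser sending a raw NTLM message (it starts with "NTLMSSP\0") under the same "Negotiate" scheme when it has no usable Kerberos ticket for the host. The script below is an added diagnostic written for this thread, not code from Tomcat, the JDK or the original poster; feed it the value of the Authorization header as captured in the browser's Network tab. The sample header values in SAMPLE_HEADERS are constructed for the example, not captured traffic, and the NegTokenInit payload after the OID is a placeholder, since the classifier only inspects the outer header and mechanism OID.

```python
"""Classify what a client actually sent in an 'Authorization: Negotiate'
header, before a GSS-API acceptor sees it.

Added diagnostic for this thread, not code from Tomcat, the JDK or the
original poster.  The JDK's GSSHeader expects an InitialContextToken
(RFC 2743 section 3.1): ASN.1 APPLICATION 0 tag 0x60, a DER length, then
the mechanism OID.  Anything else is reported as "Defective token".  The
sample header values in SAMPLE_HEADERS are constructed for this example.
"""
import base64
import binascii

# Mechanism OIDs (DER-encoded, including the 0x06 tag) a well-formed token may carry.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant)
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # raw NTLM message, sent under the same scheme


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_header(header_value):
    """Return (verdict, detail) for the value of an HTTP Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", f"scheme is {scheme!r}"
    if not b64.strip():
        return "empty", "Negotiate scheme with no token"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except binascii.Error as exc:
        return "bad-base64", str(exc)
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm", "raw NTLMSSP message, not a GSS-API token"
    if not token:
        return "defective", "zero-length token"
    if token[0] != 0x60:
        return "defective", f"first byte 0x{token[0]:02x} is not the APPLICATION 0 tag (0x60)"
    parsed = _der_length(token, 1)
    if parsed is None:
        return "defective", "unparseable DER length after the tag"
    length, body = parsed
    if body + length > len(token):
        return "truncated", f"length field says {length} bytes, only {len(token) - body} follow"
    for name, oid in (("spnego", SPNEGO_OID), ("krb5", KRB5_OID), ("ms-krb5", MSKRB5_OID)):
        if token.startswith(oid, body):
            return name, f"GSS-API InitialContextToken, {length} bytes"
    return "unknown-mech", "APPLICATION 0 tag present but the mechanism OID is not recognised"


def _gss_token(mech_oid, inner):
    """Wrap mech_oid + inner in a 0x60 header; short-form length suffices below 128 bytes."""
    body = mech_oid + inner
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample headers; none of these are captured traffic.
SAMPLE_HEADERS = {
    "spnego_ok": "Negotiate " + base64.b64encode(_gss_token(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")).decode(),
    "ntlm_type1": "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode(),
    "truncated": "Negotiate " + base64.b64encode(_gss_token(KRB5_OID, b"\x01\x00" + bytes(20))[:16]).decode(),
    "garbage": "Negotiate YWJj",          # base64 of "abc": first byte is 0x61, not 0x60
    "basic": "Basic dXNlcjpwYXNz",         # a different scheme altogether
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        verdict, detail = classify_negotiate_header(value)
        print(f"{label:>10}: {verdict:<13} {detail}")
```

A "truncated" verdict is the case to chase through any proxy or load balancer in the path (header size limits are a usual culprit); an "ntlm" verdict means the browser never obtained or never used a Kerberos ticket for that host name, which sends you back to the trusted-URI settings and the klist output; "spnego" or "krb5" means the token was well-formed and the problem lies further in, for instance in the key the acceptor decrypts it with.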


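Felix suggests checking the keytab with kinit. The same check can be done offline by reading the file itself: the KeyTab debug lines in the log already show what the JDK found in it (realm kerbtest.local, components HTTP and win-tc01.kerbtest.local, entry length 78, key type 23), and note that the realm in the keytab is lowercase because the ktpass line at the top of the thread passed /princ with @kerbtest.local, while jaas.conf names the principal with @KERBTEST.LOCAL. The JDK still reported "Added key: 23version: 3" for the uppercase lookup, so this is not shown by the log to be the cause, but it is the kind of discrepancy a keytab dump makes visible, as is the use of RC4-HMAC (etype 23). The parser below is an added example written for this thread, not code from Tomcat, the JDK or the poster; it reads the MIT keytab layout (version 0x0502) that ktpass writes. The sample keytab it builds is constructed with an all-zero key and only reproduces the layout the log describes; run it with a path argument to dump a real file instead.

```python
"""Dump an MIT-format keytab (the layout ktpass writes) so that principal,
realm, kvno and encryption type can be checked offline, which is the
keytab check Felix suggests doing with kinit.

Added example for this thread, not code from Tomcat, the JDK or the
poster.  The sample keytab is constructed here with an all-zero key; it
only reproduces the layout the thread's KeyTab debug lines describe
(realm kerbtest.local, components HTTP / win-tc01.kerbtest.local, entry
length 78, key type 23).
"""
import struct
import datetime

ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
DEPRECATED_ETYPES = {1, 3, 23}


def _counted_string(buf, pos):
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry, in file order (keytab version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("entry runs past end of file")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        realm, p = _counted_string(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted_string(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        etype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = data[p:p + klen]
        p += klen
        vno = vno8
        if end - p >= 4:                   # optional 32-bit kvno (ktpass leaves it out)
            (vno32,) = struct.unpack_from(">I", data, p)
            vno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc),
            "kvno": vno,
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, f"etype-{etype}"),
            "key_len": len(key),
            "entry_len": size,
        })
        pos = end
    return entries


def keytab_warnings(entries, expected_principal):
    """Things a SPNEGO acceptor configured for expected_principal would care about."""
    warnings = []
    exp_name, _, exp_realm = expected_principal.partition("@")
    for e in entries:
        name, _, realm = e["principal"].partition("@")
        if name.lower() == exp_name.lower() and realm != exp_realm:
            warnings.append(f"{e['principal']}: realm {realm!r} is not {exp_realm!r} "
                            "(Kerberos realm names are case-sensitive, even where a lookup tolerates it)")
        if e["etype"] in DEPRECATED_ETYPES:
            warnings.append(f"{e['principal']}: {e['etype_name']} (etype {e['etype']}) is a deprecated cipher")
    if not any(e["principal"].lower() == expected_principal.lower() for e in entries):
        warnings.append(f"no entry for {expected_principal} at all")
    return warnings


def build_sample_keytab(realm=b"kerbtest.local", components=(b"HTTP", b"win-tc01.kerbtest.local"),
                        etype=23, key=bytes(16), kvno=3, timestamp=1427298000):
    """Constructed sample keytab with a single entry; the key is all zeros."""
    body = struct.pack(">HH", len(components), len(realm)) + realm
    for c in components:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, timestamp, kvno)      # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_keytab()
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e['principal']} kvno={e['kvno']} {e['etype_name']} "
              f"keylen={e['key_len']} entry={e['entry_len']} bytes")
    for w in keytab_warnings(entries, "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"):
        print("WARNING:", w)
```

The constructed entry comes out at exactly 78 bytes, matching the "entry length: 78; type: 23" line in the log, which is a useful sanity check that the layout assumed here is the one ktpass produced. The kvno printed should agree with the "Added key: 23version: 3" line; a keytab whose kvno lags behind the account's current key version (after a password reset, for example) is another way the acceptor ends up unable to decrypt an otherwise well-formed ticket.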