Java's version of kinit seems to report an issue?

C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
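
The quoted thread below asks whether the Negotiate headers could be truncated and ends in "GSSHeader did not find the right tag". As an added example (not part of the original mail, and not Tomcat or JDK code), this Python script decodes a Negotiate header value, compares the DER-declared length with the bytes actually received, and reports the outer tag and SPNEGO fields. The names `inspect_negotiate` and `read_tlv` are hypothetical; the first sample is the server response quoted in the thread, the other two are constructed.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (content bytes) mapped to readable names.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos V5 (1.2.840.48018.1.2.2)",
}
# negState values of a SPNEGO NegTokenResp (RFC 4178).
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete",
              2: "reject", 3: "request-mic"}


def read_tlv(buf, pos=0):
    """Return (tag, value_start, value_length) of the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated before tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        return tag, pos, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + n > len(buf):
        raise ValueError("bad or truncated length field")
    return tag, pos + n, int.from_bytes(buf[pos:pos + n], "big")


def _fields(buf, start, end):
    """Yield (tag, value) for each complete TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vlen = read_tlv(buf, pos)
        if vstart + vlen > end:
            raise ValueError("field runs past its container")
        yield tag, buf[vstart:vstart + vlen]
        pos = vstart + vlen


def inspect_negotiate(header_value):
    """Classify the token in an Authorization / WWW-Authenticate value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate"}
    b64 = "".join(b64.split())            # undo line wrapping
    if not b64:
        return {"kind": "empty-challenge"}   # bare "Negotiate" from the server
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "invalid-base64"}
    if raw.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm", "length": len(raw)}
    try:
        tag, start, length = read_tlv(raw)
    except ValueError:
        return {"kind": "malformed-der", "length": len(raw)}
    info = {"length": len(raw), "declared": start + length,
            "truncated": start + length > len(raw)}
    try:
        if tag == 0x60:
            # GSS-API initial context token: [APPLICATION 0] { mech OID, ... }
            info["kind"] = "initial-token"
            oid_tag, ostart, olen = read_tlv(raw, start)
            if oid_tag == 0x06 and ostart + olen <= len(raw):
                oid = raw[ostart:ostart + olen]
                info["mech"] = MECH_OIDS.get(oid, oid.hex())
        elif tag == 0xA1:
            # SPNEGO NegTokenResp: a later leg of the negotiation, which has
            # no 0x60 GSS header in front of it.
            info["kind"] = "neg-token-resp"
            if not info["truncated"]:
                seq_tag, sstart, slen = read_tlv(raw, start)
                if seq_tag != 0x30:
                    raise ValueError("NegTokenResp is not a SEQUENCE")
                for ctx, val in _fields(raw, sstart, sstart + slen):
                    _, istart, ilen = read_tlv(val)
                    inner = val[istart:istart + ilen]
                    if ctx == 0xA0:
                        info["neg_state"] = NEG_STATES.get(inner[0], "unknown")
                    elif ctx == 0xA1:
                        info["supported_mech"] = MECH_OIDS.get(inner, inner.hex())
                    elif ctx == 0xA2:
                        info["response_token_len"] = len(inner)
        else:
            info["kind"] = "unknown-tag-0x%02x" % tag
    except (ValueError, IndexError):
        info["parse_error"] = True
    return info


# Server response value quoted in the thread.
SERVER_CHALLENGE = "Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
# Constructed sample: minimal initial token carrying the SPNEGO OID.
_init = bytes.fromhex("600c06062b0601050502a0023000")
SAMPLE_INITIAL = "Negotiate " + base64.b64encode(_init).decode()
# Constructed sample: same token with its last 3 bytes cut off. The base64
# text still ends in "=", but the DER length no longer matches.
SAMPLE_CUT = "Negotiate " + base64.b64encode(_init[:-3]).decode()

if __name__ == "__main__":
    for h in (SERVER_CHALLENGE, SAMPLE_INITIAL, SAMPLE_CUT, "Negotiate"):
        print(inspect_negotiate(h))
```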

----------------------------------------
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 16:50:47 +0000
>
> It's possible I guess, although I would not expect that.
>
> The test is :-
>
> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>
> Firefox is not configured to use a proxy, it's all in VMware Workstation 10
> using the Vmnet01 virtual network.
>
> Firefox has three 401 responses with headers "Authorization" and 
> "WWW-Authenticate" :-
>
> 1 :- Response WWW-Authenticate: "Negotiate"
>
> 2 :- Request Authorization: "Negotiate [token omitted]"
>
> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>
> 3 :- Request Authorization: "Negotiate [base64 token omitted]"
>
> Response WWW-Authenticate: "Negotiate"
>
> I'm not sure how long they should be, but they all end "=" so expect not 
> truncated ?
>
> ----------------------------------------
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> From: felix.schumac...@internetallee.de
>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>> To: users@tomcat.apache.org
>>
>>
>>
>> On 25 March 2015 17:25:25 CET, David Marsh <dmars...@outlook.com> wrote:
>>>This is how the keytab was created :-
>>>
>>>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>/pass tc01pass
>>>
>>>The password is the correct password for the user tc01 associated with
>>>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>
>>>I managed to turn on some more logging around JAAS, see the error
>>>:- java.security.PrivilegedActionException: GSSException: Defective
>>>token detected
>> Do you talk directly to Tomcat, or is there any kind of proxy in between?
>> Could the header be truncated?
>>
>> Felix
>>>
>>>25-Mar-2015 15:46:22.131 INFO [main]
>>>org.apache.catalina.core.StandardService.startInternal Starting
>>>service Catalina
>>>25-Mar-2015 15:46:22.133 INFO [main]
>>>org.apache.catalina.core.StandardEngine.startInternal Starting
>>>Servlet Engine: Apache Tomcat/8.0.20
>>>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1]
>>>org.apache.catalina.startup.HostConfig.deployD
>>>irectory Deploying web application directory C:\Program Files\Apache
>>>Software Foundation\Tomcat 8.0\
>>>webapps\docs
>>>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1]
>>>org.apache.catalina.startup.HostConfig.deployD
>>>irectory Deployment of web application directory C:\Program
>>>Files\Apache Software Foundation\Tomcat
>>>8.0\webapps\docs has finished in 380 ms
>>>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1]
>>>org.apache.catalina.startup.HostConfig.deployD
>>>irectory Deploying web application directory C:\Program Files\Apache
>>>Software Foundation\Tomcat 8.0\
>>>webapps\manager
>>>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1]
>>>org.apache.catalina.authenticator.Authenticato
>>>rBase.startInternal No SingleSignOn Valve is present
>>>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1]
>>>org.apache.catalina.startup.HostConfig.deployD
>>>irectory Deployment of web application directory C:\Program
>>>Files\Apache Software Foundation\Tomcat
>>>8.0\webapps\manager has finished in 93 ms
>>>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1]
>>>org.apache.catalina.startup.HostConfig.deployD
>>>irectory Deploying web application directory C:\Program Files\Apache
>>>Software Foundation\Tomcat 8.0\
>>>webapps\ROOT
>>>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1]
>>>org.apache.catalina.startup.HostConfig.deployD
>>>irectory Deployment of web application directory C:\Program
>>>Files\Apache Software Foundation\Tomcat
>>>8.0\webapps\ROOT has finished in 59 ms
>>>25-Mar-2015 15:46:22.797 INFO [main]
>>>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>er ["http-nio-80"]
>>>25-Mar-2015 15:46:22.806 INFO [main]
>>>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>er ["ajp-nio-8009"]
>>>25-Mar-2015 15:46:22.808 INFO [main]
>>>org.apache.catalina.startup.Catalina.start Server startup in 72
>>>1 ms
>>>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Security checking request GET /manager/html
>>>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling hasUserDataPermission()
>>>25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>rmission User data constraint has no restrictions
>>>25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling authenticate()
>>>25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.authenticator.SpnegoAuthentic
>>>ator.authenticate No authorization header sent by client
>>>25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Failed authenticate() test
>>>25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Security checking request GET /manager/html
>>>25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling hasUserDataPermission()
>>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>rmission User data constraint has no restrictions
>>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling authenticate()
>>>Debug is true storeKey true useTicketCache false useKeyTab true
>>>doNotPrompt true ticketCache is nul
>>>l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config
>>>is false principal is HTTP/wi
>>>n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass
>>>is false storePass is false
>>>clearPass is false
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 78; type: 23
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>>8.0\conf\krb5.ini
>>>Loaded from Java config
>>>Added key: 23version: 3
>>>>>> KdcAccessibility: reset
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>164
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>timeout=30000,Attempt =1, #bytes=164
>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>KRBError:
>>>sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>suSec is 701709
>>>error code is 25
>>>error Message is Additional pre-authentication required
>>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>eData provided.
>>>msgType is 30
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>> KrbKdcReq send: #bytes read=100
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Will use keytab
>>>Commit Succeeded
>>>
>>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.spnego.SpNegoCredElement)
>>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.krb5.Krb5AcceptCredential)
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>>krbtgt/KERBTEST.LOCAL@KERBTEST
>>>.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>[Krb5LoginModule]: Entering logout
>>>[Krb5LoginModule]: logged out Subject
>>>25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Failed authenticate() test
>>>25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Security checking request GET /manager/html
>>>25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling hasUserDataPermission()
>>>25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>rmission User data constraint has no restrictions
>>>25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling authenticate()
>>>Debug is true storeKey true useTicketCache false useKeyTab true
>>>doNotPrompt true ticketCache is nul
>>>l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config
>>>is false principal is HTTP/wi
>>>n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass
>>>is false storePass is false
>>>clearPass is false
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>164
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>timeout=30000,Attempt =1, #bytes=164
>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>KRBError:
>>>sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>suSec is 935731
>>>error code is 25
>>>error Message is Additional pre-authentication required
>>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>eData provided.
>>>msgType is 30
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>> KrbKdcReq send: #bytes read=100
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Will use keytab
>>>Commit Succeeded
>>>
>>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.spnego.SpNegoCredElement)
>>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.krb5.Krb5AcceptCredential)
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>>krbtgt/KERBTEST.LOCAL@KERBTEST
>>>.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.SpnegoAuthentic
>>>ator.authenticate Unable to login as the service principal
>>>java.security.PrivilegedActionException: GSSException: Defective token
>>>detected (Mechanism level: G
>>>SSHeader did not find the right tag)
>>>at java.security.AccessController.doPrivileged(Native Method)
>>>at javax.security.auth.Subject.doAs(Subject.java:422)
>>>at
>>>org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
>>>va:243)
>>>at
>>>org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>at
>>>org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>at
>>>org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>at
>>>org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>
>>>at
>>>org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>at
>>>org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>at
>>>org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108
>>>6)
>>>at
>>>org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
>>>a:659)
>>>at
>>>org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto
>>>col.java:223)
>>>at
>>>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>at
>>>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>at
>>>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>at
>>>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>at
>>>org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>at java.lang.Thread.run(Thread.java:745)
>>>Caused by: GSSException: Defective token detected (Mechanism level:
>>>GSSHeader did not find the right
>>>tag)
>>>at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>at
>>>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>at
>>>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>at
>>>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>>>r.java:336)
>>>at
>>>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>>>r.java:323)
>>>... 18 more
>>>
>>>[Krb5LoginModule]: Entering logout
>>>[Krb5LoginModule]: logged out Subject
>>>25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Failed authenticate() test
>>>
>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>> From: felix.schumac...@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>
>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>
>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>
>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>
>>>>> Current LogonId is 0:0x2fd7a
>>>>>
>>>>> Cached Tickets: (2)
>>>>>
>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>> Kdc Called: 192.168.0.200
>>>>>
>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>> Cache Flags: 0
>>>>> Kdc Called: 192.168.0.200
>>>>>
>>>>> Looks like I was granted a ticket for the SPN
>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>
>>>>> If I have ticket why do I get 401 ?
>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>> by firefox for authentication. Firefox transmits
>>>> this service ticket to the server (as base64 encoded in the
>>>> WWW-Authenticate header).
>>>>
>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>> the user information. This is where your problems arise.
>>>> It looks like your server has trouble getting its own ticket.
>>>>
>>>> Are you sure that the password you used for keytab generation (on the
>>>> server side) is correct? ktpass will probably accept
>>>> any input as a password. Maybe you can check the keytab by using kinit
>>>> (though I don't know if it exists for Windows, or how
>>>> the Java one is used).
>>>>
>>>> Felix
>>>>
>>>>>
>>>>> ----------------------------------------
>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>> From: ma...@apache.org
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>> Hi Felix,
>>>>>>> Thanks for your help!
>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>>>> Windows service?
>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>> not as I can't see the site and get 401 HTTP status.
>>>>>>> I have not configured a Tomcat realm but I have put the test user in a
>>>>>>> manager-gui group in Active Directory.
>>>>>>
>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>>>> will handle those. It might be fine. It might not be.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>>> David
>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>> jaas.conf is :-
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>
>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>
>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>> Sorry, that's :-
>>>>>>>>>>>
>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>> Is it working with this configuration, or just to point out that you
>>>>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>>>>
>>>>>>>>>> Felix
>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>> From: dmars...@outlook.com
>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>
>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>
>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>
>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>>>
>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>
>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>
>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>
>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>> };
>>>>>>>>>>>>
>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>> };
>>>>>>>>>>>>
>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>
>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>
>>>>>>>>>>>> [realms]
>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>>> Directory.
>>>>>>>>>>>>
>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>
>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>
>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>
>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>
>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>
>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>
>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>>> times.
>>>>>>>>>>>>
>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
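Added example, not part of the thread and not Tomcat's own code: a small check that every JAAS login entry names the service principal of the Tomcat host, which is the mismatch between the first jaas.conf quoted above (win-dc01) and the SPN registered with setspn (win-tc01). The function names are hypothetical and the sample text is constructed from the configuration quoted in the thread.

```python
import re

# Constructed sample: the "accept" entry as first posted in this thread.
JAAS_FIRST = """
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
"""
# The corrected variant posted later names the Tomcat host instead.
JAAS_CORRECTED = JAAS_FIRST.replace("win-dc01", "win-tc01")

ENTRY = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)
OPTION = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

def parse_jaas(text):
    """Return {entry name: {option: value}} for each JAAS login entry."""
    entries = {}
    for name, body in ENTRY.findall(text):
        entries[name] = {k: quoted or bare for k, quoted, bare in OPTION.findall(body)}
    return entries

def normalise(principal):
    """Lower-case the host part only; service name and realm stay as written."""
    svc_host, _, realm = principal.partition("@")
    svc, _, host = svc_host.partition("/")
    return f"{svc}/{host.lower()}@{realm}"

def check_principal(text, server_fqdn, realm):
    """List (entry, found, expected) where principal != HTTP/<fqdn>@<realm>."""
    expected = f"HTTP/{server_fqdn.lower()}@{realm}"
    problems = []
    for name, opts in parse_jaas(text).items():
        found = opts.get("principal", "")
        if normalise(found) != expected:
            problems.append((name, found, expected))
    return problems

if __name__ == "__main__":
    for label, conf in (("first", JAAS_FIRST), ("corrected", JAAS_CORRECTED)):
        print(label, check_principal(conf, "win-tc01.kerbtest.local", "KERBTEST.LOCAL"))
```
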