With the correct keytab and krb5.ini I can get kinit to pass...
Still cannot get SPNEGO in tomcat to work, have the same 401 three times.

C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Kinit using keytab
>>> Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: c:\windows\krb5.ini
Loaded from Java config
>>> Kinit realm name is KERBTEST.LOCAL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for win-tc01 are:

win-tc01/192.168.0.3
IPv4 address

win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
IPv6 address

win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
IPv6 address

win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 1
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 3
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 94; type: 18
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=272
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=272
>>> KrbKdcReq send: #bytes read=213
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Thu Mar 26 00:10:28 GMT 2015 1427328628000
suSec is 635591
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=359
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=359
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=359
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=359
>>>DEBUG: TCPClient reading 1653 bytes
>>> KrbKdcReq send: #bytes read=1653
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
New ticket is stored in cache file C:\Users\tc01.KERBTEST\krb5cc_tc01
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 22:26:22 +0000
>
> Turns out to use the Java kinit I need a krb5.conf inside the jdk/jre
> lib/security folder.
>
> Now I get :-
>
>
> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>> Kinit using keytab
> >>> Kinit keytab file name: c:\keytab\tomcat.keytab
> Java config name: null
> LSA: Found Ticket
> LSA: Made NewWeakGlobalRef
> LSA: Found PrincipalName
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue
> LSA: Made NewWeakGlobalRef
> LSA: Found EncryptionKey
> LSA: Made NewWeakGlobalRef
> LSA: Found TicketFlags
> LSA: Made NewWeakGlobalRef
> LSA: Found KerberosTime
> LSA: Made NewWeakGlobalRef
> LSA: Found String
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue constructor
> LSA: Found Ticket constructor
> LSA: Found PrincipalName constructor
> LSA: Found EncryptionKey constructor
> LSA: Found TicketFlags constructor
> LSA: Found KerberosTime constructor
> LSA: Finished OnLoad processing
> Native config name: C:\Windows\krb5.ini
> Loaded from native config
> >>> Kinit realm name is KERBTEST.LOCAL
> >>> Creating KrbAsReq
> >>> KrbKdcReq local addresses for win-tc01 are:
>
> win-tc01/192.168.0.3
> IPv4 address
>
> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> IPv6 address
> >>> KdcAccessibility: reset
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 1
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 3
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 23
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 94; type: 18
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 17
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=216
> >>> KrbKdcReq send: #bytes read=100
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
> suSec is 681217
> error code is 6
> error Message is Client not found in Kerberos database
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> msgType is 30
> Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
> KrbException: Client not found in Kerberos database (6)
> at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
> ... 5 more
>
>
> ----------------------------------------
> > From: dmars...@outlook.com
> > To: users@tomcat.apache.org
> > Subject: RE: SPNEGO test configuration with Manager webapp
> > Date: Wed, 25 Mar 2015 21:19:30 +0000
> >
> >
> >
> >
> > Thanks for all the help guys, I managed to find the correct way to call
> > kinit for Java on windows :-
> >
> > I get the following :-
> >
> > C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pass
> > >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> > Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > >>> Kinit using keytab
> > >>> Kinit keytab file name: c:\keytab\tomcat.keytab
> > Java config name: null
> > LSA: Found Ticket
> > LSA: Made NewWeakGlobalRef
> > LSA: Found PrincipalName
> > LSA: Made NewWeakGlobalRef
> > LSA: Found DerValue
> > LSA: Made NewWeakGlobalRef
> > LSA: Found EncryptionKey
> > LSA: Made NewWeakGlobalRef
> > LSA: Found TicketFlags
> > LSA: Made NewWeakGlobalRef
> > LSA: Found KerberosTime
> > LSA: Made NewWeakGlobalRef
> > LSA: Found String
> > LSA: Made NewWeakGlobalRef
> > LSA: Found DerValue constructor
> > LSA: Found Ticket constructor
> > LSA: Found PrincipalName constructor
> > LSA: Found EncryptionKey constructor
> > LSA: Found TicketFlags constructor
> > LSA: Found KerberosTime constructor
> > LSA: Finished OnLoad processing
> > Native config name: C:\Windows\krb5.ini
> > Loaded from native config
> > >>> Kinit realm name is KERBTEST.LOCAL
> > >>> Creating KrbAsReq
> > >>> KrbKdcReq local addresses for win-tc01 are:
> >
> > win-tc01/192.168.0.3
> > IPv4 address
> >
> > win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> > IPv6 address
> > >>> KdcAccessibility: reset
> > >>> KeyTabInputStream, readName(): kerbtest.local
> > >>> KeyTabInputStream, readName(): HTTP
> > >>> KeyTabInputStream, readName(): win-tc01.k  erbtest.local
> > >>> KeyTab: load() entry length: 70; type: 1
> > >>> KeyTabInputStream, readName(): kerbtest.local
> > >>> KeyTabInputStream, readName(): HTTP
> > >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> > >>> KeyTab: load() entry length: 70; type: 3
> > >>> KeyTabInputStream, readName(): kerbtest.local
> > >>> KeyTabInputStream, readName(): HTTP
> > >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> > >>> KeyTab: load() entry length: 78; type: 23
> > >>> KeyTabInputStream, readName(): kerbtest.local
> > >>> KeyTabInputStream, readName(): HTTP
> > >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> > >>> KeyTab: load() entry length: 94; type: 18
> > >>> KeyTabInputStream, readName(): kerbtest.local
> > >>> KeyTabInputStream, readName(): HTTP
> > >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> > >>> KeyTab: load() entry length: 78; type: 17
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > default etypes for default_tkt_enctypes: 23 18 17.
> > >>> KrbAsReq creating message
> > >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
> > >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=216
> > >>> KrbKdcReq send: #bytes read=213
> > >>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> > >>>Pre-Authentication Data:
> > PA-DATA type = 2
> > PA-ENC-TIMESTAMP
> > >>>Pre-Authentication Data:
> > PA-DATA type = 16
> >
> > >>>Pre-Authentication Data:
> > PA-DATA type = 15
> >
> > >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> > >>> KDCRep: init() encoding tag is 126 req type is 11
> > >>>KRBError:
> > sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
> > suSec is 382562
> > error code is 25
> > error Message is Additional pre-authentication required
> > sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> > eData provided.
> > msgType is 30
> > >>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> > >>>Pre-Authentication Data:
> > PA-DATA type = 2
> > PA-ENC-TIMESTAMP
> > >>>Pre-Authentication Data:
> > PA-DATA type = 16
> >
> > >>>Pre-Authentication Data:
> > PA-DATA type = 15
> >
> > KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> > default etypes for default_tkt_enctypes: 23 18 17.
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > default etypes for default_tkt_enctypes: 23 18 17.
> > >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> > >>> KrbAsReq creating message
> > >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=305
> > >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=305
> > >>> KrbKdcReq send: #bytes read=180
> > >>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> > >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> > >>> KDCRep: init() encoding tag is 126 req type is 11
> > >>>KRBError:
> > sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
> > suSec is 600802
> > error code is 24
> > error Message is Pre-authentication information was invalid
> > sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> > eData provided.
> > msgType is 30
> > >>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> > Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
> > KrbException: Pre-authentication information was invalid (24)
> > at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
> > at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
> > at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
> > at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
> > at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
> > Caused by: KrbException: Identifier doesn't match expected value (906)
> > at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> > at sun.security.krb5.internal.ASRep.init(Unknown Source)
> > at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
> > ... 5 more
> >
> >
> >
> >> Date: Wed, 25 Mar 2015 22:00:13 +0100
> >> From: a...@ice-sa.com
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> Felix Schumacher wrote:
> >>> On 25.03.2015 at 20:19, André Warnier wrote:
> >>>> David Marsh wrote:
> >>>>> Javas version of kinit seems to report issue ?
> >>>>>
> >>>>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
> >>>>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
> >>>>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
> >>>>> at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
> >>>>> at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
> >>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
> >>>>> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
> >>>>> at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
> >>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
> >>>>
> >>>> That seems to indicate that between the Java Kerberos module in
> >>>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the
> >>>> types of keys used (type of encryption), so they do not understand
> >>>> each other.
> >>>> This may be relevant : https://community.igniterealtime.org/thread/49913
> >>>>
> >>>> It is also a bit strange that it says :
> >>>> only have keys of following type:
> >>>> (with nothing behind the :.. )
> >>>>
> >>>> From what I keep browsing on the WWW, it also seems that the types of
> >>>> key encryptions that might match between Java Kerberos and Windows
> >>>> Kerberos, depend on the versions of both Java and Windows Server..
> >>>>
> >>> +1 (read your answer too late, I found the same link and posted it :)
> >>>> Man, this thing is really a nightmare, isn't it ?
> >>> I especially like the error messages.
> >>>
> >>
> >> Yes, and the thing is : there are a lot of pages on the www that describe the "correct" procedure, step by step, some even with screenshots etc..
> >> But they always leave something out, and you don't know what they left out..
> >>
> >>
> >>> Felix
> >>>>
> >>>>
> >>>>>
> >>>>> ----------------------------------------
> >>>>>> From: dmars...@outlook.com
> >>>>>> To: users@tomcat.apache.org
> >>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
> >>>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
> >>>>>>
> >>>>>> It's possible I guess, although I would not expect that.
> >>>>>>
> >>>>>> The test is :-
> >>>>>>
> >>>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
> >>>>>>
> >>>>>> Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.
> >>>>>>
> >>>>>> Firefox has three 401 responses with headers "Authorization" and
> >>>>>> "WWW-Authenticate" :-
> >>>>>>
> >>>>>> 1 :- Response WWW-Authenticate: "Negotiate"
> >>>>>>
> >>>>>> 2 :- Request Authorization: "Negotiate [...]HVkmmuJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4="
> >>>>>>
> >>>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
> >>>>>>
> >>>>>> 3 :- Request Authorization: "Negotiate oYIGGTCCBhWgAwoBAaKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACAAAACjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkco[...]m+qhPF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E="
> >>>>>>
> >>>>>> Response WWW-Authenticate: "Negotiate"
> >>>>>>
> >>>>>> I'm not sure how long they should be, but they all end "=" so expect not truncated ?
> >>>>>>
> >>>>>> ----------------------------------------
> >>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
> >>>>>>> From: felix.schumac...@internetallee.de
> >>>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On 25 March 2015 17:25:25 CET, David Marsh <dmars...@outlook.com> wrote:
> >>>>>>>> This is how the keytab was created :-
> >>>>>>>>
> >>>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
> >>>>>>>>
> >>>>>>>> The password is the correct password for the user tc01 associated with the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
> >>>>>>>>
> >>>>>>>> I managed to turn on some more logging around JAAS, see the error :-
> >>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected
> >>>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in
> >>>>>>> between?
> >>>>>>> Could the header be truncated?
> >>>>>>>
> >>>>>>> Felix
> >>>>>>>> 25-Mar-2015 15:46:22.131 INFO [main]
> >>>>>>>> org.apache.catalina.core.StandardService.startInternal Starting
> >>>>>>>> service Catalina
> >>>>>>>> 25-Mar-2015 15:46:22.133 INFO [main]
> >>>>>>>> org.apache.catalina.core.StandardEngine.startInternal Starting
> >>>>>>>> Servlet Engine: Apache Tomcat/8.0.20
> >>>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1]
> >>>>>>>> org.apache.catalina.startup.HostConfig.deployD
> >>>>>>>> irectory Deploying web application directory C:\Program Files\Apache
> >>>>>>>> Software Foundation\Tomcat 8.0\
> >>>>>>>> webapps\docs
> >>>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1]
> >>>>>>>> org.apache.catalina.startup.HostConfig.deployD
> >>>>>>>> irectory Deployment of web application directory C:\Program
> >>>>>>>> Files\Apache Software Foundation\Tomcat
> >>>>>>>> 8.0\webapps\docs has finished in 380 ms
> >>>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1]
> >>>>>>>> org.apache.catalina.startup.HostConfig.deployD
> >>>>>>>> irectory Deploying web application directory C:\Program Files\Apache
> >>>>>>>> Software Foundation\Tomcat 8.0\
> >>>>>>>> webapps\manager
> >>>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1]
> >>>>>>>> org.apache.catalina.authenticator.Authenticato
> >>>>>>>> rBase.startInternal No SingleSignOn Valve is present
> >>>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1]
> >>>>>>>> org.apache.catalina.startup.HostConfig.deployD
> >>>>>>>> irectory Deployment of web application directory C:\Program
> >>>>>>>> Files\Apache Software Foundation\Tomcat
> >>>>>>>> 8.0\webapps\manager has finished in 93 ms
> >>>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1]
> >>>>>>>> org.apache.catalina.startup.HostConfig.deployD
> >>>>>>>> irectory Deploying web application directory C:\Program Files\Apache
> >>>>>>>> Software Foundation\Tomcat 8.0\
> >>>>>>>> webapps\ROOT
> >>>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1]
> >>>>>>>> org.apache.catalina.startup.HostConfig.deployD
> >>>>>>>> irectory Deployment of web application directory C:\Program
> >>>>>>>> Files\Apache Software Foundation\Tomcat
> >>>>>>>> 8.0\webapps\ROOT has finished in 59 ms
> >>>>>>>> 25-Mar-2015 15:46:22.797 INFO [main]
> >>>>>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
> >>>>>>>> er ["http-nio-80"]
> >>>>>>>> 25-Mar-2015 15:46:22.806 INFO [main]
> >>>>>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
> >>>>>>>> er ["ajp-nio-8009"]
> >>>>>>>> 25-Mar-2015 15:46:22.808 INFO [main]
> >>>>>>>> org.apache.catalina.startup.Catalina.start Server startup in 72
> >>>>>>>> 1 ms
> >>>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
> >>>>>>>> se.invoke Security checking request GET /manager/html
> >>>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
> >>>>>>>> against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
> >>>>>>>> interface]' against GET /html --> fal
> >>>>>>>> se
> >>>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
> >>>>>>>> interface (for scripts)]' against
> >>>>>>>> GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
> >>>>>>>> interface (for humans)]' against G
> >>>>>>>> ET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
> >>>>>>>> against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
> >>>>>>>> interface]' against GET /html --> fal
> >>>>>>>> se
> >>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
> >>>>>>>> interface (for scripts)]' against
> >>>>>>>> GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
> >>>>>>>> interface (for humans)]' against G
> >>>>>>>> ET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
> >>>>>>>> se.invoke Calling hasUserDataPermission()
> >>>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.realm.RealmBase.hasUserDataPe
> >>>>>>>> rmission User data constraint has no restrictions
> >>>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
> >>>>>>>> se.invoke Calling authenticate()
> >>>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.authenticator.SpnegoAuthentic
> >>>>>>>> ator.authenticate No authorization header sent by client
> >>>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1]
> >>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
> >>>>>>>> se.invoke Failed authenticate() test
> >>>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2]
> >>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
> >>>>>>>> se.invoke Security checking request GET /manager/html
> >>>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
> >>>>>>>> against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2]
> >>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
> >>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
> >>>>>>>> interface]' against GET /html --> fal
> >>>>>>>> se
> >>>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
> >>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
> >>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
> >>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> >>>>>>>>>>> KeyTabInputStream, readName(): kerbtest.local
> >>>>>>>>>>> KeyTabInputStream, readName(): HTTP
> >>>>>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>>>>>>>>>> KeyTab: load() entry length: 78; type: 23
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat
> >>>>>>>> 8.0\conf\krb5.ini
> >>>>>>>> Loaded from Java config
> >>>>>>>> Added key: 23version: 3
> >>>>>>>>>>> KdcAccessibility: reset
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
> >>>>>>>>>>> KrbKdcReq send: #bytes read=185
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>>>>>>>> KRBError:
> >>>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
> >>>>>>>> suSec is 701709
> >>>>>>>> error code is 25
> >>>>>>>> error Message is Additional pre-authentication required
> >>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> >>>>>>>> eData provided.
> >>>>>>>> msgType is 30
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> KrbKdcReq send: #bytes read=100
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
> >>>>>>>>>>> KrbKdcReq send: #bytes read=1475
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
> >>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Will use keytab
> >>>>>>>> Commit Succeeded
> >>>>>>>>
> >>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
> >>>>>>>> sun.security.jgss.spnego.SpNegoCredElement)
> >>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
> >>>>>>>> sun.security.jgss.krb5.Krb5AcceptCredential)
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
> >>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
> >>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
> >>>>>>>> [Krb5LoginModule]: Entering logout
> >>>>>>>> [Krb5LoginModule]: logged out Subject
> >>>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
> >>>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
> >>>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
> >>>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
> >>>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
> >>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
> >>>>>>>>>>> KrbKdcReq send: #bytes read=185
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>>>>>>>> KRBError:
> >>>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
> >>>>>>>> suSec is 935731
> >>>>>>>> error code is 25
> >>>>>>>> error Message is Additional pre-authentication required
> >>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> >>>>>>>> eData provided.
> >>>>>>>> msgType is 30
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> KrbKdcReq send: #bytes read=100
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
> >>>>>>>>>>> KrbKdcReq send: #bytes read=1475
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
> >>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Will use keytab
> >>>>>>>> Commit Succeeded
> >>>>>>>>
> >>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
> >>>>>>>> sun.security.jgss.spnego.SpNegoCredElement)
> >>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
> >>>>>>>> sun.security.jgss.krb5.Krb5AcceptCredential)
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
> >>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
> >>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
> >>>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
> >>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> >>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
> >>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
> >>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
> >>>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
> >>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
> >>>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
> >>>>>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
> >>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> >>>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
> >>>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
> >>>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
> >>>>>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
> >>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
> >>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
> >>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >>>>>>>> at java.lang.Thread.run(Thread.java:745)
> >>>>>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> >>>>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
> >>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
> >>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> >>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
> >>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
> >>>>>>>> ... 18 more
> >>>>>>>>
> >>>>>>>> [Krb5LoginModule]: Entering logout
> >>>>>>>> [Krb5LoginModule]: logged out Subject
> >>>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
> >>>>>>>>
> >>>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
> >>>>>>>>> From: felix.schumac...@internetallee.de
> >>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
> >>>>>>>>>
> >>>>>>>>> Am 25.03.2015 16:09, schrieb David Marsh:
> >>>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
> >>>>>>>>>> tc01@KERBTEST.LOCAL, still same symptoms.
> >>>>>>>>>>
> >>>>>>>>>> Ran klist on client after firefox test and the three 401 responses :-
> >>>>>>>>>> C:\Users\test.KERBTEST.000>klist
> >>>>>>>>>>
> >>>>>>>>>> Current LogonId is 0:0x2fd7a
> >>>>>>>>>>
> >>>>>>>>>> Cached Tickets: (2)
> >>>>>>>>>>
> >>>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
> >>>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
> >>>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> >>>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
> >>>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
> >>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
> >>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
> >>>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
> >>>>>>>>>> Cache Flags: 0x1 -> PRIMARY
> >>>>>>>>>> Kdc Called: 192.168.0.200
> >>>>>>>>>>
> >>>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
> >>>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
> >>>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >>>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
> >>>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
> >>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
> >>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
> >>>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
> >>>>>>>>>> Cache Flags: 0
> >>>>>>>>>> Kdc Called: 192.168.0.200
> >>>>>>>>>>
> >>>>>>>>>> Looks like I was granted a ticket for the SPN
> >>>>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
> >>>>>>>>>>
> >>>>>>>>>> If I have ticket why do I get 401 ?
> >>>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
> >>>>>>>>> by firefox for authentication. Firefox transmits
> >>>>>>>>> this service ticket to the server (as base64 encoded in the
> >>>>>>>>> WWW-Authenticate header).
> >>>>>>>>>
> >>>>>>>>> Your server has to decrypt this ticket using its own ticket to
> >>>>>>>>> get at
> >>>>>>>>> the user information. This is where your problems arise.
> >>>>>>>>> It looks like your server has trouble to get its own ticket.
> >>>>>>>>>
> >>>>>>>>> Are you sure that the password you used for keytab generation (on the
> >>>>>>>>> server side) is correct? ktpass will probably accept any input as a
> >>>>>>>>> password. Maybe you can check the keytab by using kinit (though I
> >>>>>>>>> don't know if it exists for Windows, or how the Java one is used).
> >>>>>>>>>
> >>>>>>>>> Felix
> >>>>>>>>>
> >>>>>>>>>> ----------------------------------------
> >>>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
> >>>>>>>>>>> From: ma...@apache.org
> >>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>
> >>>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
> >>>>>>>>>>>> Hi Felix,
> >>>>>>>>>>>> Thanks for your help!
> >>>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
> >>>>>>>>>>>> startup.bat and also added the same definitions to the Java
> >>>>>>>>>>>> parameters in the Configure Tomcat tool. I definitely got more
> >>>>>>>>>>>> information when using startup.bat, not sure the settings get
> >>>>>>>>>>>> picked up by the Windows service?
> >>>>>>>>>>>> I do not think authentication completes, certainly authorization
> >>>>>>>>>>>> does not as I can't see the site and get 401 http status.
> >>>>>>>>>>>> I have not configured a tomcat realm but I have put the test user
> >>>>>>>>>>>> in a manager-gui group in Active Directory.
> >>>>>>>>>>> I've only given your config a quick scan, but the thing that jumps
> >>>>>>>>>>> out at me is spaces in some of the paths. I'm not sure how well
> >>>>>>>>>>> krb5.ini will handle those. It might be fine. It might not be.
> >>>>>>>>>>>
> >>>>>>>>>>> Mark
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>> David
> >>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
> >>>>>>>>>>>>> From: felix.schumac...@internetallee.de
> >>>>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
> >>>>>>>>>>>>>> Everything is as described and still not working, except the
> >>>>>>>>>>>>>> jaas.conf is :-
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
> >>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>>     doNotPrompt=true
> >>>>>>>>>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>     useKeyTab=true
> >>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>>     storeKey=true;
> >>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
> >>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>>     doNotPrompt=true
> >>>>>>>>>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>     useKeyTab=true
> >>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>>     storeKey=true;
> >>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
> >>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >>>>>>>>>>>>>>> From: felix.schumac...@internetallee.de
> >>>>>>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
> >>>>>>>>>>>>>>>> Sorry, that's :-
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
> >>>>>>>>>>>>>>> Is it working with this configuration, or just to point out that
> >>>>>>>>>>>>>>> you copied the wrong jaas.conf for the mail?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Felix
> >>>>>>>>>>>>>>>> ----------------------------------------
> >>>>>>>>>>>>>>>>> From: dmars...@outlook.com
> >>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
> >>>>>>>>>>>>>>>>> I've created three Windows VMs :-
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
> >>>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
> >>>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
> >>>>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain
> >>>>>>>>>>>>>>>>> logins.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> jaas.conf
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
> >>>>>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>>>>>     doNotPrompt=true
> >>>>>>>>>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>>>>     useKeyTab=true
> >>>>>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>>>>>     storeKey=true;
> >>>>>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
> >>>>>>>>>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>>>>>     doNotPrompt=true
> >>>>>>>>>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>>>>     useKeyTab=true
> >>>>>>>>>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>>>>>     storeKey=true;
> >>>>>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> krb5.ini
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> [libdefaults]
> >>>>>>>>>>>>>>>>>     default_realm = KERBTEST.LOCAL
> >>>>>>>>>>>>>>>>>     default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
> >>>>>>>>>>>>>>>>>     default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>>>>>>>>>>>>>>>     default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>>>>>>>>>>>>>>>     forwardable = true
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> [realms]
> >>>>>>>>>>>>>>>>>     KERBTEST.LOCAL = {
> >>>>>>>>>>>>>>>>>         kdc = win-dc01.kerbtest.local:88
> >>>>>>>>>>>>>>>>>     }
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
> >>>>>>>>>>>>>>>>> Directory.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
> >>>>>>>>>>>>>>>>> instructions as possible.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Users were created as instructed.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> SPN was created as instructed
> >>>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> keytab was created as instructed
> >>>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
> >>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
> >>>>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
> >>>>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
> >>>>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
> >>>>>>>>>>>>>>>>> tc01@kerbtest.local account.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
> >>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
> >>>>>>>>>>>>>>>>> times.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
> >>>>>>>
> >>>>>>> ---------------------------------------------------------------------
> >>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
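Editor's note on the trace quoted above. The stack ends in sun.security.jgss.GSSHeader.<init> with "GSSHeader did not find the right tag". That constructor only accepts a token whose first byte is the GSS-API InitialContextToken tag 0x60 (RFC 2743, section 3.1) followed by the mechanism OID, so the exception means the bytes the browser placed in its Authorization: Negotiate header were not a GSS-API token at all. A frequent case on Windows clients is an NTLMSSP message sent under the Negotiate scheme, which the JDK's JGSS acceptor cannot consume; the thread never shows the header, so for this lab that is a hypothesis to test, not a finding. The script below is an added example, not code from the thread or from Tomcat: it base64-decodes a Negotiate header value and reports whether it carries SPNEGO, raw Kerberos 5, NTLMSSP, or something else. The sample header values in it are constructed for illustration, not captured from the kerbtest.local lab.

```python
"""Triage the token in an HTTP "Authorization: Negotiate <base64>" header.

Added example, not code from the Tomcat thread or from Tomcat itself.
sun.security.jgss.GSSHeader only accepts a token whose first byte is the
GSS-API InitialContextToken tag 0x60 (RFC 2743 section 3.1) followed by the
mechanism OID; anything else raises "GSSHeader did not find the right tag".
This classifies what the client really sent so you know which side to debug.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4:
        raise ValueError("unsupported DER length encoding")
    if pos + 1 + count > len(buf):
        raise ValueError("truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def _decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends the current arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value):
    """Return {"kind": ..., "detail": ...} for a full Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return {"kind": "not-negotiate", "detail": scheme}
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        return {"kind": "bad-base64", "detail": str(exc)}
    if not token:
        return {"kind": "unknown", "detail": "empty token"}
    # NTLMSSP under the Negotiate scheme: JGSS cannot accept this at all.
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little")
        return {"kind": "ntlmssp", "detail": "NTLM message type %d" % msg_type}
    # GSS-API InitialContextToken: 0x60 <len> 0x06 <len> <OID> <inner token>.
    if token[0] != 0x60:
        return {"kind": "unknown", "detail": "first byte 0x%02x" % token[0]}
    try:
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER after GSS header")
        oid_len, pos = _der_length(token, pos + 1)
        oid = _decode_oid(token[pos:pos + oid_len])
    except (ValueError, IndexError) as exc:
        return {"kind": "malformed-gss", "detail": str(exc)}
    kind = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "gss-other-mech")
    return {"kind": kind, "detail": oid}


def _gss_token(oid_content, inner=b"\x00\x00\x00\x00"):
    """Build a minimal InitialContextToken (constructed sample, short-form lengths only)."""
    body = b"\x06" + bytes([len(oid_content)]) + oid_content + inner
    return b"\x60" + bytes([len(body)]) + body


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers; none is a capture from the thread's lab.
SAMPLE_SPNEGO = _header(_gss_token(bytes.fromhex("2b0601050502")))       # 1.3.6.1.5.5.2
SAMPLE_KRB5 = _header(_gss_token(bytes.fromhex("2a864886f712010202")))   # 1.2.840.113554.1.2.2
SAMPLE_NTLM = _header(NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 20)

if __name__ == "__main__":
    import sys
    for value in sys.argv[1:] or (SAMPLE_SPNEGO, SAMPLE_KRB5, SAMPLE_NTLM):
        print(classify_negotiate_token(value))
```

Usage: copy the Authorization header of the request that drew the last 401 from the browser's Network tab (the thread's author was already looking there) and pass it as the argument. A result of "ntlmssp" means the browser never presented the Kerberos service ticket that klist shows, so the keytab and krb5.ini on the Tomcat side are not the thing to keep debugging; "spnego" or "kerberos" means the token shape is fine and the failure is in the acceptor's keytab, principal or encryption types. An NTLM Type 1 token is recognisable by eye as well: its base64 starts with "TlRMTVNTUAAB".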