On 3/25/2015 2:19 PM, André Warnier wrote:
David Marsh wrote:
Java's version of kinit seems to report an issue?

C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

That seems to indicate that between the Java Kerberos module in Tomcat and the KDC's Kerberos software there is a mismatch in the types of keys used (type of encryption), so they do not understand each other.
This may be relevant : https://community.igniterealtime.org/thread/49913

It is also a bit strange that it says :
only have keys of following type:
(with nothing behind the :.. )

From what I keep browsing on the WWW, it also seems that the types of key encryption that might match between Java Kerberos and Windows Kerberos depend on the versions of both Java and Windows Server.

Man, this thing is really a nightmare, isn't it ?
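As an added check (my code, not from the thread): a Python keytab reader that lists each entry's principal, kvno and enctype and compares them with the krb5.ini default_tkt_enctypes list, which is the comparison the kinit error above is about (rc4-hmac is enctype 23, the AES types are 18 and 17). The sample keytab is constructed inside the script to mirror the thread's SPN with a single RC4-HMAC key; its 78-byte entry matches the "KeyTab: load() entry length: 78; type: 23" line in the Tomcat trace further down.

```python
import struct

# Kerberos enctype numbers as they appear in Java's krb5 debug output
# ("Added key: 23", "default etypes ...: 23 18 17") and their krb5.ini names.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
ENCTYPE_IDS = {name: num for num, name in ENCTYPE_NAMES.items()}


def _counted(data, pos):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass writes) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno, if the writer added one
            vno32, = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key),
            "entry_len": size,             # what Java logs as "KeyTab: load() entry length"
        })
        pos = end
    return entries


def check_enctypes(entries, default_tkt_enctypes):
    """Compare the keytab's key types with a krb5.ini default_tkt_enctypes value.

    An empty 'usable' list is the condition behind the kinit error quoted above:
    no key of any configured type is available.
    """
    wanted = [ENCTYPE_IDS[n.strip()] for n in default_tkt_enctypes.split(",")]
    have = {e["enctype"] for e in entries}
    return {
        "have": sorted(have),
        "usable": [t for t in wanted if t in have],
        "missing": [t for t in wanted if t not in have],
    }


def _cstr(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(principal, enctype, key, kvno=3, timestamp=0):
    """Write a single-entry keytab (constructed test data, no 32-bit kvno trailer)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for comp in comps:
        body += _cstr(comp.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno)      # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + _cstr(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample mirroring the thread: one RC4-HMAC (23) key for the HTTP SPN.
# The key bytes are a dummy placeholder, not a real key.
SAMPLE_KEYTAB = build_keytab("HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL", 23, b"\x00" * 16)
KRB5_INI_ENCTYPES = "rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96"
```

To run it against a real file, pass `open("tomcat.keytab", "rb").read()` to `parse_keytab` and the value from your krb5.ini to `check_enctypes`.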



----------------------------------------
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +0000

It's possible, I guess, although I would not expect that.

The test is :-

Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy; it's all in VMware Workstation 10 using the Vmnet01 virtual network.

Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :-

1 :- Response WWW-Authenticate: "Negotiate"

2 :- Request Authorization: "Negotiate" (base64 token omitted)

Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3 :- Request Authorization: "Negotiate" (base64 token omitted)

Response WWW-Authenticate: "Negotiate"

I'm not sure how long they should be, but they all end with "=", so I expect they are not truncated?
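An added diagnostic (my code, not from the thread): a Python decoder for the base64 value after "Negotiate" in the headers above. It classifies a token by its first DER tag (0x60, a GSS-API initial token wrapping a NegTokenInit; 0xa1, a NegTokenResp continuation) and mirrors the byte check behind the "GSSHeader did not find the right tag" message in the Tomcat trace further down. It is applied to the short server token quoted above; the NegTokenInit and continuation tokens are constructed samples.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
# DER OID content bytes for the constructed samples: Kerberos V5, the legacy MS Kerberos OID, SPNEGO.
KRB5 = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"      # 1.2.840.113554.1.2.2
MS_KRB5 = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"   # 1.2.840.48018.1.2.2
SPNEGO = b"\x2b\x06\x01\x05\x05\x02"                 # 1.3.6.1.5.5.2

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode DER OID content bytes to dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def _fields(seq):
    """Yield (tag, value) for each element of a DER SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        yield tag, value

def classify_negotiate(header_value):
    """Describe the base64 token that follows 'Negotiate ' in an Authorization or 401 header."""
    token = base64.b64decode(header_value)
    tag = token[0]
    if tag == 0x60:                        # [APPLICATION 0]: GSS-API initial context token
        _, body, _ = _tlv(token, 0)
        _, oid_bytes, pos = _tlv(body, 0)
        mech = _oid(oid_bytes)
        if mech != SPNEGO_OID:
            return {"kind": "initial token", "mech": mech}
        _, init, _ = _tlv(body, pos)       # [0] NegTokenInit
        _, seq, _ = _tlv(init, 0)
        info = {"kind": "NegTokenInit"}
        for t, v in _fields(seq):
            if t == 0xA0:                  # mechTypes: the client's preference list
                _, lst, _ = _tlv(v, 0)
                info["mechTypes"] = [_oid(o) for _, o in _fields(lst)]
        return info
    if tag == 0xA1:                        # [1] NegTokenResp: a continuation, no GSS framing
        _, choice, _ = _tlv(token, 0)
        _, seq, _ = _tlv(choice, 0)
        info = {"kind": "NegTokenResp"}
        for t, v in _fields(seq):
            if t == 0xA0:                  # negState ENUMERATED
                info["negState"] = NEG_STATE.get(v[-1], v[-1])
            elif t == 0xA1:                # supportedMech OID
                info["supportedMech"] = _oid(_tlv(v, 0)[1])
            elif t == 0xA2:                # responseToken OCTET STRING carrying the mech token
                info["responseToken_first_byte"] = _tlv(v, 0)[1][0]
        return info
    return {"kind": "unknown first byte 0x%02x" % tag}

def gss_header_ok(header_value):
    """The check behind 'GSSHeader did not find the right tag': byte 0 must be 0x60."""
    return base64.b64decode(header_value)[:1] == b"\x60"

def _der(tag, content):
    """Minimal DER encoder (short and long length forms) for the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_neg_token_init(mech_oids):
    """Constructed NegTokenInit offering the given mechanisms, as a base64 header value."""
    mech_types = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    init = _der(0xA0, _der(0x30, _der(0xA0, mech_types)))
    return base64.b64encode(_der(0x60, _der(0x06, SPNEGO) + init)).decode()

def build_neg_token_resp(neg_state, mech_oid=b"", inner=b""):
    """Constructed NegTokenResp (negState, optional supportedMech and responseToken)."""
    fields = _der(0xA0, _der(0x0A, bytes([neg_state])))
    if mech_oid:
        fields += _der(0xA1, _der(0x06, mech_oid))
    if inner:
        fields += _der(0xA2, _der(0x04, inner))
    return base64.b64encode(_der(0xA1, _der(0x30, fields))).decode()

# The short server token quoted in the thread (the 401 after the second request).
SERVER_TOKEN = "oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
```

The server token above decodes to a NegTokenResp with negState accept-incomplete and supportedMech 1.2.840.113554.1.2.2 (Kerberos V5), so its first byte is 0xa1; a client token of that shape (a continuation rather than a fresh 0x60 initial token) is what the GSSHeader check in the trace rejects.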

----------------------------------------
Subject: RE: SPNEGO test configuration with Manager webapp
From: felix.schumac...@internetallee.de
Date: Wed, 25 Mar 2015 17:31:51 +0100
To: users@tomcat.apache.org



On 25 March 2015 17:25:25 CET, David Marsh <dmars...@outlook.com> wrote:
This is how the keytab was created :-

ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass

The password is the correct password for the user tc01 associated with the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local

I managed to turn on some more logging around JAAS, see the error :- java.security.PrivilegedActionException: GSSException: Defective token detected
Do you talk directly to Tomcat, or is there any kind of proxy in between?
Could the header be truncated?

Felix
25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): kerbtest.local
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): win-tc01.kerbtest.local
KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KdcAccessibility: remove win-dc01.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
suSec is 701709
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
KrbKdcReq send: #bytes read=100
KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
DEBUG: TCPClient reading 1475 bytes
KrbKdcReq send: #bytes read=1475
KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
KrbKdcReq send: #bytes read=185
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KdcAccessibility: remove win-dc01.kerbtest.local:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
suSec is 935731
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 16

Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
KrbKdcReq send: #bytes read=100
KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
DEBUG: TCPClient reading 1475 bytes
KrbKdcReq send: #bytes read=1475
KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
        ... 18 more

[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
Date: Wed, 25 Mar 2015 16:48:10 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp

On 25.03.2015 16:09, David Marsh wrote:
Put keytab in c:\keytab\tomcat.keytab, ensured owner was
tc01@KERTEST.LOCAL, still same symptoms.

Ran klist on client after firefox test and the three 401 responses :-
C:\Users\test.KERBTEST.000>klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0> Client: test @ KERBTEST.LOCAL
Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 3/25/2015 14:46:43 (local)
End Time: 3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: 192.168.0.200

#1> Client: test @ KERBTEST.LOCAL
Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/25/2015 14:51:21 (local)
End Time: 3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN
HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?

If I have ticket why do I get 401 ?
Your client has got a service ticket for HTTP/win-tc01... This is used by firefox for authentication. Firefox transmits this service ticket to the server (as base64 encoded in the WWW-Authenticate header).

Your server has to decrypt this ticket using its own ticket to get at the user information. This is where your problems arise. It looks like your server has trouble getting its own ticket.

Are you sure that the password you used for keytab generation (on the server side) is correct? ktpass will probably accept any input as a password. Maybe you can check the keytab by using kinit (though I don't know if it exists for windows, or how the java one is used).

Felix

----------------------------------------
Date: Tue, 24 Mar 2015 22:46:15 +0000
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks for your help!
I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat; not sure the settings get picked up by the windows service?
I do not think authentication completes, certainly authorization does not, as I can't see the site and get 401 http status.
I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.
I've only given your config a quick scan, but the thing that jumps out at me is spaces in some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.

Mark


David
Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:25, David Marsh wrote:
Everything is as described and still not working, except the
jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.
Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp

On 24.03.2015 at 21:05, David Marsh wrote:
Sorry, that's :-

principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or is it just to point out that you copied the wrong jaas.conf for the mail?

Felix
----------------------------------------
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +0000

I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local; they are logged in with domain logins.

The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website.

jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory.

I have tried to keep the setup as basic and vanilla to the instructions as possible.

Users were created as instructed.

SPN was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.

Looking at the Network tab in developer tools in firefox shows


Have you considered using Waffle?

    http://dblock.github.io/waffle/

I've used it successfully with Java7/Tomcat7 and configuration was very simple.

-Terence Bandoian


