Hi Mark, Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but its not really my area expertise.
I'm a Java / Windows programmer so I should be able to understand it, but not kerberos or Active Directory expert. I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients. I made the IE settings you outlined but it seems to still prompt. IE has win-tc01.kerbtest.local as a trusted site. Enable Windows Integrated Authentication is on Auto logon only in Intranet Zone is on I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned. Active directory and krb5.ini are using eType 23 which is rc4-hmac The windows client OS and tomcat server OS has registry setting for allowtgtsessionkey set to 1 (enabled). Java kinit test works and stores a ticket in the Java session cache. So problem seems to be either :- 1. Browser sends bad token 2. Token is good but Oracle JDK 8 GSS-API cannot handle it many thanks David > Date: Thu, 26 Mar 2015 11:32:39 +0100 > From: a...@ice-sa.com > To: users@tomcat.apache.org > Subject: Re: SPNEGO test configuration with Manager webapp > > David Marsh wrote: >> Hi Mark, >> Thanks that would be great ! >> Do you have a good mechanism to test and ensure kerberos token is passed to >> tomcat and not NTLM token ? > > I believe that I can answer that. > > And the basic answer is no. > > First the basic principle, valid for this and many many other areas : the > server cannot > "impose" anything on the browser. The local user can always override anything > received > from the server, by a setting in the browser. And a hacker can of course do > anything. > All the server can do, is tell the browser what it will accept, and the > browser can tell > the server ditto. > So, never assume the opposite, and you will save yourself a lot of fruitless > searches and > dead-ends. > > Now more specific : > 1) For Kerberos to be used at all at the browser level, the server must send > a 401 > response with "Negociate" as the requested authentication method. Unless it > does that, > the browser will never even attempt to send a Kerberos "Authorization" back. > 2) for the browser to consider returning a Kerberos Authorization header to > the server, > additional conditions depend on the browser. > For IE : > a) the "enable Windows Integrated Authentication" setting must be on > (checked), whether > this is done locally by the user, or part of the standard IE settings > company-wide, or > imposed by some "network policy" at corporate level. > b) the server to which the browser is talking, must be known to IE as either > - part of the "Intranet" > - or at least a "trusted" server > That is defined in IE's "security zones" (which again can be local, or > corporation-wide). > > If condition (a) is not met, when the server sends a 401 "Negociate", IE will > fall back to > NTLM, always. And there is nothing you can do about that at the server level. > (Funnily enough, disabling the "enable Windows Integrated Authentication" at > the IE level, > has the effect of disabling Kerberos, but not NTLM). > > If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it > /might/ fall > back to Basic authentication, if its other settings allow that. That's when > you see the > browser popup login dialog; and in an SSO context, this is a sure sign that > something > isn't working as expected. > > Some authentication modules, at the server level, are able to adapt to what > the browser > sends, others not. I believe that Waffle can accept either browser NTLM or > Kerberos > authentication. Waffle works only on a Windows Tomcat server, not on a Linux > Tomcat server. > I do not know about the SPNEGO thing in Tomcat (from the name, it should). > The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but > it works > under both Windows and Linux. > > And finally, about your problems : it seems that you have fallen in a very > specific kind > of hell, because you are trying to talk to a Windows-based Kerberos KDC > (which is using > Windows Kerberos libraries and encryption method choices and hostname formats > etc..), from > a Java JVM-based "client" (in this case the Tomcat server, whatever its > underlying > platform is), which is using Java Kerberos libraries and encryption method > choices etc... > And it seems that between this Java Kerberos part and the Windows Kerberos > part, there > are a number of areas of mutual incomprehension (such as which key encryption > methods they > each implement, or which ones are the "default" ones for each). > > And I am sure that the issue can be resolved. But it is probably a question > of finding > out which among the 25 or more settings one can alter on each side, overlap > and either > agree or contradict eachother. > > One underlying issue is that, as well in corporations as on the WWW, the > "Windows people" > and the "Linux people" tend to be 2 separate groups. If you ask the "Windows > people" how > to set this up, they will tell you "just do this and it works" (assuming that > all the > moving parts are Windows-based); and if you ask the "Linux people", they will > tell you > "just do this and it works" (assuming that all the moving parts are > Linux-based). > And there are very few people (and web pages) which span both worlds with > their various > combinations. > > >> David >> >>> Date: Thu, 26 Mar 2015 09:00:22 +0000 >>> From: ma...@apache.org >>> To: users@tomcat.apache.org >>> Subject: Re: SPNEGO test configuration with Manager webapp >>> >>> On 26/03/2015 00:36, David Marsh wrote: >>>> Still getting :- >>>> java.security.PrivilegedActionException: GSSException: Defective token >>>> detected (Mechanism level: G >>>> SSHeader did not find the right tag) >>>> >>>> Folks here mention lack of NegoEx support or bugs in GSS-APi ? >>>> >>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1 >>>> >>>> Does Tomcat 8 work with NegoEx ? >>>> >>>> Is Windows 8.1 and Windows Server 2012 RC2 supported ? >>> My test environment is Windows 2008 R2 server and Windows 7. It is >>> certainly possibly security has been tightened between those versions >>> and 2012/R2 + 8 that means things don't work by default with Java. >>> >>> I'll see if I can find some time in the next few weeks to update my test >>> environment and do some more testing. >>> >>> Mark >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org >
