Please don't respond to this email. I was able to figure out the issue. The
server hosting devexample.domain.com was using a canonicalized hostname.
This was throwing Tomcat off when reading over the token and keytab file. I
only wish there was a better way for this error to pick up on that.

On Fri, Feb 23, 2024 at 11:36 AM Thomas Delaney <tdelaney....@gmail.com>
wrote:

>
>
> Hi all,
>
> I have a Red Hat 9.2 server hosting a web application on 5 separate
> instances of Apache Tomcat. I have configured SPNEGO on instances 1, 2, 3 and
> 4. These instances are behind an Apache proxy load balancer on version
> 2.4.57. Instances 1, 2, and 3 are load balanced, while 4 and 5 are not. The
> application is hosted on Tomcat 9.0.54.
>
> Domain: domain.com
> Site: devexample.domain.com
>
> URL hit: https://devexample.domain.com/webclient_devex/exclient.jsp
>
> *I keep getting this when accessing the application on instance 5:*
> HTTP Status 500 – Internal Server Error
> Type Exception Report
>
> Message GSSException: Failure unspecified at GSS-API level (Mechanism
> level: Checksum failed)
> Description The server encountered an unexpected condition that prevented
> it from fulfilling the request.
> Exception
> javax.servlet.ServletException: GSSException: Failure unspecified at
> GSS-API level (Mechanism level: Checksum failed)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:287)
> Root Cause
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Checksum failed)
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>
> net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
>
> net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
> Root Cause
> KrbException: Checksum failed
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.EncryptedData.decrypt(Unknown Source)
> sun.security.krb5.KrbApReq.authenticate(Unknown Source)
> sun.security.krb5.KrbApReq.<init>(Unknown Source)
> sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>
> net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
>
> net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
> Root Cause
> java.security.GeneralSecurityException: Checksum failed
> sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
> sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
> sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
> Source)
> sun.security.krb5.EncryptedData.decrypt(Unknown Source)
> sun.security.krb5.KrbApReq.authenticate(Unknown Source)
> sun.security.krb5.KrbApReq.<init>(Unknown Source)
> sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
> sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
> sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
>
> net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
>
> net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
>
>
> In the catalina logs:
> Entered SpNegoContext.acceptSecContext with state=STATE_NEW
> SpNegoContext.acceptSecContext: receiving token = [hex dump omitted]
> SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
> SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
> SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
> SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
> SpNegoToken NegTokenInit: reading Mech Token
> SpNegoContext.acceptSecContext: received token of type = SPNEGO
> NegTokenInit
> SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
> SpNegoContext.acceptSecContext: negotiated mech adjusted to
> 1.2.840.48018.1.2.2
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Looking for keys for: HTTP/devexample.domain....@domain.com
> Added key: 18version: 4
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>
> ==> /usr/local/tomcat.base5/logs/catalina.2024-02-23.log <==
> 23-Feb-2024 11:13:14.539 SEVERE [ajp-nio-127.0.0.1-8509-exec-8]
> net.sourceforge.spnego.SpnegoHttpFilter.doFilter HTTP Authorization
> Header=Negotiate
>
> *Here is my setup:*
>
> Tomcat bin/lib directory exists in /usr/local/tomcat/
> Each instance lives in /usr/local/
> /usr/local/tomcat.base1/
> /usr/local/tomcat.base2/
> /usr/local/tomcat.base3/
> /usr/local/tomcat.base4/
> /usr/local/tomcat.base5/ --> Where there is an issue
>
>
> *SPNEGO Filter =====*
> /usr/local/tomcat.base5/conf/web.xml
>
> <filter>
> <filter-name>SpnegoHttpFilter_devexample</filter-name>
> <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
> <init-param>
>  <param-name>spnego.allow.delegation</param-name>
>  <param-value>true</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.allow.basic</param-name>
>  <param-value>true</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.allow.localhost</param-name>
>  <param-value>true</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.allow.unsecure.basic</param-name>
>  <param-value>true</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.login.client.module</param-name>
>  <param-value>spnego-client_devexample</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.krb5.conf</param-name>
>  <param-value>/usr/local/tomcat/spnego.krb5.conf</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.login.conf</param-name>
>  <param-value>/usr/local/tomcat/login_devexample.conf</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.login.server.module</param-name>
>  <param-value>spnego-server_devexample</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.prompt.ntlm</param-name>
>  <param-value>true</param-value>
> </init-param>
> <init-param>
>  <param-name>spnego.logger.level</param-name>
>  <param-value>1</param-value>
> </init-param>
> </filter>
> <filter-mapping>
>  <filter-name>SpnegoHttpFilter_devexample</filter-name>
>  <url-pattern>*.jsp</url-pattern>
> </filter-mapping>
> <Connector port="8585" protocol="HTTP/1.1" connectionTimeout="2000"
> redirectPort="8443" maxHttpHeaderSize="1048576"/>
>
> *Server XML =====*
> /usr/local/tomcat.base5/conf/server.xml
> <Connector port="8085" protocol="HTTP/1.1"
> relaxedQueryChars="^{}[]|&quot;"
>                connectionTimeout="20000"
>                redirectPort="8443" />
>
>
>   <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8509" protocol="AJP/1.3" redirectPort="8509"
> address="127.0.0.1" secretRequired="" tomcatAuthentication="false"/>
>
> *Login Configuration =====*
> login_devexample.conf
>
>
> spnego-client_devexample {
> com.sun.security.auth.module.Krb5LoginModule required;
> };
> spnego-server_devexample {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> keyTab="/usr/local/tomcat/krb5.keytab"
> storeKey=true
> principal="HTTP/devexample.domain....@domain.com"
> isInitiator=false
> forwardable=true
> debug=true;
> };
>
> *KRB5.conf File =====*
>
> spnego.krb.conf
> [libdefaults]
>         default_realm = DOMAIN.COM
>         default_tkt_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
>         default_tgs_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
>         permitted_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
>         forwardable=true
> [realms]
>    DOMAIN.COM = {
>        kdc = example01.domain.com:88
>        default_domain = .domain.com
>    }
> [domain_realm]
>        .domain.com = DOMAIN.COM
>
> *Keytab was generated on AD domain Controller*
>
> DSADD user "cn=SA_EXDEV_SSO",cn=users,dc=DOMAIN,dc=COM" -pwd password
> -display SA_EXDEV_SSO -pwdneverexpires yes "SSO-EXAMPLE EXDEV SSO"
>
> Went into AD manager and assigned AES256 Bit Encryption on user and
> checked "Do not require pre-authentication" applied changes
>
> SETSPN -A HTTP/devexample.domain....@domain.com -ptype KRB5_NT_PRINCIPAL
> -mapuser SA_EXDEV_SSO -mapOp set -pass password -out C:\SSO\krb5.keytab
> -crypto AES256-SHA1 +DumpSalt
>
> Went into AD manager and selected "Trust this user for delegation
> (Kerberos)"
>
> I've looked all over the web for this error but it's not very clear as to
> how to resolve it. I've checked over the configuration too many times to
> count. Is there a solution to this or a tool to help me further figure out
> why this is occurring for my setup/configuration? The only comparison I've
> been able to make between this instance and the other instances is the log
> message "Added key: 18version: 4" but the other instances are using a
> different SPN and keytab file. Any help is greatly appreciated.
>
> Thanks,
>
> Tom
>
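
A service ticket names its service principal, etype and kvno in clear text, so a name mismatch like the canonicalized-hostname case in this thread can be read straight from the SPNEGO token and compared with the keytab principal. The Python below is an added example, not part of the thread or of the SPNEGO library; the host names, realm and function names are constructed, and it assumes the token carries a Kerberos AP-REQ (not NTLM).

```python
def tlv(buf, pos=0):  # one DER tag-length-value -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: n & 0x7F length bytes follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def items(buf):  # every TLV at one nesting level
    pos = 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        yield tag, val

def find_ticket(buf):
    for tag, val in items(buf):
        if tag == 0x61:                            # [APPLICATION 1] = Kerberos Ticket
            return val
        if tag & 0x20 or tag == 0x04:              # constructed, or OCTET STRING (mechToken)
            hit = find_ticket(val)
            if hit:
                return hit

def ticket_service(token):  # -> (service principal, etype, kvno), all unencrypted fields
    f = dict(items(tlv(find_ticket(token))[1]))    # Ticket fields keyed by context tag
    name = dict(items(tlv(f[0xA2])[1]))            # PrincipalName
    sname = "/".join(v.decode() for _, v in items(tlv(name[0xA1])[1]))
    enc = dict(items(tlv(f[0xA3])[1]))             # EncryptedData: etype, kvno, cipher
    num = lambda t: int.from_bytes(tlv(enc[t])[1], "big")
    return sname + "@" + tlv(f[0xA1])[1].decode(), num(0xA0), num(0xA1)

def der(tag, *parts):                              # DER encoder, only to build the sample
    body = b"".join(parts)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81 + (n > 0xFF)]) + n.to_bytes(1 + (n > 0xFF), "big")
    return bytes([tag]) + ln + body

def sample_token(host):                            # constructed token, dummy ciphertext
    i = lambda t, v: der(t, der(0x02, bytes([v])))
    gs = lambda s: der(0x1B, s.encode())
    sname = der(0xA2, der(0x30, i(0xA0, 2), der(0xA1, der(0x30, gs("HTTP"), gs(host)))))
    enc = der(0xA3, der(0x30, i(0xA0, 18), i(0xA1, 4), der(0xA2, der(0x04, bytes(96)))))
    tkt = der(0x61, der(0x30, i(0xA0, 5), der(0xA1, gs("EXAMPLE.TEST")), sname, enc))
    ap = der(0x6E, der(0x30, i(0xA0, 5), i(0xA1, 14), der(0xA3, tkt)))
    oid = bytes.fromhex("06092a864886f712010202")  # Kerberos 5 mechanism OID
    mech = der(0x04, der(0x60, oid, b"\x01\x00", ap))
    return der(0xA0, der(0x30, der(0xA0, der(0x30, oid)), der(0xA2, mech)))

def spn_mismatch(token, keytab_principal):
    spn, etype, kvno = ticket_service(token)
    return None if spn == keytab_principal else f"ticket is for {spn} (etype {etype}, kvno {kvno})"
```

On a live request the token is the base64 value that follows `Negotiate` in the Authorization header; decode it and pass the bytes to `spn_mismatch` together with the principal from the login configuration.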
