Thanks for the reply Michael,

I'm trying to achieve retrieving delegated credentials. I'm confused by the
debug output because I'm being told that authentication succeeded but no
indication of why I'm not receiving delegated credentials other than there
are none. I have looked over the delegation rules for the service account
and SPN multiple times. When you mentioned "S4U is tried, but not
configured for that account. Totally fine", what does that mean? Is there a
specific place on Tomcat or Windows I need to look for this?

What I'm expecting to see outputted: "Delegated Creds have pname=
tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
authtime=null starttime={date/timestamp} endtime={date/timestamp}"

P.S.
I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
instead of "SA_EX_SSO"

On Fri, May 3, 2024 at 8:26 AM Michael Osipov <micha...@apache.org> wrote:

> On 2024/05/02 19:20:59 Tom Delaney wrote:
> > Hi All,
> >
> > Sorry for the duplicate requests. The first one was accidentally flagged
> > for Google's new Confidential Mode which happened to be flagged.
> > I have a Red Hat 9.2 server hosting a web application on a single instance
> > of Apache Tomcat. This instance is behind an Apache HTTP Server on version
> > 2.4.57. The application is hosted on Tomcat 9.0.54.
> >
> > Domain: subdomain.domain.com
> > Site: devexample.domain.com
> >
> > URL hit: https://example.subdomain.domain.com/webclient/
> > <https://devexample.domain.com/webclient_devex/exclient.jsp>exclient.jsp
> >
> > *I keep getting this in the Tomcat Logs when accessing the application:*
> > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
>
> You should first try to describe what you are trying to achieve and not
> what the debug output is. The debug message comes from:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> The message is obviously caused by this call:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
>
> S4U is tried, but not configured for that account. Totally fine.
>
> BTW: The filter you use isn't from us.
>
> M