Posted to users@tomcat.apache.org by tantaryu <mi...@outlook.com> on 2014/10/14 05:32:10 UTC

Tomcat windows authentication domain login issue

I need some idea on what's wrong with my tomcat configuration for windows
authentication. I followed the tomcat windows authentication tutorial and
use the "manager" web application that comes with tomcat to do a poc. In my
web.xml I change <auth-method>BASIC</auth-method> to
<auth-method>SPNEGO</auth-method> and also change the auth-constraint to the
following:

<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>

This is my krb5.ini

[libdefaults]
default_realm = ACME
default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
ACME = {
        kdc = AD-Server:88
}
[domain_realm]
acme= ACME
.acme= ACME

This is my jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};

The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same.

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): acme
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): Client2
>>> KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Java config name: C:\tomcat\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
>>> KdcAccessibility: reset
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>>> KrbKdcReq send: #bytes read=538
>>> KdcAccessibility: remove AD-Server:88
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

I added this in my server.xml

<Realm className="org.apache.catalina.realm.LockOutRealm">
	<Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
</Realm>

When I tried login, it doesn't seem to recognize the valid credential. The
app keeps on asking me to enter a valid credential. What do I need to change
to make it work?



--
View this message in context: http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
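A keytab consistency check, added here as an example and not code from the thread or from Tomcat: it parses an MIT-format keytab, reading the same fields the JDK's Krb5LoginModule debug output in this thread reports ("KeyTabInputStream, readName(): ..." for the realm and name components, then "KeyTab: load() entry length: 52; type: 23"), and compares what it finds with the principal from jaas.conf and the enctype list from krb5.ini. The keytab bytes are constructed inside the block to match the layout those debug lines imply (realm "acme", HTTP/Client2, one rc4-hmac key); the key bytes are dummies.

```python
# Added example, not code from the thread: parse an MIT-format keytab and
# check it against the principal in jaas.conf and the enctypes in krb5.ini.
# The layout parsed here is the one the JDK debug lines in the thread walk
# through: realm, then name components, then "entry length: 52; type: 23".
import struct

# Enctype numbers behind the krb5.ini names used in the thread.
NAME_TO_ENCTYPE = {
    "rc4-hmac": 23,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
}


def _read_counted(buf, off):
    """Read a 16-bit length-prefixed string at buf[off]; return (str, new_off)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def _parse_entry(buf):
    """Decode one keytab entry body (file format version 0x0502, big-endian)."""
    (num_components,) = struct.unpack(">H", buf[0:2])
    realm, off = _read_counted(buf, 2)            # realm comes first
    components = []
    for _ in range(num_components):               # e.g. "HTTP", "Client2"
        comp, off = _read_counted(buf, off)
        components.append(comp)
    name_type, timestamp, vno8 = struct.unpack(">IIB", buf[off:off + 9])
    off += 9
    enctype, key_len = struct.unpack(">HH", buf[off:off + 4])
    off += 4 + key_len                            # skip the key bytes themselves
    kvno = vno8
    if off + 4 <= len(buf):                       # optional 32-bit kvno at the end
        (kvno32,) = struct.unpack(">I", buf[off:off + 4])
        kvno = kvno32 or vno8
    return {
        "principal": "/".join(components) + "@" + realm,
        "enctype": enctype,
        "kvno": kvno,
        "key_len": key_len,       # key material is deliberately not returned
        "entry_len": len(buf),
    }


def parse_keytab(data):
    """Return a list of entry dicts for keytab bytes; raise on bad input."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (entry_len,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if entry_len < 0:         # negative length marks a deleted slot
            pos += -entry_len
            continue
        if entry_len == 0:
            break
        entries.append(_parse_entry(data[pos:pos + entry_len]))
        pos += entry_len
    return entries


def check_keytab(entries, jaas_principal, tkt_enctypes):
    """Compare entries with the jaas.conf principal and krb5.ini enctype list."""
    findings = []
    hits = [e for e in entries if e["principal"].lower() == jaas_principal.lower()]
    if not hits:
        return ["no keytab entry matches %s" % jaas_principal]
    if all(e["principal"] != jaas_principal for e in hits):
        findings.append("name/realm case differs: keytab has %s, jaas.conf has %s"
                        % (hits[0]["principal"], jaas_principal))
    have = {e["enctype"] for e in hits}
    for name in [n.strip() for n in tkt_enctypes.split(",")]:
        num = NAME_TO_ENCTYPE.get(name)
        if num is None:
            findings.append("unknown enctype name %r" % name)
        elif num not in have:
            findings.append("no %s key for %s: a ticket encrypted with it "
                            "cannot be decrypted" % (name, jaas_principal))
    return findings


def build_keytab_entry(realm, components, enctype, key, kvno=1, timestamp=0):
    """Encode one entry; used only to construct the sample input below."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno)   # NT-PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample matching what the thread's debug output implies:
# realm "acme", HTTP/Client2, one rc4-hmac (type 23) key. Dummy key bytes.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "acme", ["HTTP", "Client2"], 23, b"\x00" * 16)
JAAS_PRINCIPAL = "HTTP/Client2@ACME"
TKT_ENCTYPES = "rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96"
```

Run `parse_keytab` on the bytes of a real keytab file and `check_keytab` on the result to see whether the service principal and key types in the file line up with jaas.conf and krb5.ini before looking elsewhere.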


RE: Tomcat windows authentication domain login issue

Posted by tantaryu <mi...@outlook.com>.
By the way, this is using tomcat 8 and it's running on Linux. Windows
machines are the AD server and the client.



--
View this message in context: http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023860.html
Sent from the Tomcat - User mailing list archive at Nabble.com.



RE: Tomcat windows authentication domain login issue

Posted by Felix Schumacher <fe...@internetallee.de>.

Am 15. Oktober 2014 11:05:59 MESZ, schrieb tantaryu <mi...@outlook.com>:
>Okay, this might sounds funny. But how do I add a newlines?

I don't know how to do it in your mail client. But generally I would try to configure it to not use html (only).

You could try another mail client or provider. Maybe it has saner defaults.

Regards
Felix

>
> Date: Wed, 15 Oct 2014 01:37:42 -0700
> From: ml-node+s10n5023863h23@n6.nabble.com
> To: ming.sa@outlook.com
> Subject: Re: Tomcat windows authentication domain login issue
>
> Am 15.10.2014 um 10:22 schrieb tantaryu:
>
>>> Let's hope it works this time.
>
> If this was your try to add newlines, then I think it failed.
>
> Felix
>
>>> I need some idea on what's wrong with my tomcat configuration for
>>> windows authentication. I followed the tomcat windows authentication
>>> tutorial and use the "manager" web application that comes with tomcat
>>> to do a poc. In my web.xml I change <auth-method>BASIC</auth-method> to
>>> <auth-method>SPNEGO</auth-method> and also change the auth-constraint
>>> to the following:
>>>
>>> <auth-constraint>
>>>   <role-name>*</role-name>
>>> </auth-constraint>
>>>
>>> This is my krb5.ini
>>>
>>> [libdefaults]
>>> default_realm = ACME
>>> default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> forwardable=true
>>> [realms]
>>> ACME = {
>>>        kdc = AD-Server:88
>>> }
>>> [domain_realm]
>>> acme= ACME
>>> .acme= ACME
>>>
>>> This is my jaas.conf
>>>
>>> com.sun.security.jgss.krb5.initiate {
>>>    com.sun.security.auth.module.Krb5LoginModule required
>>>    debug=true
>>>    doNotPrompt=true
>>>    principal="HTTP/Client2@ACME"
>>>    useKeyTab=true
>>>    keyTab="C:/tomcat/conf/tomcat.keytab"
>>>    //useTicketCache=true
>>>    storeKey=true;
>>> };
>>> com.sun.security.jgss.krb5.accept {
>>>    com.sun.security.auth.module.Krb5LoginModule required
>>>    debug=true
>>>    doNotPrompt=true
>>>    principal="HTTP/Client2@ACME"
>>>    useKeyTab=true
>>>    keyTab="C:/tomcat/conf/tomcat.keytab"
>>>    //useTicketCache=true
>>>    storeKey=true;
>>> };
>>>
>>> The weird thing is regardless of what username and password I put in
>>> when I accessed the tomcat manager web-app the debug message shown is
>>> the same.
>>>
>>> Debug is  true storeKey true useTicketCache false useKeyTab true
>>> doNotPrompt true ticketCache is null isInitiator true KeyTab is
>>> C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is
>>> HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass
>>> is false clearPass is false
>>> >>> KeyTabInputStream, readName(): acme
>>> >>> KeyTabInputStream, readName(): HTTP
>>> >>> KeyTabInputStream, readName(): Client2
>>> >>> KeyTab: load() entry length: 52; type: 23
>>> Looking for keys for: HTTP/Client2@ACME
>>> Java config name: C:\tomcat\conf\krb5.ini
>>> Loaded from Java config
>>> Added key: 23version: 0
>>> >>> KdcAccessibility: reset
>>> Looking for keys for: HTTP/Client2@ACME
>>> Added key: 23version: 0
>>> default etypes for default_tkt_enctypes: 23 17.
>>> >>> KrbAsReq creating message
>>> >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>>> >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>>> >>> KrbKdcReq send: #bytes read=538
>>> >>> KdcAccessibility: remove AD-Server:88
>>> Looking for keys for: HTTP/Client2@ACME
>>> Added key: 23version: 0
>>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
>>> principal is HTTP/Client2@ACME
>>> Will use keytab
>>> Commit Succeeded
>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>>> Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
>>>                 [Krb5LoginModule]: Entering logout
>>>                 [Krb5LoginModule]: logged out Subject
>>>
>>> I added this in my server.xml
>>>
>>> <Realm className="org.apache.catalina.realm.LockOutRealm">
>>> 	<Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
>>> </Realm>
>>>
>>> When I tried login, it doesn't seem to recognize the valid
>>> credential. The app keeps on asking me to enter a valid credential.
>>> What do I need to change to make it work?
>
>> Date: Wed, 15 Oct 2014 00:56:33 -0700
>> From: [hidden email]
>> To: [hidden email]
>> Subject: Re: Tomcat windows authentication domain login issue
>>
>> Am 15.10.2014 um 03:48 schrieb tantaryu:
>>
>>> Okay, now I tried with an email client. Let's see if it works.
>
>
>> Could you try to add the missing newlines? It is really hard to read the
>> text without them.
>>
>> Regards Felix
>
>
>>> Date: Tue, 14 Oct 2014 18:03:07 -0700
>>> From: [hidden email]
>>> To: [hidden email]
>>> Subject: RE: Tomcat windows authentication domain login issue
>>>
>>>> From: tantaryu [mailto:[hidden email]]
>>>> Subject: Re: Tomcat windows authentication domain login issue
>>>> Let me know if you can read it still. I didn't check the "Message is in
>>>> HTML Format" option.
>>>
>>> It didn't help.  Don't use Nabble - post to the user's list directly
>>> from an e-mail client.
>>>
>>>    - Chuck
>


Re: Tomcat windows authentication domain login issue

Posted by André Warnier <aw...@ice-sa.com>.
Tantaryu,

The problem currently is that your messages appear to the list readers as pretty 
unreadable "blobs" of text.  Not many of the busy people here will feel motivated enough 
to decrypt/reformat them before they understand even the basics of your questions.

Since you are the one who needs help, making it easier for someone to provide it is the 
way to go.

If such an option is available in your email client, please select "send messages as plain 
text".  If it is not available, install Thunderbird or similar and try again.

If everything else fails, inserting a blank line between each of the real lines of text 
/may/ help.

Next, do not send your configuration snippets as attachments.  Paste them directly in the 
email to the list (also as plain text of course).

Next, do not "top-post".
Respond below the message portion to which you are responding.  It helps keeping a natural 
flow to the conversation.

Thanks




RE: Tomcat windows authentication domain login issue

Posted by tantaryu <mi...@outlook.com>.
Okay, this might sound funny. But how do I add newlines?

--
View this message in context: http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023866.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

Re: Tomcat windows authentication domain login issue

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 15.10.2014 um 10:22 schrieb tantaryu:
>> Let's hope it works this time.
If this was your try to add newlines, then I think it failed.

Felix
>> I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and uses the "manager" web application comes with tomcat to do a poc. In my web.xml I change > <auth-method>BASIC</auth-method> > to> <auth-method>SPNEGO</auth-method>> and also changes the auth-constraint to the following > <auth-constraint>>  <role-name>*</role-name>> </auth-constraint>
>> This is my krb5.ini > [libdefaults]> default_realm = ACME> default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> forwardable=true> [realms]> ACME = {>        kdc = AD-Server:88>}> [domain_realm]> acme= ACME> .acme= ACME
>> This is my jaas.conf > com.sun.security.jgss.krb5.initiate {>    com.sun.security.auth.module.Krb5LoginModule required>    debug=true>    doNotPrompt=true>    principal="HTTP/Client2@ACME">    useKeyTab=true>    keyTab="C:/tomcat/conf/tomcat.keytab">    //useTicketCache=true>    storeKey=true;> };> com.sun.security.jgss.krb5.accept {>    com.sun.security.auth.module.Krb5LoginModule required>    debug=true>    doNotPrompt=true>    principal="HTTP/Client2@ACME">    useKeyTab=true>    keyTab="C:/tomcat/conf/tomcat.keytab">    //useTicketCache=true>    storeKey=true;>};
>> The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.
>> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false> >>> KeyTabInputStream, readName(): acme> >>> KeyTabInputStream, readName(): HTTP> >>> KeyTabInputStream, readName(): Client2> >>> KeyTab: load() entry length: 52; type: 23> Looking for keys for: HTTP/Client2@ACME> Java config name: C:\tomcat\conf\krb5.ini> Loaded from Java config> Added key: 23version: 0> >>> KdcAccessibility: reset> Looking for keys for: HTTP/Client2@ACME> Added key: 23version: 0> default etypes for default_tkt_enctypes: 23 17.> >>> KrbAsReq creating message> >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #> bytes=124> >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>>>>> KrbKdcReq send: #bytes read=538> >>> KdcAccessibility: remove AD-Server:88> Looking for keys for: HTTP/Client2@ACME> Added key: 23version: 0> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2> principal is HTTP/Client2@ACME> Will use keytab> Commit Succeeded
>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014>                [Krb5LoginModule]: Entering logout>                [Krb5LoginModule]: logged out Subject
>> I added this in my server.xml > <Realm className="org.apache.catalina.realm.LockOutRealm">>	<Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />> </Realm>
>> When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?





RE: Tomcat windows authentication domain login issue

Posted by tantaryu <mi...@outlook.com>.
> Let's hope it works this time.
> I need some idea on what's wrong with my Tomcat configuration for Windows authentication. I followed the Tomcat Windows authentication tutorial and used the "manager" web application that comes with Tomcat to do a PoC. In my web.xml I changed
>
>     <auth-method>BASIC</auth-method>
>
> to
>
>     <auth-method>SPNEGO</auth-method>
>
> and also changed the auth-constraint to the following:
>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>
> This is my krb5.ini:
>
>     [libdefaults]
>     default_realm = ACME
>     default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
>     default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>     default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>     forwardable=true
>     [realms]
>     ACME = {
>         kdc = AD-Server:88
>     }
>     [domain_realm]
>     acme= ACME
>     .acme= ACME
>
> This is my jaas.conf:
>
>     com.sun.security.jgss.krb5.initiate {
>         com.sun.security.auth.module.Krb5LoginModule required
>         debug=true
>         doNotPrompt=true
>         principal="HTTP/Client2@ACME"
>         useKeyTab=true
>         keyTab="C:/tomcat/conf/tomcat.keytab"
>         //useTicketCache=true
>         storeKey=true;
>     };
>     com.sun.security.jgss.krb5.accept {
>         com.sun.security.auth.module.Krb5LoginModule required
>         debug=true
>         doNotPrompt=true
>         principal="HTTP/Client2@ACME"
>         useKeyTab=true
>         keyTab="C:/tomcat/conf/tomcat.keytab"
>         //useTicketCache=true
>         storeKey=true;
>     };
>
> The weird thing is that regardless of what username and password I put in when I access the Tomcat manager web app, the debug message shown is the same:
>
>     Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>     >>> KeyTabInputStream, readName(): acme
>     >>> KeyTabInputStream, readName(): HTTP
>     >>> KeyTabInputStream, readName(): Client2
>     >>> KeyTab: load() entry length: 52; type: 23
>     Looking for keys for: HTTP/Client2@ACME
>     Java config name: C:\tomcat\conf\krb5.ini
>     Loaded from Java config
>     Added key: 23version: 0
>     >>> KdcAccessibility: reset
>     Looking for keys for: HTTP/Client2@ACME
>     Added key: 23version: 0
>     default etypes for default_tkt_enctypes: 23 17.
>     >>> KrbAsReq creating message
>     >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>     >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>     >>> KrbKdcReq send: #bytes read=538
>     >>> KdcAccessibility: remove AD-Server:88
>     Looking for keys for: HTTP/Client2@ACME
>     Added key: 23version: 0
>     >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>     >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
>     principal is HTTP/Client2@ACME
>     Will use keytab
>     Commit Succeeded
>     Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>     Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>     Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>     Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>     Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
>                     [Krb5LoginModule]: Entering logout
>                     [Krb5LoginModule]: logged out Subject
>
> I added this in my server.xml:
>
>     <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
>     </Realm>
>
> When I try to log in, it doesn't seem to recognize the valid credential. The app keeps asking me to enter a valid credential. What do I need to change to make it work?

Re: Tomcat windows authentication domain login issue

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 15.10.2014 um 03:48 schrieb tantaryu:
> Okay, now I tried with an email client. Let's see if it works.
>
> I need some idea on what's wrong with my Tomcat configuration for Windows authentication. I followed the Tomcat Windows authentication tutorial and used the "manager" web application that comes with Tomcat to do a PoC. In my web.xml I changed
>
>     <auth-method>BASIC</auth-method>
>
> to
>
>     <auth-method>SPNEGO</auth-method>
>
> and also changed the auth-constraint to the following:
>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>
> This is my krb5.ini:
>
>     [libdefaults]
>     default_realm = ACME
>     default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
>     default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>     default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>     forwardable=true
>     [realms]
>     ACME = {
>         kdc = AD-Server:88
>     }
>     [domain_realm]
>     acme= ACME
>     .acme= ACME
>
> This is my jaas.conf:
>
>     com.sun.security.jgss.krb5.initiate {
>         com.sun.security.auth.module.Krb5LoginModule required
>         debug=true
>         doNotPrompt=true
>         principal="HTTP/Client2@ACME"
>         useKeyTab=true
>         keyTab="C:/tomcat/conf/tomcat.keytab"
>         //useTicketCache=true
>         storeKey=true;
>     };
>     com.sun.security.jgss.krb5.accept {
>         com.sun.security.auth.module.Krb5LoginModule required
>         debug=true
>         doNotPrompt=true
>         principal="HTTP/Client2@ACME"
>         useKeyTab=true
>         keyTab="C:/tomcat/conf/tomcat.keytab"
>         //useTicketCache=true
>         storeKey=true;
>     };
>
> The weird thing is that regardless of what username and password I put in when I access the Tomcat manager web app, the debug message shown is the same:
>
>     Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>     >>> KeyTabInputStream, readName(): acme
>     >>> KeyTabInputStream, readName(): HTTP
>     >>> KeyTabInputStream, readName(): Client2
>     >>> KeyTab: load() entry length: 52; type: 23
>     Looking for keys for: HTTP/Client2@ACME
>     Java config name: C:\tomcat\conf\krb5.ini
>     Loaded from Java config
>     Added key: 23version: 0
>     >>> KdcAccessibility: reset
>     Looking for keys for: HTTP/Client2@ACME
>     Added key: 23version: 0
>     default etypes for default_tkt_enctypes: 23 17.
>     >>> KrbAsReq creating message
>     >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>     >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
Could you try to add the missing newlines? It is really hard to read the 
text without them.

Regards Felix

>     >>> KrbKdcReq send: #bytes read=538
>     >>> KdcAccessibility: remove AD-Server:88
>     Looking for keys for: HTTP/Client2@ACME
>     Added key: 23version: 0
>     >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>     >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
>     principal is HTTP/Client2@ACME
>     Will use keytab
>     Commit Succeeded
>     Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>     Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>     Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>     Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>     Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
>                     [Krb5LoginModule]: Entering logout
>                     [Krb5LoginModule]: logged out Subject
>
> I added this in my server.xml:
>
>     <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
>     </Realm>
>
> When I try to log in, it doesn't seem to recognize the valid credential. The app keeps asking me to enter a valid credential. What do I need to change to make it work?





RE: Tomcat windows authentication domain login issue

Posted by tantaryu <mi...@outlook.com>.
Okay, now I tried with an email client. Let's see if it works.

I need some idea on what's wrong with my Tomcat configuration for Windows authentication. I followed the Tomcat Windows authentication tutorial and used the "manager" web application that comes with Tomcat to do a PoC. In my web.xml I changed

    <auth-method>BASIC</auth-method>

to

    <auth-method>SPNEGO</auth-method>

and also changed the auth-constraint to the following:

    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>

This is my krb5.ini:

    [libdefaults]
    default_realm = ACME
    default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true
    [realms]
    ACME = {
        kdc = AD-Server:88
    }
    [domain_realm]
    acme= ACME
    .acme= ACME

This is my jaas.conf:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        principal="HTTP/Client2@ACME"
        useKeyTab=true
        keyTab="C:/tomcat/conf/tomcat.keytab"
        //useTicketCache=true
        storeKey=true;
    };
    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        principal="HTTP/Client2@ACME"
        useKeyTab=true
        keyTab="C:/tomcat/conf/tomcat.keytab"
        //useTicketCache=true
        storeKey=true;
    };

The weird thing is that regardless of what username and password I put in when I access the Tomcat manager web app, the debug message shown is the same:

    Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    >>> KeyTabInputStream, readName(): acme
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): Client2
    >>> KeyTab: load() entry length: 52; type: 23
    Looking for keys for: HTTP/Client2@ACME
    Java config name: C:\tomcat\conf\krb5.ini
    Loaded from Java config
    Added key: 23version: 0
    >>> KdcAccessibility: reset
    Looking for keys for: HTTP/Client2@ACME
    Added key: 23version: 0
    default etypes for default_tkt_enctypes: 23 17.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
    >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
    >>> KrbKdcReq send: #bytes read=538
    >>> KdcAccessibility: remove AD-Server:88
    Looking for keys for: HTTP/Client2@ACME
    Added key: 23version: 0
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
    principal is HTTP/Client2@ACME
    Will use keytab
    Commit Succeeded
    Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
    Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
    Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
    Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
    Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
                    [Krb5LoginModule]: Entering logout
                    [Krb5LoginModule]: logged out Subject

I added this in my server.xml:

    <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />
    </Realm>

When I try to log in, it doesn't seem to recognize the valid credential. The app keeps asking me to enter a valid credential. What do I need to change to make it work?
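
Before chasing the KDC, a practitioner would first check that the pieces posted above agree with each other: that the JAASRealm's appName names a login entry that actually exists in jaas.conf (Tomcat's JAASRealm looks up the JAAS login context by that name), that the encryption types in the keytab overlap the ones the JVM will request, and whether the keytab holds only RC4-HMAC keys. The script below is an added example (my own code, not from the thread or the Tomcat project) that runs those three checks over text inputs of the kind shown in the post. The sample inputs are constructed to match the values in the thread, and the function names are my own.

```python
"""Consistency checks for a Tomcat JAASRealm + Kerberos (SPNEGO) setup.

Added example, not code from the thread. Inputs are plain text: a jaas.conf,
the <Realm> element from server.xml, and Krb5LoginModule debug output.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, reflowed from the jaas.conf posted in the thread.
SAMPLE_JAAS_CONF = """
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    doNotPrompt=true
    principal="HTTP/Client2@ACME"
    useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab"
    //useTicketCache=true
    storeKey=true;
};
"""

# Constructed sample: the JAASRealm element from the thread's server.xml.
SAMPLE_REALM_XML = ('<Realm className="org.apache.catalina.realm.JAASRealm" '
                    'appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />')

# Constructed sample: a few Krb5LoginModule debug lines as they appear in the thread.
SAMPLE_DEBUG_LOG = """
>>> KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
"""

# Kerberos encryption type numbers (RFC 3961 / RFC 4757) and their krb5.conf names.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# One JAAS login entry: "<name> { ... };" (options may span lines).
_ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)


def parse_jaas_entries(text: str) -> Dict[str, List[str]]:
    """Map each JAAS login-entry name to its non-comment option lines."""
    entries: Dict[str, List[str]] = {}
    for m in _ENTRY_RE.finditer(text):
        lines = [ln.strip() for ln in m.group(2).splitlines()]
        entries[m.group(1)] = [ln for ln in lines if ln and not ln.startswith("//")]
    return entries


def realm_app_name(realm_xml: str) -> Optional[str]:
    """Extract appName= from a JAASRealm element; None if absent."""
    m = re.search(r'appName="([^"]+)"', realm_xml)
    return m.group(1) if m else None


def keytab_etypes(log: str) -> List[int]:
    """Encryption types of the keytab entries the JVM reported loading."""
    return sorted({int(m.group(1)) for m in
                   re.finditer(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", log)})


def configured_tkt_etypes(log: str) -> List[int]:
    """Encryption types the JVM derived from default_tkt_enctypes in krb5.ini."""
    m = re.search(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", log)
    return sorted(int(x) for x in m.group(1).split()) if m else []


def _names(etypes: List[int]) -> List[str]:
    return [ETYPE_NAMES.get(e, str(e)) for e in etypes]


def check_setup(jaas_conf: str, realm_xml: str, log: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    entries = parse_jaas_entries(jaas_conf)
    app = realm_app_name(realm_xml)
    if app not in entries:
        findings.append(f"JAASRealm appName={app!r} has no login entry in jaas.conf "
                        f"(entries present: {sorted(entries)})")
    kt, cfg = keytab_etypes(log), configured_tkt_etypes(log)
    if kt and cfg and not set(kt) & set(cfg):
        findings.append(f"keytab etypes {_names(kt)} share nothing with "
                        f"default_tkt_enctypes {_names(cfg)}")
    if kt and all(e == 23 for e in kt):
        findings.append("keytab carries only rc4-hmac (etype 23) keys; no AES key is available")
    return findings


if __name__ == "__main__":
    for line in check_setup(SAMPLE_JAAS_CONF, SAMPLE_REALM_XML, SAMPLE_DEBUG_LOG):
        print("FINDING:", line)
```

Run against the thread's own values, the first finding reports that no jaas.conf entry named JspKerberosDemo exists (only the two com.sun.security.jgss.krb5.* entries do), and the third reports that the keytab loaded by the JVM carries only an RC4-HMAC key, which is what the ArcFourHmacEType line in the debug output also shows. The etype-overlap check passes for this input because rc4-hmac is listed in default_tkt_enctypes.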

RE: Tomcat windows authentication domain login issue

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: tantaryu [mailto:ming.sa@outlook.com] 
> Subject: Re: Tomcat windows authentication domain login issue

> Let me know if you can read it still. I didn't checked the "Message is in
> HTML Format"  option.

It didn't help.  Don't use Nabble - post to the user's list directly from an e-mail client.

 - Chuck






Re: Tomcat windows authentication domain login issue

Posted by tantaryu <mi...@outlook.com>.
Let me know if you can read it still. I didn't checked the "Message is in
HTML Format"  option.





Re: Tomcat windows authentication domain login issue

Posted by tantaryu <mi...@outlook.com>.
Oh, let me try again.

I need some idea on what's wrong with my Tomcat configuration for Windows
authentication. I followed the Tomcat Windows authentication tutorial and
used the "manager" web application that comes with Tomcat to do a PoC. In my
web.xml I change
to
 and also changes the auth-constraint to the following 

. 

This is my krb5.ini 

This is my jaas.conf 

The weird thing is regardless of what username and password I put in when I
accessed the tomcat manager web-app the debug message shown is the same. 

I added this in my server.xml 

When I try to log in, it doesn't seem to recognize the valid credential. The
app keeps asking me to enter a valid credential. What do I need to change
to make it work?





Re: Tomcat windows authentication domain login issue

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 14.10.2014 um 05:32 schrieb tantaryu:
> I need some idea on what's wrong with my Tomcat configuration for Windows
> authentication. I followed the Tomcat Windows authentication tutorial and
> used the "manager" web application that comes with Tomcat to do a PoC. In my
> web.xml I change  and also changes the auth-constraint to the following
Maybe it is just me, but I can't see what you have added. Did you send
your mail as HTML? If so, try to send it as text again.

Regards
  Felix
>
> .
>
> This is my krb5.ini
>
>
> This is my jaas.conf
>
>
> The weird thing is regardless of what username and password I put in when I
> accessed the tomcat manager web-app the debug message shown is the same.
>
>
>
> I added this in my server.xml
>
>
>
> When I tried login, it doesn't seem to recognize the valid credential. The
> app keeps on asking me to enter a valid credential. What do I need to change
> to make it work?
>
>
>