Posted to users@tomcat.apache.org by Philippe Wijdh <p....@assai.nl> on 2014/10/22 11:40:56 UTC

Built-in Tomcat Support for Windows Authentication

Hello,

We have spent a long time now trying to set up Apache Tomcat with Windows Authentication.
We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
In addition to that, we tried suggestions like adding the registry key AllowTgtSessionKey and setting it to 0x01.
It seems like we are close but we are missing something (see Tomcat output below).
Does anyone have more complete documentation or any suggestions on how to make this work?


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (have created the SPN with and without the port number, does not make a difference)

Test is done with user testuser@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.



Tomcat Output:

>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
            suSec is 403143
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
            suSec is 996893
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
            suSec is 543768
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
            sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
            suSec is 715643
            error code is 25
            error Message is Additional pre-authentication required
            realm is ASSAI.NL
            sname is krbtgt/ASSAI.NL
            eData provided.
            msgType is 30
>>>Pre-Authentication Data:
            PA-DATA type = 11
            PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
            PA-DATA type = 19
            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
            PA-DATA type = 2
            PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
            PA-DATA type = 16

>>>Pre-Authentication Data:
            PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>> KrbKdcReq send: #bytes read=1446
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
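The debug output above repeats one cycle: the keytab principal HTTP/v3tcat4ad.assai.nl:8080, an AS-REQ answered with error code 25 (pre-authentication required, which the JDK resolves itself by re-sending with a timestamp, so those lines are not the failure), an AS-REP for the same port-carrying principal, and the accept context starting. As an added example that is not code from this thread or from Tomcat, the Python below parses this kind of sun.security.krb5 debug output and flags an SPN that carries a port, the point the replies in this thread make; SAMPLE_LOG is a constructed excerpt, and the keytab-principal reconstruction assumes the realm-then-name-components order of the readName() lines seen above.

```python
"""Checks over sun.security.krb5 debug output of the kind Tomcat printed above.
Added example for this thread; not Tomcat project code."""
import re
from collections import Counter

# Constructed excerpt modelled on the Tomcat output in the thread (not a verbatim copy).
SAMPLE_LOG = """\
>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
>>> KrbAsReq creating message
>>>KRBError:
            error code is 25
            error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
Entered Krb5Context.acceptSecContext with state=STATE_NEW
"""

# service/host[:port][@REALM]; the optional port is the part this thread is about.
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[^/@\s]+)/(?P<host>[^:@\s]+)(?::(?P<port>\d+))?(?:@(?P<realm>\S+))?$")
KEYTAB_NAME_RE = re.compile(r"KeyTabInputStream, readName\(\): (\S+)")
KEY_FOUND_RE = re.compile(r"Found KerberosKey for (\S+)")
ASREP_RE = re.compile(r"KrbAsRep cons in KrbAsReq\.getReply (\S+)")
ERROR_RE = re.compile(r"error code is (\d+)")
KDC_ERR_PREAUTH_REQUIRED = 25  # RFC 4120 value; the JDK answers it by re-sending with PA-ENC-TIMESTAMP


def parse_principal(spn):
    """Split 'HTTP/host[:port][@REALM]' into parts; port and realm are None when absent."""
    m = PRINCIPAL_RE.match(spn.strip())
    if not m:
        raise ValueError("not a service principal: %r" % spn)
    parts = m.groupdict()
    parts["port"] = int(parts["port"]) if parts["port"] else None
    return parts


def spn_problems(spn):
    """Findings for one SPN against the form the Tomcat howto uses (HTTP/<fqdn>@REALM)."""
    p = parse_principal(spn)
    problems = []
    if p["port"] is not None:
        problems.append("SPN carries port %d; the howto uses HTTP/<fqdn> with no port" % p["port"])
    if p["service"] != "HTTP":
        problems.append("service class is %r; browser SSO requests HTTP/<fqdn>" % p["service"])
    if "." not in p["host"]:
        problems.append("host %r is not a fully qualified name" % p["host"])
    if p["realm"] and p["realm"] != p["realm"].upper():
        problems.append("realm %r is not upper case" % p["realm"])
    return problems


def summarize_log(text):
    """One pass over the debug log, collecting what matters for a SPNEGO setup."""
    keytab_names, keys_found, asrep_for = [], set(), set()
    errors = Counter()
    accept_started = False
    for raw in text.splitlines():
        line = raw.strip()
        m = KEYTAB_NAME_RE.search(line)
        if m:
            keytab_names.append(m.group(1))
            continue
        m = KEY_FOUND_RE.search(line)
        if m:
            keys_found.add(m.group(1))
            continue
        m = ASREP_RE.search(line)
        if m:
            asrep_for.add(m.group(1))
            continue
        m = ERROR_RE.search(line)
        if m:
            errors[int(m.group(1))] += 1
        elif "Krb5Context.acceptSecContext" in line:
            accept_started = True
    # Assumption: the JDK prints a keytab entry's realm first, then its two name components.
    keytab_principals = []
    for i in range(0, len(keytab_names) - 2, 3):
        realm, service, host = keytab_names[i:i + 3]
        keytab_principals.append("%s/%s@%s" % (service, host, realm))
    findings = {}
    for spn in sorted(keys_found | set(keytab_principals)):
        probs = spn_problems(spn)
        if probs:
            findings[spn] = probs
    return {
        "keytab_principals": keytab_principals,
        "keys_found": sorted(keys_found),
        "asrep_for": sorted(asrep_for),
        # benign on the first AS-REQ: the log shows the re-sent request succeeding right after it
        "preauth_required_errors": errors[KDC_ERR_PREAUTH_REQUIRED],
        "other_kdc_errors": {c: n for c, n in errors.items() if c != KDC_ERR_PREAUTH_REQUIRED},
        "accept_context_started": accept_started,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in summarize_log(SAMPLE_LOG).items():
        print("%-26s %s" % (key, value))
```

Run it against a real Tomcat debug log by passing the file contents to summarize_log; a non-empty "findings" entry for the keytab principal is the first thing to fix before looking at anything else in the output.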

RE: Built-in Tomcat Support for Windows Authentication

Posted by Philippe Wijdh <p....@assai.nl>.
Alright, thanks. We will try once more from scratch.

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumacher@internetallee.de] 
Sent: Thursday 23 October 2014 20:42
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

On 23.10.2014 at 11:07, Philippe Wijdh wrote:
> Hi,
>
> Thank you for the response.
> The initial setup of the spn and the keytab was without the port-number, the registry key was a suggestion found on internet but this setting does not change the outcome.
>
> The command kinit on the Tomcat server returns the following
>
>
> C:\MyPrograms\Tomcat7\conf>set 
> KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf
>
>
> C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL

HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL is the wrong spn. You have to use one without the port number (as described in the docs).

Maybe it would be best to follow Mark's advice, start with a fresh system and follow the documentation step by step.

Felix
>>>> KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
> Principal is HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>>>> Kinit using keytab
>>>> Kinit keytab file name: 
>>>> C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
>>>> Kinit realm name is ASSAI.NL
>>>> Creating KrbAsReq
>>>> KrbKdcReq local addresses for V3TCAT4AD are:
>          V3TCAT4AD/10.1.0.67
> IPv4 address
>
>          V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
> IPv6 address
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=198
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=198
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>           PA-DATA type = 11
>           PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 19
>           PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 2
>           PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>           PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
>           suSec is 776700
>           error code is 25
>           error Message is Additional pre-authentication required
>           realm is ASSAI.NL
>           sname is krbtgt/ASSAI.NL
>           eData provided.
>           msgType is 30
>>>> Pre-Authentication Data:
>           PA-DATA type = 11
>           PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 19
>           PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 2
>           PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>           PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=283
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=283
>>>> KrbKdcReq send: #bytes read=88
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=30000, number of retries =3, #bytes=283
>>>> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=30000,Attempt =1, #bytes=283
>>>> DEBUG: TCPClient reading 1496 bytes
>>>> KrbKdcReq send: #bytes read=1496
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser
>
> C:\MyPrograms\Tomcat7\conf>klist
>
> Current LogonId is 0:0x13380b5c
>
> Cached Tickets: (0)
>
>
>
>
> Kind regards,
>
> Philippe Wijdh
> Senior Programmer
>
> Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, 
> The Netherlands
> P:  +31 (0)345 516 663, E:  p.wijdh@assai.nl, W: 
> www.assai-software.com
>
> -----Original Message-----
> From: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
> Sent: Thursday 23 October 2014 7:53
> To: Tomcat Users List
> Subject: Re: Built-in Tomcat Support for Windows Authentication
>
>
>
> On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p....@assai.nl> wrote:
>> Hello,
>>
>> We have spent a long time now, trying to set up Apache Tomcat with 
>> Windows Authentication.
>> We followed the instructions as per
>> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but 
>> we cannot make it work properly, the logon dialog keeps appearing and 
>> trying to log on fails.
>> Additional to that we tried suggestions, like adding the registry key 
>> AllowTgtSessionKey and setting it to 0x01
> Haven't seen that recommendation in the tomcat documentation.
>
>
>> Seems like we are close but we are missing something (see tomcat 
>> output
>> below)
>> Does anyone have a more complete documentation or have any 
>> suggestions on how to make this work.
>>
>>
>> Kind regards,
>>
>> Philippe Wijdh
>>
>>
>>
>> Extra information on the setup:
>>
>> Windows 2008 r2 sp1
>> Apache Tomcat 7.0.54
>> jdk1.7.0_60
>>
>> Tomcat is running as a service using account
>> HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the 
>> port number, does not make a difference)
> You will have to use the spn without the port.
>
>> Test is done with user testuser@assai.nl<ma...@assai.nl> in
>> IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly 
>> added to the Intranet sites.
>>
>>
>>
>> Tomcat Output:
>>
>>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
> What is inside your keytab?
>
>>>>> KeyTab: load() entry length: 72; type: 23
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> This is the wrong spn. The port number should not be there.
>
> Regards
> Felix
>
>> of retries =3, #bytes=152
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, 
>>>>> timeout=30000,Attempt
>> =1, #bytes=152
>>>>> KrbKdcReq send: #bytes read=173
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>> KRBError:
>>             sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
>>             suSec is 715643
>>             error code is 25
>>             error Message is Additional pre-authentication required
>>             realm is ASSAI.NL
>>             sname is krbtgt/ASSAI.NL
>>             eData provided.
>>             msgType is 30
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes 
>> for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=235
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, 
>>>>> timeout=30000,Attempt
>> =1, #bytes=235
>>>>> KrbKdcReq send: #bytes read=1446
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>> sun.security.jgss.spnego.SpNegoCredElement)
>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>> sun.security.jgss.krb5.Krb5AcceptCredential)
>> Found KeyTab
>> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>> Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key:
>> 23version: 0 Ordering keys wrt default_tkt_enctypes list default 
>> etypes for default_tkt_enctypes: 23 18 17.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Built-in Tomcat Support for Windows Authentication

Posted by Felix Schumacher <fe...@internetallee.de>.
On 23.10.2014 at 11:07, Philippe Wijdh wrote:
> Hi,
>
> Thank you for the response.
> The initial setup of the SPN and the keytab was without the port number; the registry key was a suggestion found on the internet, but this setting does not change the outcome.
>
> The command kinit on the Tomcat server returns the following
>
>
> C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf
>
>
> C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL

HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL is the wrong spn. You have to use 
one without the port number (as described in the docs).

Maybe it would be best to follow Mark's advice: start with a fresh 
system and follow the documentation step by step.

Felix
>>>> KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
> Principal is HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>>>> Kinit using keytab
>>>> Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
>>>> Kinit realm name is ASSAI.NL
>>>> Creating KrbAsReq
>>>> KrbKdcReq local addresses for V3TCAT4AD are:
>          V3TCAT4AD/10.1.0.67
> IPv4 address
>
>          V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
> IPv6 address
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=198
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=198
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>           PA-DATA type = 11
>           PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 19
>           PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 2
>           PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>           PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
>           suSec is 776700
>           error code is 25
>           error Message is Additional pre-authentication required
>           realm is ASSAI.NL
>           sname is krbtgt/ASSAI.NL
>           eData provided.
>           msgType is 30
>>>> Pre-Authentication Data:
>           PA-DATA type = 11
>           PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 19
>           PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 2
>           PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>           PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>           PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=283
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=283
>>>> KrbKdcReq send: #bytes read=88
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=30000, number of retries =3, #bytes=283
>>>> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=30000,Attempt =1, #bytes=283
>>>> DEBUG: TCPClient reading 1496 bytes
>>>> KrbKdcReq send: #bytes read=1496
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser
>
> C:\MyPrograms\Tomcat7\conf>klist
>
> Current LogonId is 0:0x13380b5c
>
> Cached Tickets: (0)
>
>
>
>
> Kind regards,
>
> Philippe Wijdh
> Senior Programmer
>
> Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
> P:  +31 (0)345 516 663, E:  p.wijdh@assai.nl, W: www.assai-software.com
>
> -----Original Message-----
> From: Felix Schumacher [mailto:felix.schumacher@internetallee.de]
> Sent: Thursday 23 October 2014 7:53
> To: Tomcat Users List
> Subject: Re: Built-in Tomcat Support for Windows Authentication
>
>
>
> On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p....@assai.nl> wrote:
>> Hello,
>>
>> We have spent a long time now, trying to set up Apache Tomcat with
>> Windows Authentication.
>> We followed the instructions as per
>> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
>> cannot make it work properly, the logon dialog keeps appearing and
>> trying to log on fails.
>> Additional to that we tried suggestions, like adding the registry key
>> AllowTgtSessionKey and setting it to 0x01
> Haven't seen that recommendation in the tomcat documentation.
>
>
>> Seems like we are close but we are missing something (see tomcat output
>> below)
>> Does anyone have a more complete documentation or have any suggestions
>> on how to make this work.
>>
>>
>> Kind regards,
>>
>> Philippe Wijdh
>>
>>
>>
>> Extra information on the setup:
>>
>> Windows 2008 r2 sp1
>> Apache Tomcat 7.0.54
>> jdk1.7.0_60
>>
>> Tomcat is running as a service using account
>> HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
>> port number, does not make a difference)
> You will have to use the spn without the port.
>
>> Test is done with user testuser@assai.nl<ma...@assai.nl> in
>> IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
>> added to the Intranet sites.
>>
>>
>>
>> Tomcat Output:
>>
>>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
> What is inside your keytab?
>
>>>>> KeyTab: load() entry length: 72; type: 23
>> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
>> Loaded from Java config
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>>>>> KdcAccessibility: reset
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=152
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=152
>>>>> KrbKdcReq send: #bytes read=173
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>> KRBError:
>>             sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>>             suSec is 403143
>>             error code is 25
>>             error Message is Additional pre-authentication required
>>             realm is ASSAI.NL
>>             sname is krbtgt/ASSAI.NL
>>             eData provided.
>>             msgType is 30
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=235
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=235
>>>>> KrbKdcReq send: #bytes read=1446
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> This is the wrong spn. The port number should not be there.
>
> Regards
> Felix
>
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>> sun.security.jgss.spnego.SpNegoCredElement)
>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>> sun.security.jgss.krb5.Krb5AcceptCredential)
>> Found KeyTab
>> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=152
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=152
>>>>> KrbKdcReq send: #bytes read=173
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>> KRBError:
>>             sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>>             suSec is 996893
>>             error code is 25
>>             error Message is Additional pre-authentication required
>>             realm is ASSAI.NL
>>             sname is krbtgt/ASSAI.NL
>>             eData provided.
>>             msgType is 30
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=235
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=235
>>>>> KrbKdcReq send: #bytes read=1446
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>> sun.security.jgss.spnego.SpNegoCredElement)
>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>> sun.security.jgss.krb5.Krb5AcceptCredential)
>> Found KeyTab
>> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>> Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key:
>> 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes
>> for default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=152
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=152
>>>>> KrbKdcReq send: #bytes read=173
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>> KRBError:
>>             sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
>>             suSec is 543768
>>             error code is 25
>>             error Message is Additional pre-authentication required
>>             realm is ASSAI.NL
>>             sname is krbtgt/ASSAI.NL
>>             eData provided.
>>             msgType is 30
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=235
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=235
>>>>> KrbKdcReq send: #bytes read=1446
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>> sun.security.jgss.spnego.SpNegoCredElement)
>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>> sun.security.jgss.krb5.Krb5AcceptCredential)
>> Found KeyTab
>> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>> 09:55:00.008 [QuartzScheduler_Worker-1] DEBUG
>> org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
>> 09:55:00.008 [QuartzScheduler_Worker-1] DEBUG
>> org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
>> Added key: 23version: 0 Ordering keys wrt default_tkt_enctypes list
>> default etypes for default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=152
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=152
>>>>> KrbKdcReq send: #bytes read=173
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>> KRBError:
>>             sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
>>             suSec is 715643
>>             error code is 25
>>             error Message is Additional pre-authentication required
>>             realm is ASSAI.NL
>>             sname is krbtgt/ASSAI.NL
>>             eData provided.
>>             msgType is 30
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 11
>>             PA-ETYPE-INFO etype = 23, salt =
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 19
>>             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 2
>>             PA-ENC-TIMESTAMP
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 16
>>
>>>>> Pre-Authentication Data:
>>             PA-DATA type = 15
>>
>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>> of retries =3, #bytes=235
>>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>> =1, #bytes=235
>>>>> KrbKdcReq send: #bytes read=1446
>>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>> Added key: 23version: 0
>> Ordering keys wrt default_tkt_enctypes list default etypes for
>> default_tkt_enctypes: 23 18 17.
>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>> sun.security.jgss.spnego.SpNegoCredElement)
>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>> sun.security.jgss.krb5.Krb5AcceptCredential)
>> Found KeyTab
>> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>> Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key:
>> 23version: 0 Ordering keys wrt default_tkt_enctypes list default etypes
>> for default_tkt_enctypes: 23 18 17.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
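
Felix's question "What is inside your keytab?" can be answered without ktab or klist. The following keytab inspector is an added example and is not code from this thread, from the JDK or from Tomcat: it parses the 0x0502 keytab format (what the JDK's KeyTabInputStream reads, in the same realm-then-components order the readName() lines show), lists each principal with its enctype and entry length, and flags an SPN whose host component carries a port as well as rc4-hmac keys (the ArcFourHmacEType in the log). The function names parse_keytab, audit and build_keytab are mine, and the sample keytab is constructed inline with dummy key bytes.

```python
"""Keytab inspector for the SPNEGO keytab question in this thread: parses the
0x0502 keytab format the JDK's KeyTabInputStream reads, lists each principal,
and flags an SPN whose host component carries a port (HTTP/host:8080 is not the
HTTP/host a browser requests a ticket for) and keys of weak enctypes such as
rc4-hmac (23), the ArcFourHmacEType in the log. Key bytes are never printed."""
import struct
from dataclasses import dataclass

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
    name_type: int
    kvno: int
    etype: int
    key_len: int
    entry_len: int   # the "KeyTab: load() entry length: N" value in the JDK debug log


def _counted_string(data, off):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def parse_keytab(data):
    """Return the KeytabEntry records of a 0x0502 keytab (deleted slots skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)          # readName(): ASSAI.NL
        comps = []
        for _ in range(ncomp):                           # readName(): HTTP, then host
            comp, off = _counted_string(data, off)
            comps.append(comp)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                                  # step over the key material
        kvno = vno8
        if end - off >= 4:                               # optional 32-bit kvno field
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, kvno, etype, klen, size))
        off = end
    return entries


def audit(entries):
    """Return (principal, problem) pairs for an HTTP service keytab."""
    findings = []
    for e in entries:
        host = e.principal.partition("/")[2].rsplit("@", 1)[0]
        if ":" in host:
            findings.append((e.principal, "host component carries a port; the browser "
                             "asks for a ticket for HTTP/%s" % host.split(":")[0]))
        if e.etype in WEAK_ETYPES:
            findings.append((e.principal, "weak enctype %s (%d)"
                             % (ETYPE_NAMES.get(e.etype, "unknown"), e.etype)))
    return findings


def build_keytab(principal, etype, key, kvno=1, timestamp=0):
    """Construct a one-entry 0x0502 keytab (used only for the constructed samples)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # NT-PRINCIPAL, time, vno8
    body += struct.pack(">HH", etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed samples with dummy key bytes: the SPN from the thread with a 16-byte
# rc4-hmac key gives exactly the 72-byte entry the log reports; the corrected SPN
# with a 32-byte aes256 key passes the audit.
BAD_KEYTAB = build_keytab("HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL", 23, b"\x00" * 16)
GOOD_KEYTAB = build_keytab("HTTP/v3tcat4ad.assai.nl@ASSAI.NL", 18, b"\x00" * 32)

if __name__ == "__main__":
    import sys
    entries = parse_keytab(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD_KEYTAB)
    for e in entries:
        print("%-42s kvno=%d etype=%d (%s) entry_len=%d" % (e.principal, e.kvno, e.etype,
                                                             ETYPE_NAMES.get(e.etype, "?"), e.entry_len))
    for principal, problem in audit(entries):
        print("WARNING %s: %s" % (principal, problem))
```

Run it with a keytab path to inspect a real file; with no argument it inspects the constructed sample. A 16-byte rc4-hmac key for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL produces exactly the 72-byte entry, type 23, that the debug log printed.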


RE: Built-in Tomcat Support for Windows Authentication

Posted by Philippe Wijdh <p....@assai.nl>.
Hi,

Thank you for the response.
The initial setup of the SPN and the keytab was without the port number; the registry key was a suggestion found on the internet, but this setting does not change the outcome.

The command kinit on the Tomcat server returns the following:


C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf


C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.security.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.login.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>>>KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>>> Kinit using keytab
>>> Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
>>> Kinit realm name is ASSAI.NL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for V3TCAT4AD are:

        V3TCAT4AD/10.1.0.67
IPv4 address

        V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=198
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=198
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
         suSec is 776700
         error code is 25
         error Message is Additional pre-authentication required
         realm is ASSAI.NL
         sname is krbtgt/ASSAI.NL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=283
>>> KrbKdcReq send: #bytes read=88
>>> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=30000, number of retries =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=30000,Attempt =1, #bytes=283
>>>DEBUG: TCPClient reading 1496 bytes
>>> KrbKdcReq send: #bytes read=1496
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)




Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P:  +31 (0)345 516 663, E:  p.wijdh@assai.nl, W: www.assai-software.com 

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumacher@internetallee.de] 
Sent: Thursday 23 October 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication



On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p....@assai.nl> wrote:
>Hello,
>
>We have spent a long time now, trying to set up Apache Tomcat with 
>Windows Authentication.
>We followed the instructions as per
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we 
>cannot make it work properly, the logon dialog keeps appearing and 
>trying to log on fails.
>Additional to that we tried suggestions, like adding the registry key 
>AllowTgtSessionKey and setting it to 0x01
Haven't seen that recommendation in the tomcat documentation.


>Seems like we are close but we are missing something (see tomcat output
>below)
>Does anyone have a more complete documentation or have any suggestions 
>on how to make this work.
>
>
>Kind regards,
>
>Philippe Wijdh
>
>
>
>Extra information on the setup:
>
>Windows 2008 r2 sp1
>Apache Tomcat 7.0.54
>jdk1.7.0_60
>
>Tomcat is running as a service using account
>HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the 
>port number, does not make a difference)
You will have to use the spn without the port.

>
>Test is done with user testuser@assai.nl<ma...@assai.nl> in
>IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly 
>added to the Intranet sites.
>
>
>
>Tomcat Output:
>
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080

What is inside your keytab?

>>>> KeyTab: load() entry length: 72; type: 23
>Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
>Loaded from Java config
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>            suSec is 403143
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there. 

Regards
Felix

>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>            suSec is 996893
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>Entered Krb5Context.acceptSecContext with state=STATE_NEW
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
>            suSec is 543768
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>09:55:00.008 [QuartzScheduler_Worker-1] DEBUG 
>org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
>09:55:00.008 [QuartzScheduler_Worker-1] DEBUG 
>org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob 
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
>            suSec is 715643
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>Entered Krb5Context.acceptSecContext with state=STATE_NEW
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Re: Built-in Tomcat Support for Windows Authentication

Posted by Felix Schumacher <fe...@internetallee.de>.

On 22 October 2014 11:40:56 CEST, Philippe Wijdh <p....@assai.nl> wrote:
>Hello,
>
>We have spent a long time now, trying to set up Apache Tomcat with
>Windows Authentication.
>We followed the instructions as per
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
>cannot make it work properly, the logon dialog keeps appearing and
>trying to log on fails.
>Additional to that we tried suggestions, like adding the registry key
>AllowTgtSessionKey and setting it to 0x01
Haven't seen that recommendation in the tomcat documentation.


>Seems like we are close but we are missing something (see tomcat output
>below)
>Does anyone have a more complete documentation or have any suggestions
>on how to make this work.
>
>
>Kind regards,
>
>Philippe Wijdh
>
>
>
>Extra information on the setup:
>
>Windows 2008 r2 sp1
>Apache Tomcat 7.0.54
>jdk1.7.0_60
>
>Tomcat is running as a service using account 
>HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
>port number, does not make a difference)
You will have to use the spn without the port.

>
>Test is done with user testuser@assai.nl<ma...@assai.nl> in
>IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
>added to the Intranet sites.
>
>
>
>Tomcat Output:
>
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080

What is inside your keytab?

>>>> KeyTab: load() entry length: 72; type: 23
>Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
>Loaded from Java config
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>            suSec is 403143
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there. 

Regards
Felix

>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>            suSec is 996893
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>Entered Krb5Context.acceptSecContext with state=STATE_NEW
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
>            suSec is 543768
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>09:55:00.008 [QuartzScheduler_Worker-1] DEBUG
>org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
>09:55:00.008 [QuartzScheduler_Worker-1] DEBUG
>org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number
>of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt
>=1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>            sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
>            suSec is 715643
>            error code is 25
>            error Message is Additional pre-authentication required
>            realm is ASSAI.NL
>            sname is krbtgt/ASSAI.NL
>            eData provided.
>            msgType is 30
>>>>Pre-Authentication Data:
>            PA-DATA type = 11
>            PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 19
>            PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 2
>            PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>            PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>            PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
>Entered Krb5Context.acceptSecContext with state=STATE_NEW
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Built-in Tomcat Support for Windows Authentication

Posted by Philippe Wijdh <p....@assai.nl>.
Thanks, Terence,

We will have a look at Waffle as well.


Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P:  +31 (0)345 516 663, E:  p.wijdh@assai.nl, W: www.assai-software.com 

-----Original Message-----
From: Terence M. Bandoian [mailto:terence@tmbsw.com] 
Sent: Wednesday, 22 October 2014 18:56
To: Tomcat Users List
Subject: Built-in Tomcat Support for Windows Authentication

On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication.
> We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
> In addition to that we tried suggestions like adding the registry key AllowTgtSessionKey and setting it to 0x01.
> It seems like we are close but we are missing something (see Tomcat output below).
> Does anyone have more complete documentation or any suggestions on how to make this work?
>
>
> Kind regards,
>
> Philippe Wijdh
>
>
>
> Extra information on the setup:
>
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
>
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (we have created the SPN both with and without the port number; it does not make a difference).
>
> Test is done with user testuser@assai.nl<ma...@assai.nl> in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.


Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success using Waffle in a similar configuration.  You might try that if all else fails.

-Terence Bandoian


>
>
>
> Tomcat Output:
>
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>              suSec is 403143
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>              suSec is 996893
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
>              suSec is 543768
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
> 09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
> 09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - Calling execute on job DEFAULT.reportsJob
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
>              suSec is 715643
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>



Built-in Tomcat Support for Windows Authentication

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication.
> We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly: the logon dialog keeps appearing and trying to log on fails.
> In addition to that we tried suggestions like adding the registry key AllowTgtSessionKey and setting it to 0x01.
> It seems like we are close but we are missing something (see Tomcat output below).
> Does anyone have more complete documentation or any suggestions on how to make this work?
>
>
> Kind regards,
>
> Philippe Wijdh
>
>
>
> Extra information on the setup:
>
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
>
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (we have created the SPN both with and without the port number; it does not make a difference).
>
> Test is done with user testuser@assai.nl<ma...@assai.nl> in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.


Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had 
success using Waffle in a similar configuration.  You might try that if 
all else fails.

-Terence Bandoian


>
>
>
> Tomcat Output:
>
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>              suSec is 403143
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>              suSec is 996893
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8080@ASSAI.NL
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
>              suSec is 543768
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=235
>>>> KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Built-in Tomcat Support for Windows Authentication

Posted by Mark Thomas <ma...@apache.org>.
On 22/10/2014 10:40, Philippe Wijdh wrote:
> Hello,
> 
> We have spent a long time now trying to set up Apache Tomcat with Windows Authentication.
> We followed the instructions as per http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot make it work properly; the logon dialog keeps appearing and trying to log on fails.
> In addition to that we tried suggestions, like adding the registry key AllowTgtSessionKey and setting it to 0x01.
> Seems like we are close but we are missing something (see Tomcat output below).
> Does anyone have more complete documentation or any suggestions on how to make this work?

The documentation is complete. If you follow the steps in that document
then you will end up with a working system.

Either you aren't following the documentation or something in your
environment differs from that described in the document.

> Kind regards,
> 
> Philippe Wijdh
> 
> 
> 
> Extra information on the setup:
> 
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> 
> Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 (we have created the SPN with and without the port number; it does not make a difference).
> 
> Test is done with user testuser@assai.nl in IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet sites.

You haven't provided any information on the Realm configuration or how
you have secured the page you are trying to test with.

You might have hit https://issues.apache.org/bugzilla/show_bug.cgi?id=57022

There are lots of configuration steps listed in the docs you haven't
mentioned.

Mark
