Posted to users@tomcat.apache.org by David Marsh <dm...@outlook.com> on 2015/03/24 11:37:00 UTC

SPNEGO test configuration with Manager webapp

Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf
com.sun.security.jgss.krb5.initiate {...};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab"
    storeKey=true;
};
krb5.ini
[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
        kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local= KERBTEST.LOCAL
.kerbtest.local= KERBTEST.LOCAL
I want to use the tomcat manager app to test SPNEGO with Active Directory, Tomcat is currently installed on the domain controller.
It seems like authentication is never completed, as in the browser I get prompted for credentials over and over. So there appear to be two issues :-
1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent
I have created the tc01 and test users in active directory, and the keytab as instructed.
I run tomcat as tc01 user :-
runas /env /user:tc01@kerbtest.local "startup.bat"
Output from running tomcat :-
Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): tc01.kerbtest.local
>>> KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 7
>>> KdcAccessibility: reset
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=160
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
         suSec is 627351
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=243
>>>DEBUG: TCPClient reading 1467 bytes
>>> KrbKdcReq send: #bytes read=1467
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Tue Mar 24 20:26:57 GMT 2015
I create a realm in server.xml :-
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://192.168.78.8:389"
             userBase="ou=Users,dc=kerbtest,dc=local"
             userSearch="(mail={0})"
             userRoleName="memberOf"
             roleBase="ou=Users,dc=kerbtest,dc=local"
             roleName="cn"
             roleSearch="(uniqueMember={0})"/>
web.xml for manager web app has auth method set :-
  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <!-- <auth-method>BASIC</auth-method> -->
    <auth-method>SPNEGO</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
Any ideas what is happening and what I can do to troubleshoot?
many thanks
David

Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks for your help!
>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the Windows service?
>> I do not think authentication completes; certainly authorization does not, as I can't see the site and get 401 http status.
>> I have not configured a tomcat realm but I have put the test user in a manager-gui group in Active Directory.
> 
> I've only given your config a quick scan, but the thing that jumps out
> at me is spaces in the some of the paths. I'm not sure how well krb5.ini
> will handle those. It might be fine. It might not be.
> 
> Mark

Considering your Kerberos logs, you may want to have a look at this :
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
(gotten to by Googling for "kerberos preauthentication", as this term seemed to appear in 
the logs).
To me, your logs (assuming that they are the Tomcat Kerberos logs) would seem to indicate 
that it is Tomcat who is trying to pre-authenticate to the KDC, and failing to do so (for 
whatever reason I don't really know).
I am not really a specialist of Kerberos, but from what I understand of it, the first 
action of a Kerberos client - when it logs in, which in this case could be construed as 
"when Tomcat starts up" - is to contact a Kerberos "ticket granting server" (usually the 
same as the KDC), and obtain a "ticket-granting ticket" from it.
Then later, when the client wants to access a service, it re-contacts the KDC, passes it 
this "ticket-granting ticket", and requests another ticket to access the desired service.
Then it sends this "service ticket" to the host hosting the desired service, for 
authentication.
For whatever reason, it looks as if Tomcat is at least trying to get such an initial 
"ticket-granting ticket" for itself at start, and failing.
Maybe such a ticket is a necessary pre-condition for Tomcat's Kerberos stack, to be able 
to authenticate "tomcat service tickets" presented to it later by a browser client ?

In terms of debugging what happens, I think that for the time being you should forget the 
browser clients for a moment, and concentrate on Tomcat and this Kerberos log of his, and 
find out why these seemingly error-messages appear in the log at start.
I would assume that, if everything went as expected, one would see at least some message 
indicating success, which is not in evidence here for now.
Maybe the SPNs don't match, between the KDC and the Tomcat server ?
"ktlist" may be a good tool on both, to list what's there and compare.

> 
> 
>> David
>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>> From: felix.schumacher@internetallee.de
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>> Everything is as described and still not working, except the jaas.conf is :-
>>>>
>>>> com.sun.security.jgss.krb5.initiate {
>>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>>      doNotPrompt=true
>>>>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>      useKeyTab=true
>>>>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>      storeKey=true;
>>>> };
>>>>
>>>> com.sun.security.jgss.krb5.accept {
>>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>>      doNotPrompt=true
>>>>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>      useKeyTab=true
>>>>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>      storeKey=true;
>>>> };
>>>>
>>>> In other words the principal is the tomcat server as it should be.
>>>>
>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>> From: felix.schumacher@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>> Sorry thats :-
>>>>>>
>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>> Is it working with this configuration, or just to point out, that you
>>>>> copied the wrong jaas.conf for the mail?
>>>>>
>>>>> Felix
>>>>>> ----------------------------------------
>>>>>>> From: dmarsh26@outlook.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>
>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>
>>>>>>> I've created three Windows VMs :-
>>>>>>>
>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>
>>>>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>>>>
>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>
>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>
>>>>>>> jaas.conf
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> krb5.ini
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> forwardable=true
>>>>>>>
>>>>>>> [realms]
>>>>>>> KERBTEST.LOCAL = {
>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>> }
>>>>>>>
>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>
>>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>>
>>>>>>> Users were created as instructed.
>>>>>>>
>>>>>>> Spn was created as instructed
>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>
>>>>>>> keytab was created as instructed
>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>
>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>>>>
>>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>>
>>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>>
>>>>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>>>>
>>>>>>> The next has an Authorization request http header with long encrypted string.
>>> That means that Tomcat believes it can use Kerberos/SPNEGO, and
>>> Firefox is able to get a service ticket for the server and sends it
>>> back. So far it looks promising. But I assume the authentication
>>> does not complete, right?
>>>
>>>
>>>>>>> IE still prompts for credentials with a popup, not sure why as does chrome.
>>>>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
>>>>>>>
>>>>>>> It seems like authentication is never completed ?
>>>>>>>
>>>>>>> There are no errors in tomcat logs.
>>>>>>>
>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
>>> print out a lot of debug information, which should end up in catalina.out.
>>>
>>> Felix
>>>>>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
>>>>>>>
>>>>>>> many thanks
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>>
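Following André's suggestion to list what is in the keytab on both sides and compare, here is an added example (not code from this thread, from Tomcat or from the JDK) that parses a keytab in the MIT format version 0x0502, lists principal, kvno and enctype the way klist -k would, and checks each key against the default_tkt_enctypes value from the krb5.ini quoted above. The keytab bytes are constructed inline with dummy key material; the 74-byte entry length it produces for HTTP/tc01.kerbtest.local matches what the Java debug output reported, which is why the builder writes only the 8-bit vno field.

```python
import struct

# Kerberos enctype numbers from the IANA registry (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
ENCTYPE_NUMBERS = {name: num for num, name in ENCTYPE_NAMES.items()}


def _counted_octets(buf, off):
    """Read a keytab 'counted octet string': uint16 big-endian length + bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Parse a keytab in MIT format version 0x0502 into a list of dicts.

    Entry layout, all big-endian: int32 size, uint16 ncomponents, realm,
    components..., uint32 name_type, uint32 timestamp, uint8 vno8,
    uint16 enctype, counted key bytes, optional uint32 kvno (overrides
    vno8 when non-zero). A negative size marks a deleted slot.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted_octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted_octets(data, p)
            comps.append(comp.decode())
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, p)
        (etype,) = struct.unpack_from(">H", data, p + 9)
        key, p = _counted_octets(data, p + 11)
        if p + 4 <= end:                 # optional 32-bit kvno present
            (vno32,) = struct.unpack_from(">I", data, p)
            vno = vno32 or vno
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp, "kvno": vno,
            "enctype": etype, "enctype_name": ENCTYPE_NAMES.get(etype, "?"),
            "key_len": len(key), "entry_len": size,
        })
        off = end
    return entries


def parse_enctype_list(value):
    """Map a krb5.ini 'default_tkt_enctypes' value to enctype numbers."""
    return [ENCTYPE_NUMBERS[n.strip()] for n in value.split(",") if n.strip()]


def unusable_entries(entries, configured):
    """Entries whose enctype is not in the configured list.

    A non-empty result is the condition behind kinit's 'Do not have keys of
    types listed in default_tkt_enctypes available' error.
    """
    return [e for e in entries if e["enctype"] not in configured]


def build_entry(principal, etype, key, kvno, name_type=1, timestamp=0):
    """Serialise one entry (sample input only); writes the 8-bit vno only,
    which is what the thread's 74-byte entry length implies."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", name_type, timestamp, kvno & 0xFF, etype)
    body += struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: the thread's RC4 entry with dummy key bytes, plus a
# DES key that the quoted default_tkt_enctypes setting does not permit.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("HTTP/tc01.kerbtest.local@KERBTEST.LOCAL", 23, b"\x11" * 16, 7)
    + build_entry("HTTP/tc01.kerbtest.local@KERBTEST.LOCAL", 3, b"\x22" * 8, 7)
)
DEFAULT_TKT_ENCTYPES = "rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96"


def report(data=SAMPLE_KEYTAB, enctypes=DEFAULT_TKT_ENCTYPES):
    """Print a 'klist -k' style listing; return (entries, unusable entries)."""
    entries = parse_keytab(data)
    bad = unusable_entries(entries, parse_enctype_list(enctypes))
    for e in entries:
        print("%s kvno=%d enctype=%d (%s) entry_len=%d" % (
            e["principal"], e["kvno"], e["enctype"], e["enctype_name"],
            e["entry_len"]))
    for e in bad:
        print("not requestable under default_tkt_enctypes:", e["enctype_name"])
    return entries, bad
```

Run report() against the bytes of a real keytab (open(path, "rb").read()) and the enctype line from the matching krb5.ini; a principal, kvno or enctype that differs from what the KDC holds shows up directly in the listing.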


Re: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.
On 25.03.2015 at 18:29, David Marsh wrote:
> Java's version of kinit seems to report an issue?
>
> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>          at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>          at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>          at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>          at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>          at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>          at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Could it be that you have to enable DES in the AD (see a similar problem 
described at https://community.igniterealtime.org/thread/49913)?

Alternatively you could try to remove the enctype references from your 
krb5.ini and/or add "-crypto DES-CBC-CRC" to the ktpass call (as in 
https://community.oracle.com/thread/1527560).

Felix


>
> ----------------------------------------
>> From: dmarsh26@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>
>> It's possible I guess, although I would not expect that.
>>
>> The test is :-
>>
>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>
>> Firefox is not configured to use a proxy; it's all in VMware Workstation 10 using the Vmnet01 virtual network.
>>
>> Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :-
>>
>> 1 :- Response WWW-Authenticate: "Negotiate"
>>
>> 2 :- Request Authorization: "Negotiate [token elided]"
>>
>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>
>> 3 :- Request Authorization: "Negotiate [token elided]"
>>
>> Response WWW-Authenticate: "Negotiate"
>>
>> I'm not sure how long they should be, but they all end in "=" so I expect they are not truncated?
>>
>> ----------------------------------------
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>> From: felix.schumacher@internetallee.de
>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>> To: users@tomcat.apache.org
>>>
>>>
>>>
>>> On 25 March 2015 17:25:25 CET, David Marsh <dm...@outlook.com> wrote:
>>>> This is how the keytab was created :-
>>>>
>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>> tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>> /pass tc01pass
>>>>
>>>> The password is the correct password for the user tc01 associated with
>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>
>>>> I managed to turn on some more logging around JAAS, see the error
>>>> :- java.security.PrivilegedActionException: GSSException: Defective
>>>> token detected
>>> Do you talk directly to Tomcat, or is there any kind of proxy in between?
>>> Could the header be truncated?
>>>
>>> Felix
>>>> 25-Mar-2015 15:46:22.131 INFO [main]
>>>> org.apache.catalina.core.StandardService.startInternal Starting
>>>> service Catalina
>>>> 25-Mar-2015 15:46:22.133 INFO [main]
>>>> org.apache.catalina.core.StandardEngine.startInternal Starting
>>>> Servlet Engine: Apache Tomcat/8.0.20
>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1]
>>>> org.apache.catalina.startup.HostConfig.deployD
>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>> Software Foundation\Tomcat 8.0\
>>>> webapps\docs
>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1]
>>>> org.apache.catalina.startup.HostConfig.deployD
>>>> irectory Deployment of web application directory C:\Program
>>>> Files\Apache Software Foundation\Tomcat
>>>> 8.0\webapps\docs has finished in 380 ms
>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1]
>>>> org.apache.catalina.startup.HostConfig.deployD
>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>> Software Foundation\Tomcat 8.0\
>>>> webapps\manager
>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1]
>>>> org.apache.catalina.authenticator.Authenticato
>>>> rBase.startInternal No SingleSignOn Valve is present
>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1]
>>>> org.apache.catalina.startup.HostConfig.deployD
>>>> irectory Deployment of web application directory C:\Program
>>>> Files\Apache Software Foundation\Tomcat
>>>> 8.0\webapps\manager has finished in 93 ms
>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1]
>>>> org.apache.catalina.startup.HostConfig.deployD
>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>> Software Foundation\Tomcat 8.0\
>>>> webapps\ROOT
>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1]
>>>> org.apache.catalina.startup.HostConfig.deployD
>>>> irectory Deployment of web application directory C:\Program
>>>> Files\Apache Software Foundation\Tomcat
>>>> 8.0\webapps\ROOT has finished in 59 ms
>>>> 25-Mar-2015 15:46:22.797 INFO [main]
>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>> er ["http-nio-80"]
>>>> 25-Mar-2015 15:46:22.806 INFO [main]
>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>> er ["ajp-nio-8009"]
>>>> 25-Mar-2015 15:46:22.808 INFO [main]
>>>> org.apache.catalina.startup.Catalina.start Server startup in 72
>>>> 1 ms
>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>> se.invoke Security checking request GET /manager/html
>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>> against GET /html --> false
>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>> interface]' against GET /html --> fal
>>>> se
>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>> interface (for scripts)]' against
>>>> GET /html --> false
>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>> interface (for humans)]' against G
>>>> ET /html --> true
>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>> against GET /html --> false
>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>> interface]' against GET /html --> fal
>>>> se
>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>> interface (for scripts)]' against
>>>> GET /html --> false
>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>> interface (for humans)]' against G
>>>> ET /html --> true
>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>> se.invoke Calling hasUserDataPermission()
>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>> rmission User data constraint has no restrictions
>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>> se.invoke Calling authenticate()
>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.authenticator.SpnegoAuthentic
>>>> ator.authenticate No authorization header sent by client
>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1]
>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>> se.invoke Failed authenticate() test
>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>> se.invoke Security checking request GET /manager/html
>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>> against GET /html --> false
>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>> interface]' against GET /html --> fal
>>>> se
>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>> interface (for scripts)]' against
>>>> GET /html --> false
>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>> interface (for humans)]' against G
>>>> ET /html --> true
>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>> against GET /html --> false
>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>> interface]' against GET /html --> fal
>>>> se
>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>> interface (for scripts)]' against
>>>> GET /html --> false
>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>> interface (for humans)]' against G
>>>> ET /html --> true
>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>> se.invoke Calling hasUserDataPermission()
>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>> rmission User data constraint has no restrictions
>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>> se.invoke Calling authenticate()
>>>> Debug is true storeKey true useTicketCache false useKeyTab true
>>>> doNotPrompt true ticketCache is nul
>>>> l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config
>>>> is false principal is HTTP/wi
>>>> n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass
>>>> is false storePass is false
>>>> clearPass is false
>>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>> KeyTab: load() entry length: 78; type: 23
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>>> 8.0\conf\krb5.ini
>>>> Loaded from Java config
>>>> Added key: 23version: 3
>>>>>>> KdcAccessibility: reset
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>> number of retries =3, #bytes=
>>>> 164
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>> timeout=30000,Attempt =1, #bytes=164
>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>> KRBError:
>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>> suSec is 701709
>>>> error code is 25
>>>> error Message is Additional pre-authentication required
>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>> eData provided.
>>>> msgType is 30
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Will use keytab
>>>> Commit Succeeded
>>>>
>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>> [Krb5LoginModule]: Entering logout
>>>> [Krb5LoginModule]: logged out Subject
>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>> KRBError:
>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>> suSec is 935731
>>>> error code is 25
>>>> error Message is Additional pre-authentication required
>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>> eData provided.
>>>> msgType is 30
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Will use keytab
>>>> Commit Succeeded
>>>>
>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>> ... 18 more
>>>>
>>>> [Krb5LoginModule]: Entering logout
>>>> [Krb5LoginModule]: logged out Subject
>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>
>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>> From: felix.schumacher@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>>
>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>
>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>
>>>>>> Cached Tickets: (2)
>>>>>>
>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>> Kdc Called: 192.168.0.200
>>>>>>
>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>> Cache Flags: 0
>>>>>> Kdc Called: 192.168.0.200
>>>>>>
>>>>>> Looks like I was granted a ticket for the SPN
>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>
>>>>>> If I have ticket why do I get 401 ?
>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>> by firefox for authentication. Firefox transmits
>>>>> this service ticket to the server (as base64 encoded in the
>>>>> WWW-Authenticate header).
>>>>>
>>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>>> the user information. This is where your problems arise.
>>>>> It looks like your server has trouble getting its own ticket.
>>>>>
>>>>> Are you sure that the password you used for keytab generation (on the
>>>>> server side) is correct? ktpass will probably accept
>>>>> any input as a password. Maybe you can check the keytab by using kinit
>>>>> (though I don't know if it exists for windows, or how
>>>>> the java one is used).
>>>>>
>>>>> Felix
>>>>>
>>>>>> ----------------------------------------
>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>> From: markt@apache.org
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>> Hi Felix,
>>>>>>>> Thanks for your help!
>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>> parameters in the Configure Tomcat tool. I definitely got more
>>>>>>>> information when using startup.bat, not sure the settings get picked up by the
>>>>>>>> windows service?
>>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>>> not as I can't see the site and get 401 http status.
>>>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>>>> manager-gui group in Active Directory.
>>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>>>>> will handle those. It might be fine. It might not be.
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>>
>>>>>>>> David
>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>> doNotPrompt=true
>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> useKeyTab=true
>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>> storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>> doNotPrompt=true
>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> useKeyTab=true
>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>> storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>>> Sorry, that's :-
>>>>>>>>>>>>
>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>> Is it working with this configuration, or just to point out that
>>>>>>>>>>> you copied the wrong jaas.conf for the mail?
>>>>>>>>>>>
>>>>>>>>>>> Felix
>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>
>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>> };
>>>>>>>>>>>>>
>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>> };
>>>>>>>>>>>>>
>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>
>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>
>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>> }
>>>>>>>>>>>>>
>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>>>> Directory.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>
>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
>>>>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>>>> times.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SPNEGO test configuration with Manager webapp

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 3/25/2015 2:19 PM, André Warnier wrote:
> David Marsh wrote:
>> Javas version of kinit seems to report issue ?
>>
>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>
> That seems to indicate that between the Java Kerberos module in 
> Tomcat, and the KDC's Kerberos software, there is a mismatch in the 
> types of keys used (type of encryption), so they do not understand 
> each other.
> This may be relevant : https://community.igniterealtime.org/thread/49913
>
> It is also a bit strange that it says :
> only have keys of following type:
> (with nothing behind the :.. )
>
> From what I keep browsing on the WWW, it also seems that the types of 
> key encryptions that might match between Java Kerberos and Windows 
> Kerberos, depend on the versions of both Java and Windows Server..
>
> Man, this thing is really a nightmare, isn't it ?
>
>
>>
>> ----------------------------------------
>>> From: dmarsh26@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>
>>> It's possible I guess, although I would not expect that.
>>>
>>> The test is :-
>>>
>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>
>>> Firefox is not configured to use a proxy, it's all in VMware 
>>> Workstation 10 using the Vmnet01 virtual network.
>>>
>>> Firefox has three 401 responses with headers "Authorization" and 
>>> "WWW-Authenticate" :-
>>>
>>> 1 :- Response WWW-Authenticate: "Negotiate"
>>>
>>> 2 :- Request Authorization: "Negotiate 
> muJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4=" 
>
>>>
>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>
>>> 3 :- Request Authorization: "Negotiate 
> PF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E=" 
>
>>>
>>> Response WWW-Authenticate: "Negotiate"
>>>
>>> I'm not sure how long they should be, but they all end "=" so I expect 
>>> they are not truncated?
>>>
>>> ----------------------------------------
>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>> From: felix.schumacher@internetallee.de
>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>> To: users@tomcat.apache.org
>>>>
>>>>
>>>>
>>>> On 25 March 2015 at 17:25:25 CET, David Marsh 
>>>> <dm...@outlook.com> wrote:
>>>>> This is how the keytab was created :-
>>>>>
>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>>> tc01@KERBTEST.LOCAL /princ 
>>>>> HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>> /pass tc01pass
>>>>>
>>>>> The password is the correct password for the user tc01 associated with
>>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>
>>>>> I managed to turn on some more logging around JAAS, see the error :-
>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected
>>>> Do you talk directly to Tomcat, or is there any kind of proxy in 
>>>> between?
>>>> Could the header be truncated?
>>>>
>>>> Felix
>>>>> 25-Mar-2015 15:46:22.131 INFO [main]
>>>>> org.apache.catalina.core.StandardService.startInternal Starting
>>>>> service Catalina
>>>>> 25-Mar-2015 15:46:22.133 INFO [main]
>>>>> org.apache.catalina.core.StandardEngine.startInternal Starting
>>>>> Servlet Engine: Apache Tomcat/8.0.20
>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1]
>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>>> Software Foundation\Tomcat 8.0\
>>>>> webapps\docs
>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1]
>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>> irectory Deployment of web application directory C:\Program
>>>>> Files\Apache Software Foundation\Tomcat
>>>>> 8.0\webapps\docs has finished in 380 ms
>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1]
>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>>> Software Foundation\Tomcat 8.0\
>>>>> webapps\manager
>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1]
>>>>> org.apache.catalina.authenticator.Authenticato
>>>>> rBase.startInternal No SingleSignOn Valve is present
>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1]
>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>> irectory Deployment of web application directory C:\Program
>>>>> Files\Apache Software Foundation\Tomcat
>>>>> 8.0\webapps\manager has finished in 93 ms
>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1]
>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>>> Software Foundation\Tomcat 8.0\
>>>>> webapps\ROOT
>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1]
>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>> irectory Deployment of web application directory C:\Program
>>>>> Files\Apache Software Foundation\Tomcat
>>>>> 8.0\webapps\ROOT has finished in 59 ms
>>>>> 25-Mar-2015 15:46:22.797 INFO [main]
>>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>>> er ["http-nio-80"]
>>>>> 25-Mar-2015 15:46:22.806 INFO [main]
>>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>>> er ["ajp-nio-8009"]
>>>>> 25-Mar-2015 15:46:22.808 INFO [main]
>>>>> org.apache.catalina.startup.Catalina.start Server startup in 72
>>>>> 1 ms
>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1]
>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>> se.invoke Security checking request GET /manager/html
>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1]
>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>>> against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1]
>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>>> interface]' against GET /html --> fal
>>>>> se
>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1]
>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>>> interface (for scripts)]' against
>>>>> GET /html --> false
>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1]
>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>>> interface (for humans)]' against G
>>>>> ET /html --> true
>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>>> KeyTab: load() entry length: 78; type: 23
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>>>> 8.0\conf\krb5.ini
>>>>> Loaded from Java config
>>>>> Added key: 23version: 3
>>>>>>>> KdcAccessibility: reset
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> KrbAsReq creating message
>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>> KRBError:
>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>>> suSec is 701709
>>>>> error code is 25
>>>>> error Message is Additional pre-authentication required
>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>> eData provided.
>>>>> msgType is 30
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>> KrbAsReq creating message
>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Will use keytab
>>>>> Commit Succeeded
>>>>>
>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>>> [Krb5LoginModule]: Entering logout
>>>>> [Krb5LoginModule]: logged out Subject
>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> KrbAsReq creating message
>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>> KRBError:
>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>>> suSec is 935731
>>>>> error code is 25
>>>>> error Message is Additional pre-authentication required
>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>> eData provided.
>>>>> msgType is 30
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>>>>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>> KrbAsReq creating message
>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Will use keytab
>>>>> Commit Succeeded
>>>>>
>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>>> ... 18 more
>>>>>
>>>>> [Krb5LoginModule]: Entering logout
>>>>> [Krb5LoginModule]: logged out Subject
>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>
>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>> From: felix.schumacher@internetallee.de
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> Am 25.03.2015 16:09, schrieb David Marsh:
>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>>> tc01@KERBTEST.LOCAL, still same symptoms.
>>>>>>>
>>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>
>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>
>>>>>>> Cached Tickets: (2)
>>>>>>>
>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>
>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>> Cache Flags: 0
>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>
>>>>>>> Looks like I was granted a ticket for the SPN
>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>
>>>>>>> If I have a ticket why do I get 401 ?
>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>>> by firefox for authentication. Firefox transmits
>>>>>> this service ticket to the server (as base64 encoded in the
>>>>>> WWW-Authenticate header).
>>>>>>
>>>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>>>> the user information. This is where your problems arise.
>>>>>> It looks like your server has trouble getting its own ticket.
>>>>>>
>>>>>> Are you sure that the password you used for keytab generation (on the
>>>>>> server side) is correct? ktpass will probably accept
>>>>>> any input as a password. Maybe you can check the keytab by using kinit
>>>>>> (though I don't know if it exists for Windows, or how
>>>>>> the Java one is used).
>>>>>>
>>>>>> Felix
>>>>>>
>>>>>>> ----------------------------------------
>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>> From: markt@apache.org
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>> Hi Felix,
>>>>>>>>> Thanks for your help!
>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>>>>>> windows service ?
>>>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>>>> not as I can't see the site and get 401 http status.
>>>>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>>>>> manager-gui group in Active Directory.
>>>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>>>>>> will handle those. It might be fine. It might not be.
>>>>>>>>
>>>>>>>> Mark
>>>>>>>>
>>>>>>>>
>>>>>>>>> David
>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>
>>>>>>>>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>
>>>>>>>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>>>>>>>>>> Sorry that's :-
>>>>>>>>>>>>>
>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>>> Is it working with this configuration, or just to point out that you
>>>>>>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>
>>>>>>>>>>>> Felix
>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain 
>>>>>>>>>>>>>> logins.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> SPN was created as instructed
>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
>>>>>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows


Have you considered using Waffle?

     http://dblock.github.io/waffle/

I've used it successfully with Java7/Tomcat7 and configuration was very 
simple.

-Terence Bandoian



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
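The quoted trace above fails with "GSSHeader did not find the right tag", which the JDK raises when the decoded Authorization: Negotiate value does not start with the 0x60 [APPLICATION 0] tag of an RFC 2743 InitialContextToken, typically because the browser fell back to NTLM and sent a bare NTLMSSP message instead of a Kerberos/SPNEGO token. As an added example (not code from this thread or from Tomcat), the Python below decodes a Negotiate header value and reports whether it is SPNEGO with its offered mechTypes, raw Kerberos, or NTLM, so the client side can be ruled in or out before touching the keytab. The sample headers are constructed, the OIDs are the standard SPNEGO, Kerberos, MS-Kerberos and NTLMSSP mechanism identifiers, and nothing is taken from the thread's hosts or keytab.

```python
# Added example, not code from the thread or from Tomcat: what did the browser put in
# "Authorization: Negotiate"? Classifies the token the way the JDK GSSHeader sees it.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_MECH_OID = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string (IndexError if empty)."""
    arcs, value, pending = [body[0] // 40, body[0] % 40], 0, False
    for b in body[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID")
    return ".".join(map(str, arcs))


def _encode_oid(dotted):
    """Dotted string -> DER OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def _der(tag, body):
    """Short-form DER TLV; enough for the small constructed samples below."""
    return bytes([tag, len(body)]) + body


def classify_negotiate_token(header_value):
    """Return (kind, offered mechanism OIDs) for an ``Authorization: Negotiate ...`` value.
    kind: "ntlm" (bare NTLMSSP, no GSS header: NTLM fallback), "krb5" (framed Kerberos),
    "spnego" (framed NegTokenInit, OIDs = its mechTypes), "gssapi" or "unknown"."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(token_b64, validate=True)
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm", []
    try:  # RFC 2743 3.1: [APPLICATION 0] { OID, inner }; this is what GSSHeader checks
        tag, body, _ = _read_tlv(token, 0)
        oid_tag, oid_body, pos = _read_tlv(body, 0)
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown", []
        mech = _decode_oid(oid_body)
    except (ValueError, IndexError):
        return "unknown", []
    if mech != SPNEGO_OID:
        return ("krb5" if mech in (KRB5_OID, MS_KRB5_OID) else "gssapi"), [mech]
    # RFC 4178 4.2: NegotiationToken ::= [0] NegTokenInit,
    # NegTokenInit ::= SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }
    offered, node, p = [], body, pos
    try:
        for _ in range(4):  # [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF
            _, node, _ = _read_tlv(node, p)
            p = 0
        while p < len(node):
            _, oid_body, p = _read_tlv(node, p)
            offered.append(_decode_oid(oid_body))
    except (ValueError, IndexError):
        pass  # unexpected NegTokenInit layout: still SPNEGO, offered mechs unknown
    return "spnego", offered


def sample_spnego_header(offered_mechs):
    """Constructed Negotiate header: a NegTokenInit offering offered_mechs, no mechToken."""
    mech_list = _der(0x30, b"".join(_der(0x06, _encode_oid(m)) for m in offered_mechs))
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    token = _der(0x60, _der(0x06, _encode_oid(SPNEGO_OID)) + neg_token_init)
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers; nothing here was captured from the thread's environment.
SAMPLE_KERBEROS_SPNEGO = sample_spnego_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_MECH_OID])
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode("ascii")
```

classify_negotiate_token(SAMPLE_RAW_NTLM) returns ('ntlm', []) and the Kerberos-capable sample returns ('spnego', [...]) with its three mechTypes; a real header copied from the browser's developer tools that starts with "Negotiate TlRMTVNT" is NTLM and will always hit the GSSHeader error in Tomcat, whatever the keytab contains.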


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Broken trace :-

25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against
G
ET /html --> true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache
is nul
l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal
is HTTP/wi
n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass
is false
clearPass is false
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
suSec is 701709
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
suSec is 935731
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
... 18 more

[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

----------------------------------------
> Date: Mon, 30 Mar 2015 00:13:54 +0200
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent "fix" must have broken it.
>
> That is really great info. Thanks.
>
> By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one
> where it works ?
>
>
>>
>> David
>>
>> ----------------------------------------
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>> From: felix.schumacher@internetallee.de
>>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>>> To: users@tomcat.apache.org
>>>
>>>
>>>
>>> On 28 March 2015 17:46:50 CET, Mark Thomas <ma...@apache.org> wrote:
>>>> On 28/03/2015 14:43, David Marsh wrote:
>>>>> Ok so I went back to basics and created three new VM's.
>>>>>
>>>>> Windows Server 2008 R2
>>>>> Windows 7 Client
>>>>> Windows 7 Tomcat
>>>>>
>>>>> I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>>> Thank you for doing all this testing. That is useful information to
>>>> know. The next step (for you, me or anyone who has the time and wants
>>>> to
>>>> help) is to test subsequent Java 7 releases and see at which version it
>>>> stops working. I'd hope that a review of the relevant change log would
>>>> identify the change that triggered the breakage and provide some clues
>>>> on how to fix it.
>>>>
>>>> It would be worth testing the Java 8 releases the same way.
>>> I read it, that jdk 7 works and jdk 8 is problematic.
>>>
>>> There are a few Kerberos related changes in jdk 8 ( http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).
>>>
>>> Interesting are the two changes:
>>>
>>> * DES is disabled by default
>>> * constrained delegation is supported.
>>>
>>> My guess would be, that it would help (in this case) to reenable DES by adding allow_weak_crypto=true in the krb5.conf.
>>>
>>> Regards
>>> Felix
>>>> Mark
>>>>
>>>>
>>>>> David
>>>>>
>>>>> ----------------------------------------
>>>>>> From: dmarsh26@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> Date: Fri, 27 Mar 2015 23:40:06 +0000
>>>>>>
>>>>>> By the way Tomcat 8 was running on JDK :-
>>>>>>
>>>>>> C:\Windows\system32>java -version
>>>>>> java version "1.8.0_40"
>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>>>
>>>>>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>>>>>>
>>>>>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>>>>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>>>>>> I get the same three 401's and the Negotiate.
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>>>> From: aw@ice-sa.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> David Marsh wrote:
>>>>>>>> Hi Mark,
>>>>>>>>
>>>>>>>> Thanks for that, yes I've got 30 years Windows experience, I can use Linux at a push but it's not really my area of expertise.
>>>>>>>> I'm a Java / Windows programmer so I should be able to understand it, but I'm not a Kerberos or Active Directory expert.
>>>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>>>> Enable Windows Integrated Authentication is on
>>>>>>>> Auto logon only in Intranet Zone is on
>>>>>>>>
>>>>>>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>>>
>>>>>>>> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
>>>>>>>> Java kinit test works and stores a ticket in the Java session cache.
>>>>>>>> So problem seems to be either :-
>>>>>>>>
>>>>>>>> 1. Browser sends bad token
>>>>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>>>>>
>>>>>>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines).
>>>>>>> I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.
>>>>>>>
>>>>>>>
>>>>>>>> many thanks
>>>>>>>>
>>>>>>>> David
>>>>>>>>
>>>>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>>>>> From: aw@ice-sa.com
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> David Marsh wrote:
>>>>>>>>>> Hi Mark,
>>>>>>>>>> Thanks that would be great !
>>>>>>>>>> Do you have a good mechanism to test and ensure a Kerberos token is passed to tomcat and not an NTLM token?
>>>>>>>>> I believe that I can answer that.
>>>>>>>>>
>>>>>>>>> And the basic answer is no.
>>>>>>>>>
>>>>>>>>> First the basic principle, valid for this and many many other areas : the server cannot "impose" anything on the browser. The local user can always override anything received from the server, by a setting in the browser. And a hacker can of course do anything.
>>>>>>>>> All the server can do, is tell the browser what it will accept, and the browser can tell the server ditto.
>>>>>>>>> So, never assume the opposite, and you will save yourself a lot of fruitless searches and dead-ends.
>>>>>>>>>
>>>>>>>>> Now more specific :
>>>>>>>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401 response with "Negotiate" as the requested authentication method. Unless it does that, the browser will never even attempt to send a Kerberos "Authorization" back.
>>>>>>>>> 2) for the browser to consider returning a Kerberos Authorization header to the server, additional conditions depend on the browser.
>>>>>>>>> For IE :
>>>>>>>>> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether this is done locally by the user, or part of the standard IE settings company-wide, or imposed by some "network policy" at corporate level.
>>>>>>>>> b) the server to which the browser is talking, must be known to IE as either
>>>>>>>>> - part of the "Intranet"
>>>>>>>>> - or at least a "trusted" server
>>>>>>>>> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
>>>>>>>>> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to NTLM, always. And there is nothing you can do about that at the server level.
>>>>>>>>> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level, has the effect of disabling Kerberos, but not NTLM).
>>>>>>>>>
>>>>>>>>> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall back to Basic authentication, if its other settings allow that. That's when you see the browser popup login dialog; and in an SSO context, this is a sure sign that something isn't working as expected.
>>>>>>>>>
>>>>>>>>> Some authentication modules, at the server level, are able to adapt to what the browser sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
>>>>>>>>> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
>>>>>>>>> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works under both Windows and Linux.
>>>>>>>>>
>>>>>>>>> And finally, about your problems : it seems that you have fallen in a very specific kind of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using Windows Kerberos libraries and encryption method choices and hostname formats etc..), from a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying platform is), which is using Java Kerberos libraries and encryption method choices etc...
>>>>>>>>> And it seems that between this Java Kerberos part and the Windows Kerberos part, there are a number of areas of mutual incomprehension (such as which key encryption methods they each implement, or which ones are the "default" ones for each).
>>>>>>>>>
>>>>>>>>> And I am sure that the issue can be resolved. But it is probably a question of finding out which among the 25 or more settings one can alter on each side, overlap and either agree or contradict each other.
>>>>>>>>>
>>>>>>>>> One underlying issue is that, as well in corporations as on the WWW, the "Windows people" and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how to set this up, they will tell you "just do this and it works" (assuming that all the moving parts are Windows-based); and if you ask the "Linux people", they will tell you "just do this and it works" (assuming that all the moving parts are Linux-based).
>>>>>>>>> And there are very few people (and web pages) which span both worlds with their various combinations.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> David
>>>>>>>>>>
>>>>>>>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>>>>>>>> From: markt@apache.org
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>>>>>>>> Still getting :-
>>>>>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>>>>>>
>>>>>>>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-APi ?
>>>>>>>>>>>>
>>>>>>>>>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>>>>>>>
>>>>>>>>>>>> Is Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>>>>>>>> My test environment is Windows 2008 R2 server and Windows 7. It is certainly possible security has been tightened between those versions and 2012/R2 + 8 that means things don't work by default with Java.
>>>>>>>>>>> I'll see if I can find some time in the next few weeks to update my test environment and do some more testing.
>>>>>>>>>>>
>>>>>>>>>>> Mark
>>>>>>>>>>>
>>>>>>>>>>>
>>>> ---------------------------------------------------------------------
>>>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>>
>
>


Re: SPNEGO test configuration with Manager webapp

Posted by Mark Thomas <ma...@apache.org>.
On 14/05/2015 22:29, Mark Thomas wrote:
> On 14/05/2015 21:11, Mark Thomas wrote:
>> On 29/03/2015 23:13, André Warnier wrote:
>>> David Marsh wrote:
>>>> I've tested all the following public JDKs
>>>> jdk-7u45-windows-i586.exe
>>>> jdk-7u65-windows-i586.exe
>>>> jdk-7u75-windows-i586.exe
>>>> jdk-8-windows-i586.exe
>>>> jdk-8u5-windows-i586.exe
>>>> jdk-8u11-windows-i586.exe
>>>> jdk-8u20-windows-i586.exe
>>>> jdk-8u25-windows-i586.exe
>>>> jdk-8u31-windows-i586.exe
>>>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>>>
>>>> Seems a recent "fix" must have broken it.
>>>
>>> That is really great info.  Thanks.
>>
>> As promised I have found some time to look into this. It appears that
>> this fix in 8u40 onwards broke SPNEGO.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8048194
>>
>> The fix that was applied wasn't the one suggested in the bug report.
>>
>> I've spent some time looking at the code but I haven't found a way
>> around this yet.
> 
> Good news (sort of). I have an *extremely* dirty hack that fixes this on
> my test instance by moving some of the data about in the token that the
> client sends. It works with 8u20 and 8u45.
> 
> At the moment the hack is extremely fragile. I need to make it more
> robust and make it optional. I should be able to get that done tomorrow
> and have it included in the next Tomcat 8 release.

Fix applied to trunk (for 9.0.x), 8.0.x (for 8.0.23 onwards) and 7.0.x
(for 7.0.63 onwards).

Mark


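Everything in this thread turns on the bytes of the Negotiate token the browser sends: whether it is Kerberos or NTLM (the question David asked and André answered above), whether the JDK's GSSHeader finds the [APPLICATION 0] tag it expects (the "Defective token detected" error in the trace, raised in acceptSecContext after the keytab login had already reported "Commit Succeeded"), and which mechanism the acceptor picks from the SPNEGO mechTypes list (the area the JDK-8048194 change and Mark's workaround deal with; what exactly the workaround rearranges is not stated on this page). The following Python is an added example written for this page, not code from the thread, from Tomcat or from the JDK. It decodes an Authorization: Negotiate header, tells a raw NTLMSSP or NegoEx blob apart from a GSS-API InitialContextToken, walks a SPNEGO NegTokenInit to list its mechTypes and identify the inner mechToken, and reports whether the first mechType matches that inner token. The OID constants are the standard mechanism identifiers; the sample token built by build_sample_spnego() is constructed with a placeholder AP-REQ body and is not a real capture.

```python
import base64
# Standard GSS-API / SPNEGO mechanism OIDs (RFC 4178, RFC 1964, MS-SPNG).
SPNEGO, KRB5 = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"                 # legacy Microsoft Kerberos OID
NTLMSSP, NEGOEX = "1.3.6.1.4.1.311.2.2.10", "1.3.6.1.4.1.311.2.2.30"
NAMES = {SPNEGO: "SPNEGO", KRB5: "Kerberos V5", MS_KRB5: "MS Kerberos",
         NTLMSSP: "NTLMSSP", NEGOEX: "NegoEx"}

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode DER OID contents into dotted form."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def parse_neg_token_init(inner):
    """Return (mechTypes, classified mechToken) from a SPNEGO NegTokenInit."""
    _, choice, _ = read_tlv(inner, 0)           # [0] NegTokenInit
    _, seq, _ = read_tlv(choice, 0)             # SEQUENCE { mechTypes, reqFlags?, mechToken?, ... }
    mech_types, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                         # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val, 0)
            p = 0
            while p < len(lst):
                _, oid, p = read_tlv(lst, p)
                mech_types.append(decode_oid(oid))
        elif tag == 0xA2:                       # [2] mechToken: OCTET STRING
            _, tok, _ = read_tlv(val, 0)
            mech_token = classify_token(tok)
    return mech_types, mech_token

def classify_token(token):
    """Classify raw token bytes: NTLM, NegoEx, or a GSS-API InitialContextToken."""
    if token.startswith(b"NTLMSSP\x00"):
        return {"kind": "NTLM", "gss_header": False}
    if token.startswith(b"NEGOEXTS"):
        return {"kind": "NegoEx", "gss_header": False}
    if not token or token[0] != 0x60:           # [APPLICATION 0]: the tag GSSHeader wants
        return {"kind": "unknown", "gss_header": False}
    _, body, _ = read_tlv(token, 0)
    tag, oid, pos = read_tlv(body, 0)
    mech = decode_oid(oid) if tag == 0x06 else None
    info = {"kind": NAMES.get(mech, "unknown"), "mech_oid": mech, "gss_header": True}
    if mech == SPNEGO:
        mech_types, inner = parse_neg_token_init(body[pos:])
        info["mech_types"] = [NAMES.get(m, m) for m in mech_types]
        info["mech_token"] = inner
        # The acceptor reads the mechToken according to the first mechType.
        info["first_mech_matches_token"] = bool(inner) and mech_types[:1] == [inner.get("mech_oid")]
    return info

def classify_header(authorization):
    """Classify the value of an HTTP Authorization request header."""
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not Negotiate", "scheme": scheme}
    return classify_token(base64.b64decode(b64))

def is_kerberos(info):
    """True only if the token is Kerberos, directly or as the SPNEGO mechToken."""
    if info["kind"] in ("Kerberos V5", "MS Kerberos"):
        return True
    return info["kind"] == "SPNEGO" and bool(info.get("mech_token")) and is_kerberos(info["mech_token"])

def negotiate_header(token):                    # the header value a client sends for a token
    return "Negotiate " + base64.b64encode(token).decode("ascii")

# ---- constructed sample data (DER encoder and a fake SPNEGO token) ----------
def der(tag, payload):
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append((v & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return bytes(out)

def build_sample_spnego(mech_types, token_mech):
    """NegTokenInit whose mechToken is a GSS header for token_mech plus a placeholder body."""
    placeholder = b"\x01\x00\x6e\x03\x30\x01\x00"   # TOK_ID + filler, not a real AP-REQ
    mech_token = der(0x60, der(0x06, encode_oid(token_mech)) + placeholder)
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(m)) for m in mech_types))
    init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, encode_oid(SPNEGO)) + der(0xA0, init))
```

Feed classify_header() a header value copied from the browser's developer tools and look at is_kerberos(): a raw NTLMSSP blob is reported as NTLM and has no GSS header at all, which is the kind of input an acceptor rejects before any Kerberos processing; a SPNEGO token shows its mechTypes order and whether the first entry matches the embedded mechToken. Keep the policy decision separate from the diagnosis: a server that only wants Kerberos should refuse anything else rather than fall back silently, and the allow_weak_crypto suggestion above would re-enable DES, which the trace gives no reason to need (the keytab entry and the KDC's PA-ETYPE-INFO are both etype 23, RC4-HMAC, and that exchange succeeded).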


Re: SPNEGO test configuration with Manager webapp

Posted by Mark Thomas <ma...@apache.org>.
On 14/05/2015 21:11, Mark Thomas wrote:
> On 29/03/2015 23:13, André Warnier wrote:
>> David Marsh wrote:
>>> I've tested all the following public JDKs
>>> jdk-7u45-windows-i586.exe
>>> jdk-7u65-windows-i586.exe
>>> jdk-7u75-windows-i586.exe
>>> jdk-8-windows-i586.exe
>>> jdk-8u5-windows-i586.exe
>>> jdk-8u11-windows-i586.exe
>>> jdk-8u20-windows-i586.exe
>>> jdk-8u25-windows-i586.exe
>>> jdk-8u31-windows-i586.exe
>>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>>
>>> Seems a recent "fix" must have broken it.
>>
>> That is really great info.  Thanks.
> 
> As promised I have found some time to look into this. It appears that
> this fix in 8u40 onwards broke SPNEGO.
> 
> https://bugs.openjdk.java.net/browse/JDK-8048194
> 
> The fix that was applied wasn't the one suggested in the bug report.
> 
> I've spent some time looking at the code but I haven't found a way
> around this yet.

Good news (sort of). I have an *extremely* dirty hack that fixes this on
my test instance by moving some of the data about in the token that the
client sends. It works with 8u20 and 8u45.

At the moment the hack is extremely fragile. I need to make it more
robust and make it optional. I should be able to get that done tomorrow
and have it included in the next Tomcat 8 release.

Mark



Re: SPNEGO test configuration with Manager webapp

Posted by Mark Thomas <ma...@apache.org>.
On 29/03/2015 23:13, André Warnier wrote:
> David Marsh wrote:
>> I've tested all the following public JDKs
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent "fix" must have broken it.
> 
> That is really great info.  Thanks.

As promised I have found some time to look into this. It appears that
this fix in 8u40 onwards broke SPNEGO.

https://bugs.openjdk.java.net/browse/JDK-8048194

The fix that was applied wasn't the one suggested in the bug report.

I've spent some time looking at the code but I haven't found a way
around this yet.

Mark



RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Working trace :-

28-Mar-2015 14:20:27.865 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.0.20
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 15 2015 18:10:42 UTC
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.0.20.0
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Windows 7
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            6.1
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          x86
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             C:\Program Files (x86)\Java\jdk1.7.0_45\jre
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.7.0_45-b18
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\conf\logging.properties
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.security.krb5.debug=true
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.security.jgss.debug=true
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\endorsed
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\temp
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files (x86)\Java\jdk1.7.0_45\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Program Files (x86)\Java\jdk1.7.0_45\bin;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;.
28-Mar-2015 14:20:31.657 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-80"]
28-Mar-2015 14:20:32.515 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Mar-2015 14:20:32.578 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
28-Mar-2015 14:20:32.578 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Mar-2015 14:20:32.578 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 12345 ms
28-Mar-2015 14:20:33.217 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
28-Mar-2015 14:20:33.217 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
28-Mar-2015 14:20:34.388 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\docs
28-Mar-2015 14:20:37.929 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [187] milliseconds.
28-Mar-2015 14:20:38.304 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 3,916 ms
28-Mar-2015 14:20:38.335 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\manager
28-Mar-2015 14:20:38.585 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
28-Mar-2015 14:20:38.772 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 437 ms
28-Mar-2015 14:20:38.788 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
28-Mar-2015 14:20:39.006 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 218 ms
28-Mar-2015 14:20:39.037 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
28-Mar-2015 14:20:39.084 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
28-Mar-2015 14:20:39.115 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 6524 ms
28-Mar-2015 14:21:03.119 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
28-Mar-2015 14:21:23.809 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:23.809 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:23.824 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:23.840 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:23.855 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:23.871 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:23.887 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:23.887 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:23.918 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
28-Mar-2015 14:21:23.918 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
28-Mar-2015 14:21:23.933 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
28-Mar-2015 14:21:23.933 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
28-Mar-2015 14:21:23.949 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test
28-Mar-2015 14:21:24.433 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
28-Mar-2015 14:21:24.448 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:24.464 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:24.479 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:24.479 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:24.495 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:24.511 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:24.526 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:24.542 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:24.557 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
28-Mar-2015 14:21:24.557 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
28-Mar-2015 14:21:24.573 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Java config name: C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
>>> KdcAccessibility: reset
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Sat Mar 28 14:21:25 GMT 2015 1427552485000
         suSec is 49553
         error code is 25
         error Message is Additional pre-authentication required
         realm is KERBTEST.LOCAL
         sname is krbtgt/KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=1455
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
replay cache for test@KERBTEST.LOCAL is null.
object 0: 1427552484000/49
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>Delegated Creds have pname=test@KERBTEST.LOCAL sname=krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL authtime=null starttime=20150328135023Z endtime=20150328235013ZrenewTill=20150404135013Z
Krb5Context setting peerSeqNumber to: 2034472035
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 566818784
28-Mar-2015 14:21:26.305 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Sun Mar 29 00:21:25 GMT 2015
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Sun Mar 29 00:21:25 GMT 2015
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=1464
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=1464
>>> KrbKdcReq send: #bytes read=107
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=1464
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=1464
>>>DEBUG: TCPClient reading 1488 bytes
>>> KrbKdcReq send: #bytes read=1488
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 739542637
Created InitSecContextToken:
0000: 01 00 6E 82 05 7D 30 82   05 79 A0 03 02 01 05 A1  ..n...0..y......
0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 04  ......... ......
0020: 8A 61 82 04 86 30 82 04   82 A0 03 02 01 05 A1 10  .a...0..........
0030: 1B 0E 4B 45 52 42 54 45   53 54 2E 4C 4F 43 41 4C  ..KERBTEST.LOCAL
0040: A2 2A 30 28 A0 03 02 01   00 A1 21 30 1F 1B 04 6C  .*0(......!0...l
0050: 64 61 70 1B 17 77 69 6E   2D 64 63 30 31 2E 6B 65  dap..win-dc01.ke
0060: 72 62 74 65 73 74 2E 6C   6F 63 61 6C A3 82 04 3B  rbtest.local...;
0070: 30 82 04 37 A0 03 02 01   12 A1 03 02 01 03 A2 82  0..7............
0080: 04 29 04 82 04 25 D1 29   BA B7 F3 7D 99 FE 54 52  .)...%.)......TR
0090: 8B 6B 07 B3 A5 34 78 66   BF 53 1B CC 4B 3B F0 30  .k...4xf.S..K;.0
00A0: 82 0A BA 1C C0 12 CF AA   FB 3C 12 D1 EA 6B 7D 51  .........<...k.Q
00B0: 6F 74 08 3C 00 22 56 FB   9F 5C 84 E0 CC F2 DA CF  ot.<."V..\......
00C0: B2 A7 73 16 13 9E 59 8B   EA 45 AC F0 DF 2B 1B 1B  ..s...Y..E...+..
00D0: C0 C2 21 BE DE 77 EE E7   05 9B 3E 81 9B B3 D4 8E  ..!..w....>.....
00E0: B8 8D F1 CA 78 E2 C0 F7   E6 E6 6B B7 3E 39 52 19  ....x.....k.>9R.
00F0: 23 02 F2 07 B1 8C 8D 27   3E 68 7E D6 2F FA 0A AC  #......'>h../...
0100: 45 54 4B A6 56 B8 9F 00   D0 26 94 6E 02 A9 36 4F  ETK.V....&.n..6O
0110: 4A DD 22 E1 C3 26 14 F2   6C D8 14 CB 5C 1F 82 F7  J."..&..l...\...
0120: EE 8B 20 11 94 46 12 96   F9 3A 7D 79 73 8A 11 6D  .. ..F...:.ys..m
0130: 05 70 6F 8B BE 87 CD 10   13 35 63 EA 08 9F 8F CD  .po......5c.....
0140: A1 A8 77 BC 2C 67 60 AD   D6 15 22 0C 5A 2F 62 BF  ..w.,g`...".Z/b.
0150: F8 06 DA 75 5B 43 61 92   99 89 73 A6 F6 3F 4B F4  ...u[Ca...s..?K.
0160: 82 7F 37 EC 55 76 C7 E1   D5 BB AB B7 8A 1E A0 99  ..7.Uv..........
0170: 65 CF 31 C8 33 A4 FA 6D   DC 2C 8A 73 F3 BD D5 DE  e.1.3..m.,.s....
0180: 4F F3 09 16 FB CE 7A 73   60 78 9C 43 F1 2F EF F9  O.....zs`x.C./..
0190: 40 A5 7E 89 D2 E5 2B 7A   11 C0 A8 3B B9 F3 F1 3C  @.....+z...;...<
01A0: 79 C9 14 A9 DD 62 5E 25   9F F5 F4 F5 98 03 91 85  y....b^%........
01B0: B1 E9 E1 FE 07 14 0C CD   BF 06 5C DF EF 9C E1 92  ..........\.....
01C0: 80 75 BA 54 BD B6 D4 D7   A4 F1 6C 5D E4 50 7A CA  .u.T......l].Pz.
01D0: 6F 3A 10 19 E9 AD 94 D0   30 02 6F F9 CF 95 16 47  o:......0.o....G
01E0: 5B D2 A7 32 30 96 80 25   93 FB 53 3A 81 9B EA F9  [..20..%..S:....
01F0: A5 11 B7 53 77 DD 1A 1A   C3 F8 BB 81 1D C1 1D D7  ...Sw...........
0200: 7C 01 EB D1 A2 F8 72 5B   C3 B3 63 AC F9 11 6B 98  ......r[..c...k.
0210: B3 51 F7 79 7A F2 C6 D3   0A 3D FB 09 C0 C6 9B 82  .Q.yz....=......
0220: 06 FE 21 81 18 8B 77 08   B0 5B FC BC 6B E8 6C F0  ..!...w..[..k.l.
0230: 65 DA AE AB 7A AE 95 7A   CF A6 EA 4C 3F B1 FA C2  e...z..z...L?...
0240: 0D EA 9C A2 8E 50 D3 5F   35 D5 3D 71 73 E2 77 48  .....P._5.=qs.wH
0250: 84 C1 D8 C1 95 C2 50 9B   A6 16 69 68 BC CD 75 11  ......P...ih..u.
0260: 32 32 FB 78 FD 80 C6 BF   69 8F AF F3 3B B1 C9 75  22.x....i...;..u
0270: 69 F1 98 91 13 04 6F 9A   75 E1 32 3C 8B 46 A3 FA  i.....o.u.2<.F..
0280: F5 32 25 09 FB 97 EB EA   5E 63 BD A1 89 DF A8 4D  .2%.....^c.....M
0290: 4C 82 5D F0 E6 A6 F1 68   CF AE A8 8D 7D 2B 45 DA  L.]....h.....+E.
02A0: 3A 4A F0 E5 EA E1 C0 A5   6E 33 DF 60 21 97 50 21  :J......n3.`!.P!
02B0: 26 59 F7 0B 4E C4 FD 1D   AA 00 22 EE 18 C8 A0 02  &Y..N.....".....
02C0: 36 8E AF 08 63 0B 73 A9   37 92 4D F1 11 3E 4A 2E  6...c.s.7.M..>J.
02D0: 38 75 0C 52 44 02 E0 17   82 C8 B8 9E 16 F6 58 A1  8u.RD.........X.
02E0: 3E BB C3 10 16 9B 9F BF   30 8A 43 6A 5B 1F 48 E0  >.......0.Cj[.H.
02F0: 0F EE 94 CE A3 49 4C A7   48 A6 10 20 60 A7 FB 43  .....IL.H.. `..C
0300: 13 72 2A F0 98 5D 4A F5   32 42 8E 77 03 94 4C 90  .r*..]J.2B.w..L.
0310: 99 9B FB 7E 43 79 F6 74   B7 49 67 B2 E1 1D 49 1A  ....Cy.t.Ig...I.
0320: 57 AD 3E 10 FF AF 3D B2   02 58 BF 90 42 FD F8 75  W.>...=..X..B..u
0330: A8 28 6F 07 8D 94 A5 E3   E1 C9 B5 56 F8 93 4B 6C  .(o........V..Kl
0340: 98 A0 08 75 19 8A 7C C7   20 B2 D6 E7 34 07 43 61  ...u.... ...4.Ca
0350: DF F7 58 C4 41 17 D0 F6   A5 99 B6 39 80 51 22 10  ..X.A......9.Q".
0360: 03 30 4D D7 F7 DC 38 F3   07 6E 97 78 8E DF FE 59  .0M...8..n.x...Y
0370: 7B A4 18 55 AC D3 78 AE   F5 C5 85 FD 94 12 EA 6A  ...U..x........j
0380: 58 9B 7B 0A EC E9 1C 99   9B 15 E3 B9 0F 6A A6 16  X............j..
0390: BD 25 86 A3 7E 50 E6 F4   E5 57 1C 94 9A 9C 27 FE  .%...P...W....'.
03A0: A9 14 18 E0 DB 6C F8 AC   BD 3F 96 77 7C 8B 19 6E  .....l...?.w...n
03B0: BA F7 45 16 40 49 01 2A   45 07 40 32 72 58 5D 10  ..E.@I.*E.@2rX].
03C0: 9A 16 30 CA EF 0C 59 34   42 EE 82 B6 E0 32 0F DA  ..0...Y4B....2..
03D0: 44 9A 82 0D 4B C3 1A 73   0A DE 46 E1 4E 05 E4 82  D...K..s..F.N...
03E0: F8 C0 02 90 C7 E1 78 6D   0D 7F EB 6A 4F FB 49 6D  ......xm...jO.Im
03F0: C9 93 ED 75 75 31 5C 7E   CC 59 73 20 90 6B 1F E1  ...uu1\..Ys .k..
0400: 08 8F 2D 3D 17 64 25 5B   B1 5C F2 C5 BF 65 C8 2C  ..-=.d%[.\...e.,
0410: EF FF 92 66 04 FF 2C 49   1D E0 91 75 28 51 42 7C  ...f..,I...u(QB.
0420: 36 44 9A 19 62 14 7F 72   62 3A 00 65 49 D3 00 3B  6D..b..rb:.eI..;
0430: 63 D8 7D 57 99 0E 97 E5   A9 05 8A B5 C4 76 00 6E  c..W.........v.n
0440: 2E 14 87 83 5B 9A 0A 1D   E2 0E DD EF 29 B3 63 1C  ....[.......).c.
0450: 76 D0 CE 4A E2 39 A6 91   1F A1 BA A3 1B E1 EC A1  v..J.9..........
0460: 94 6B EE 6C B6 3A 9D 66   3D 5E 16 28 27 04 D0 9F  .k.l.:.f=^.('...
0470: B1 D7 7D 93 D0 66 A4 58   D5 B3 68 6D EB 37 98 A4  .....f.X..hm.7..
0480: 35 60 9F B9 6B A0 8C 6E   A4 B0 CB B2 1A 8B 9F 36  5`..k..n.......6
0490: 3E 65 CD B7 D2 8F F9 99   04 AE 53 24 34 5F FC DA  >e........S$4_..
04A0: 22 6E 24 51 B2 51 06 82   29 DB CA A4 81 D5 30 81  "n$Q.Q..).....0.
04B0: D2 A0 03 02 01 17 A2 81   CA 04 81 C7 23 E5 79 55  ............#.yU
04C0: 63 E3 78 62 D9 9B 0E AC   3B F8 18 D2 94 F1 21 A5  c.xb....;.....!.
04D0: 27 B5 E4 24 6E 5F 2F 60   3A 2D 4B 39 98 54 08 F3  '..$n_/`:-K9.T..
04E0: FE F0 FD 2B 49 6E 68 BC   C6 38 89 FA 4E D0 24 E0  ...+Inh..8..N.$.
04F0: 3F 0F EE CE 0C 18 7C 7A   B6 2E E4 F5 B4 56 2E 06  ?......z.....V..
0500: 6B BF 26 D6 47 07 E8 F3   39 6A D9 B2 D7 80 83 9C  k.&.G...9j......
0510: 3E F5 45 6B 52 40 89 45   CF 91 07 17 8E E6 42 09  >.EkR@.E......B.
0520: E8 9F 87 FD 86 5A E5 63   93 13 9A 0C E8 78 34 45  .....Z.c.....x4E
0530: 64 3B 2D C6 A7 34 7B DD   5F 41 18 F6 11 18 62 20  d;-..4.._A....b
0540: 4F 55 C9 6A 83 81 AA 50   63 5E DE 60 F0 6C 6D 93  OU.j...Pc^.`.lm.
0550: B2 FF F8 F9 28 52 74 FC   61 7D DF 73 31 6C 01 B9  ....(Rt.a..s1l..
0560: D5 7E 22 1A 22 17 23 4C   72 A7 64 F0 37 F7 40 02  ..".".#Lr.d.7.@.
0570: 31 78 6C 83 B3 6C 9B F9   33 F6 1E B4 69 16 FC 02  1xl..l..3...i...
0580: E4 9A C5                                           ...

Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting peerSeqNumber to: 2077264086
Krb5Context.unwrap: token=[60 30 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 ff ff ff ff b3 1d 50 0b 1c c4 d7 16 70 7e 09 40 1c 9f 90 83 93 e2 74 67 90 64 1c 8d 07 a0 00 00 01 ]
Krb5Context.unwrap: data=[07 a0 00 00 ]
Krb5Context.wrap: data=[04 01 00 00 ]
Krb5Context.wrap: token=[60 30 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 ff ff ff ff 4b 67 86 d6 c3 4a db 5a 75 e8 cf 0e c4 d5 86 b0 08 64 5d 4e 74 23 50 26 04 01 00 00 01 ]
Krb5Context.wrap: data=[30 69 02 01 05 63 47 04 1d 6f 75 3d 55 73 65 72 73 2c 64 63 3d 6b 65 72 62 74 65 73 74 2c 64 63 3d 6c 6f 63 61 6c 0a 01 01 0a 01 03 02 01 00 02 01 00 01 01 00 a3 0b 04 03 75 69 64 04 04 74 65 73 74 30 0a 04 08 6d 65 6d 62 65 72 4f 66 a0 1b 30 19 04 17 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32 ]
Krb5Context.wrap: token=[60 81 97 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 10 00 ff ff a9 c4 a2 7d 8a 67 41 bd 01 2c 93 3e 4c af cd a8 73 60 d7 c3 7a f0 a4 d7 47 b8 20 1b a7 67 25 3e 07 3e ac 0f d0 60 45 e3 cc 6f 19 f3 d5 5d 1e 65 f8 3a 30 b2 11 38 a1 f0 d5 5a 5c 5c d2 10 ae c6 f4 dd 56 58 79 4f 2c 8c 79 bb bb 24 e1 e2 31 bb 14 ad 8e 74 c6 cd ef 4c 97 95 2e 94 1f 3f 23 eb e0 96 6b 83 57 d8 2a 03 31 59 5c 35 71 68 79 48 45 5b e7 bc 0b 6c 82 a6 24 6e 00 c3 04 6f b8 5d 27 01 bc 4b ]
Krb5Context.unwrap: token=[60 81 c2 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 10 00 ff ff 69 15 02 db 6e f5 97 7c 87 25 b9 3a 3a 00 ff 3f 33 9e 0a 7b 45 9b d4 52 29 5a d4 a5 d9 a9 e1 87 39 1d 44 93 8e 7e af d7 3b ef fa d8 0a 2f 3f bf d5 e8 2f 33 19 96 da 4e 4b 4c 2e b3 52 e5 c3 71 cb b9 98 da af 93 3f 66 8b c1 9d 6d 99 05 42 cb 04 05 1c cd 22 85 af c7 e6 d5 35 03 23 f0 25 16 38 f6 a8 c8 10 cb e1 69 7d 11 61 a8 35 45 6d b6 ae 18 44 c9 ac 63 b2 fb 88 ba 4f 02 2f 41 6f 0f a9 42 53 3d 87 f7 ca e0 b8 4b 3a f5 b4 7a 38 ff 84 65 58 c4 bc c1 52 6f 0a cd 18 f9 58 82 61 ad aa b4 9c d7 6c 4f 4a 13 7e 0b 29 fa 57 01 66 ]
Krb5Context.unwrap: data=[30 84 00 00 00 90 02 01 05 65 84 00 00 00 87 0a 01 20 04 14 44 43 3d 6b 65 72 62 74 65 73 74 2c 44 43 3d 6c 6f 63 61 6c 04 6c 30 30 30 30 32 30 38 44 3a 20 4e 61 6d 65 45 72 72 3a 20 44 53 49 44 2d 30 33 31 30 30 32 30 41 2c 20 70 72 6f 62 6c 65 6d 20 32 30 30 31 20 28 4e 4f 5f 4f 42 4a 45 43 54 29 2c 20 64 61 74 61 20 30 2c 20 62 65 73 74 20 6d 61 74 63 68 20 6f 66 3a 0a 09 27 44 43 3d 6b 65 72 62 74 65 73 74 2c 44 43 3d 6c 6f 63 61 6c 27 0a 00 ]
28-Mar-2015 14:21:27.303 SEVERE [http-nio-80-exec-2] org.apache.catalina.realm.JNDIRealm.getPrincipa
l Exception performing authentication
 javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, proble
m 2001 (NO_OBJECT), data 0, best match of:
        'DC=kerbtest,DC=local'
 ]; remaining name 'ou=Users,dc=kerbtest,dc=local'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3112)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1473)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1309)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1237)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2079)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:1995)
        at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:578)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:325)
        at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:249)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:357)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:342)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:256)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:744)

Krb5Context.wrap: data=[30 22 02 01 06 42 00 a0 1b 30 19 04 17 32 2e 31 36 2e 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 2e 32 ]
Krb5Context.wrap: token=[60 50 06 09 2a 86 48 86 f7 12 01 02 02 02 01 11 00 10 00 ff ff a6 82 0f 16 49 26 14 02 83 46 f7 56 e4 66 be a5 97 fe a6 3b 3a 4d c3 e3 06 38 3f c2 cc 1e 43 75 e7 8b aa c3 f8 0c bf 5c d2 b5 81 4c a1 ee 26 11 c4 3c a3 88 88 28 92 a5 45 ff b4 61 d2 ]
28-Mar-2015 14:21:27.569 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
28-Mar-2015 14:21:27.584 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.UserDatabaseRealm"
28-Mar-2015 14:21:27.600 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.UserDatabaseRealm"
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
28-Mar-2015 14:21:27.631 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
28-Mar-2015 14:21:27.631 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [728B9064A83E6C33C4B32AEE2ADDFCDD] to [762404EFFCBD391541903E2692D05B92]
28-Mar-2015 14:21:27.647 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling accessControl()
28-Mar-2015 14:21:27.662 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles GenericPrincipal[test(manager-gui,)]
28-Mar-2015 14:21:27.678 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test has role manager-gui
28-Mar-2015 14:21:27.678 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found:  manager-gui
28-Mar-2015 14:21:27.694 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Successfully passed all security constraints
28-Mar-2015 14:21:28.364 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/images/asf-logo.gif
28-Mar-2015 14:21:28.380 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type SPNEGO for principal GenericPrincipal[test(manager-gui,)]
28-Mar-2015 14:21:28.380 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.396 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.411 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.427 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.442 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.458 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.474 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.489 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.505 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.520 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.536 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.552 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.567 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.583 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.598 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.614 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.630 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   No applicable constraint located
28-Mar-2015 14:21:28.645 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Not subject to any constraint
28-Mar-2015 14:21:28.364 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/images/tomcat.gif
28-Mar-2015 14:21:28.676 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type SPNEGO for principal GenericPrincipal[test(manager-gui,)]
28-Mar-2015 14:21:28.676 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.692 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.708 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.723 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.739 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.754 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.770 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.786 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.801 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.817 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.832 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.848 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.864 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.879 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.895 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.910 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   No applicable constraint located
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Not subject to any constraint


----------------------------------------
> Date: Mon, 30 Mar 2015 00:13:54 +0200
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent "fix" must have broken it.
>
> That is really great info. Thanks.
>
> By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one
> where it works ?
>
>
>>
>> David
>>
>> ----------------------------------------
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>> From: felix.schumacher@internetallee.de
>>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>>> To: users@tomcat.apache.org
>>>
>>>
>>>
>>> On 28 March 2015 17:46:50 CET, Mark Thomas <ma...@apache.org> wrote:
>>>> On 28/03/2015 14:43, David Marsh wrote:
>>>>> Ok so I went back to basics and created three new VMs.
>>>>>
>>>>> Windows Server 2008 R2
>>>>> Windows 7 Client
>>>>> Windows 7 Tomcat
>>>>>
>>>>> I still had same issues, until I changed the Java on the tomcat
>>>> server to JDK 7 u45.
>>>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>>> Thank you for doing all this testing. That is useful information to
>>>> know. The next step (for you, me or anyone who has the time and wants
>>>> to
>>>> help) is to test subsequent Java 7 releases and see at which version it
>>>> stops working. I'd hope that a review of the relevant change log would
>>>> identify the change that triggered the breakage and provide some clues
>>>> on how to fix it.
>>>>
>>>> It would be worth testing the Java 8 releases the same way.
>>> I read it, that jdk 7 works and jdk 8 is problematic.
>>>
>>> There are a few Kerberos-related changes in JDK 8 ( http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).
>>>
>>> Interesting are the two changes:
>>>
>>> * DES is disabled by default
>>> * constrained delegation is supported.
>>>
>>> My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.
>>>
>>> Regards
>>> Felix
>>>> Mark
>>>>
>>>>
>>>>> David
>>>>>
>>>>> ----------------------------------------
>>>>>> From: dmarsh26@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> Date: Fri, 27 Mar 2015 23:40:06 +0000
>>>>>>
>>>>>> By the way Tomcat 8 was running on JDK :-
>>>>>>
>>>>>> C:\Windows\system32>java -version
>>>>>> java version "1.8.0_40"
>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>>>
>>>>>> Version update 40 should include some JRE fixes around GSS and
>>>> SPNEGO, including ignoring parts of NegoEx, however
>>>>>> it does not seem to work.
>>>>>>
>>>>>> I've also created a Windows 7 client with same config just different
>>>> DNS of win-pc02.kerbtest.local
>>>>>> It has the same issue going from firefox to
>>>> http://win-tc01.kerbtest.local/manager/html
>>>>>> I get the same three 401's and the Negotiate.
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>>>> From: aw@ice-sa.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> David Marsh wrote:
>>>>>>>> Hi Mark,
>>>>>>>>
>>>>>>>> Thanks for that, yes I've got 30 years Windows experience, I can
>>>>>>>> use Linux at a push but it's not really my area of expertise.
>>>>>>>> I'm a Java / Windows programmer so I should be able to understand
>>>>>>>> it, but not a Kerberos or Active Directory expert.
>>>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API
>>>> in Java thick clients.
>>>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>>>> Enable Windows Integrated Authentication is on
>>>>>>>> Auto logon only in Intranet Zone is on
>>>>>>>>
>>>>>>>> I've been using Firefox to test and that does send 401 and
>>>> negotiate, but causes the GSS token error mentioned.
>>>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>>>
>>>>>>>> The Windows client OS and Tomcat server OS have the registry setting
>>>>>>>> for allowtgtsessionkey set to 1 (enabled).
>>>>>>>> Java kinit test works and stores a ticket in the Java session
>>>> cache.
>>>>>>>> So problem seems to be either :-
>>>>>>>>
>>>>>>>> 1. Browser sends bad token
>>>>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>>>>>
>>>>>>> Another shot almost in the dark : while browsing hundreds of
>>>> Kerberos-related pages on the
>>>>>>> WWW, one other recommendation which seems to appear regularly (and
>>>> Mark also mentioned
>>>>>>> that somewhere), is that each time you make a change somewhere, you
>>>> should reboot the
>>>>>>> machine afterward, before re-testing. (Particularly on Windows
>>>> machines).
>>>>>>> I know it's a PITA, but I have also found the same to be true
>>>> sometimes when merely
>>>>>>> dealing with NTLM matters. There are probably some hidden caches
>>>> that get cleared only in
>>>>>>> that way.
>>>>>>>
>>>>>>>
>>>>>>>> many thanks
>>>>>>>>
>>>>>>>> David
>>>>>>>>
>>>>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>>>>> From: aw@ice-sa.com
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> David Marsh wrote:
>>>>>>>>>> Hi Mark,
>>>>>>>>>> Thanks that would be great !
>>>>>>>>>> Do you have a good mechanism to test and ensure kerberos token
>>>> is passed to tomcat and not NTLM token ?
>>>>>>>>> I believe that I can answer that.
>>>>>>>>>
>>>>>>>>> And the basic answer is no.
>>>>>>>>>
>>>>>>>>> First the basic principle, valid for this and many many other
>>>> areas : the server cannot
>>>>>>>>> "impose" anything on the browser. The local user can always
>>>> override anything received
>>>>>>>>> from the server, by a setting in the browser. And a hacker can of
>>>> course do anything.
>>>>>>>>> All the server can do, is tell the browser what it will accept,
>>>> and the browser can tell
>>>>>>>>> the server ditto.
>>>>>>>>> So, never assume the opposite, and you will save yourself a lot
>>>> of fruitless searches and
>>>>>>>>> dead-ends.
>>>>>>>>>
>>>>>>>>> Now more specific :
>>>>>>>>> 1) For Kerberos to be used at all at the browser level, the
>>>> server must send a 401
>>>>>>>>> response with "Negotiate" as the requested authentication method.
>>>> Unless it does that,
>>>>>>>>> the browser will never even attempt to send a Kerberos
>>>> "Authorization" back.
>>>>>>>>> 2) for the browser to consider returning a Kerberos Authorization
>>>> header to the server,
>>>>>>>>> additional conditions depend on the browser.
>>>>>>>>> For IE :
>>>>>>>>> a) the "enable Windows Integrated Authentication" setting must be
>>>> on (checked), whether
>>>>>>>>> this is done locally by the user, or part of the standard IE
>>>> settings company-wide, or
>>>>>>>>> imposed by some "network policy" at corporate level.
>>>>>>>>> b) the server to which the browser is talking, must be known to
>>>> IE as either
>>>>>>>>> - part of the "Intranet"
>>>>>>>>> - or at least a "trusted" server
>>>>>>>>> That is defined in IE's "security zones" (which again can be
>>>> local, or corporation-wide).
>>>>>>>>> If condition (a) is not met, when the server sends a 401
>>>> "Negotiate", IE will fall back to
>>>>>>>>> NTLM, always. And there is nothing you can do about that at the
>>>> server level.
>>>>>>>>> (Funnily enough, disabling the "enable Windows Integrated
>>>> Authentication" at the IE level,
>>>>>>>>> has the effect of disabling Kerberos, but not NTLM).
>>>>>>>>>
>>>>>>>>> If condition (b) is not met, IE will try neither Kerberos nor
>>>> NTLM, and it /might/ fall
>>>>>>>>> back to Basic authentication, if its other settings allow that.
>>>> That's when you see the
>>>>>>>>> browser popup login dialog; and in an SSO context, this is a sure
>>>> sign that something
>>>>>>>>> isn't working as expected.
>>>>>>>>>
>>>>>>>>> Some authentication modules, at the server level, are able to
>>>> adapt to what the browser
>>>>>>>>> sends, others not. I believe that Waffle can accept either
>>>> browser NTLM or Kerberos
>>>>>>>>> authentication. Waffle works only on a Windows Tomcat server, not
>>>> on a Linux Tomcat server.
>>>>>>>>> I do not know about the SPNEGO thing in Tomcat (from the name, it
>>>> should).
>>>>>>>>> The Jespa module from www.ioplex.com does not handle Kerberos,
>>>> just NTLM, but it works
>>>>>>>>> under both Windows and Linux.
>>>>>>>>>
>>>>>>>>> And finally, about your problems : it seems that you have fallen
>>>> in a very specific kind
>>>>>>>>> of hell, because you are trying to talk to a Windows-based
>>>> Kerberos KDC (which is using
>>>>>>>>> Windows Kerberos libraries and encryption method choices and
>>>> hostname formats etc..), from
>>>>>>>>> a Java JVM-based "client" (in this case the Tomcat server,
>>>> whatever its underlying
>>>>>>>>> platform is), which is using Java Kerberos libraries and
>>>> encryption method choices etc...
>>>>>>>>> And it seems that between this Java Kerberos part and the Windows
>>>> Kerberos part, there
>>>>>>>>> are a number of areas of mutual incomprehension (such as which
>>>> key encryption methods they
>>>>>>>>> each implement, or which ones are the "default" ones for each).
>>>>>>>>>
>>>>>>>>> And I am sure that the issue can be resolved. But it is probably
>>>> a question of finding
>>>>>>>>> out which among the 25 or more settings one can alter on each
>>>> side, overlap and either
>>>> agree or contradict each other.
>>>>>>>>>
>>>>>>>>> One underlying issue is that, as well in corporations as on the
>>>> WWW, the "Windows people"
>>>>>>>>> and the "Linux people" tend to be 2 separate groups. If you ask
>>>> the "Windows people" how
>>>>>>>>> to set this up, they will tell you "just do this and it works"
>>>> (assuming that all the
>>>>>>>>> moving parts are Windows-based); and if you ask the "Linux
>>>> people", they will tell you
>>>>>>>>> "just do this and it works" (assuming that all the moving parts
>>>> are Linux-based).
>>>>>>>>> And there are very few people (and web pages) which span both
>>>> worlds with their various
>>>>>>>>> combinations.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> David
>>>>>>>>>>
>>>>>>>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>>>>>>>> From: markt@apache.org
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>>>>>>>> Still getting :-
>>>>>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>>>>>>
>>>>>>>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-APi ?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>>>>>>>
>>>>>>>>>>>> Is Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>>>>>>>> My test environment is Windows 2008 R2 server and Windows 7. It is
>>>>>>>>>>> certainly possible security has been tightened between those versions
>>>>>>>>>>> and 2012/R2 + 8 that means things don't work by default with Java.
>>>>>>>>>>> I'll see if I can find some time in the next few weeks to
>>>> update my test
>>>>>>>>>>> environment and do some more testing.
>>>>>>>>>>>
>>>>>>>>>>> Mark
>>>>>>>>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
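One thing in the log excerpt at the top of this message is easy to read past: the JNDIRealm lookup for test@KERBTEST.LOCAL failed (the stack trace shows the directory search blowing up), CombinedRealm then fell through to the UserDatabaseRealm (tomcat-users.xml), and that is the realm that vouched for the principal and supplied the manager-gui role. The Kerberos ticket proved who the user is, but the authorisation decision came from a local file, not from Active Directory. The script below is an added example, not code from this thread or from Tomcat: it parses FINE log lines of this shape, groups them by request thread and flags a principal who was authenticated by a fallback realm after a directory realm failed. The first sample is copied from the log above; the second, "good" sample is constructed here. Which realms count as directory realms is an assumption you adjust to your own server.xml.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) \[(?P<thread>[^\]]+)\] (?P<logger>\S+) +(?P<msg>.*)$")
REALM_RE = re.compile(r'(?P<outcome>Failed to authenticate|Authenticated) user "(?P<user>[^"]+)" with realm "(?P<realm>[^"]+)"')
REGISTER_RE = re.compile(r"Authenticated '(?P<name>[^']+)' with type '(?P<type>[^']+)'")
SESSION_RE = re.compile(r"Session ID changed on authentication from \[(?P<old>\w+)\] to \[(?P<new>\w+)\]")
ROLE_RE = re.compile(r"Username (?P<name>\S+) has role (?P<role>\S+)")

# Assumption: realms whose answer reflects the directory. Adjust to your server.xml.
DIRECTORY_REALMS = {"org.apache.catalina.realm.JNDIRealm"}

# Sample 1: lines copied from the FINE log posted above (one request, thread exec-2).
SAMPLE_LOG = """\
28-Mar-2015 14:21:27.569 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
28-Mar-2015 14:21:27.584 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.UserDatabaseRealm"
28-Mar-2015 14:21:27.600 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.UserDatabaseRealm"
28-Mar-2015 14:21:27.631 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
28-Mar-2015 14:21:27.631 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [728B9064A83E6C33C4B32AEE2ADDFCDD] to [762404EFFCBD391541903E2692D05B92]
28-Mar-2015 14:21:27.678 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test has role manager-gui
"""

# Sample 2 (constructed): what the same request looks like when the directory realm answers.
SAMPLE_LOG_OK = """\
28-Mar-2015 14:30:01.000 FINE [http-nio-80-exec-5] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
28-Mar-2015 14:30:01.010 FINE [http-nio-80-exec-5] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
28-Mar-2015 14:30:01.020 FINE [http-nio-80-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
28-Mar-2015 14:30:01.020 FINE [http-nio-80-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [AAAA] to [BBBB]
"""


def summarize_auth(log_text, directory_realms=DIRECTORY_REALMS):
    """Group CombinedRealm/AuthenticatorBase lines per request thread and record
    which realm failed, which realm finally authenticated the user, and what followed."""
    threads = defaultdict(lambda: {"user": None, "failed_realms": [], "authenticated_by": None,
                                   "auth_type": None, "session_rotated": False, "roles": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, thread = m["msg"], m["thread"]
        r = REALM_RE.search(msg)
        if r:
            rec = threads[thread]
            rec["user"] = r["user"]
            if r["outcome"].startswith("Failed"):
                rec["failed_realms"].append(r["realm"])
            else:
                rec["authenticated_by"] = r["realm"]
            continue
        r = REGISTER_RE.search(msg)
        if r:
            threads[thread]["auth_type"] = r["type"]
            continue
        if SESSION_RE.search(msg):
            threads[thread]["session_rotated"] = True
            continue
        r = ROLE_RE.search(msg)
        if r:
            threads[thread]["roles"].append(r["role"])
    for rec in threads.values():
        # Authenticated, but by a non-directory realm after a directory realm failed.
        rec["fallback"] = (rec["authenticated_by"] is not None
                           and rec["authenticated_by"] not in directory_realms
                           and any(f in directory_realms for f in rec["failed_realms"]))
    return dict(threads)


def findings(log_text, directory_realms=DIRECTORY_REALMS):
    """Human-readable warnings for the conditions worth a second look."""
    out = []
    for thread, rec in summarize_auth(log_text, directory_realms).items():
        if rec["fallback"]:
            out.append("%s: %s authenticated by %s after %s failed; roles %s come from the fallback realm"
                       % (thread, rec["user"], rec["authenticated_by"],
                          ", ".join(rec["failed_realms"]), rec["roles"] or "(none)"))
        if rec["auth_type"] and not rec["session_rotated"]:
            out.append("%s: session ID was not changed on authentication" % thread)
    return out


if __name__ == "__main__":
    for name, text in (("posted log", SAMPLE_LOG), ("constructed good log", SAMPLE_LOG_OK)):
        print(name, "->", findings(text) or "no findings")
```

Run it over catalina.out with org.apache.catalina.realm and org.apache.catalina.authenticator at FINE. A "fallback" finding in a production log means the directory is unreachable or misconfigured and users are being admitted on the strength of whatever is in tomcat-users.xml; the second check confirms that Tomcat rotated the session ID on login, which the posted log shows it did.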

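André's question earlier in this thread (is there a way to check that the browser sent a Kerberos token and not an NTLM one?) and the "GSSHeader did not find the right tag" exception quoted above are answered by the same thing: the first bytes of the Negotiate token. Java's GSS layer expects a token that starts with the DER tag 0x60 ([APPLICATION 0]), a length, and a mechanism OID; a raw NTLM message starts with the ASCII signature NTLMSSP instead, and a browser that gave up on Negotiate sends a different scheme altogether. The script below is an added example, not code from this thread, from Tomcat or from the JDK: it base64-decodes an Authorization header value, applies those checks and reports what the client actually sent. The Kerberos sample is the Krb5Context.wrap token printed in the log above; the SPNEGO NegTokenInit, the NTLM Type 1 message and the Basic header are constructed here for illustration.

```python
import base64
import re

# DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, value) of the mechanisms that
# appear in Negotiate tokens sent by Windows browsers.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {"ms-kerberos": OID_MS_KRB5, "kerberos": OID_KRB5, "ntlmssp": OID_NTLMSSP}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every raw NTLM Type 1/2/3 message starts with this
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR",
                b"\x01\x01": "MIC", b"\x02\x01": "Wrap"}  # RFC 1964 TOK_ID values


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token_bytes(token):
    """Apply the checks Java's GSS layer makes first: the 0x60 framing tag, the
    DER length, then the mechanism OID. Returns a dict with at least 'kind'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little")
        return {"kind": "ntlm", "detail": "raw NTLMSSP message, type %d" % msg_type}
    if not token:
        return {"kind": "empty", "detail": "no token bytes"}
    if token[0] != 0x60:
        # Exactly the condition Java reports as "GSSHeader did not find the right tag".
        return {"kind": "unknown",
                "detail": "first byte 0x%02x is not the GSS-API [APPLICATION 0] tag" % token[0]}
    length, start = _der_length(token, 1)
    body = token[start:start + length]
    if len(body) != length:
        return {"kind": "truncated", "detail": "header says %d bytes, got %d" % (length, len(body))}
    if body.startswith(OID_SPNEGO):
        inner = body[len(OID_SPNEGO):]
        # Report the mechanisms the client offered, in the order they appear in mechTypes.
        mechs = [name for _, name in sorted((inner.find(oid), name)
                                            for name, oid in MECH_NAMES.items() if oid in inner)]
        return {"kind": "spnego", "detail": "SPNEGO NegTokenInit", "mech_types": mechs}
    for name in ("kerberos", "ms-kerberos"):
        oid = MECH_NAMES[name]
        if body.startswith(oid):
            tok_id = KRB5_TOK_IDS.get(body[len(oid):len(oid) + 2], "unknown TOK_ID")
            return {"kind": "kerberos", "detail": "raw Kerberos V5 %s token (%s)" % (tok_id, name)}
    return {"kind": "unknown", "detail": "GSS framing present but mechanism OID not recognised"}


def classify_negotiate_token(header_value):
    """Classify the value of an Authorization header exactly as the browser sent it."""
    m = re.fullmatch(r"\s*([A-Za-z]+)\s+([A-Za-z0-9+/=]+)\s*", header_value)
    if not m:
        return {"scheme": None, "kind": "malformed", "detail": "expected '<scheme> <base64>'"}
    scheme, b64 = m.groups()
    if scheme.lower() != "negotiate":
        # e.g. the browser fell back to Basic and showed a login dialog.
        return {"scheme": scheme, "kind": "not-negotiate", "detail": "browser did not use SPNEGO"}
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        return {"scheme": scheme, "kind": "malformed", "detail": "bad base64: %s" % exc}
    return {"scheme": scheme, **classify_token_bytes(token)}


def _der(tag, content):
    """Tiny DER TLV encoder used only to build the constructed sample tokens."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


# Real bytes: the Krb5Context.wrap token printed in the log above (a Wrap token, but
# framed exactly like an AP-REQ: 0x60, length, Kerberos V5 OID, TOK_ID).
SAMPLE_KERBEROS = bytes.fromhex(
    "6050 06092a864886f712010202 0201 1100 1000 ffff a6820f1649261402 8346f756e466bea5"
    "97fea63b3a4dc3e3 06383fc2cc1e4375 e78baac3f80cbf5c d2b5814ca1ee2611 c43ca388882892a5"
    "45ffb461d2")
# Constructed: a SPNEGO NegTokenInit offering MS-Kerberos, Kerberos and NTLMSSP (no mechToken).
_MECH_LIST = _der(0x30, OID_MS_KRB5 + OID_KRB5 + OID_NTLMSSP)
SAMPLE_SPNEGO = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, _MECH_LIST))))
# Constructed: a raw NTLM Type 1 (NEGOTIATE) message, which is what IE sends when it
# falls back to NTLM; note there is no 0x60 framing at all.
SAMPLE_NTLM_TYPE1 = (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")
                     + (0x00088207).to_bytes(4, "little") + bytes(16))


def sample_headers():
    """Authorization header values as a browser would send them, built from the samples."""
    def enc(b):
        return "Negotiate " + base64.b64encode(b).decode("ascii")
    return {"kerberos": enc(SAMPLE_KERBEROS), "spnego": enc(SAMPLE_SPNEGO),
            "ntlm": enc(SAMPLE_NTLM_TYPE1), "basic": "Basic dGVzdDpzZWNyZXQ="}


if __name__ == "__main__":
    for name, header in sample_headers().items():
        print("%-9s %s" % (name, classify_negotiate_token(header)))
```

Feed it the Authorization header captured in the browser's developer tools or an intercepting proxy. "ntlm" or "not-negotiate" means the browser never attempted Kerberos (IE zone or Integrated Authentication settings, or a Firefox without the host in network.negotiate-auth.trusted-uris); "spnego" with a mech_types list led by a Kerberos OID means the token reached Tomcat as intended, and the fault then lies between Tomcat, the JDK's GSS implementation and the KDC, which is the part of the problem this thread ended up bisecting by JDK version.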

Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
David Marsh wrote:
> I've tested all the following public JDKs 
> 
> jdk-7u45-windows-i586.exe
> jdk-7u65-windows-i586.exe
> jdk-7u75-windows-i586.exe
> jdk-8-windows-i586.exe
> jdk-8u5-windows-i586.exe
> jdk-8u11-windows-i586.exe
> jdk-8u20-windows-i586.exe
> jdk-8u25-windows-i586.exe
> jdk-8u31-windows-i586.exe
> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
> 
> Seems a recent "fix" must have broken it.

That is really great info.  Thanks.

By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one 
where it works ?


> 
> David
> 
> ----------------------------------------
>> Subject: Re: SPNEGO test configuration with Manager webapp
>> From: felix.schumacher@internetallee.de
>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>> To: users@tomcat.apache.org
>>
>>
>>
>> On 28 March 2015 17:46:50 CET, Mark Thomas <ma...@apache.org> wrote:
>>> On 28/03/2015 14:43, David Marsh wrote:
>>>> Ok so I went back to basics and created three new VMs.
>>>>
>>>> Windows Server 2008 R2
>>>> Windows 7 Client
>>>> Windows 7 Tomcat
>>>>
>>>> I still had same issues, until I changed the Java on the tomcat
>>> server to JDK 7 u45.
>>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>> Thank you for doing all this testing. That is useful information to
>>> know. The next step (for you, me or anyone who has the time and wants
>>> to
>>> help) is to test subsequent Java 7 releases and see at which version it
>>> stops working. I'd hope that a review of the relevant change log would
>>> identify the change that triggered the breakage and provide some clues
>>> on how to fix it.
>>>
>>> It would be worth testing the Java 8 releases the same way.
>> I read it, that jdk 7 works and jdk 8 is problematic.
>>
>> There are a few Kerberos-related changes in JDK 8 ( http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).
>>
>> Interesting are the two changes:
>>
>> * DES is disabled by default
>> * constrained delegation is supported.
>>
>> My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.
>>
>> Regards
>> Felix
>>> Mark
>>>
>>>
>>>> David
>>>>
>>>> ----------------------------------------
>>>>> From: dmarsh26@outlook.com
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>> Date: Fri, 27 Mar 2015 23:40:06 +0000
>>>>>
>>>>> By the way Tomcat 8 was running on JDK :-
>>>>>
>>>>> C:\Windows\system32>java -version
>>>>> java version "1.8.0_40"
>>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>>
>>>>> Version update 40 should include some JRE fixes around GSS and
>>> SPNEGO, including ignoring parts of NegoEx, however
>>>>> it does not seem to work.
>>>>>
>>>>> I've also created a Windows 7 client with same config just different
>>> DNS of win-pc02.kerbtest.local
>>>>> It has the same issue going from firefox to
>>> http://win-tc01.kerbtest.local/manager/html
>>>>> I get the same three 401's and the Negotiate.
>>>>>
>>>>> ----------------------------------------
>>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>>> From: aw@ice-sa.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> David Marsh wrote:
>>>>>>> Hi Mark,
>>>>>>>
>>>>>>> Thanks for that, yes I've got 30 years Windows experience, I can
>>>>>>> use Linux at a push but it's not really my area of expertise.
>>>>>>> I'm a Java / Windows programmer so I should be able to understand
>>>>>>> it, but not a Kerberos or Active Directory expert.
>>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API
>>> in Java thick clients.
>>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>>> Enable Windows Integrated Authentication is on
>>>>>>> Auto logon only in Intranet Zone is on
>>>>>>>
>>>>>>> I've been using Firefox to test and that does send 401 and
>>> negotiate, but causes the GSS token error mentioned.
>>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>>
>>>>>>> The Windows client OS and Tomcat server OS have the registry setting
>>>>>>> for allowtgtsessionkey set to 1 (enabled).
>>>>>>> Java kinit test works and stores a ticket in the Java session
>>> cache.
>>>>>>> So problem seems to be either :-
>>>>>>>
>>>>>>> 1. Browser sends bad token
>>>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>>>>
>>>>>> Another shot almost in the dark : while browsing hundreds of
>>> Kerberos-related pages on the
>>>>>> WWW, one other recommendation which seems to appear regularly (and
>>> Mark also mentioned
>>>>>> that somewhere), is that each time you make a change somewhere, you
>>> should reboot the
>>>>>> machine afterward, before re-testing. (Particularly on Windows
>>> machines).
>>>>>> I know it's a PITA, but I have also found the same to be true
>>> sometimes when merely
>>>>>> dealing with NTLM matters. There are probably some hidden caches
>>> that get cleared only in
>>>>>> that way.
>>>>>>
>>>>>>
>>>>>>> many thanks
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>>>> From: aw@ice-sa.com
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> David Marsh wrote:
>>>>>>>>> Hi Mark,
>>>>>>>>> Thanks that would be great !
>>>>>>>>> Do you have a good mechanism to test and ensure kerberos token
>>> is passed to tomcat and not NTLM token ?
>>>>>>>> I believe that I can answer that.
>>>>>>>>
>>>>>>>> And the basic answer is no.
>>>>>>>>
>>>>>>>> First the basic principle, valid for this and many many other
>>> areas : the server cannot
>>>>>>>> "impose" anything on the browser. The local user can always
>>> override anything received
>>>>>>>> from the server, by a setting in the browser. And a hacker can of
>>> course do anything.
>>>>>>>> All the server can do, is tell the browser what it will accept,
>>> and the browser can tell
>>>>>>>> the server ditto.
>>>>>>>> So, never assume the opposite, and you will save yourself a lot
>>> of fruitless searches and
>>>>>>>> dead-ends.
>>>>>>>>
>>>>>>>> Now more specific :
>>>>>>>> 1) For Kerberos to be used at all at the browser level, the
>>> server must send a 401
>>>>>>>> response with "Negociate" as the requested authentication method.
>>> Unless it does that,
>>>>>>>> the browser will never even attempt to send a Kerberos
>>> "Authorization" back.
>>>>>>>> 2) for the browser to consider returning a Kerberos Authorization
>>> header to the server,
>>>>>>>> additional conditions depend on the browser.
>>>>>>>> For IE :
>>>>>>>> a) the "enable Windows Integrated Authentication" setting must be
>>> on (checked), whether
>>>>>>>> this is done locally by the user, or part of the standard IE
>>> settings company-wide, or
>>>>>>>> imposed by some "network policy" at corporate level.
>>>>>>>> b) the server to which the browser is talking, must be known to
>>> IE as either
>>>>>>>> - part of the "Intranet"
>>>>>>>> - or at least a "trusted" server
>>>>>>>> That is defined in IE's "security zones" (which again can be
>>> local, or corporation-wide).
>>>>>>>> If condition (a) is not met, when the server sends a 401
>>> "Negociate", IE will fall back to
>>>>>>>> NTLM, always. And there is nothing you can do about that at the
>>> server level.
>>>>>>>> (Funnily enough, disabling the "enable Windows Integrated
>>> Authentication" at the IE level,
>>>>>>>> has the effect of disabling Kerberos, but not NTLM).
>>>>>>>>
>>>>>>>> If condition (b) is not met, IE will try neither Kerberos nor
>>> NTLM, and it /might/ fall
>>>>>>>> back to Basic authentication, if its other settings allow that.
>>> That's when you see the
>>>>>>>> browser popup login dialog; and in an SSO context, this is a sure
>>> sign that something
>>>>>>>> isn't working as expected.
>>>>>>>>
>>>>>>>> Some authentication modules, at the server level, are able to
>>> adapt to what the browser
>>>>>>>> sends, others not. I believe that Waffle can accept either
>>> browser NTLM or Kerberos
>>>>>>>> authentication. Waffle works only on a Windows Tomcat server, not
>>> on a Linux Tomcat server.
>>>>>>>> I do not know about the SPNEGO thing in Tomcat (from the name, it
>>> should).
>>>>>>>> The Jespa module from www.ioplex.com does not handle Kerberos,
>>> just NTLM, but it works
>>>>>>>> under both Windows and Linux.
>>>>>>>>
>>>>>>>> And finally, about your problems : it seems that you have fallen
>>> in a very specific kind
>>>>>>>> of hell, because you are trying to talk to a Windows-based
>>> Kerberos KDC (which is using
>>>>>>>> Windows Kerberos libraries and encryption method choices and
>>> hostname formats etc..), from
>>>>>>>> a Java JVM-based "client" (in this case the Tomcat server,
>>> whatever its underlying
>>>>>>>> platform is), which is using Java Kerberos libraries and
>>> encryption method choices etc...
>>>>>>>> And it seems that between this Java Kerberos part and the Windows
>>> Kerberos part, there
>>>>>>>> are a number of areas of mutual incomprehension (such as which
>>> key encryption methods they
>>>>>>>> each implement, or which ones are the "default" ones for each).
>>>>>>>>
>>>>>>>> And I am sure that the issue can be resolved. But it is probably
>>> a question of finding
>>>>>>>> out which among the 25 or more settings one can alter on each
>>> side, overlap and either
>>>>>>>> agree or contradict eachother.
>>>>>>>>
>>>>>>>> One underlying issue is that, as well in corporations as on the
>>> WWW, the "Windows people"
>>>>>>>> and the "Linux people" tend to be 2 separate groups. If you ask
>>> the "Windows people" how
>>>>>>>> to set this up, they will tell you "just do this and it works"
>>> (assuming that all the
>>>>>>>> moving parts are Windows-based); and if you ask the "Linux
>>> people", they will tell you
>>>>>>>> "just do this and it works" (assuming that all the moving parts
>>> are Linux-based).
>>>>>>>> And there are very few people (and web pages) which span both
>>> worlds with their various
>>>>>>>> combinations.
>>>>>>>>
>>>>>>>>
>>>>>>>>> David
>>>>>>>>>
>>>>>>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>>>>>>> From: markt@apache.org
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>
>>>>>>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>>>>>>> Still getting :-
>>>>>>>>>>> java.security.PrivilegedActionException: GSSException:
>>> Defective token detected (Mechanism level: G
>>>>>>>>>>> SSHeader did not find the right tag)
>>>>>>>>>>>
>>>>>>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-APi ?
>>>>>>>>>>>
>>>>>>>>>>>
>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>>>>>>
>>>>>>>>>>> Is Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>>>>>>> My test environment is Windows 2008 R2 server and Windows 7. It
>>> is
>>>>>>>>>> certainly possibly security has been tightened between those
>>> versions
>>>>>>>>>> and 2012/R2 + 8 that means things don't work by default with
>>> Java.
>>>>>>>>>> I'll see if I can find some time in the next few weeks to
>>> update my test
>>>>>>>>>> environment and do some more testing.
>>>>>>>>>>
>>>>>>>>>> Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
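
André's point above is about what the server can force on the browser, which is nothing. What the server can do is look at what actually arrived, and that answers David's question in practice. The following is an added example for this thread; it is not code from Tomcat, from any poster, or from the SPNEGO project David links. It decodes the base64 value of an Authorization: Negotiate header and reports whether it is a raw NTLMSSP message, a bare Kerberos token, or a SPNEGO NegTokenInit, and in the SPNEGO case which mechanisms the browser offered (Kerberos, NegoEx, NTLMSSP). It assumes only the public wire formats (RFC 2743 token framing, the RFC 4178 NegTokenInit layout, the "NTLMSSP\0" signature); the sample tokens it builds are constructed for offline testing and carry no ticket. The first byte it checks is the one the JDK checks: a token that does not start with 0x60 is what produces the "GSSHeader did not find the right tag" error David quotes, and a raw NTLM message starts with 'N' (0x4E).

```python
"""
Tell what a browser actually sent in "Authorization: Negotiate <base64>".

Added example, not code from Tomcat or from the thread. Relies only on:
  - GSS-API InitialContextToken (RFC 2743 s.3.1): 0x60 <len> 0x06 <mech OID> ...
  - SPNEGO NegTokenInit (RFC 4178): [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID ... }
  - raw NTLMSSP messages, which begin with the signature b"NTLMSSP\\0"
build_spnego_init() fabricates sample tokens (a mechTypes list, no ticket).
"""
import base64

SPNEGO  = "1.3.6.1.5.5.2"
KRB5    = "1.2.840.113554.1.2.2"
MS_KRB5 = "1.2.840.48018.1.2.2"          # Microsoft's legacy Kerberos OID
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NEGOEX  = "1.3.6.1.4.1.311.2.2.30"
NAMES = {SPNEGO: "SPNEGO", KRB5: "KRB5", MS_KRB5: "MS-KRB5",
         NTLMSSP: "NTLMSSP", NEGOEX: "NEGOEX"}


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(raw):
    """DER OID content bytes -> dotted string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_negotiate(b64):
    """Describe the mechanism(s) carried by one Negotiate token."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):      # raw NTLM, no GSS framing at all
        return {"kind": "ntlm-raw", "mechs": [NTLMSSP],
                "ntlm_message_type": int.from_bytes(raw[8:12], "little")}
    if not raw or raw[0] != 0x60:
        # sun.security.jgss.GSSHeader checks this byte first; anything else
        # surfaces as "GSSHeader did not find the right tag".
        return {"kind": "not-gss", "mechs": [], "first_byte": raw[:1].hex()}
    _, pos, _ = read_tlv(raw, 0)            # [APPLICATION 0] wrapper
    tag, s, e = read_tlv(raw, pos)
    if tag != 0x06:
        return {"kind": "not-gss", "mechs": [], "first_byte": "60"}
    mech = decode_oid(raw[s:e])
    if mech != SPNEGO:                      # bare Kerberos (or some other mech)
        return {"kind": "kerberos" if mech in (KRB5, MS_KRB5) else "gss-other",
                "mechs": [mech]}
    # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    pos = e
    for expected in (0xA0, 0x30, 0xA0):
        tag, pos, _ = read_tlv(raw, pos)
        if tag != expected:
            return {"kind": "spnego-malformed", "mechs": []}
    tag, pos, end = read_tlv(raw, pos)
    mechs = []
    while tag == 0x30 and pos < end:
        t, s, e = read_tlv(raw, pos)
        if t == 0x06:
            mechs.append(decode_oid(raw[s:e]))
        pos = e
    return {"kind": "spnego", "mechs": mechs,
            "kerberos_offered": any(m in (KRB5, MS_KRB5) for m in mechs),
            "ntlm_only": mechs == [NTLMSSP],
            "negoex_first": mechs[:1] == [NEGOEX]}


def describe(b64):
    """One-line summary, e.g. 'spnego: MS-KRB5, KRB5, NEGOEX, NTLMSSP'."""
    info = classify_negotiate(b64)
    return info["kind"] + ": " + ", ".join(NAMES.get(m, m) for m in info["mechs"])


# --- constructed sample tokens (test data, not captured from a browser) ---
def der_tlv(tag, content):
    n = len(content)
    hdr = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                       else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + hdr + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                     # base-128, high bit set on all but last
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return der_tlv(0x06, bytes(out))


def build_spnego_init(mech_oids):
    """Base64 NegTokenInit carrying only a mechTypes list (sample data)."""
    mech_list = der_tlv(0xA0, der_tlv(0x30, b"".join(encode_oid(m) for m in mech_oids)))
    body = der_tlv(0xA0, der_tlv(0x30, mech_list))
    return base64.b64encode(der_tlv(0x60, encode_oid(SPNEGO) + body)).decode()
```

Capture the header from the browser's network tools or a request dump on the Tomcat side, paste the base64 into classify_negotiate(), and you know whether you are debugging Kerberos, an NTLM fallback, or a token that is not GSS at all before touching krb5.ini. A NegTokenInit whose mechTypes list contains NTLMSSP alone usually means the client never obtained a Kerberos service ticket for the SPN, so the keytab and enctype settings on the server are not yet in play; a list that starts with NegoEx but still contains KRB5 or MS-KRB5 is the case the JDK has to step past to reach the Kerberos token.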


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
I've tested all the following public JDKs 

jdk-7u45-windows-i586.exe
jdk-7u65-windows-i586.exe
jdk-7u75-windows-i586.exe
jdk-8-windows-i586.exe
jdk-8u5-windows-i586.exe
jdk-8u11-windows-i586.exe
jdk-8u20-windows-i586.exe
jdk-8u25-windows-i586.exe
jdk-8u31-windows-i586.exe
jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token

Seems a recent "fix" must have broken it.

David

----------------------------------------
> Subject: Re: SPNEGO test configuration with Manager webapp
> From: felix.schumacher@internetallee.de
> Date: Sun, 29 Mar 2015 10:13:29 +0200
> To: users@tomcat.apache.org
>
>
>
> On 28 March 2015 17:46:50 CET, Mark Thomas <ma...@apache.org> wrote:
>>On 28/03/2015 14:43, David Marsh wrote:
>>> Ok so I went back to basics and created three new VM's.
>>>
>>> Windows Server 2008 R2
>>> Windows 7 Client
>>> Windows 7 Tomcat
>>>
>>> I still had same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>>
>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>
>>Thank you for doing all this testing. That is useful information to
>>know. The next step (for you, me or anyone who has the time and wants to
>>help) is to test subsequent Java 7 releases and see at which version it
>>stops working. I'd hope that a review of the relevant change log would
>>identify the change that triggered the breakage and provide some clues
>>on how to fix it.
>>
>>It would be worth testing the Java 8 releases the same way.
>
> I read it that JDK 7 works and JDK 8 is problematic.
>
> There are a few Kerberos related changes in JDK 8 ( http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).
>
> Interesting are the two changes:
>
> * DES is disabled by default
> * constrained delegation is supported.
>
> My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.
>
> Regards
> Felix
>>
>>Mark
>>
>>
>>>
>>> David
>>>


Re: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.

On 28 March 2015 17:46:50 CET, Mark Thomas <ma...@apache.org> wrote:
>On 28/03/2015 14:43, David Marsh wrote:
>> Ok so I went back to basics and created three new VM's.
>> 
>> Windows Server 2008 R2
>> Windows 7 Client
>> Windows 7 Tomcat
>> 
>> I still had same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>> 
>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>
>Thank you for doing all this testing. That is useful information to
>know. The next step (for you, me or anyone who has the time and wants to
>help) is to test subsequent Java 7 releases and see at which version it
>stops working. I'd hope that a review of the relevant change log would
>identify the change that triggered the breakage and provide some clues
>on how to fix it.
>
>It would be worth testing the Java 8 releases the same way.

I read it that JDK 7 works and JDK 8 is problematic.

There are a few Kerberos related changes in JDK 8 ( http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).

Interesting are the two changes:

* DES is disabled by default
* constrained delegation is supported.

My guess would be that it would help (in this case) to re-enable DES by adding allow_weak_crypto=true in the krb5.conf.

Regards
Felix

Regards
Felix 
>
>Mark
>
>
>> 
>> David
>> 

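Felix's guess in concrete form, as an added example; neither fragment below was posted in the thread. The first [libdefaults] block is his diagnostic: in JDK 8 allow_weak_crypto decides whether the DES enctypes are permitted at all, so setting it to true is the one-line way to find out whether the DES default is what changed behaviour. The second block is the alternative that makes the DES default irrelevant by keeping DES out and preferring AES. The two [libdefaults] blocks are alternatives, not one file. The realm is the kerbtest.local domain the thread uses; the KDC host name is invented for illustration. Two caveats before trying either: the thread reports etype 23 (RC4-HMAC) on the AD side and in krb5.ini, and RC4-HMAC is not a DES type, so the JDK 8 change only bites if the keytab or the incoming service ticket actually carries a DES key; and allow_weak_crypto is a test setting, not something to leave in a production krb5.ini.

```ini
# Alternative 1, diagnostic only: re-enable the DES enctypes that JDK 8 turns
# off by default. Helps only if a DES key is really involved (keytab or ticket).
[libdefaults]
    default_realm = KERBTEST.LOCAL
    allow_weak_crypto = true

# Alternative 2, preferred: no DES anywhere, AES first, RC4-HMAC as fallback.
# Needs the HTTP/ service account in AD marked as supporting AES and a keytab
# regenerated with matching AES keys; otherwise the KDC keeps issuing RC4 tickets.
[libdefaults]
    default_realm = KERBTEST.LOCAL
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac

[realms]
    KERBTEST.LOCAL = {
        # assumed KDC host name, not taken from the thread
        kdc = dc01.kerbtest.local:88
    }
```

Whichever alternative is tried, start Tomcat's JVM with -Dsun.security.krb5.debug=true: the JDK then prints which enctype the incoming service ticket uses and which keytab entries it tried against it, which settles the DES-or-not question directly instead of by inference from a configuration change.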

Re: SPNEGO test configuration with Manager webapp

Posted by Mark Thomas <ma...@apache.org>.
On 28/03/2015 14:43, David Marsh wrote:
> Ok so I went back to basics and created three new VM's.
> 
> Windows Server 2008 R2
> Windows 7 Client
> Windows 7 Tomcat
> 
> I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.
> 
> It appears there are breaking changes to JAAS/GSS in newer JDKs ?

Thank you for doing all this testing. That is useful information to
know. The next step (for you, me or anyone who has the time and wants to
help) is to test subsequent Java 7 releases and see at which version it
stops working. I'd hope that a review of the relevant change log would
identify the change that triggered the breakage and provide some clues
on how to fix it.

It would be worth testing the Java 8 releases the same way.

Mark


> 
> David
> 
> ----------------------------------------
>> From: dmarsh26@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Fri, 27 Mar 2015 23:40:06 +0000
>>
>> By the way Tomcat 8 was running on JDK :-
>>
>> C:\Windows\system32>java -version
>> java version "1.8.0_40"
>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>
>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however
>> it does not seem to work.
>>
>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>
>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>> I get the same three 401's and the Negotiate.
>>
>> ----------------------------------------
>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>> From: aw@ice-sa.com
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> David Marsh wrote:
>>>> Hi Mark,
>>>>
>>>> Thanks for that, yes I've got 30 years of Windows experience, I can use Linux at a push but it's not really my area of expertise.
>>>>
>>>> I'm a Java / Windows programmer so I should be able to understand it, but I'm not a Kerberos or Active Directory expert.
>>>>
>>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>>
>>>> I made the IE settings you outlined but it seems to still prompt.
>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>> Enable Windows Integrated Authentication is on
>>>> Auto logon only in Intranet Zone is on
>>>>
>>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>>
>>>> Active Directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>
>>>> The Windows client OS and Tomcat server OS have the registry setting allowtgtsessionkey set to 1 (enabled).
>>>>
>>>> Java kinit test works and stores a ticket in the Java session cache.
>>>>
>>>> So problem seems to be either :-
>>>>
>>>> 1. Browser sends bad token
>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>
>>>
>>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the
>>> WWW, one other recommendation which seems to appear regularly (and Mark also mentioned
>>> that somewhere), is that each time you make a change somewhere, you should reboot the
>>> machine afterward, before re-testing. (Particularly on Windows machines).
>>> I know it's a PITA, but I have also found the same to be true sometimes when merely
>>> dealing with NTLM matters. There are probably some hidden caches that get cleared only in
>>> that way.
>>>
>>>
>>>> many thanks
>>>>
>>>> David
>>>>
>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>> From: aw@ice-sa.com
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> David Marsh wrote:
>>>>>> Hi Mark,
>>>>>> Thanks that would be great !
>>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>>> I believe that I can answer that.
>>>>>
>>>>> And the basic answer is no.
>>>>>
>>>>> First the basic principle, valid for this and many many other areas : the server cannot
>>>>> "impose" anything on the browser. The local user can always override anything received
>>>>> from the server, by a setting in the browser. And a hacker can of course do anything.
>>>>> All the server can do, is tell the browser what it will accept, and the browser can tell
>>>>> the server ditto.
>>>>> So, never assume the opposite, and you will save yourself a lot of fruitless searches and
>>>>> dead-ends.
>>>>>
>>>>> Now more specific :
>>>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401
>>>>> response with "Negotiate" as the requested authentication method. Unless it does that,
>>>>> the browser will never even attempt to send a Kerberos "Authorization" back.
>>>>> 2) for the browser to consider returning a Kerberos Authorization header to the server,
>>>>> additional conditions depend on the browser.
>>>>> For IE :
>>>>> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether
>>>>> this is done locally by the user, or part of the standard IE settings company-wide, or
>>>>> imposed by some "network policy" at corporate level.
>>>>> b) the server to which the browser is talking, must be known to IE as either
>>>>> - part of the "Intranet"
>>>>> - or at least a "trusted" server
>>>>> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
>>>>>
>>>>> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to
>>>>> NTLM, always. And there is nothing you can do about that at the server level.
>>>>> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level,
>>>>> has the effect of disabling Kerberos, but not NTLM).
>>>>>
>>>>> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall
>>>>> back to Basic authentication, if its other settings allow that. That's when you see the
>>>>> browser popup login dialog; and in an SSO context, this is a sure sign that something
>>>>> isn't working as expected.
>>>>>
>>>>> Some authentication modules, at the server level, are able to adapt to what the browser
>>>>> sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos
>>>>> authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
>>>>> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
>>>>> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works
>>>>> under both Windows and Linux.
>>>>>
>>>>> And finally, about your problems : it seems that you have fallen in a very specific kind
>>>>> of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using
>>>>> Windows Kerberos libraries and encryption method choices and hostname formats etc..), from
>>>>> a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying
>>>>> platform is), which is using Java Kerberos libraries and encryption method choices etc...
>>>>> And it seems that between this Java Kerberos part and the Windows Kerberos part, there
>>>>> are a number of areas of mutual incomprehension (such as which key encryption methods they
>>>>> each implement, or which ones are the "default" ones for each).
>>>>>
>>>>> And I am sure that the issue can be resolved. But it is probably a question of finding
>>>>> out which among the 25 or more settings one can alter on each side, overlap and either
>>>>> agree or contradict each other.
>>>>>
>>>>> One underlying issue is that, as well in corporations as on the WWW, the "Windows people"
>>>>> and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how
>>>>> to set this up, they will tell you "just do this and it works" (assuming that all the
>>>>> moving parts are Windows-based); and if you ask the "Linux people", they will tell you
>>>>> "just do this and it works" (assuming that all the moving parts are Linux-based).
>>>>> And there are very few people (and web pages) which span both worlds with their various
>>>>> combinations.
>>>>>
>>>>>
>>>>>> David
>>>>>>
>>>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>>>> From: markt@apache.org
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>>>> Still getting :-
>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: G
>>>>>>>> SSHeader did not find the right tag)
>>>>>>>>
>>>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>>>>>>>
>>>>>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>>>
>>>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>>>
>>>>>>>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>>>> My test environment is Windows 2008 R2 server and Windows 7. It is
>>>>>>> certainly possible security has been tightened between those versions
>>>>>>> and 2012/R2 + 8 that means things don't work by default with Java.
>>>>>>>
>>>>>>> I'll see if I can find some time in the next few weeks to update my test
>>>>>>> environment and do some more testing.
>>>>>>>
>>>>>>> Mark
>>>>>>>

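David's question quoted above ("do you have a good mechanism to test and ensure a Kerberos token is passed to Tomcat and not an NTLM token?") can be answered on the server side by looking at what the browser actually put in the Authorization header. The following Python script is an added example and is not code from this thread, from Tomcat, or from any of the posters: it decodes the base64 value of an Authorization: Negotiate header, checks for the GSS-API InitialContextToken framing (first byte 0x60) and, for SPNEGO, lists the mechanisms the browser offered. A token without that 0x60 header, which is what a bare NTLMSSP message looks like, is exactly the input Java's GSSHeader rejects with the "Defective token detected ... GSSHeader did not find the right tag" message quoted in the thread. The OID values are the registered ones; the sample headers are constructed inside the script with dummy mechToken bytes, not captured from David's environment.

```python
import base64

# Mechanism OIDs found in Negotiate tokens (registered values, not page-specific)
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_NEGOEX = "1.3.6.1.4.1.311.2.2.30"
KERBEROS_OIDS = (OID_KRB5, OID_MS_KRB5)

def der(tag, value):
    """Encode one DER TLV (only used to build the constructed sample tokens)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128 groups, continuation bit set on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def spnego_mech_types(neg_token):
    """mechTypes OIDs from a NegTokenInit ([0] CHOICE); [] for a NegTokenResp ([1])."""
    tag, choice, _ = der_tlv(neg_token)
    if tag != 0xA0:
        return []
    _, seq, _ = der_tlv(choice)       # NegTokenInit ::= SEQUENCE
    tag, mech_list, _ = der_tlv(seq)  # [0] mechTypes MechTypeList
    if tag != 0xA0:
        return []
    _, oids, _ = der_tlv(mech_list)   # SEQUENCE OF MechType
    out, pos = [], 0
    while pos < len(oids):
        t, v, pos = der_tlv(oids, pos)
        if t == 0x06:
            out.append(decode_oid(v))
    return out

def classify_negotiate(authorization_header):
    """Say what the browser actually sent in 'Authorization: Negotiate <base64>'."""
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"verdict": "not-negotiate", "mechs": []}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):  # bare NTLMSSP, no GSS framing: NTLM fallback
        return {"verdict": "ntlm-raw", "mechs": [OID_NTLMSSP]}
    if not raw or raw[0] != 0x60:
        # Missing [APPLICATION 0] InitialContextToken header: this is the case Java's
        # GSSHeader reports as "Defective token ... did not find the right tag".
        return {"verdict": "not-gss", "mechs": []}
    _, body, _ = der_tlv(raw)
    _, oid_body, end = der_tlv(body)  # thisMech OID directly follows the 0x60 header
    mech = decode_oid(oid_body)
    if mech != OID_SPNEGO:  # raw Kerberos AP-REQ token, or something unexpected
        return {"verdict": "kerberos-raw" if mech in KERBEROS_OIDS else "unknown-mech", "mechs": [mech]}
    mechs = spnego_mech_types(body[end:])
    # SPNEGO's optimistic mechToken belongs to the FIRST listed mechanism, so only a
    # Kerberos OID in first position means the server is handed a Kerberos ticket.
    verdict = "spnego-kerberos" if mechs and mechs[0] in KERBEROS_OIDS else "spnego-no-kerberos"
    return {"verdict": verdict, "mechs": mechs}

def build_spnego_init(mechs, mech_token):
    fields = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mechs)))
    fields += der(0xA2, der(0x04, mech_token))
    return der(0x60, encode_oid(OID_SPNEGO) + der(0xA0, der(0x30, fields)))

def negotiate_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")

# Constructed sample headers (dummy mechToken bytes), not captured from any client in this thread.
SAMPLE_KERBEROS = negotiate_header(build_spnego_init([OID_KRB5, OID_MS_KRB5, OID_NTLMSSP], b"\x60" * 8))
SAMPLE_NEGOEX_ONLY = negotiate_header(build_spnego_init([OID_NEGOEX, OID_NTLMSSP], b"\x00" * 8))
SAMPLE_RAW_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28)
```

Feed classify_negotiate() the Authorization header value copied from a request log or a proxy capture. A verdict of spnego-kerberos or kerberos-raw means the browser did hand Tomcat a Kerberos ticket, so any remaining failure lies in the keytab, SPN or JAAS side; ntlm-raw, not-gss or spnego-no-kerberos means the client never produced a Kerberos token, which points at the browser zone settings, the SPN lookup on the client, or the client's own ticket cache rather than at the server configuration.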

RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Ok so I went back to basics and created three new VMs.

Windows Server 2008 R2
Windows 7 Client
Windows 7 Tomcat

I still had the same issues, until I changed the Java on the tomcat server to JDK 7 u45.

It appears there are breaking changes to JAAS/GSS in newer JDKs ?

David

----------------------------------------
> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Fri, 27 Mar 2015 23:40:06 +0000
>
> By the way Tomcat 8 was running on JDK :-
>
> C:\Windows\system32>java -version
> java version "1.8.0_40"
> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>
> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however
> it does not seem to work.
>
> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>
> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
> I get the same three 401's and the Negotiate.
>
> ----------------------------------------
>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>> From: aw@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> David Marsh wrote:
>>> Hi Mark,
>>>
>>> Thanks for that, yes I've got 30 years of Windows experience, I can use Linux at a push but it's not really my area of expertise.
>>>
>>> I'm a Java / Windows programmer so I should be able to understand it, but I'm not a Kerberos or Active Directory expert.
>>>
>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>
>>> I made the IE settings you outlined but it seems to still prompt.
>>> IE has win-tc01.kerbtest.local as a trusted site.
>>> Enable Windows Integrated Authentication is on
>>> Auto logon only in Intranet Zone is on
>>>
>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>
>>> Active Directory and krb5.ini are using eType 23 which is rc4-hmac
>>>
>>> The Windows client OS and Tomcat server OS have the registry setting allowtgtsessionkey set to 1 (enabled).
>>>
>>> Java kinit test works and stores a ticket in the Java session cache.
>>>
>>> So problem seems to be either :-
>>>
>>> 1. Browser sends bad token
>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>
>>
>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the
>> WWW, one other recommendation which seems to appear regularly (and Mark also mentioned
>> that somewhere), is that each time you make a change somewhere, you should reboot the
>> machine afterward, before re-testing. (Particularly on Windows machines).
>> I know it's a PITA, but I have also found the same to be true sometimes when merely
>> dealing with NTLM matters. There are probably some hidden caches that get cleared only in
>> that way.
>>
>>
>>> many thanks
>>>
>>> David
>>>
>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>> From: aw@ice-sa.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> David Marsh wrote:
>>>>> Hi Mark,
>>>>> Thanks that would be great !
>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>> I believe that I can answer that.
>>>>
>>>> And the basic answer is no.
>>>>
>>>> First the basic principle, valid for this and many many other areas : the server cannot
>>>> "impose" anything on the browser. The local user can always override anything received
>>>> from the server, by a setting in the browser. And a hacker can of course do anything.
>>>> All the server can do, is tell the browser what it will accept, and the browser can tell
>>>> the server ditto.
>>>> So, never assume the opposite, and you will save yourself a lot of fruitless searches and
>>>> dead-ends.
>>>>
>>>> Now more specific :
>>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401
>>>> response with "Negotiate" as the requested authentication method. Unless it does that,
>>>> the browser will never even attempt to send a Kerberos "Authorization" back.
>>>> 2) for the browser to consider returning a Kerberos Authorization header to the server,
>>>> additional conditions depend on the browser.
>>>> For IE :
>>>> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether
>>>> this is done locally by the user, or part of the standard IE settings company-wide, or
>>>> imposed by some "network policy" at corporate level.
>>>> b) the server to which the browser is talking, must be known to IE as either
>>>> - part of the "Intranet"
>>>> - or at least a "trusted" server
>>>> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
>>>>
>>>> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to
>>>> NTLM, always. And there is nothing you can do about that at the server level.
>>>> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level,
>>>> has the effect of disabling Kerberos, but not NTLM).
>>>>
>>>> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall
>>>> back to Basic authentication, if its other settings allow that. That's when you see the
>>>> browser popup login dialog; and in an SSO context, this is a sure sign that something
>>>> isn't working as expected.
>>>>
>>>> Some authentication modules, at the server level, are able to adapt to what the browser
>>>> sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos
>>>> authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
>>>> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
>>>> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works
>>>> under both Windows and Linux.
>>>>
>>>> And finally, about your problems : it seems that you have fallen in a very specific kind
>>>> of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using
>>>> Windows Kerberos libraries and encryption method choices and hostname formats etc..), from
>>>> a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying
>>>> platform is), which is using Java Kerberos libraries and encryption method choices etc...
>>>> And it seems that between this Java Kerberos part and the Windows Kerberos part, there
>>>> are a number of areas of mutual incomprehension (such as which key encryption methods they
>>>> each implement, or which ones are the "default" ones for each).
>>>>
>>>> And I am sure that the issue can be resolved. But it is probably a question of finding
>>>> out which among the 25 or more settings one can alter on each side, overlap and either
>>>> agree or contradict each other.
>>>>
>>>> One underlying issue is that, as well in corporations as on the WWW, the "Windows people"
>>>> and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how
>>>> to set this up, they will tell you "just do this and it works" (assuming that all the
>>>> moving parts are Windows-based); and if you ask the "Linux people", they will tell you
>>>> "just do this and it works" (assuming that all the moving parts are Linux-based).
>>>> And there are very few people (and web pages) which span both worlds with their various
>>>> combinations.
>>>>
>>>>
>>>>> David
>>>>>
>>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>>> From: markt@apache.org
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>>> Still getting :-
>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: G
>>>>>>> SSHeader did not find the right tag)
>>>>>>>
>>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>>>>>>
>>>>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>>
>>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>>
>>>>>>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>>> My test environment is Windows 2008 R2 server and Windows 7. It is
>>>>>> certainly possible security has been tightened between those versions
>>>>>> and 2012/R2 + 8 that means things don't work by default with Java.
>>>>>>
>>>>>> I'll see if I can find some time in the next few weeks to update my test
>>>>>> environment and do some more testing.
>>>>>>
>>>>>> Mark
>>>>>>


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
By the way Tomcat 8 was running on JDK  :-

C:\Windows\system32>java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however
it does not seem to work.

I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local

It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
I get the same three 401's and the Negotiate.

----------------------------------------
> Date: Thu, 26 Mar 2015 12:11:34 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>>
>> Thanks for that, yes I've got 30 years of Windows experience, I can use Linux at a push but it's not really my area of expertise.
>>
>> I'm a Java / Windows programmer so I should be able to understand it, but I'm not a Kerberos or Active Directory expert.
>>
>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>
>> I made the IE settings you outlined but it seems to still prompt.
>> IE has win-tc01.kerbtest.local as a trusted site.
>> Enable Windows Integrated Authentication is on
>> Auto logon only in Intranet Zone is on
>>
>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>
>> Active Directory and krb5.ini are using eType 23 which is rc4-hmac
>>
>> The Windows client OS and Tomcat server OS have the registry setting allowtgtsessionkey set to 1 (enabled).
>>
>> Java kinit test works and stores a ticket in the Java session cache.
>>
>> So problem seems to be either :-
>>
>> 1. Browser sends bad token
>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>
>
> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the
> WWW, one other recommendation which seems to appear regularly (and Mark also mentioned
> that somewhere), is that each time you make a change somewhere, you should reboot the
> machine afterward, before re-testing. (Particularly on Windows machines).
> I know it's a PITA, but I have also found the same to be true sometimes when merely
> dealing with NTLM matters. There are probably some hidden caches that get cleared only in
> that way.
>
>
>> many thanks
>>
>> David
>>
>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>> From: aw@ice-sa.com
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> David Marsh wrote:
>>>> Hi Mark,
>>>> Thanks that would be great !
>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>> I believe that I can answer that.
>>>
>>> And the basic answer is no.
>>>
>>> First the basic principle, valid for this and many many other areas : the server cannot
>>> "impose" anything on the browser. The local user can always override anything received
>>> from the server, by a setting in the browser. And a hacker can of course do anything.
>>> All the server can do, is tell the browser what it will accept, and the browser can tell
>>> the server ditto.
>>> So, never assume the opposite, and you will save yourself a lot of fruitless searches and
>>> dead-ends.
>>>
>>> Now more specific :
>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401
>>> response with "Negotiate" as the requested authentication method. Unless it does that,
>>> the browser will never even attempt to send a Kerberos "Authorization" back.
>>> 2) for the browser to consider returning a Kerberos Authorization header to the server,
>>> additional conditions depend on the browser.
>>> For IE :
>>> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether
>>> this is done locally by the user, or part of the standard IE settings company-wide, or
>>> imposed by some "network policy" at corporate level.
>>> b) the server to which the browser is talking, must be known to IE as either
>>> - part of the "Intranet"
>>> - or at least a "trusted" server
>>> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
>>>
>>> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to
>>> NTLM, always. And there is nothing you can do about that at the server level.
>>> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level,
>>> has the effect of disabling Kerberos, but not NTLM).
>>>
>>> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall
>>> back to Basic authentication, if its other settings allow that. That's when you see the
>>> browser popup login dialog; and in an SSO context, this is a sure sign that something
>>> isn't working as expected.
>>>
>>> Some authentication modules, at the server level, are able to adapt to what the browser
>>> sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos
>>> authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
>>> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
>>> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works
>>> under both Windows and Linux.
>>>
>>> And finally, about your problems : it seems that you have fallen in a very specific kind
>>> of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using
>>> Windows Kerberos libraries and encryption method choices and hostname formats etc..), from
>>> a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying
>>> platform is), which is using Java Kerberos libraries and encryption method choices etc...
>>> And it seems that between this Java Kerberos part and the Windows Kerberos part, there
>>> are a number of areas of mutual incomprehension (such as which key encryption methods they
>>> each implement, or which ones are the "default" ones for each).
>>>
>>> And I am sure that the issue can be resolved. But it is probably a question of finding
>>> out which among the 25 or more settings one can alter on each side, overlap and either
>>> agree or contradict each other.
>>>
>>> One underlying issue is that, as well in corporations as on the WWW, the "Windows people"
>>> and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how
>>> to set this up, they will tell you "just do this and it works" (assuming that all the
>>> moving parts are Windows-based); and if you ask the "Linux people", they will tell you
>>> "just do this and it works" (assuming that all the moving parts are Linux-based).
>>> And there are very few people (and web pages) which span both worlds with their various
>>> combinations.
>>>
>>>
>>>> David
>>>>
>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>> From: markt@apache.org
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>> Still getting :-
>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: G
>>>>>> SSHeader did not find the right tag)
>>>>>>
>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>>>>>
>>>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>
>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>
>>>>>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>> My test environment is Windows 2008 R2 server and Windows 7. It is
>>>>> certainly possible security has been tightened between those versions
>>>>> and 2012/R2 + 8 that means things don't work by default with Java.
>>>>>
>>>>> I'll see if I can find some time in the next few weeks to update my test
>>>>> environment and do some more testing.
>>>>>
>>>>> Mark
>>>>>


Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
David Marsh wrote:
> Hi Mark,
> 
> Thanks for that, yes I've got 30 years of Windows experience, I can use Linux at a push but it's not really my area of expertise.
> 
> I'm a Java / Windows programmer so I should be able to understand it, but I'm not a Kerberos or Active Directory expert.
> 
> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
> 
> I made the IE settings you outlined but it seems to still prompt.
> IE has win-tc01.kerbtest.local as a trusted site.
> Enable Windows Integrated Authentication is on
> Auto logon only in Intranet Zone is on
> 
> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
> 
> Active Directory and krb5.ini are using eType 23 which is rc4-hmac
> 
> The Windows client OS and Tomcat server OS have the registry setting allowtgtsessionkey set to 1 (enabled).
> 
> Java kinit test works and stores a ticket in the Java session cache.
> 
> So problem seems to be either :-
> 
> 1. Browser sends bad token
> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
> 

Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the 
WWW, one other recommendation which seems to appear regularly (and Mark also mentioned 
that somewhere), is that each time you make a change somewhere, you should reboot the 
machine afterward, before re-testing. (Particularly on Windows machines).
I know it's a PITA, but I have also found the same to be true sometimes when merely 
dealing with NTLM matters.  There are probably some hidden caches that get cleared only in 
that way.


> many thanks
> 
> David
> 
>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>> From: aw@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> David Marsh wrote:
>>> Hi Mark,
>>> Thanks that would be great !
>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>> I believe that I can answer that.
>>
>> And the basic answer is no.
>>
>> First the basic principle, valid for this and many many other areas : the server cannot 
>> "impose" anything on the browser. The local user can always override anything received 
>> from the server, by a setting in the browser. And a hacker can of course do anything.
>> All the server can do, is tell the browser what it will accept, and the browser can tell 
>> the server ditto.
>> So, never assume the opposite, and you will save yourself a lot of fruitless searches and 
>> dead-ends.
>>
>> Now more specific :
>> 1) For Kerberos to be used at all at the browser level, the server must send a 401 
>> response with "Negotiate" as the requested authentication method. Unless it does that, 
>> the browser will never even attempt to send a Kerberos "Authorization" back.
>> 2) for the browser to consider returning a Kerberos Authorization header to the server, 
>> additional conditions depend on the browser.
>> For IE :
>> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether 
>> this is done locally by the user, or part of the standard IE settings company-wide, or 
>> imposed by some "network policy" at corporate level.
>> b) the server to which the browser is talking, must be known to IE as either
>> - part of the "Intranet"
>> - or at least a "trusted" server
>> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
>>
>> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to 
>> NTLM, always. And there is nothing you can do about that at the server level.
>> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level, 
>> has the effect of disabling Kerberos, but not NTLM).
>>
>> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall 
>> back to Basic authentication, if its other settings allow that. That's when you see the 
>> browser popup login dialog; and in an SSO context, this is a sure sign that something 
>> isn't working as expected.
>>
>> Some authentication modules, at the server level, are able to adapt to what the browser 
>> sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos 
>> authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
>> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
>> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works 
>> under both Windows and Linux.
>>
>> And finally, about your problems : it seems that you have fallen in a very specific kind 
>> of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using 
>> Windows Kerberos libraries and encryption method choices and hostname formats etc..), from 
>> a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying 
>> platform is), which is using Java Kerberos libraries and encryption method choices etc... 
>> And it seems that between this Java Kerberos part and the Windows Kerberos part, there 
>> are a number of areas of mutual incomprehension (such as which key encryption methods they 
>> each implement, or which ones are the "default" ones for each).
>>
>> And I am sure that the issue can be resolved. But it is probably a question of finding 
>> out which among the 25 or more settings one can alter on each side, overlap and either 
>> agree or contradict each other.
>>
>> One underlying issue is that, as well in corporations as on the WWW, the "Windows people" 
>> and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how 
>> to set this up, they will tell you "just do this and it works" (assuming that all the 
>> moving parts are Windows-based); and if you ask the "Linux people", they will tell you 
>> "just do this and it works" (assuming that all the moving parts are Linux-based).
>> And there are very few people (and web pages) which span both worlds with their various 
>> combinations.
>>
>>
>>> David
>>>
>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>> From: markt@apache.org
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>> Still getting :-
>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>
>>>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>>>>
>>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>
>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>
>>>>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>> My test environment is Windows 2008 R2 server and Windows 7. It is
>>>> certainly possible security has been tightened between those versions
>>>> and 2012/R2 + 8 that means things don't work by default with Java.
>>>>
>>>> I'll see if I can find some time in the next few weeks to update my test
>>>> environment and do some more testing.
>>>>
>>>> Mark
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Hi Mark,

Thanks for that, yes I've got 30 years' Windows experience; I can use Linux at a push but it's not really my area of expertise.

I'm a Java / Windows programmer so I should be able to understand it, but I'm not a Kerberos or Active Directory expert.

I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.

I made the IE settings you outlined but it seems to still prompt.
IE has win-tc01.kerbtest.local as a trusted site.
Enable Windows Integrated Authentication is on
Auto logon only in Intranet Zone is on

I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.

Active Directory and krb5.ini are using eType 23, which is rc4-hmac.

The Windows client OS and Tomcat server OS have the registry setting allowtgtsessionkey set to 1 (enabled).

Java kinit test works and stores a ticket in the Java session cache.

So the problem seems to be either :-

1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it

many thanks

David

> Date: Thu, 26 Mar 2015 11:32:39 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> David Marsh wrote:
>> Hi Mark,
>> Thanks that would be great !
>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
> 
> I believe that I can answer that.
> 
> And the basic answer is no.
> 
> First the basic principle, valid for this and many many other areas : the server cannot 
> "impose" anything on the browser. The local user can always override anything received 
> from the server, by a setting in the browser. And a hacker can of course do anything.
> All the server can do, is tell the browser what it will accept, and the browser can tell 
> the server ditto.
> So, never assume the opposite, and you will save yourself a lot of fruitless searches and 
> dead-ends.
> 
> Now more specific :
> 1) For Kerberos to be used at all at the browser level, the server must send a 401 
> response with "Negotiate" as the requested authentication method. Unless it does that, 
> the browser will never even attempt to send a Kerberos "Authorization" back.
> 2) for the browser to consider returning a Kerberos Authorization header to the server, 
> additional conditions depend on the browser.
> For IE :
> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether 
> this is done locally by the user, or part of the standard IE settings company-wide, or 
> imposed by some "network policy" at corporate level.
> b) the server to which the browser is talking, must be known to IE as either
> - part of the "Intranet"
> - or at least a "trusted" server
> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
> 
> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to 
> NTLM, always. And there is nothing you can do about that at the server level.
> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level, 
> has the effect of disabling Kerberos, but not NTLM).
> 
> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall 
> back to Basic authentication, if its other settings allow that. That's when you see the 
> browser popup login dialog; and in an SSO context, this is a sure sign that something 
> isn't working as expected.
> 
> Some authentication modules, at the server level, are able to adapt to what the browser 
> sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos 
> authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works 
> under both Windows and Linux.
> 
> And finally, about your problems : it seems that you have fallen in a very specific kind 
> of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using 
> Windows Kerberos libraries and encryption method choices and hostname formats etc..), from 
> a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying 
> platform is), which is using Java Kerberos libraries and encryption method choices etc... 
> And it seems that between this Java Kerberos part and the Windows Kerberos part, there 
> are a number of areas of mutual incomprehension (such as which key encryption methods they 
> each implement, or which ones are the "default" ones for each).
> 
> And I am sure that the issue can be resolved. But it is probably a question of finding 
> out which among the 25 or more settings one can alter on each side, overlap and either 
> agree or contradict each other.
> 
> One underlying issue is that, as well in corporations as on the WWW, the "Windows people" 
> and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how 
> to set this up, they will tell you "just do this and it works" (assuming that all the 
> moving parts are Windows-based); and if you ask the "Linux people", they will tell you 
> "just do this and it works" (assuming that all the moving parts are Linux-based).
> And there are very few people (and web pages) which span both worlds with their various 
> combinations.
> 
> 
>> David
>> 
>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>> From: markt@apache.org
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 26/03/2015 00:36, David Marsh wrote:
>>>> Still getting :-
>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>
>>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>>>
>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>
>>>> Does Tomcat 8 work with NegoEx ?
>>>>
>>>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>>> My test environment is Windows 2008 R2 server and Windows 7. It is
>>> certainly possible security has been tightened between those versions
>>> and 2012/R2 + 8 that means things don't work by default with Java.
>>>
>>> I'll see if I can find some time in the next few weeks to update my test
>>> environment and do some more testing.
>>>
>>> Mark
>>>
>>>
>> 
> 
> 

Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
David Marsh wrote:
> Hi Mark,
> Thanks that would be great !
> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?

I believe that I can answer that.

And the basic answer is no.

First the basic principle, valid for this and many many other areas : the server cannot 
"impose" anything on the browser.  The local user can always override anything received 
from the server, by a setting in the browser.  And a hacker can of course do anything.
All the server can do, is tell the browser what it will accept, and the browser can tell 
the server ditto.
So, never assume the opposite, and you will save yourself a lot of fruitless searches and 
dead-ends.

Now more specific :
1) For Kerberos to be used at all at the browser level, the server must send a 401 
response with "Negotiate" as the requested authentication method.  Unless it does that, 
the browser will never even attempt to send a Kerberos "Authorization" back.
2) for the browser to consider returning a Kerberos Authorization header to the server, 
additional conditions depend on the browser.
For IE :
a) the "enable Windows Integrated Authentication" setting must be on (checked), whether 
this is done locally by the user, or part of the standard IE settings company-wide, or 
imposed by some "network policy" at corporate level.
b) the server to which the browser is talking, must be known to IE as either
- part of the "Intranet"
- or at least a "trusted" server
That is defined in IE's "security zones" (which again can be local, or corporation-wide).

If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to 
NTLM, always. And there is nothing you can do about that at the server level.
(Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level, 
has the effect of disabling Kerberos, but not NTLM).

If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall 
back to Basic authentication, if its other settings allow that.  That's when you see the 
browser popup login dialog; and in an SSO context, this is a sure sign that something 
isn't working as expected.

Some authentication modules, at the server level, are able to adapt to what the browser 
sends, others not.  I believe that Waffle can accept either browser NTLM or Kerberos 
authentication.  Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
I do not know about the SPNEGO thing in Tomcat (from the name, it should).
The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works 
under both Windows and Linux.

And finally, about your problems : it seems that you have fallen in a very specific kind 
of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using 
Windows Kerberos libraries and encryption method choices and hostname formats etc..), from 
a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying 
platform is), which is using Java Kerberos libraries and encryption method choices etc... 
  And it seems that between this Java Kerberos part and the Windows Kerberos part, there 
are a number of areas of mutual incomprehension (such as which key encryption methods they 
each implement, or which ones are the "default" ones for each).

And I am sure that the issue can be resolved.  But it is probably a question of finding 
out which among the 25 or more settings one can alter on each side, overlap and either 
agree or contradict each other.

One underlying issue is that, as well in corporations as on the WWW, the "Windows people" 
and the "Linux people" tend to be 2 separate groups.  If you ask the "Windows people" how 
to set this up, they will tell you "just do this and it works" (assuming that all the 
moving parts are Windows-based); and if you ask the "Linux people", they will tell you 
"just do this and it works" (assuming that all the moving parts are Linux-based).
And there are very few people (and web pages) which span both worlds with their various 
combinations.


> David
> 
>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>> From: markt@apache.org
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> On 26/03/2015 00:36, David Marsh wrote:
>>> Still getting :-
>>>  java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>
>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>>
>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>
>>> Does Tomcat 8 work with NegoEx ?
>>>
>>> Are Windows 8.1 and Windows Server 2012 RC2 supported ?
>> My test environment is Windows 2008 R2 server and Windows 7. It is
>> certainly possible security has been tightened between those versions
>> and 2012/R2 + 8 that means things don't work by default with Java.
>>
>> I'll see if I can find some time in the next few weeks to update my test
>> environment and do some more testing.
>>
>> Mark
>>




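André's answer above is about what the server can force, which is nothing; what the server can still do is look at the token the browser actually sent. The following is an added example, not code from the thread or from Tomcat: it decodes an Authorization: Negotiate header and reports whether it carries a bare NTLMSSP blob, a SPNEGO NegTokenInit (with the mechanisms it offers, NegoEx included) or a bare Kerberos token, which separates David's two hypotheses (browser sends a bad token vs. good token the JDK cannot handle). The DER helpers, the OID table, the function names and the sample tokens are this example's own constructions; the OIDs are the standard assigned values.

```python
import base64

# Mechanism OIDs seen in browser Negotiate tokens (standard assigned values).
SPNEGO = "1.3.6.1.5.5.2"
OID_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}


def tlv(tag, body):
    """Minimal DER encoder: tag byte, definite-form length, body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Minimal DER decoder: returns (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body):
    """DER OBJECT IDENTIFIER body -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value):
    """Say what an 'Authorization: Negotiate <base64>' header really carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # Bare NTLM under the Negotiate scheme: no GSS-API framing at all, so an
        # acceptor that looks for the 0x60 InitialContextToken tag rejects it.
        return {"kind": "raw-ntlm", "message_type": int.from_bytes(raw[8:12], "little")}
    if not raw or raw[0] != 0x60:
        return {"kind": "not-gss", "first_byte": raw[0] if raw else None}
    _, body, _ = read_tlv(raw, 0)
    otag, oid_body, pos = read_tlv(body, 0)
    if otag != 0x06:
        return {"kind": "not-gss", "first_byte": 0x60}
    mech = decode_oid(oid_body)
    if mech != SPNEGO:
        return {"kind": "raw-gss", "mech": OID_NAMES.get(mech, mech)}
    ctag, neg, _ = read_tlv(body, pos)
    if ctag != 0xA0:  # a browser's first token is [0] NegTokenInit; [1] is NegTokenResp
        return {"kind": "spnego", "mech_types": None}
    _, seq, _ = read_tlv(neg, 0)            # NegTokenInit ::= SEQUENCE
    _, wrapped, _ = read_tlv(seq, 0)        # [0] mechTypes
    _, mech_list, _ = read_tlv(wrapped, 0)  # SEQUENCE OF MechType
    oids, p = [], 0
    while p < len(mech_list):
        _, ob, p = read_tlv(mech_list, p)
        oids.append(OID_NAMES.get(decode_oid(ob), decode_oid(ob)))
    return {"kind": "spnego", "mech_types": oids}


# Constructed sample tokens (not captured from the thread).
def build_raw_ntlm_negotiate():
    """NTLM NEGOTIATE_MESSAGE (type 1) with empty domain and workstation fields."""
    return b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)


def build_spnego_neg_token_init(mech_oids, mech_token=b""):
    """GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit listing mech_oids."""
    fields = tlv(0xA0, tlv(0x30, b"".join(encode_oid(o) for o in mech_oids)))
    if mech_token:
        fields += tlv(0xA2, tlv(0x04, mech_token))  # [2] mechToken OCTET STRING
    return tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, tlv(0x30, fields)))


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    ntlm = build_raw_ntlm_negotiate()
    print(classify_negotiate_token(negotiate_header(ntlm)))
    # NTLM fallback carried through SPNEGO: NTLMSSP offered as the only mechanism.
    print(classify_negotiate_token(negotiate_header(
        build_spnego_neg_token_init(["1.3.6.1.4.1.311.2.2.10"], ntlm))))
    # Kerberos offered first, NegoEx and NTLMSSP listed as fallbacks.
    print(classify_negotiate_token(negotiate_header(build_spnego_neg_token_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
         "1.3.6.1.4.1.311.2.2.30", "1.3.6.1.4.1.311.2.2.10"]))))
```

Java's GSS-API acceptor checks for the 0x60 InitialContextToken tag before anything else, so "GSSHeader did not find the right tag" means the first byte of the decoded token was not 0x60; a bare NTLMSSP blob is one token that fails exactly there.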
RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
David

> Date: Thu, 26 Mar 2015 09:00:22 +0000
> From: markt@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> On 26/03/2015 00:36, David Marsh wrote:
> > Still getting :-
> >  java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> > 
> > Folks here mention lack of NegoEx support or bugs in GSS-API ?
> > 
> > http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
> > 
> > Does Tomcat 8 work with NegoEx ?
> > 
> > Are Windows 8.1 and Windows Server 2012 RC2 supported ?
> 
> My test environment is Windows 2008 R2 server and Windows 7. It is
> certainly possible security has been tightened between those versions
> and 2012/R2 + 8 that means things don't work by default with Java.
> 
> I'll see if I can find some time in the next few weeks to update my test
> environment and do some more testing.
> 
> Mark
> 

Re: SPNEGO test configuration with Manager webapp

Posted by Mark Thomas <ma...@apache.org>.
On 26/03/2015 00:36, David Marsh wrote:
> Still getting :-
>  java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> 
> Folks here mention lack of NegoEx support or bugs in GSS-API ?
> 
> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
> 
> Does Tomcat 8 work with NegoEx ?
> 
> Are Windows 8.1 and Windows Server 2012 RC2 supported ?

My test environment is Windows 2008 R2 server and Windows 7. It is
certainly possible security has been tightened between those versions
and 2012/R2 + 8 that means things don't work by default with Java.

I'll see if I can find some time in the next few weeks to update my test
environment and do some more testing.

Mark



RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Still getting :-
 java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Folks here mention lack of NegoEx support or bugs in GSS-API ?

http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1

Does Tomcat 8 work with NegoEx ?

Are Windows 8.1 and Windows Server 2012 RC2 supported ?

many thanks

David

> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Thu, 26 Mar 2015 00:18:11 +0000
> 
> With the correct keytab and krb5.ini I can get kinit to pass...
> Still cannot get SPNEGO in tomcat to work, have the same 401 three times.
> C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>> Kinit using keytab
> >>> Kinit keytab file name: c:\keytab\tomcat.keytab
> Java config name: c:\windows\krb5.ini
> Loaded from Java config
> >>> Kinit realm name is KERBTEST.LOCAL
> >>> Creating KrbAsReq
> >>> KrbKdcReq local addresses for win-tc01 are:
> win-tc01/192.168.0.3
> IPv4 address
> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> IPv6 address
> win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
> IPv6 address
> win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
> IPv6 address
> >>> KdcAccessibility: reset
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 1
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 3
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 23
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 94; type: 18
> >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 17
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=272
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=272
> >>> KrbKdcReq send: #bytes read=213
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 15
> 
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> sTime is Thu Mar 26 00:10:28 GMT 2015 1427328628000
> suSec is 635591
> error code is 25
> error Message is Additional pre-authentication required
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
> 
> >>>Pre-Authentication Data:
> PA-DATA type = 15
> 
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=359
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=359
> >>> KrbKdcReq send: #bytes read=100
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=359
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=359
> >>>DEBUG: TCPClient reading 1653 bytes
> >>> KrbKdcReq send: #bytes read=1653
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 15
> Added key: 18version: 15
> Added key: 23version: 15
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
> New ticket is stored in cache file C:\Users\tc01.KERBTEST\krb5cc_tc01
>> From: dmarsh26@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Wed, 25 Mar 2015 22:26:22 +0000
>> 
>> Turns out to use the Java kinit I need a krb5.conf inside the jdk/jre lib/security folder.
>> 
>> Now I get :-
>> 
>> 
>> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
>> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Kinit using keytab
>>>>> Kinit keytab file name: c:\keytab\tomcat.keytab
>> Java config name: null
>> LSA: Found Ticket
>> LSA: Made NewWeakGlobalRef
>> LSA: Found PrincipalName
>> LSA: Made NewWeakGlobalRef
>> LSA: Found DerValue
>> LSA: Made NewWeakGlobalRef
>> LSA: Found EncryptionKey
>> LSA: Made NewWeakGlobalRef
>> LSA: Found TicketFlags
>> LSA: Made NewWeakGlobalRef
>> LSA: Found KerberosTime
>> LSA: Made NewWeakGlobalRef
>> LSA: Found String
>> LSA: Made NewWeakGlobalRef
>> LSA: Found DerValue constructor
>> LSA: Found Ticket constructor
>> LSA: Found PrincipalName constructor
>> LSA: Found EncryptionKey constructor
>> LSA: Found TicketFlags constructor
>> LSA: Found KerberosTime constructor
>> LSA: Finished OnLoad processing
>> Native config name: C:\Windows\krb5.ini
>> Loaded from native config
>>>>> Kinit realm name is KERBTEST.LOCAL
>>>>> Creating KrbAsReq
>>>>> KrbKdcReq local addresses for win-tc01 are:
>> 
>> win-tc01/192.168.0.3
>> IPv4 address
>> 
>> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
>> IPv6 address
>>>>> KdcAccessibility: reset
>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> KeyTab: load() entry length: 70; type: 1
>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> KeyTab: load() entry length: 70; type: 3
>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> KeyTab: load() entry length: 78; type: 23
>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> KeyTab: load() entry length: 94; type: 18
>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> KeyTab: load() entry length: 78; type: 17
>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> Added key: 17version: 5
>> Added key: 18version: 5
>> Added key: 23version: 5
>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=216
>>>>> KrbKdcReq send: #bytes read=100
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>KRBError:
>> sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
>> suSec is 681217
>> error code is 6
>> error Message is Client not found in Kerberos database
>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>> msgType is 30
>> Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
>> KrbException: Client not found in Kerberos database (6)
>> at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
>> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
>> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
>> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
>> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
>> Caused by: KrbException: Identifier doesn't match expected value (906)
>> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>> at sun.security.krb5.internal.ASRep.init(Unknown Source)
>> at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
>> ... 5 more
>> 
>> 
>> ----------------------------------------
>>> From: dmarsh26@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>> Date: Wed, 25 Mar 2015 21:19:30 +0000
>>>
>>>
>>>
>>>
>>> Thanks for all the help guys, I managed to find the correct way to call kinit for Java on windows :-
>>>
>>> I get the following :-
>>>
>>> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pass
>>>>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
>>> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Kinit using keytab
>>>>>> Kinit keytab file name: c:\keytab\tomcat.keytab
>>> Java config name: null
>>> LSA: Found Ticket
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found PrincipalName
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found DerValue
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found EncryptionKey
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found TicketFlags
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found KerberosTime
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found String
>>> LSA: Made NewWeakGlobalRef
>>> LSA: Found DerValue constructor
>>> LSA: Found Ticket constructor
>>> LSA: Found PrincipalName constructor
>>> LSA: Found EncryptionKey constructor
>>> LSA: Found TicketFlags constructor
>>> LSA: Found KerberosTime constructor
>>> LSA: Finished OnLoad processing
>>> Native config name: C:\Windows\krb5.ini
>>> Loaded from native config
>>>>>> Kinit realm name is KERBTEST.LOCAL
>>>>>> Creating KrbAsReq
>>>>>> KrbKdcReq local addresses for win-tc01 are:
>>>
>>> win-tc01/192.168.0.3
>>> IPv4 address
>>>
>>> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
>>> IPv6 address
>>>>>> KdcAccessibility: reset
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 70; type: 1
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 70; type: 3
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 78; type: 23
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 94; type: 18
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 78; type: 17
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
>>> retries =3, &bytes=216
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
>>> =1, &bytes=216
>>>>>> KrbKdcReq send: &bytes read=213
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
>>> ocal, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 2
>>> PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 15
>>>
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>KRBError:
>>> sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
>>> suSec is 382562
>>> error code is 25
>>> error Message is Additional pre-authentication required
>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>> eData provided.
>>> msgType is 30
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
>>> ocal, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 2
>>> PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 15
>>>
>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
>>> retries =3, &bytes=305
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
>>> =1, &bytes=305
>>>>>> KrbKdcReq send: &bytes read=180
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
>>> ocal, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>KRBError:
>>> sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
>>> suSec is 600802
>>> error code is 24
>>> error Message is Pre-authentication information was invalid
>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>> eData provided.
>>> msgType is 30
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
>>> ocal, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>> Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
>>> KrbException: Pre-authentication information was invalid (24)
>>> at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
>>> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
>>> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
>>> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
>>> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>>> at sun.security.krb5.internal.ASRep.init(Unknown Source)
>>> at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
>>> ... 5 more
>>>
>>>
>>>
>>>> Date: Wed, 25 Mar 2015 22:00:13 +0100
>>>> From: aw@ice-sa.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> Felix Schumacher wrote:
>>>>> On 25.03.2015 at 20:19, André Warnier wrote:
>>>>>> David Marsh wrote:
>>>>>>> Java's version of kinit seems to report an issue?
>>>>>>>
>>>>>>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>>>>>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
>>>>>>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>>>>>>> at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>>>>> at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>>>>> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>>>>> at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>>>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>>>>>
>>>>>> That seems to indicate that between the Java Kerberos module in
>>>>>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the
>>>>>> types of keys used (type of encryption), so they do not understand
>>>>>> each other.
>>>>>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>>>>>
>>>>>> It is also a bit strange that it says :
>>>>>> only have keys of following type:
>>>>>> (with nothing behind the :.. )
>>>>>>
>>>>>> From what I keep browsing on the WWW, it also seems that the types of
>>>>>> key encryptions that might match between Java Kerberos and Windows
>>>>>> Kerberos, depend on the versions of both Java and Windows Server..
>>>>>>
>>>>> +1 (read your answer too late, I found the same link and posted it :)
>>>>>> Man, this thing is really a nightmare, isn't it ?
>>>>> I especially like the error messages.
>>>>>
>>>>
>>>> Yes, and the thing is : there are a lot of pages on the www that describe the "correct"
>>>> procedure, step by step, some even with screenshots etc..
>>>> But they always leave something out, and you don't know what they left out..
>>>>
>>>>
>>>>> Felix
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> ----------------------------------------
>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>>>>>>
>>>>>>>> It's possible I guess, although I would not expect that.
>>>>>>>>
>>>>>>>> The test is :-
>>>>>>>>
>>>>>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>>>>>>
>>>>>>>> Firefox is not configured to use a proxy, it's all in VMware
>>>>>>>> Workstation 10 using the Vmnet01 virtual network.
>>>>>>>>
>>>>>>>> Firefox has three 401 responses with headers "Authorization" and
>>>>>>>> "WWW-Authenticate" :-
>>>>>>>>
>>>>>>>> 1 :- Response WWW-Authenticate: "Negotiate"
>>>>>>>>
>>>>>>>> 2 :- Request Authorization: "Negotiate
>>>>>>>>
>>>>>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>>>>>>
>>>>>>>> 3 :- Request Authorization: "Negotiate
>>>>>>>>
>>>>>>>> Response WWW-Authenticate: "Negotiate"
>>>>>>>>
>>>>>>>> I'm not sure how long they should be, but they all end in "=" so I expect they are not truncated?
>>>>>>>>
>>>>>>>> ----------------------------------------
>>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 25 March 2015 17:25:25 CET, David Marsh wrote:
>>>>>>>>>> This is how the keytab was created :-
>>>>>>>>>>
>>>>>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>>>>>>>> tc01@KERBTEST.LOCAL /princ
>>>>>>>>>> HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>>>>> /pass tc01pass
>>>>>>>>>>
>>>>>>>>>> The password is the correct password for the user tc01 associated
>>>>>>>>>> with
>>>>>>>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>>>>>
>>>>>>>>>> I managed to turn on some more logging around JAAS, see the error
>>>>>>>>>> :- java.security.PrivilegedActionException: GSSException: Defective
>>>>>>>>>> token detected
>>>>>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in
>>>>>>>>> between?
>>>>>>>>> Could the header be truncated?
>>>>>>>>>
>>>>>>>>> Felix
>>>>>>>>>> 25-Mar-2015 15:46:22.131 INFO [main]
>>>>>>>>>> org.apache.catalina.core.StandardService.startInternal Starting
>>>>>>>>>> service Catalina
>>>>>>>>>> 25-Mar-2015 15:46:22.133 INFO [main]
>>>>>>>>>> org.apache.catalina.core.StandardEngine.startInternal Starting
>>>>>>>>>> Servlet Engine: Apache Tomcat/8.0.20
>>>>>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1]
>>>>>>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>>>>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>>>>>>>> Software Foundation\Tomcat 8.0\
>>>>>>>>>> webapps\docs
>>>>>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1]
>>>>>>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>>>>>>> irectory Deployment of web application directory C:\Program
>>>>>>>>>> Files\Apache Software Foundation\Tomcat
>>>>>>>>>> 8.0\webapps\docs has finished in 380 ms
>>>>>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1]
>>>>>>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>>>>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>>>>>>>> Software Foundation\Tomcat 8.0\
>>>>>>>>>> webapps\manager
>>>>>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1]
>>>>>>>>>> org.apache.catalina.authenticator.Authenticato
>>>>>>>>>> rBase.startInternal No SingleSignOn Valve is present
>>>>>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1]
>>>>>>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>>>>>>> irectory Deployment of web application directory C:\Program
>>>>>>>>>> Files\Apache Software Foundation\Tomcat
>>>>>>>>>> 8.0\webapps\manager has finished in 93 ms
>>>>>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1]
>>>>>>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>>>>>>> irectory Deploying web application directory C:\Program Files\Apache
>>>>>>>>>> Software Foundation\Tomcat 8.0\
>>>>>>>>>> webapps\ROOT
>>>>>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1]
>>>>>>>>>> org.apache.catalina.startup.HostConfig.deployD
>>>>>>>>>> irectory Deployment of web application directory C:\Program
>>>>>>>>>> Files\Apache Software Foundation\Tomcat
>>>>>>>>>> 8.0\webapps\ROOT has finished in 59 ms
>>>>>>>>>> 25-Mar-2015 15:46:22.797 INFO [main]
>>>>>>>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>>>>>>>> er ["http-nio-80"]
>>>>>>>>>> 25-Mar-2015 15:46:22.806 INFO [main]
>>>>>>>>>> org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>>>>>>>>> er ["ajp-nio-8009"]
>>>>>>>>>> 25-Mar-2015 15:46:22.808 INFO [main]
>>>>>>>>>> org.apache.catalina.startup.Catalina.start Server startup in 72
>>>>>>>>>> 1 ms
>>>>>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Security checking request GET /manager/html
>>>>>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>>>>>>>> against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>>>>>>>> interface]' against GET /html --> fal
>>>>>>>>>> se
>>>>>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>>>>>>>> interface (for scripts)]' against
>>>>>>>>>> GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>>>>>>>> interface (for humans)]' against G
>>>>>>>>>> ET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>>>>>>>> against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>>>>>>>> interface]' against GET /html --> fal
>>>>>>>>>> se
>>>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>>>>>>>> interface (for scripts)]' against
>>>>>>>>>> GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>>>>>>>> interface (for humans)]' against G
>>>>>>>>>> ET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Calling hasUserDataPermission()
>>>>>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>>>>>>>> rmission User data constraint has no restrictions
>>>>>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Calling authenticate()
>>>>>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthentic
>>>>>>>>>> ator.authenticate No authorization header sent by client
>>>>>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Failed authenticate() test
>>>>>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Security checking request GET /manager/html
>>>>>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>>>>>>>> against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>>>>>>>> interface]' against GET /html --> fal
>>>>>>>>>> se
>>>>>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>>>>>>>> interface (for scripts)]' against
>>>>>>>>>> GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>>>>>>>> interface (for humans)]' against G
>>>>>>>>>> ET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>>>>>>>> against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>>>>>>>> interface]' against GET /html --> fal
>>>>>>>>>> se
>>>>>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>>>>>>>> interface (for scripts)]' against
>>>>>>>>>> GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>>>>>>>> interface (for humans)]' against G
>>>>>>>>>> ET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Calling hasUserDataPermission()
>>>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>>>>>>>> rmission User data constraint has no restrictions
>>>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Calling authenticate()
>>>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>>>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>>>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>>>>>>>> KeyTab: load() entry length: 78; type: 23
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>>>>>>>>> 8.0\conf\krb5.ini
>>>>>>>>>> Loaded from Java config
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>>>>> KdcAccessibility: reset
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>>>>>>>> number of retries =3, &bytes=
>>>>>>>>>> 164
>>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>>>>>>>> timeout=30000,Attempt =1, &bytes=164
>>>>>>>>>>>>> KrbKdcReq send: &bytes read=185
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 11
>>>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 19
>>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 2
>>>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 16
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 15
>>>>>>>>>>
>>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>>>>>> KRBError:
>>>>>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>>>>>>>> suSec is 701709
>>>>>>>>>> error code is 25
>>>>>>>>>> error Message is Additional pre-authentication required
>>>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>>>>> eData provided.
>>>>>>>>>> msgType is 30
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 11
>>>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 19
>>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 2
>>>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 16
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 15
>>>>>>>>>>
>>>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>>>>>>>> number of retries =3, &bytes=
>>>>>>>>>> 247
>>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>>>>>>>> timeout=30000,Attempt =1, &bytes=247
>>>>>>>>>>>>> KrbKdcReq send: &bytes read=100
>>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>>>>>>>>> number of retries =3, &bytes=
>>>>>>>>>> 247
>>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>>>>>>>>> timeout=30000,Attempt =1, &bytes=247
>>>>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>>>>>> KrbKdcReq send: &bytes read=1475
>>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Will use keytab
>>>>>>>>>> Commit Succeeded
>>>>>>>>>>
>>>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<>,
>>>>>>>>>> sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<>,
>>>>>>>>>> sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>>>>>>>>> krbtgt/KERBTEST.LOCAL@KERBTEST
>>>>>>>>>> .LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Failed authenticate() test
>>>>>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Security checking request GET /manager/html
>>>>>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>>>>>>>> against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>>>>>>>> interface]' against GET /html --> fal
>>>>>>>>>> se
>>>>>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>>>>>>>> interface (for scripts)]' against
>>>>>>>>>> GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>>>>>>>> interface (for humans)]' against G
>>>>>>>>>> ET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>>>>>>>> against GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>>>>>>>> interface]' against GET /html --> fal
>>>>>>>>>> se
>>>>>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>>>>>>>> interface (for scripts)]' against
>>>>>>>>>> GET /html --> false
>>>>>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.findSecurityC
>>>>>>>>>> onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>>>>>>>> interface (for humans)]' against G
>>>>>>>>>> ET /html --> true
>>>>>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Calling hasUserDataPermission()
>>>>>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>>>>>>>> rmission User data constraint has no restrictions
>>>>>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Calling authenticate()
>>>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>>>>>>>> number of retries =3, &bytes=
>>>>>>>>>> 164
>>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>>>>>>>> timeout=30000,Attempt =1, &bytes=164
>>>>>>>>>>>>> KrbKdcReq send: &bytes read=185
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 11
>>>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 19
>>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 2
>>>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 16
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 15
>>>>>>>>>>
>>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>>>>>> KRBError:
>>>>>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>>>>>>>> suSec is 935731
>>>>>>>>>> error code is 25
>>>>>>>>>> error Message is Additional pre-authentication required
>>>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>>>>> eData provided.
>>>>>>>>>> msgType is 30
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 11
>>>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 19
>>>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 2
>>>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 16
>>>>>>>>>>
>>>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>>>> PA-DATA type = 15
>>>>>>>>>>
>>>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>>>>>>>> number of retries =3, &bytes=
>>>>>>>>>> 247
>>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>>>>>>>> timeout=30000,Attempt =1, &bytes=247
>>>>>>>>>>>>> KrbKdcReq send: &bytes read=100
>>>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>>>>>>>>> number of retries =3, &bytes=
>>>>>>>>>> 247
>>>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>>>>>>>>> timeout=30000,Attempt =1, &bytes=247
>>>>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>>>>>> KrbKdcReq send: &bytes read=1475
>>>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Added key: 23version: 3
>>>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Will use keytab
>>>>>>>>>> Commit Succeeded
>>>>>>>>>>
>>>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<>,
>>>>>>>>>> sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<>,
>>>>>>>>>> sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>>>>>>>>> krbtgt/KERBTEST.LOCAL@KERBTEST
>>>>>>>>>> .LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>>>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthentic
>>>>>>>>>> ator.authenticate Unable to login as the service principal
>>>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective
>>>>>>>>>> token
>>>>>>>>>> detected (Mechanism level: G
>>>>>>>>>> SSHeader did not find the right tag)
>>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
>>>>>>>>>>
>>>>>>>>>> va:243)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108
>>>>>>>>>>
>>>>>>>>>> 6)
>>>>>>>>>> at
>>>>>>>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
>>>>>>>>>>
>>>>>>>>>> a:659)
>>>>>>>>>> at
>>>>>>>>>> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto
>>>>>>>>>>
>>>>>>>>>> col.java:223)
>>>>>>>>>> at
>>>>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>>>>
>>>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>> Caused by: GSSException: Defective token detected (Mechanism level:
>>>>>>>>>> GSSHeader did not find the right
>>>>>>>>>> tag)
>>>>>>>>>> at sun.security.jgss.GSSHeader.(GSSHeader.java:97)
>>>>>>>>>> at
>>>>>>>>>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>>>>>>>>
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>>>>>>>>>>
>>>>>>>>>> r.java:336)
>>>>>>>>>> at
>>>>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>>>>>>>>>>
>>>>>>>>>> r.java:323)
>>>>>>>>>> ... 18 more
>>>>>>>>>>
>>>>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3]
>>>>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
>>>>>>>>>> se.invoke Failed authenticate() test
>>>>>>>>>>
>>>>>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> Am 25.03.2015 16:09, schrieb David Marsh:
>>>>>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>>>>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>>>>>>>>
>>>>>>>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>>>>>>
>>>>>>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>>>>>>
>>>>>>>>>>>> Cached Tickets: (2)
>>>>>>>>>>>>
>>>>>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial
>>>>>>>>>>>> pre_authent nam
>>>>>>>>>>>> e_canonicalize
>>>>>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>>>
>>>>>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
>>>>>>>>>>>> name_canoni
>>>>>>>>>>>> calize
>>>>>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>>>> Cache Flags: 0
>>>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>>>
>>>>>>>>>>>> Looks like I was granted a ticket for the SPN
>>>>>>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>>>>>>
>>>>>>>>>>>> If I have ticket why do I get 401 ?
>>>>>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>>>>>>>> by firefox for authentication. Firefox transmits this service ticket
>>>>>>>>>>> to the server (as base64 encoded in the WWW-Authenticate header).
>>>>>>>>>>>
>>>>>>>>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>>>>>>>>> the user information. This is where your problems arise.
>>>>>>>>>>> It looks like your server has trouble getting its own ticket.
>>>>>>>>>>>
>>>>>>>>>>> Are you sure, that the password you used for keytab generation (on the
>>>>>>>>>>> server side), is correct? ktpass will probably accept any input as a
>>>>>>>>>>> password. Maybe you can check the keytab by using kinit (though I don't
>>>>>>>>>>> know, if it exists for windows, or how the java one is used).
>>>>>>>>>>>
>>>>>>>>>>> Felix
>>>>>>>>>>>
>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>>>>>>> From: markt@apache.org
>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>>>>>>> Hi Felix,
>>>>>>>>>>>>>> Thanks for your help!
>>>>>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>>>>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>>>>>>>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>>>>>>>>>>> windows service ?
>>>>>>>>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>>>>>>>>> not as I can't see the site and get 401 http status.
>>>>>>>>>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>>>>>>>>>> manager-gui group in Active Directory.
>>>>>>>>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>>>>>>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>>>>>>>>>>> will handle those. It might be fine. It might not be.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mark
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> David
>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>>>>>>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>>>>>>>>>>>>>>> Sorry that's :-
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>>>>>>>> Is it working with this configuration, or just to point out, that
>>>>>>>>>>>>>>>>> you copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Felix
>>>>>>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain
>>>>>>>>>>>>>>>>>>> logins.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>>>>>>>>>> Directory.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>>>>>>>>>> times.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>>
> 
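The "GSSHeader did not find the right tag" exception quoted above is what Java's GSS-API acceptor raises when the first byte of the token taken from the Authorization: Negotiate header is not the ASN.1 APPLICATION 0 tag (0x60) that every GSS-API initial context token starts with (RFC 2743, section 3.1). Before looking at the keytab, the first thing to establish is what the browser actually sent. The following is an added diagnostic, not code from the thread or from Tomcat: it classifies a header value as a GSS token (and reports which mechanism OID it names), an NTLM message, or something unusable. The sample header values are constructed, not captured from the thread.

```python
"""Classify the token carried in an ``Authorization: Negotiate`` header value.

Added diagnostic, not code from the thread or from Tomcat.  A GSS-API
InitialContextToken is 0x60 <len> 0x06 <oidlen> <mech OID> <inner token>;
Java rejects anything that does not start with 0x60 as "Defective token
detected (Mechanism level: GSSHeader did not find the right tag)".
"""
import base64
import binascii

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
MECH_NAMES = {OID_SPNEGO: "spnego", OID_KRB5: "kerberos", OID_MS_KRB5: "ms-kerberos"}


def _decode_oid(raw: bytes) -> str:
    """Dotted form of DER OID contents (tag and length already stripped)."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def _read_length(buf: bytes, pos: int):
    """DER length at buf[pos]; returns (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value: str) -> dict:
    """Describe what a client sent in an Authorization header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    if not b64.strip():
        return {"kind": "empty"}          # bare "Negotiate", no token at all
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "bad-base64"}
    if token.startswith(b"NTLMSSP\x00"):
        # NTLM message (type 1 = NEGOTIATE, 3 = AUTHENTICATE).  Not a GSS token,
        # so the Java acceptor fails on the first byte ('N' is not 0x60).
        return {"kind": "ntlm", "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    if not token or token[0] != 0x60:
        return {"kind": "unknown", "first_byte": token[0] if token else None}
    try:
        _, pos = _read_length(token, 1)
        if token[pos] != 0x06:
            return {"kind": "malformed-gss"}
        oid_len, pos = _read_length(token, pos + 1)
        oid = _decode_oid(token[pos:pos + oid_len])
    except IndexError:
        return {"kind": "malformed-gss"}
    return {"kind": "gss", "mech": MECH_NAMES.get(oid, "other"), "oid": oid}


def _gss_token(oid_der: bytes, inner: bytes) -> bytes:
    """Frame inner under a GSS InitialContextToken header (short-form lengths)."""
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    return b"\x60" + bytes([len(body)]) + body


# Constructed sample header values (not captured from the thread); the inner
# bytes are placeholders, enough for classification but not real tickets.
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    _gss_token(bytes.fromhex("2b0601050502"), b"\xa0\x03\x0a\x01\x00")).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(
    _gss_token(bytes.fromhex("2a864886f712010202"), b"\x01\x00")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)).decode()
SAMPLE_BAD_GSS = "Negotiate " + base64.b64encode(b"\x60\x02\x04\x00").decode()

if __name__ == "__main__":
    for name, value in (("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5),
                        ("ntlm", SAMPLE_NTLM), ("bad", SAMPLE_BAD_GSS)):
        print(name, classify_negotiate_token(value))
```

Run it against the value of the Authorization header captured in the browser's network tab for one of the 401 round trips. An `ntlm` result means the browser never did Kerberos for this SPN (no service ticket, or the site is not trusted for Negotiate), and no server-side keytab change will make the Java acceptor accept that message; a `gss` result with the exception still present points at the acceptor side, which is where Felix's keytab and password questions apply.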
 		 	   		  

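Felix suggests checking the keytab with kinit, and the Java kinit output in this thread prints one "KeyTab: load() entry length: N; type: T" line per keytab entry, "Added key: Tversion: V" for each key it can use, and "unsupported keytype" for the DES entries. The following added example (not code from the thread or from Tomcat) reads the same MIT keytab structure directly, so the principal, enctypes and kvno stored in a keytab can be compared with the service account's key version without starting Tomcat. The keytab it parses is constructed in build_sample_keytab() with the principal and enctype order seen in the thread and filler key bytes; the entry lengths it reports (70, 70, 78, 94, 78) are the lengths the thread's kinit printed for the same enctypes.

```python
"""Parse a Kerberos keytab (MIT version 0x0502 layout) and list its entries.

Added diagnostic, not code from the thread or from Tomcat.  Entry layout:
  int32 size | uint16 ncomponents | counted realm | counted component...
  | uint32 name_type | uint32 timestamp | uint8 vno8
  | uint16 enctype | uint16 keylen | key | [uint32 vno32]
Counted strings are uint16 length + bytes; all integers are big-endian.
"""
import struct

# Enctype numbers as they appear in the thread's kinit output.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KEY_LENGTHS = {1: 8, 3: 8, 17: 16, 18: 32, 23: 16}
# The thread's Java kinit reported these two as "unsupported keytype".
JAVA_UNSUPPORTED = {1, 3}


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def _entry(realm, components, kvno, enctype, key, timestamp) -> bytes:
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    # name type 1 = KRB5_NT_PRINCIPAL; vno8 keeps only the low byte of the kvno
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    if kvno > 255:
        body += struct.pack(">I", kvno)  # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def build_sample_keytab(kvno: int = 15) -> bytes:
    """Constructed keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL in the
    enctype order the thread's kinit printed (1, 3, 23, 18, 17).  Key bytes are
    filler, not real keys."""
    realm, comps = "KERBTEST.LOCAL", ["HTTP", "win-tc01.kerbtest.local"]
    out = b"\x05\x02"
    for et in (1, 3, 23, 18, 17):
        out += _entry(realm, comps, kvno, et, bytes([et]) * KEY_LENGTHS[et], 1427328628)
    return out


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, p = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[p:p + 9])
        enctype, klen = struct.unpack(">HH", data[p + 9:p + 13])
        p += 13 + klen
        kvno = vno8
        if end - p >= 4:  # 32-bit kvno trailer present; it overrides vno8
            (vno32,) = struct.unpack(">I", data[p:p + 4])
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "etype-%d" % enctype),
            "kvno": kvno,
            "entry_length": size,
            "java_supported": enctype not in JAVA_UNSUPPORTED,
        })
        pos = end
    return entries


def kvno_mismatches(entries: list, expected_kvno: int) -> list:
    """Entries whose kvno differs from the key version the KDC currently uses
    for the account (msDS-KeyVersionNumber of the service account in AD)."""
    return [e for e in entries if e["kvno"] != expected_kvno]


if __name__ == "__main__":
    for e in parse_keytab(build_sample_keytab()):
        print("entry length: %d; type: %d (%s) kvno %d%s" % (
            e["entry_length"], e["enctype"], e["enctype_name"], e["kvno"],
            "" if e["java_supported"] else "  <- unsupported by Java kinit"))
```

To use it on a real file, pass `open(path, "rb").read()` to `parse_keytab()`. The thread's logs show the same SPN with "version: 3", "version: 5" and "version: 15" in different runs; every password reset of the service account raises its key version in AD, so a keytab that predates a reset (or was written with an explicit /kvno that does not match) holds keys the KDC no longer issues tickets under, which is one of the things `kvno_mismatches()` is meant to surface.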
RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
With the correct keytab and krb5.ini I can get kinit to pass...
Still cannot get SPNEGO in tomcat to work, have the same 401 three times.
C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Kinit using keytab
>>> Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: c:\windows\krb5.ini
Loaded from Java config
>>> Kinit realm name is KERBTEST.LOCAL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for win-tc01 are:
        win-tc01/192.168.0.3
IPv4 address
        win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
IPv6 address
        win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
IPv6 address
        win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 1
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 3
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 94; type: 18
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=272
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=272
>>> KrbKdcReq send: #bytes read=213
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Thu Mar 26 00:10:28 GMT 2015 1427328628000
         suSec is 635591
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=359
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=359
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=359
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=359
>>>DEBUG: TCPClient reading 1653 bytes
>>> KrbKdcReq send: #bytes read=1653
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
New ticket is stored in cache file C:\Users\tc01.KERBTEST\krb5cc_tc01
> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 22:26:22 +0000
> 
> Turns out to use the Java kinit I need a krb5.conf inside the jdk/jre lib/security folder.
> 
> Now I get :-
> 
> 
> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit
> k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>> Kinit using keytab
> >>> Kinit keytab file name: c:\keytab\tomcat.keytab
> Java config name: null
> LSA: Found Ticket
> LSA: Made NewWeakGlobalRef
> LSA: Found PrincipalName
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue
> LSA: Made NewWeakGlobalRef
> LSA: Found EncryptionKey
> LSA: Made NewWeakGlobalRef
> LSA: Found TicketFlags
> LSA: Made NewWeakGlobalRef
> LSA: Found KerberosTime
> LSA: Made NewWeakGlobalRef
> LSA: Found String
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue constructor
> LSA: Found Ticket constructor
> LSA: Found PrincipalName constructor
> LSA: Found EncryptionKey constructor
> LSA: Found TicketFlags constructor
> LSA: Found KerberosTime constructor
> LSA: Finished OnLoad processing
> Native config name: C:\Windows\krb5.ini
> Loaded from native config
> >>> Kinit realm name is KERBTEST.LOCAL
> >>> Creating KrbAsReq
> >>> KrbKdcReq local addresses for win-tc01 are:
> 
>         win-tc01/192.168.0.3
> IPv4 address
> 
>         win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> IPv6 address
> >>> KdcAccessibility: reset
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 1
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 70; type: 3
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 23
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 94; type: 18
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>> KeyTab: load() entry length: 78; type: 17
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=216
> >>> KrbKdcReq send: #bytes read=100
> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
>          sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
>          suSec is 681217
>          error code is 6
>          error Message is Client not found in Kerberos database
>          sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>          msgType is 30
> Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
> KrbException: Client not found in Kerberos database (6)
>         at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
>         at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
>         at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
>         at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
>         at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
> Caused by: KrbException: Identifier doesn't match expected value (906)
>         at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>         at sun.security.krb5.internal.ASRep.init(Unknown Source)
>         at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
>         ... 5 more
> 
> 
> ----------------------------------------
> > From: dmarsh26@outlook.com
> > To: users@tomcat.apache.org
> > Subject: RE: SPNEGO test configuration with Manager webapp
> > Date: Wed, 25 Mar 2015 21:19:30 +0000
> >
> >
> >
> >
> > Thanks for all the help guys, I managed to find the correct way to call kinit for Java on windows :-
> >
> > I get the following :-
> >
> > C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pass
> >>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> > Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>> Kinit using keytab
> >>>> Kinit keytab file name: c:\keytab\tomcat.keytab
> > Java config name: null
> > LSA: Found Ticket
> > LSA: Made NewWeakGlobalRef
> > LSA: Found PrincipalName
> > LSA: Made NewWeakGlobalRef
> > LSA: Found DerValue
> > LSA: Made NewWeakGlobalRef
> > LSA: Found EncryptionKey
> > LSA: Made NewWeakGlobalRef
> > LSA: Found TicketFlags
> > LSA: Made NewWeakGlobalRef
> > LSA: Found KerberosTime
> > LSA: Made NewWeakGlobalRef
> > LSA: Found String
> > LSA: Made NewWeakGlobalRef
> > LSA: Found DerValue constructor
> > LSA: Found Ticket constructor
> > LSA: Found PrincipalName constructor
> > LSA: Found EncryptionKey constructor
> > LSA: Found TicketFlags constructor
> > LSA: Found KerberosTime constructor
> > LSA: Finished OnLoad processing
> > Native config name: C:\Windows\krb5.ini
> > Loaded from native config
> >>>> Kinit realm name is KERBTEST.LOCAL
> >>>> Creating KrbAsReq
> >>>> KrbKdcReq local addresses for win-tc01 are:
> >
> > win-tc01/192.168.0.3
> > IPv4 address
> >
> > win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> > IPv6 address
> >>>> KdcAccessibility: reset
> >>>> KeyTabInputStream, readName(): kerbtest.local
> >>>> KeyTabInputStream, readName(): HTTP
> >>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>>> KeyTab: load() entry length: 70; type: 1
> >>>> KeyTabInputStream, readName(): kerbtest.local
> >>>> KeyTabInputStream, readName(): HTTP
> >>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>>> KeyTab: load() entry length: 70; type: 3
> >>>> KeyTabInputStream, readName(): kerbtest.local
> >>>> KeyTabInputStream, readName(): HTTP
> >>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>>> KeyTab: load() entry length: 78; type: 23
> >>>> KeyTabInputStream, readName(): kerbtest.local
> >>>> KeyTabInputStream, readName(): HTTP
> >>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>>> KeyTab: load() entry length: 94; type: 18
> >>>> KeyTabInputStream, readName(): kerbtest.local
> >>>> KeyTabInputStream, readName(): HTTP
> >>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>>> KeyTab: load() entry length: 78; type: 17
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > default etypes for default_tkt_enctypes: 23 18 17.
> >>>> KrbAsReq creating message
> >>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
> >>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=216
> >>>> KrbKdcReq send: #bytes read=213
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 2
> > PA-ENC-TIMESTAMP
> >>>>Pre-Authentication Data:
> > PA-DATA type = 16
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 15
> >
> >>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>KRBError:
> > sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
> > suSec is 382562
> > error code is 25
> > error Message is Additional pre-authentication required
> > sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> > eData provided.
> > msgType is 30
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 2
> > PA-ENC-TIMESTAMP
> >>>>Pre-Authentication Data:
> > PA-DATA type = 16
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 15
> >
> > KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> > default etypes for default_tkt_enctypes: 23 18 17.
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > default etypes for default_tkt_enctypes: 23 18 17.
> >>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>>> KrbAsReq creating message
> >>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=305
> >>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=305
> >>>> KrbKdcReq send: #bytes read=180
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> >>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>KRBError:
> > sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
> > suSec is 600802
> > error code is 24
> > error Message is Pre-authentication information was invalid
> > sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> > eData provided.
> > msgType is 30
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> > Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
> > KrbException: Pre-authentication information was invalid (24)
> > at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
> > at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
> > at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
> > at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
> > at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
> > Caused by: KrbException: Identifier doesn't match expected value (906)
> > at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> > at sun.security.krb5.internal.ASRep.init(Unknown Source)
> > at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
> > ... 5 more
> >
> >
> >
> >> Date: Wed, 25 Mar 2015 22:00:13 +0100
> >> From: aw@ice-sa.com
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> Felix Schumacher wrote:
> >>> On 25.03.2015 at 20:19, André Warnier wrote:
> >>>> David Marsh wrote:
> >>>>> Java's version of kinit seems to report an issue?
> >>>>>
> >>>>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
> >>>>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
> >>>>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
> >>>>> at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
> >>>>> at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
> >>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
> >>>>> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
> >>>>> at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
> >>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
> >>>>
> >>>> That seems to indicate that between the Java Kerberos module in
> >>>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the
> >>>> types of keys used (type of encryption), so they do not understand
> >>>> each other.
> >>>> This may be relevant : https://community.igniterealtime.org/thread/49913
> >>>>
> >>>> It is also a bit strange that it says :
> >>>> only have keys of following type:
> >>>> (with nothing behind the :.. )
> >>>>
> >>>> From what I keep browsing on the WWW, it also seems that the types of
> >>>> key encryptions that might match between Java Kerberos and Windows
> >>>> Kerberos, depend on the versions of both Java and Windows Server..
> >>>>
> >>> +1 (read your answer too late, I found the same link and posted it :)
> >>>> Man, this thing is really a nightmare, isn't it ?
> >>> I especially like the error messages.
> >>>
> >>
> >> Yes, and the thing is : there are a lot of pages on the www that describe the "correct"
> >> procedure, step by step, some even with screenshots etc..
> >> But they always leave something out, and you don't know what they left out..
> >>
> >>
> >>> Felix
> >>>>
> >>>>
> >>>>>
> >>>>> ----------------------------------------
> >>>>>> From: dmarsh26@outlook.com
> >>>>>> To: users@tomcat.apache.org
> >>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
> >>>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
> >>>>>>
> >>>>>> It's possible, I guess, although I would not expect that.
> >>>>>>
> >>>>>> The test is :-
> >>>>>>
> >>>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
> >>>>>>
> >>>>>> Firefox is not configured to use a proxy, it's all in VMware
> >>>>>> Workstation 10 using the Vmnet01 virtual network.
> >>>>>>
> >>>>>> Firefox has three 401 responses with headers "Authorization" and
> >>>>>> "WWW-Authenticate" :-
> >>>>>>
> >>>>>> 1 :- Response WWW-Authenticate: "Negotiate"
> >>>>>>
> >>>>>> 2 :- Request Authorization: "Negotiate
> >>>>>>
> >>>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
> >>>>>>
> >>>>>> 3 :- Request Authorization: "Negotiate
> >>>>>>
> >>>>>> Response WWW-Authenticate: "Negotiate"
> >>>>>>
> >>>>>> I'm not sure how long they should be, but they all end in "=" so I
> >>>>>> expect they are not truncated?
> >>>>>>
> >>>>>> ----------------------------------------
> >>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
> >>>>>>> From: felix.schumacher@internetallee.de
> >>>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
> >>>>>>> To: users@tomcat.apache.org
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On 25 March 2015 17:25:25 CET, David Marsh
> >>>>>>> <dm...@outlook.com> wrote:
> >>>>>>>> This is how the keytab was created :-
> >>>>>>>>
> >>>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
> >>>>>>>>
> >>>>>>>> The password is the correct password for the user tc01 associated
> >>>>>>>> with
> >>>>>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
> >>>>>>>>
> >>>>>>>> I managed to turn on some more logging around JAAS, see the error
> >>>>>>>> :- java.security.PrivilegedActionException: GSSException: Defective
> >>>>>>>> token detected
> >>>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in
> >>>>>>> between?
> >>>>>>> Could the header be truncated?
> >>>>>>>
> >>>>>>> Felix
> >>>>>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
> >>>>>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
> >>>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
> >>>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
> >>>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
> >>>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
> >>>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
> >>>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
> >>>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
> >>>>>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
> >>>>>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
> >>>>>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
> >>>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
> >>>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
> >>>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
> >>>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
> >>>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
> >>>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
> >>>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
> >>>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
> >>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
> >>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
> >>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> >>>>>>>>>>> KeyTabInputStream, readName(): kerbtest.local
> >>>>>>>>>>> KeyTabInputStream, readName(): HTTP
> >>>>>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
> >>>>>>>>>>> KeyTab: load() entry length: 78; type: 23
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
> >>>>>>>> Loaded from Java config
> >>>>>>>> Added key: 23version: 3
> >>>>>>>>>>> KdcAccessibility: reset
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
> >>>>>>>>>>> KrbKdcReq send: #bytes read=185
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>>>>>>>> KRBError:
> >>>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
> >>>>>>>> suSec is 701709
> >>>>>>>> error code is 25
> >>>>>>>> error Message is Additional pre-authentication required
> >>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> >>>>>>>> eData provided.
> >>>>>>>> msgType is 30
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> KrbKdcReq send: #bytes read=100
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
> >>>>>>>>>>> KrbKdcReq send: #bytes read=1475
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
> >>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Will use keytab
> >>>>>>>> Commit Succeeded
> >>>>>>>>
> >>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> >>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
> >>>>>>>> [Krb5LoginModule]: Entering logout
> >>>>>>>> [Krb5LoginModule]: logged out Subject
> >>>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
> >>>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
> >>>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> >>>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> >>>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
> >>>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
> >>>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
> >>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
> >>>>>>>>>>> KrbKdcReq send: #bytes read=185
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>>>>>>>> KRBError:
> >>>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
> >>>>>>>> suSec is 935731
> >>>>>>>> error code is 25
> >>>>>>>> error Message is Additional pre-authentication required
> >>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> >>>>>>>> eData provided.
> >>>>>>>> msgType is 30
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 11
> >>>>>>>> PA-ETYPE-INFO etype = 23, salt =
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 19
> >>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 2
> >>>>>>>> PA-ENC-TIMESTAMP
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 16
> >>>>>>>>
> >>>>>>>>>>> Pre-Authentication Data:
> >>>>>>>> PA-DATA type = 15
> >>>>>>>>
> >>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsReq creating message
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> KrbKdcReq send: #bytes read=100
> >>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
> >>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
> >>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
> >>>>>>>>>>> KrbKdcReq send: #bytes read=1475
> >>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Added key: 23version: 3
> >>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
> >>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Will use keytab
> >>>>>>>> Commit Succeeded
> >>>>>>>>
> >>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
> >>>>>>>> sun.security.jgss.spnego.SpNegoCredElement)
> >>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
> >>>>>>>> sun.security.jgss.krb5.Krb5AcceptCredential)
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
> >>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for
> >>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> >>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
> >>>>>>>> krbtgt/KERBTEST.LOCAL@KERBTEST
> >>>>>>>> .LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
> >>>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3]
> >>>>>>>> org.apache.catalina.authenticator.SpnegoAuthentic
> >>>>>>>> ator.authenticate Unable to login as the service principal
> >>>>>>>> java.security.PrivilegedActionException: GSSException: Defective
> >>>>>>>> token
> >>>>>>>> detected (Mechanism level: G
> >>>>>>>> SSHeader did not find the right tag)
> >>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
> >>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
> >>>>>>>>
> >>>>>>>> va:243)
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108
> >>>>>>>>
> >>>>>>>> 6)
> >>>>>>>> at
> >>>>>>>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
> >>>>>>>>
> >>>>>>>> a:659)
> >>>>>>>> at
> >>>>>>>> org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto
> >>>>>>>>
> >>>>>>>> col.java:223)
> >>>>>>>> at
> >>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> >>>>>>>>
> >>>>>>>> at java.lang.Thread.run(Thread.java:745)
> >>>>>>>> Caused by: GSSException: Defective token detected (Mechanism level:
> >>>>>>>> GSSHeader did not find the right
> >>>>>>>> tag)
> >>>>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
> >>>>>>>> at
> >>>>>>>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
> >>>>>>>>
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
> >>>>>>>>
> >>>>>>>> r.java:336)
> >>>>>>>> at
> >>>>>>>> org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
> >>>>>>>>
> >>>>>>>> r.java:323)
> >>>>>>>> ... 18 more
> >>>>>>>>
> >>>>>>>> [Krb5LoginModule]: Entering logout
> >>>>>>>> [Krb5LoginModule]: logged out Subject
> >>>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3]
> >>>>>>>> org.apache.catalina.authenticator.AuthenticatorBa
> >>>>>>>> se.invoke Failed authenticate() test
> >>>>>>>>
> >>>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
> >>>>>>>>> From: felix.schumacher@internetallee.de
> >>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
> >>>>>>>>>
> >>>>>>>>> Am 25.03.2015 16:09, schrieb David Marsh:
> >>>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
> >>>>>>>>>> tc01@KERTEST.LOCAL, still same symptoms.
> >>>>>>>>>>
> >>>>>>>>>> Ran klist on client after firefox test and the three 401 responses.
> >>>>>>>> :-
> >>>>>>>>>> C:\Users\test.KERBTEST.000>klist
> >>>>>>>>>>
> >>>>>>>>>> Current LogonId is 0:0x2fd7a
> >>>>>>>>>>
> >>>>>>>>>> Cached Tickets: (2)
> >>>>>>>>>>
> >>>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
> >>>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
> >>>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
> >>>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial
> >>>>>>>>>> pre_authent nam
> >>>>>>>>>> e_canonicalize
> >>>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
> >>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
> >>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
> >>>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
> >>>>>>>>>> Cache Flags: 0x1 -> PRIMARY
> >>>>>>>>>> Kdc Called: 192.168.0.200
> >>>>>>>>>>
> >>>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
> >>>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
> >>>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> >>>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
> >>>>>>>>>> name_canoni
> >>>>>>>>>> calize
> >>>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
> >>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
> >>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
> >>>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
> >>>>>>>>>> Cache Flags: 0
> >>>>>>>>>> Kdc Called: 192.168.0.200
> >>>>>>>>>>
> >>>>>>>>>> Looks like I was granted a ticket for the SPN
> >>>>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
> >>>>>>>>>>
> >>>>>>>>>> If I have ticket why do I get 401 ?
> >>>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is
> >>>>>>>> used
> >>>>>>>>> by firefox for authentication. Firefox transmits
> >>>>>>>>> this service ticket to the server (as base64 encoded in the
> >>>>>>>>> WWW-Authenticate header).
> >>>>>>>>>
> >>>>>>>>> Your server has to decrypt this ticket using its own ticket to
> >>>>>>>>> get at
> >>>>>>>>> the user information. This is where your problems arise.
> >>>>>>>>> It looks like your server has trouble to get its own ticket.
> >>>>>>>>>
> >>>>>>>>> Are you sure, that the password you used for keytab generation (on
> >>>>>>>> the
> >>>>>>>>> server side), is correct? ktpass will probably accept
> >>>>>>>>> any input as a password. Maybe you can check the keytab by using
> >>>>>>>> kinit
> >>>>>>>>> (though I don't know, if it exists for windows, or how
> >>>>>>>>> the java one is used).
> >>>>>>>>>
> >>>>>>>>> Felix
> >>>>>>>>>
> >>>>>>>>>> ----------------------------------------
> >>>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
> >>>>>>>>>>> From: markt@apache.org
> >>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>
> >>>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
> >>>>>>>>>>>> Hi Felix,
> >>>>>>>>>>>> Thanks for your help!
> >>>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
> >>>>>>>>>>>> startup.bat and also added the same definitions to the Java
> >>>>>>>>>>>> parameters in Configure Tomcat tool. I definitely got more
> >>>>>>>> information
> >>>>>>>>>>>> when using startup.bat, not sure the settings get picked up by
> >>>>>>>>>>>> the
> >>>>>>>>>>>> windows service ?
> >>>>>>>>>>>> I do not think authentication completes, certainly authorization
> >>>>>>>> does
> >>>>>>>>>>>> not as I can't see the site and get 401 http status.
> >>>>>>>>>>>> I have not configured a tomcat realm but I have put the test user
> >>>>>>>> a
> >>>>>>>>>>>> manager-gui group in Active Directory.
> >>>>>>>>>>> I've only given your config a quick scan, but the thing that jumps
> >>>>>>>> out
> >>>>>>>>>>> at me is spaces in the some of the paths. I'm not sure how well
> >>>>>>>>>>> krb5.ini
> >>>>>>>>>>> will handle those. It might be fine. It might not be.
> >>>>>>>>>>>
> >>>>>>>>>>> Mark
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>> David
> >>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
> >>>>>>>>>>>>> From: felix.schumacher@internetallee.de
> >>>>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
> >>>>>>>>>>>>>> Everything is as described and still not working, except the
> >>>>>>>>>>>>>> jaas.conf is :-
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
> >>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>> doNotPrompt=true
> >>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>> useKeyTab=true
> >>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
> >>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>> storeKey=true;
> >>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
> >>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>> doNotPrompt=true
> >>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>> useKeyTab=true
> >>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
> >>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>> storeKey=true;
> >>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> In other words the principal is the tomcat server as it should
> >>>>>>>> be.
> >>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >>>>>>>>>>>>>>> From: felix.schumacher@internetallee.de
> >>>>>>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
> >>>>>>>>>>>>>>>> Sorry that's :-
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
> >>>>>>>>>>>>>>> Is it working with this configuration, or just to point out,
> >>>>>>>> that
> >>>>>>>>>>>>>>> you
> >>>>>>>>>>>>>>> copied the wrong jaas.conf for the mail?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Felix
> >>>>>>>>>>>>>>>> ----------------------------------------
> >>>>>>>>>>>>>>>>> From: dmarsh26@outlook.com
> >>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
> >>>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
> >>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat
> >>>>>>>> 8.
> >>>>>>>>>>>>>>>>> I've created three Windows VMs :-
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
> >>>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
> >>>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
> >>>>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain
> >>>>>>>>>>>>>>>>> logins.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> jaas.conf
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
> >>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>>>>> doNotPrompt=true
> >>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>>>> useKeyTab=true
> >>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
> >>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>>>>> storeKey=true;
> >>>>>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
> >>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>>>>>>>>>>>>>>> doNotPrompt=true
> >>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>>>>>>>>>>>>>>> useKeyTab=true
> >>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
> >>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
> >>>>>>>>>>>>>>>>> storeKey=true;
> >>>>>>>>>>>>>>>>> };
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> krb5.ini
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> [libdefaults]
> >>>>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
> >>>>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
> >>>>>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
> >>>>>>>>>>>>>>>>> default_tkt_enctypes =
> >>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>>>>>>>>>>>>>>> default_tgs_enctypes =
> >>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>>>>>>>>>>>>>>> forwardable=true
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> [realms]
> >>>>>>>>>>>>>>>>> KERBTEST.LOCAL = {
> >>>>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
> >>>>>>>>>>>>>>>>> }
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with
> >>>>>>>> Active
> >>>>>>>>>>>>>>>>> Directory.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
> >>>>>>>>>>>>>>>>> instructions as possible.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Users were created as instructed.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Spn was created as instructed
> >>>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> keytab was created as instructed
> >>>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL
> >>>>>>>> /princ
> >>>>>>>>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass
> >>>>>>>> /kvno
> >>>>>>>>>>>>>>>>> 0
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after
> >>>>>>>> ensuring
> >>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
> >>>>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
> >>>>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
> >>>>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
> >>>>>>>>>>>>>>>>> tc01@kerbtest.local account.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
> >>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401
> >>>>>>>> three
> >>>>>>>>>>>>>>>>> times.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox
> >>>>>>>> shows
> >>>>>>>
> >>>>>>> ---------------------------------------------------------------------
> >>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org

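The Negotiate tokens that come up in this thread (the Authorization and WWW-Authenticate values seen in the browser's network tab, and the "Defective token ... GSSHeader did not find the right tag" failure) can be decoded offline. The Python below is an added example, not code from any of the posts or from Tomcat: it classifies a Negotiate header value as a SPNEGO NegTokenInit (listing the mechanisms offered), a NegTokenResp such as the server's `oRQwEqADCgEBoQsGCSqGSIb3EgECAg==` reply quoted later in the thread, a bare Kerberos token, or an NTLMSSP blob, and says whether a Kerberos-only acceptor like Java JGSS could make progress with it. The NegTokenInit and NTLM samples are constructed; the server reply is the one from the thread.

```python
"""Decode the base64 payload of an HTTP "Negotiate" header (SPNEGO, RFC 4178).

Added example for this thread (not code from any post or from Tomcat). Java's
JGSS, which Tomcat's SpnegoAuthenticator uses, implements only the Kerberos
mechanism, so a token that does not carry Kerberos can never be accepted by it.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def der_tlv(buf, pos=0):
    """Read one DER element at buf[pos] and return (tag, value, next_pos).
    Single-byte tags only, which is all that GSS-API/SPNEGO framing uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_oid(value):
    """Decode OID content bytes to dotted form, e.g. 2a 86 48 86 f7 12 01 02 02 -> 1.2.840.113554.1.2.2."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _mech_types(neg_token_init):
    """mechTypes from NegTokenInit ::= [0] SEQUENCE { [0] SEQUENCE OF MechType, ... }."""
    _, seq, _ = der_tlv(der_tlv(neg_token_init)[1])
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        if tag == 0xA0:                        # [0] mechTypes
            _, lst, _ = der_tlv(val)
            p = 0
            while p < len(lst):
                _, oid, p = der_tlv(lst, p)
                oids.append(der_oid(oid))
    return oids


def _neg_token_resp(body):
    """NegTokenResp ::= SEQUENCE { [0] negState, [1] supportedMech, [2] responseToken, [3] mechListMIC }."""
    _, seq, _ = der_tlv(body)
    info, pos = {"kind": "NegTokenResp"}, 0
    while pos < len(seq):
        tag, val, pos = der_tlv(seq, pos)
        inner = der_tlv(val)[1]                # strip the context-specific wrapper
        if tag == 0xA0:
            info["negState"] = NEG_STATES.get(inner[0], inner[0])
        elif tag == 0xA1:
            info["supportedMech"] = der_oid(inner)
    return info


def classify_negotiate_token(b64):
    """Classify the payload of an 'Authorization: Negotiate ...' or 'WWW-Authenticate: Negotiate ...' header."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):         # raw NTLM riding inside the Negotiate scheme
        return {"kind": "NTLM", "message_type": int.from_bytes(tok[8:12], "little")}
    tag, body, _ = der_tlv(tok)
    if tag == 0x60:                            # GSS-API InitialContextToken: mech OID, then mech token
        _, oid, nxt = der_tlv(body)
        mech = der_oid(oid)
        if mech == SPNEGO_OID:
            return {"kind": "NegTokenInit", "mechTypes": _mech_types(body[nxt:])}
        return {"kind": "InitialContextToken", "mech": mech}
    if tag == 0xA1:                            # NegTokenResp, from either side after the first round
        return _neg_token_resp(body)
    return {"kind": "unknown", "first_byte": tag}


def acceptable_by_kerberos_only_acceptor(info):
    """Could a Kerberos-only GSS acceptor such as Java JGSS make progress with this token?"""
    if info["kind"] == "NegTokenInit":
        return bool({KRB5_OID, MS_KRB5_OID} & set(info["mechTypes"]))
    if info["kind"] == "InitialContextToken":
        return info["mech"] in (KRB5_OID, MS_KRB5_OID)
    if info["kind"] == "NegTokenResp":
        return info.get("supportedMech", KRB5_OID) in (KRB5_OID, MS_KRB5_OID)
    return False


# SERVER_REPLY is the WWW-Authenticate value quoted in this thread; the other two
# samples are constructed here for illustration.
SERVER_REPLY = "oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
CLIENT_INIT = base64.b64encode(bytes.fromhex(
    "6027 0606 2b06 0105 0502 a01d 301b a019 3017"   # InitialContextToken, SPNEGO OID, NegTokenInit
    "0609 2a86 4886 f712 0102 02"                    # mechType: Kerberos V5
    "060a 2b06 0104 0182 3702 020a"                  # mechType: NTLMSSP
)).decode()
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(8)).decode()
```

Running `classify_negotiate_token(SERVER_REPLY)` on the thread's server reply yields negState accept-incomplete with supportedMech 1.2.840.113554.1.2.2 (Kerberos V5), i.e. the server had chosen Kerberos and was waiting for the next client round.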
RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Turns out to use the Java kinit I need a krb5.conf inside the jdk/jre lib/security folder.

Now I get :-


C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Kinit using keytab
>>> Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is KERBTEST.LOCAL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for win-tc01 are:

        win-tc01/192.168.0.3
IPv4 address

        win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 1
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 3
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 94; type: 18
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Mar 25 22:24:32 GMT 2015 1427322272000
         suSec is 681217
         error code is 6
         error Message is Client not found in Kerberos database
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         msgType is 30
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
        ... 5 more


----------------------------------------
> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 21:19:30 +0000
>
> Thanks for all the help guys, I managed to find the correct way to call kinit for Java on windows :-
>
> I get the following :-
>
> C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -
> k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pas
> s
>>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
> Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Kinit using keytab
>>>> Kinit keytab file name: c:\keytab\tomcat.keytab
> Java config name: null
> LSA: Found Ticket
> LSA: Made NewWeakGlobalRef
> LSA: Found PrincipalName
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue
> LSA: Made NewWeakGlobalRef
> LSA: Found EncryptionKey
> LSA: Made NewWeakGlobalRef
> LSA: Found TicketFlags
> LSA: Made NewWeakGlobalRef
> LSA: Found KerberosTime
> LSA: Made NewWeakGlobalRef
> LSA: Found String
> LSA: Made NewWeakGlobalRef
> LSA: Found DerValue constructor
> LSA: Found Ticket constructor
> LSA: Found PrincipalName constructor
> LSA: Found EncryptionKey constructor
> LSA: Found TicketFlags constructor
> LSA: Found KerberosTime constructor
> LSA: Finished OnLoad processing
> Native config name: C:\Windows\krb5.ini
> Loaded from native config
>>>> Kinit realm name is KERBTEST.LOCAL
>>>> Creating KrbAsReq
>>>> KrbKdcReq local addresses for win-tc01 are:
>
> win-tc01/192.168.0.3
> IPv4 address
>
> win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
> IPv6 address
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): kerbtest.local
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>> KeyTab: load() entry length: 70; type: 1
>>>> KeyTabInputStream, readName(): kerbtest.local
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>> KeyTab: load() entry length: 70; type: 3
>>>> KeyTabInputStream, readName(): kerbtest.local
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>> KeyTab: load() entry length: 78; type: 23
>>>> KeyTabInputStream, readName(): kerbtest.local
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>> KeyTab: load() entry length: 94; type: 18
>>>> KeyTabInputStream, readName(): kerbtest.local
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>> KeyTab: load() entry length: 78; type: 17
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
> retries =3, #bytes=216
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
> =1, #bytes=216
>>>> KrbKdcReq send: #bytes read=213
>>>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> ocal, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
> PA-DATA type = 16
>
>>>>Pre-Authentication Data:
> PA-DATA type = 15
>
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
> sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
> suSec is 382562
> error code is 25
> error Message is Additional pre-authentication required
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
>>>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> ocal, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
> PA-DATA type = 16
>
>>>>Pre-Authentication Data:
> PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
> retries =3, #bytes=305
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
> =1, #bytes=305
>>>> KrbKdcReq send: #bytes read=180
>>>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> ocal, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
> sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
> suSec is 600802
> error code is 24
> error Message is Pre-authentication information was invalid
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
>>>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> ocal, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-auth
> entication information was invalid
> KrbException: Pre-authentication information was invalid (24)
> at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
> ... 5 more
>
>> Date: Wed, 25 Mar 2015 22:00:13 +0100
>> From: aw@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Felix Schumacher wrote:
>>> Am 25.03.2015 um 20:19 schrieb André Warnier:
>>>> David Marsh wrote:
>>>>> Javas version of kinit seems to report issue ?
>>>>>
>>>>> C:\Program Files\Apache Software Foundation\Tomcat
>>>>> 8.0\conf>"C:\Program Files\Ja
>>>>> va\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>>>> Exception: krb_error 0 Do not have keys of types listed in
>>>>> default_tkt_enctypes
>>>>> available; only have keys of following type: No error
>>>>> KrbException: Do not have keys of types listed in
>>>>> default_tkt_enctypes available
>>>>> ; only have keys of following type:
>>>>> at
>>>>> sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>>> at
>>>>> sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>>> at
>>>>> sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>>> at
>>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>>> at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>>>
>>>> That seems to indicate that between the Java Kerberos module in
>>>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the
>>>> types of keys used (type of encryption), so they do not understand
>>>> each other.
>>>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>>>
>>>> It is also a bit strange that it says :
>>>> only have keys of following type:
>>>> (with nothing behind the :.. )
>>>>
>>>> From what I keep browsing on the WWW, it also seems that the types of
>>>> key encryptions that might match between Java Kerberos and Windows
>>>> Kerberos, depend on the versions of both Java and Windows Server..
>>>>
>>> +1 (read your answer too late, I found the same link and posted it :)
>>>> Man, this thing is really a nightmare, isn't it ?
>>> I especially like the error messages.
>>>
>>
>> Yes, and the thing is : there are a lot of pages on the www that describe the "correct"
>> procedure, step by step, some even with screenshots etc..
>> But they always leave something out, and you don't know what they left out..
>>
>>
>>> Felix
>>>>
>>>>
>>>>>
>>>>> ----------------------------------------
>>>>>> From: dmarsh26@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>>>>
>>>>>> It's possible, I guess, although I would not expect that.
>>>>>>
>>>>>> The test is :-
>>>>>>
>>>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>>>>
>>>>>> Firefox is not configured to use a proxy; it's all in VMware
>>>>>> Workstation 10 using the Vmnet01 virtual network.
>>>>>>
>>>>>> Firefox has three 401 responses with headers "Authorization" and
>>>>>> "WWW-Authenticate" :-
>>>>>>
>>>>>> 1 :- Response WWW-Authenticate: "Negotiate"
>>>>>>
>>>>>> 2 :- Request Authorization: "Negotiate
>>>>>>
>>>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>>>>
>>>>>> 3 :- Request Authorization: "Negotiate
>>>>>>
>>>>>> Response WWW-Authenticate: "Negotiate"
>>>>>>
>>>>>> I'm not sure how long they should be, but they all end in "=", so I
>>>>>> expect they are not truncated?
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>>>>> To: users@tomcat.apache.org
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 25 March 2015 17:25:25 CET, David Marsh
>>>>>>> <dm...@outlook.com> wrote:
>>>>>>>> This is how the keytab was created :-
>>>>>>>>
>>>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
>>>>>>>>
>>>>>>>> The password is the correct password for the user tc01 associated
>>>>>>>> with the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>>>
>>>>>>>> I managed to turn on some more logging around JAAS, see the error :-
>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected
>>>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in
>>>>>>> between?
>>>>>>> Could the header be truncated?
>>>>>>>
>>>>>>> Felix
>>>>>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>>>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>>>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>>>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>>>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>>>>>> KeyTab: load() entry length: 78; type: 23
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>>>>>>>> Loaded from Java config
>>>>>>>> Added key: 23version: 3
>>>>>>>>>>> KdcAccessibility: reset
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>>
>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>>>> KRBError:
>>>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>>>>>> suSec is 701709
>>>>>>>> error code is 25
>>>>>>>> error Message is Additional pre-authentication required
>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>>> eData provided.
>>>>>>>> msgType is 30
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>>
>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Will use keytab
>>>>>>>> Commit Succeeded
>>>>>>>>
>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>>
>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>>>> KRBError:
>>>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>>>>>> suSec is 935731
>>>>>>>> error code is 25
>>>>>>>> error Message is Additional pre-authentication required
>>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>>> eData provided.
>>>>>>>> msgType is 30
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 11
>>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 19
>>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 2
>>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 16
>>>>>>>>
>>>>>>>>>>> Pre-Authentication Data:
>>>>>>>> PA-DATA type = 15
>>>>>>>>
>>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Added key: 23version: 3
>>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Will use keytab
>>>>>>>> Commit Succeeded
>>>>>>>>
>>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>>>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>>>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>>>>>> ... 18 more
>>>>>>>>
>>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>>
>>>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>>>>>>
>>>>>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>>>>
>>>>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>>>>
>>>>>>>>>> Cached Tickets: (2)
>>>>>>>>>>
>>>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>
>>>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>>>>> Cache Flags: 0
>>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>>
>>>>>>>>>> Looks like I was granted a ticket for the SPN
>>>>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>>>>
>>>>>>>>>> If I have a ticket, why do I get 401 ?
>>>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is
>>>>>>>>> used by firefox for authentication. Firefox transmits
>>>>>>>>> this service ticket to the server (as base64 encoded in the
>>>>>>>>> WWW-Authenticate header).
>>>>>>>>>
>>>>>>>>> Your server has to decrypt this ticket using its own ticket to
>>>>>>>>> get at the user information. This is where your problems arise.
>>>>>>>>> It looks like your server has trouble getting its own ticket.
>>>>>>>>>
>>>>>>>>> Are you sure that the password you used for keytab generation (on
>>>>>>>>> the server side) is correct? ktpass will probably accept
>>>>>>>>> any input as a password. Maybe you can check the keytab by using
>>>>>>>>> kinit (though I don't know if it exists for Windows, or how
>>>>>>>>> the Java one is used).
>>>>>>>>>
>>>>>>>>> Felix
>>>>>>>>>
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>>>>> From: markt@apache.org
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>>>>> Hi Felix,
>>>>>>>>>>>> Thanks fort your help!
>>>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>>>>>> parameters in Configure Tomcat tool. I definitely got more
>>>>>>>>>>>> information when using startup.bat, not sure the settings get
>>>>>>>>>>>> picked up by the windows service ?
>>>>>>>>>>>> I do not think authentication completes, certainly authorization
>>>>>>>>>>>> does not as I can't see the site and get 401 http status.
>>>>>>>>>>>> I have not configured a tomcat realm but I have put the test user
>>>>>>>>>>>> in a manager-gui group in Active Directory.
>>>>>>>>>>> I've only given your config a quick scan, but the thing that jumps
>>>>>>>>>>> out at me is spaces in some of the paths. I'm not sure how well
>>>>>>>>>>> krb5.ini will handle those. It might be fine. It might not be.
>>>>>>>>>>>
>>>>>>>>>>> Mark
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> David
>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 24.03.2015 at 21:25 David Marsh wrote:
>>>>>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 24.03.2015 at 21:05 David Marsh wrote:
>>>>>>>>>>>>>>>> Sorry thats :-
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>>>>>> Is it working with this configuration, or just to point out,
>>>>>>>>>>>>>>> that you copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Felix
>>>>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain
>>>>>>>>>>>>>>>>> logins.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with
>>>>>>>>>>>>>>>>> Active Directory.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
>>>>>>>>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>>>>>>>> times.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
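The open question in the replies above is whether the keytab that ktpass wrote actually holds a key for the expected service principal, with an encryption type the Java client is configured to use (default_tkt_enctypes) and a single, current kvno; Felix suggests checking the keytab, and the later Java debug output in this thread ("Do not have keys of types listed in default_tkt_enctypes available", "Added key: 23version: 3", "KeyTab: load() entry length: 78; type: 23") is exactly that information read back from the file. The script below is an added example, not code from the thread's participants, from Tomcat or from the JDK: it parses a keytab in the MIT 0x0502 layout (the layout ktpass and the JDK use), lists the stored principal, kvno and enctype of every entry, and checks whether any entry is usable for a given principal under a given enctype list. The keytab it reads is constructed inline with dummy key material, so no real secret is involved; the entry sizes it produces (78 bytes for an rc4-hmac entry, 94 for aes256, 70 for DES) match the "entry length" figures in the thread's debug output, which is a quick way to confirm the layout is the one Java reads. The principal comparison is exact, so a realm stored in a different case than the one requested is reported as no usable key.

```python
"""Inspect a Kerberos keytab offline: list principal, kvno and enctype per entry
and check for a key usable under a given default_tkt_enctypes list.

Added example for this thread; not Tomcat or JDK code. The keytab bytes are
constructed here with dummy key material in the MIT keytab 0x0502 layout.
"""
import struct
from dataclasses import dataclass
from typing import List, Set

# Enctype numbers that appear in the thread's Java debug output.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1  # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    size: int        # on-disk entry length, as in Java's "entry length:" lines
    principal: str   # components joined by "/", then "@" plus the realm as stored
    kvno: int
    enctype: int
    key: bytes

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "unknown(%d)" % self.enctype)


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string (big-endian in keytab v2)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Entry layout (all big-endian): int32 size | uint16 ncomp | realm |
    ncomp x component | uint32 name_type | uint32 timestamp | uint8 vno8 |
    uint16 enctype | uint16 keylen | key | optional uint32 vno32."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key, off = data[off:off + klen], off + klen
        kvno = vno8
        if end - off >= 4:           # newer writers append a 32-bit kvno
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or kvno
        entries.append(KeytabEntry(size, "/".join(comps) + "@" + realm.decode(),
                                   kvno, etype, key))
        off = end
    return entries


def build_keytab(specs) -> bytes:
    """Encode (principal, kvno, enctype, key) tuples as a 0x0502 keytab; used
    only to construct the sample input (ktpass writes this same layout)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in specs:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def usable_keys(entries, principal: str, tkt_enctypes: Set[int]) -> List[KeytabEntry]:
    """Entries for `principal` whose enctype is in the client's default_tkt_enctypes.
    An empty result is the "Do not have keys of types listed in
    default_tkt_enctypes available" situation from the thread."""
    return [e for e in entries if e.principal == principal and e.enctype in tkt_enctypes]


def kvnos(entries, principal: str) -> Set[int]:
    """Distinct kvnos stored for a principal; more than one means keys from
    different ktpass runs are mixed in the file (the KDC honours only the current one)."""
    return {e.kvno for e in entries if e.principal == principal}


# Constructed sample: the thread's service principal with dummy keys.
SERVICE = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    (SERVICE, 3, 23, b"\x11" * 16),   # rc4-hmac, 16-byte key
    (SERVICE, 3, 18, b"\x22" * 32),   # aes256-cts-hmac-sha1-96, 32-byte key
    (SERVICE, 3, 1, b"\x33" * 8),     # des-cbc-crc, 8-byte key (Java reports it unsupported)
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%4d bytes  %-45s kvno=%d  etype=%2d (%s)"
              % (e.size, e.principal, e.kvno, e.enctype, e.enctype_name))
    ok = usable_keys(entries, SERVICE, {23, 18, 17})
    print("usable under default_tkt_enctypes 23,18,17:", [e.enctype_name for e in ok])
```

To run it against a real file, replace `SAMPLE_KEYTAB` with `open(path, "rb").read()` and pass the principal from jaas.conf and the enctype numbers from the `default_tkt_enctypes` line of krb5.ini (rc4-hmac is 23, aes256-cts-hmac-sha1-96 is 18, aes128-cts-hmac-sha1-96 is 17); no KDC contact is needed, so it separates "the file is wrong" from "the KDC rejects the key".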


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.


Thanks for all the help guys, I managed to find the correct way to call kinit for Java on windows :-

I get the following :-

C:\>java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tc01pass
>>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Kinit using keytab
>>> Kinit keytab file name: c:\keytab\tomcat.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is KERBTEST.LOCAL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for win-tc01 are:

        win-tc01/192.168.0.3
IPv4 address

        win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 1
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 70; type: 3
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 94; type: 18
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=213
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
         suSec is 382562
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=305
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=305
>>> KrbKdcReq send: #bytes read=180
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
         suSec is 600802
         error code is 24
         error Message is Pre-authentication information was invalid
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
        ... 5 more



> Date: Wed, 25 Mar 2015 22:00:13 +0100
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> Felix Schumacher wrote:
>> On 25.03.2015 at 20:19 André Warnier wrote:
>>> David Marsh wrote:
>>>> Javas version of kinit seems to report issue ?
>>>>
>>>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
>>>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>>>>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>>>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>>
>>> That seems to indicate that between the Java Kerberos module in 
>>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the 
>>> types of keys used (type of encryption), so they do not understand 
>>> each other.
>>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>>
>>> It is also a bit strange that it says :
>>> only have keys of following type:
>>> (with nothing behind the :.. )
>>>
>>> From what I keep browsing on the WWW, it also seems that the types of 
>>> key encryptions that might match between Java Kerberos and Windows 
>>> Kerberos, depend on the versions of both Java and Windows Server..
>>>
>> +1 (read your answer too late, I found the same link and posted it :)
>>> Man, this thing is really a nightmare, isn't it ?
>> I especially like the error messages.
>> 
> 
> Yes, and the thing is : there are a lot of pages on the www that describe the "correct" 
> procedure, step by step, some even with screenshots etc..
> But they always leave something out, and you don't know what they left out..
> 
> 
>> Felix
>>>
>>>
>>>>
>>>> ----------------------------------------
>>>>> From: dmarsh26@outlook.com
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>>>
>>>>> It's possible I guess, although I would not expect that.
>>>>>
>>>>> The test is :-
>>>>>
>>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>>>
>>>>> Firefox is not configured to use a proxy, it's all in Vmware 
>>>>> Workstation 10 using the Vmnet01 virtual network.
>>>>>
>>>>> Firefox has three 401 responses with headers "Authorization" and 
>>>>> "WWW-Authenticate" :-
>>>>>
>>>>> 1 :- Response WWW-Authenticate: "Negotiate"
>>>>>
>>>>> 2 :- Request Authorization: "Negotiate 
>>>>> 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 
>>>>>
>>> yCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJv04NvH3OA0+sXGdCWanthHZBM9DIq0AknWszbwm9z+7da/DThLEAnnozvO84tK/DD7fC/AnSWKXnqchILMdjPnZA5Bg3yjS4Y1rJFawc9fDNUmTCn4ILjjl6SSETMbJSFjzarv4wEfy5VU16DNBzWUxEJNH8PvsXTTfdzcwdsYnFwHGZbrcNxaJUtp3xpyoG/1EAgNk9i1UtewL1b
> HVkm 
>>>
>>> muJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4=" 
>>>
>>>>>
>>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>>>
>>>>> 3 :- Request Authorization: "Negotiate 
>>>>> 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 
>>>>>
>>> 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
> m+qh 
>>>
>>> PF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E=" 
>>>
>>>>>
>>>>> Response WWW-Authenticate: "Negotiate"
>>>>>
>>>>> I'm not sure how long they should be, but they all end "=" so expect 
>>>>> not truncated ?
>>>>>
>>>>> ----------------------------------------
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> From: felix.schumacher@internetallee.de
>>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>>>> To: users@tomcat.apache.org
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 25 March 2015 17:25:25 CET, David Marsh 
>>>>>> <dm...@outlook.com> wrote:
>>>>>>> This is how the keytab was created :-
>>>>>>>
>>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>>>>> tc01@KERBTEST.LOCAL /princ 
>>>>>>> HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>> /pass tc01pass
>>>>>>>
>>>>>>> The password is the correct password for the user tc01 associated 
>>>>>>> with
>>>>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>>
>>>>>>> I managed to turn on some more logging around JAAS, see the error
>>>>>>> :- java.security.PrivilegedActionException: GSSException: Defective
>>>>>>> token detected
>>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in 
>>>>>> between?
>>>>>> Could the header be truncated?
>>>>>>
>>>>>> Felix
>>>>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>>>>> KeyTab: load() entry length: 78; type: 23
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>>>>>> 8.0\conf\krb5.ini
>>>>>>> Loaded from Java config
>>>>>>> Added key: 23version: 3
>>>>>>>>>> KdcAccessibility: reset
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 11
>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 19
>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 2
>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 16
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 15
>>>>>>>
>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>>> KRBError:
>>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>>>>> suSec is 701709
>>>>>>> error code is 25
>>>>>>> error Message is Additional pre-authentication required
>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>> eData provided.
>>>>>>> msgType is 30
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 11
>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 19
>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 2
>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 16
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 15
>>>>>>>
>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Will use keytab
>>>>>>> Commit Succeeded
>>>>>>>
>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 11
>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 19
>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 2
>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 16
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 15
>>>>>>>
>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>>> KRBError:
>>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>>>>> suSec is 935731
>>>>>>> error code is 25
>>>>>>> error Message is Additional pre-authentication required
>>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>>> eData provided.
>>>>>>> msgType is 30
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 11
>>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 19
>>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 2
>>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 16
>>>>>>>
>>>>>>>>>> Pre-Authentication Data:
>>>>>>> PA-DATA type = 15
>>>>>>>
>>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>> KrbAsReq creating message
>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Added key: 23version: 3
>>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Will use keytab
>>>>>>> Commit Succeeded
>>>>>>>
>>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>>>>> ... 18 more
>>>>>>>
>>>>>>> [Krb5LoginModule]: Entering logout
>>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>>
>>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>>>>> tc01@KERBTEST.LOCAL, still same symptoms.
>>>>>>>>>
>>>>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>>>
>>>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>>>
>>>>>>>>> Cached Tickets: (2)
>>>>>>>>>
>>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>
>>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>>>> Cache Flags: 0
>>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>>
>>>>>>>>> Looks like I was granted a ticket for the SPN
>>>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>>>
>>>>>>>>> If I have ticket why do I get 401 ?
>>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>>>>> by firefox for authentication. Firefox transmits
>>>>>>>> this service ticket to the server (as base64 encoded in the
>>>>>>>> WWW-Authenticate header).
>>>>>>>>
>>>>>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>>>>>> the user information. This is where your problems arise.
>>>>>>>> It looks like your server has trouble to get its own ticket.
>>>>>>>>
>>>>>>>> Are you sure, that the password you used for keytab generation (on the
>>>>>>>> server side), is correct? ktpass will probably accept
>>>>>>>> any input as a password. Maybe you can check the keytab by using kinit
>>>>>>>> (though I don't know, if it exists for windows, or how
>>>>>>>> the java one is used).
>>>>>>>>
>>>>>>>> Felix
>>>>>>>>
>>>>>>>>> ----------------------------------------
>>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>>>> From: markt@apache.org
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>
>>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>>>> Hi Felix,
>>>>>>>>>>> Thanks for your help!
>>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>>>>> parameters in the Configure Tomcat tool. I definitely got more
>>>>>>>>>>> information when using startup.bat, not sure the settings get
>>>>>>>>>>> picked up by the windows service?
>>>>>>>>>>> I do not think authentication completes, certainly authorization
>>>>>>>>>>> does not as I can't see the site and get 401 http status.
>>>>>>>>>>> I have not configured a tomcat realm but I have put the test user
>>>>>>>>>>> in a manager-gui group in Active Directory.
>>>>>>>>>> I've only given your config a quick scan, but the thing that jumps
>>>>>>>>>> out at me is spaces in some of the paths. I'm not sure how well
>>>>>>>>>> krb5.ini will handle those. It might be fine. It might not be.
>>>>>>>>>>
>>>>>>>>>> Mark
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> David
>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>
>>>>>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>>>>
>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>> };
>>>>>>>>>>>>>
>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>> };
>>>>>>>>>>>>>
>>>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>>>>>> Sorry thats :-
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>>>>> Is it working with this configuration, or just to point out, that
>>>>>>>>>>>>>> you copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Felix
>>>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain 
>>>>>>>>>>>>>>>> logins.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
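The two long Authorization values quoted earlier in this message and the "GSSHeader did not find the right tag" trace are easier to reason about once the tokens are decoded. What follows is an added example, not code from the thread, from Tomcat or from the JDK: a small DER walker in Python that classifies a Negotiate token by its leading byte, parses the one WWW-Authenticate value that is fully visible above (oRQwEqADCgEBoQsGCSqGSIb3EgECAg==, Tomcat's reply on the second 401) and lists the mechanisms offered in a NegTokenInit. The two request tokens from the thread are not reproduced because their beginnings are cut in the archive, so the NegTokenInit and NTLM inputs below are constructed samples; the OID and negState names are taken from RFC 4178, RFC 1964 and MS-SPNG.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
# Mechanism OIDs that turn up in SPNEGO negotiation (RFC 4178, RFC 1964, MS-SPNG).
KNOWN_OIDS = {SPNEGO_OID: "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos V5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """DER OID content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def mech_name(oid_bytes):
    return KNOWN_OIDS.get(decode_oid(oid_bytes), decode_oid(oid_bytes))


def classify_negotiate_token(b64):
    """Say what sits behind 'Negotiate <b64>'. JGSS parses a first token through
    GSSHeader, which accepts only the 0x60 (APPLICATION 0) tag of an RFC 2743
    InitialContextToken; any other first byte gives 'did not find the right tag'."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw NTLM"
    if raw[0] == 0x60:
        _, body, _ = read_tlv(raw)
        _, oid, _ = read_tlv(body)         # thisMech OID is the first element
        return "InitialContextToken/" + mech_name(oid)
    if raw[0] == 0xA1:
        return "NegTokenResp"
    return "unknown (first byte 0x%02x)" % raw[0]


def parse_neg_token_resp(b64):
    """Fields of a NegTokenResp: [0] negState, [1] supportedMech, [2] responseToken,
    [3] mechListMIC (RFC 4178 section 4.2.2). Binary fields are returned raw."""
    raw = base64.b64decode(b64)
    tag, seq, _ = read_tlv(raw)
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp, first byte 0x%02x" % tag)
    _, fields, _ = read_tlv(seq)           # the SEQUENCE inside the [1] wrapper
    out, pos = {}, 0
    while pos < len(fields):
        ftag, fval, pos = read_tlv(fields, pos)
        _, inner, _ = read_tlv(fval)       # each [n] wraps exactly one value
        if ftag == 0xA0:
            out["negState"] = NEG_STATE.get(inner[0], inner[0])
        elif ftag == 0xA1:
            out["supportedMech"] = mech_name(inner)
        elif ftag in (0xA2, 0xA3):
            out["responseToken" if ftag == 0xA2 else "mechListMIC"] = inner
    return out


def mech_list(b64):
    """mechTypes offered in a NegTokenInit, in the initiator's preference order."""
    raw = base64.b64decode(b64)
    _, body, _ = read_tlv(raw)                      # 0x60 InitialContextToken
    _, oid, pos = read_tlv(body)                    # 0x06 thisMech, must be SPNEGO
    if decode_oid(oid) != SPNEGO_OID:
        raise ValueError("thisMech is %s, not SPNEGO" % mech_name(oid))
    _, init, _ = read_tlv(body, pos)                # 0xa0 NegTokenInit
    _, seq, _ = read_tlv(init)                      # 0x30 SEQUENCE
    _, types, _ = read_tlv(seq)                     # 0xa0 [0] mechTypes
    _, lst, _ = read_tlv(types)                     # 0x30 MechTypeList
    oids, pos = [], 0
    while pos < len(lst):
        _, o, pos = read_tlv(lst, pos)
        oids.append(mech_name(o))
    return oids


# The reply Tomcat sent on the second 401 in the thread (copied from it).
TOMCAT_REPLY = "oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
# Constructed samples, not from the thread: a minimal NegTokenInit that offers
# MS Kerberos before Kerberos V5, and the signature of a raw NTLM message.
SAMPLE_INIT = base64.b64encode(bytes.fromhex(
    "6026 0606 2b0601050502 a01c 301a a018 3016"
    " 0609 2a864882f712010202 0609 2a864886f712010202")).decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00" + bytes(4)).decode()

if __name__ == "__main__":
    print(classify_negotiate_token(TOMCAT_REPLY), parse_neg_token_resp(TOMCAT_REPLY))
    print(classify_negotiate_token(SAMPLE_INIT), mech_list(SAMPLE_INIT))
```

Run as a script it reports Tomcat's reply as a NegTokenResp with negState accept-incomplete, supportedMech Kerberos V5 and no responseToken. In RFC 4178 terms that is the acceptor saying it did not use the optimistic mechToken from the client's first token and wants the Kerberos token in a follow-up NegTokenResp. A NegTokenResp starts with the byte 0xa1, and the GSSHeader constructor at the top of the "Caused by" trace accepts only the 0x60 tag of an InitialContextToken, so handing that follow-up to a newly created acceptor context fails with exactly the message in the log. Tomcat's SpnegoAuthenticator creates a fresh context for every request, which fits the sequence David listed: the second request is answered with the NegTokenResp and the third one is the one that blows up. mech_list shows the order in which a client offered its mechanisms, which is what decides whether the acceptor can finish in a single round.
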
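Felix's suggestion in the quoted reply, check the keytab before anything else, is the right order of work, and the JDK debug output earlier in this message gives two numbers to check it against: "KeyTab: load() entry length: 78; type: 23" and "Added key: 23version: 3". The Python below is an added example, not part of the thread, of Tomcat or of the JDK: it parses an MIT-format (version 0x0502) keytab, the format ktpass writes, and reports each entry's principal, realm exactly as stored, kvno and enctype, so that the enctypes actually present can be compared with default_tkt_enctypes before any kinit or Tomcat test. The sample keytab is built inside the block with a dummy 16-byte key for the thread's service principal; it is not the file from the thread.

```python
import struct

# Enctype numbers (RFC 3961, RFC 4757) that show up in Active Directory keytabs.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    """counted_octet_string: big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab (what ktpass and MIT ktutil write).
    Each record is: int32 size, uint16 num_components, realm, components,
    uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype,
    uint16 keylen, key, optional uint32 vno32. A negative size marks a
    deleted slot, which is skipped the way libkrb5 skips it."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab, header %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        end = pos + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                c, pos = _counted(data, pos)
                comps.append(c.decode())
            name_type, stamp, vno = struct.unpack_from(">IIB", data, pos)
            enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
            pos += 13 + keylen
            if end - pos >= 4:             # 32-bit kvno overrides vno8 when present and nonzero
                (vno32,) = struct.unpack_from(">I", data, pos)
                vno = vno32 or vno
            entries.append({
                "principal": "/".join(comps) + "@" + realm.decode(),
                "realm": realm.decode(), "name_type": name_type, "kvno": vno,
                "enctype_id": enctype, "enctype": ENCTYPES.get(enctype, str(enctype)),
                "key_len": keylen, "entry_len": size, "timestamp": stamp,
            })
        pos = end
    return entries


def enctypes_for(entries, principal):
    """Enctype ids present for one principal; compare with default_tkt_enctypes."""
    return sorted(e["enctype_id"] for e in entries if e["principal"] == principal)


def build_keytab(records):
    """Write (principal, kvno, enctype, key) tuples as a 0x0502 keytab.
    Only used to construct sample input here; real files come from ktpass."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in records:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample, not the thread's file: the service principal from the
# thread with one rc4-hmac (type 23) entry and a dummy 16-byte key.
SPN = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
SAMPLE_KEYTAB = build_keytab([(SPN, 3, 23, bytes(range(16)))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d %s key=%d bytes entry=%d bytes" % (
            e["principal"], e["kvno"], e["enctype"], e["key_len"], e["entry_len"]))
```

For the constructed entry the parser reports an entry length of 78 bytes, the same figure the JDK printed for the real file: a two-component HTTP/win-tc01.kerbtest.local principal in realm KERBTEST.LOCAL with a 16-byte rc4-hmac key adds up to exactly that. Pointed at a real file (parse_keytab(open(path, "rb").read())) it answers the question the kinit error in the next message raises, namely which enctype ids the file holds for the principal, to set against the rc4-hmac, aes256 and aes128 entries in krb5.ini. The realm is printed as stored, so a keytab generated with a lowercase realm in the /princ argument shows up as such.
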


Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
Felix Schumacher wrote:
> On 25.03.2015 at 20:19, André Warnier wrote:
>> David Marsh wrote:
>>> Java's version of kinit seems to report an issue?
>>>
>>> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
>>> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>>>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>
>> That seems to indicate that between the Java Kerberos module in 
>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the 
>> types of keys used (type of encryption), so they do not understand 
>> each other.
>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>
>> It is also a bit strange that it says :
>> only have keys of following type:
>> (with nothing behind the :.. )
>>
>> From what I keep browsing on the WWW, it also seems that the types of 
>> key encryptions that might match between Java Kerberos and Windows 
>> Kerberos, depend on the versions of both Java and Windows Server..
>>
> +1 (read your answer too late, I found the same link and posted it :)
>> Man, this thing is really a nightmare, isn't it ?
> I especially like the error messages.
> 

Yes, and the thing is : there are a lot of pages on the www that describe the "correct" 
procedure, step by step, some even with screenshots etc..
But they always leave something out, and you don't know what they left out..


> Felix
>>
>>
>>>
>>> ----------------------------------------
>>>> From: dmarsh26@outlook.com
>>>> To: users@tomcat.apache.org
>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>>
>>>> It's possible I guess, although I would not expect that.
>>>>
>>>> The test is :-
>>>>
>>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>>
>>>> Firefox is not configured to use a proxy, its all in Vmware 
>>>> Workstation 10 using the Vmnet01 virtual network.
>>>>
>>>> Firefox has three 401 responses with headers "Authorization" and 
>>>> "WWW-Authenticate" :-
>>>>
>>>> 1 :- Reponse WWW-Authenticate: "Negotiate"
>>>>
>>>> 2 :- Request Authorization: "Negotiate 
>>>> 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 
>>>>
>> yCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJv04NvH3OA0+sXGdCWanthHZBM9DIq0AknWszbwm9z+7da/DThLEAnnozvO84tK/DD7fC/AnSWKXnqchILMdjPnZA5Bg3yjS4Y1rJFawc9fDNUmTCn4ILjjl6SSETMbJSFjzarv4wEfy5VU16DNBzWUxEJNH8PvsXTTfdzcwdsYnFwHGZbrcNxaJUtp3xpyoG/1EAgNk9i1UtewL1b
HVkm 
>>
>> muJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4=" 
>>
>>>>
>>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>>
>>>> 3 :- Request Authorization: "Negotiate 
>>>> 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 
>>>>
>> Kk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJxK5PpTX/g5phbQ2bv8XrnUCfC+cfDkPjAOnpnsiX7fRtA7k5qaEtUI/9KlqcAbV0jG3nQolKK5zEL6ftBXPW3FgZRRGmiYMQVpjBtIKapE1A+V/dveIrnnkxuuRmWrIJFYagOijzyilZj6cIIJqtmqI+QE4vKGIQl6lMwcgao9ZNZ2t2vLI5cD/BSjkFNbmgqLAuDZW357KVd5uoUJbHDpQHGWKw4A4x9vpvv+NUv1IrUaBe19PDQup/SILLHlUA8zr/OsHMytfPpVSv99fLBY7mcr0zw
m+qh 
>>
>> PF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E=" 
>>
>>>>
>>>> Response WWW-Authenticate: "Negotiate"
>>>>
>>>> I'm not sure how long they should be, but they all end "=" so expect 
>>>> not truncated ?
>>>>
>>>> ----------------------------------------
>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>> From: felix.schumacher@internetallee.de
>>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>>> To: users@tomcat.apache.org
>>>>>
>>>>>
>>>>>
>>>>> On 25 March 2015 17:25:25 CET, David Marsh 
>>>>> <dm...@outlook.com> wrote:
>>>>>> This is how the keytab was created :-
>>>>>>
>>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>>>> tc01@KERBTEST.LOCAL /princ 
>>>>>> HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>> /pass tc01pass
>>>>>>
>>>>>> The password is the correct password for the user tc01 associated 
>>>>>> with
>>>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>>
>>>>>> I managed to turn on some more logging around JAAS, see the error
>>>>>> :- java.security.PrivilegedActionException: GSSException: Defective
>>>>>> token detected
>>>>> Do you talk directly to Tomcat, or is there any kind of proxy in 
>>>>> between?
>>>>> Could the header be truncated?
>>>>>
>>>>> Felix
>>>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>>>> KeyTab: load() entry length: 78; type: 23
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>>>>>> Loaded from Java config
>>>>>> Added key: 23version: 3
>>>>>>>>> KdcAccessibility: reset
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>> KrbAsReq creating message
>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 11
>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 19
>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 2
>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 16
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 15
>>>>>>
>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>> KRBError:
>>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>>>> suSec is 701709
>>>>>> error code is 25
>>>>>> error Message is Additional pre-authentication required
>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>> eData provided.
>>>>>> msgType is 30
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 11
>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 19
>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 2
>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 16
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 15
>>>>>>
>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>> KrbAsReq creating message
>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Will use keytab
>>>>>> Commit Succeeded
>>>>>>
>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>>>> [Krb5LoginModule]: Entering logout
>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>> KrbAsReq creating message
>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 11
>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 19
>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 2
>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 16
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 15
>>>>>>
>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>>>> KRBError:
>>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>>>> suSec is 935731
>>>>>> error code is 25
>>>>>> error Message is Additional pre-authentication required
>>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>>> eData provided.
>>>>>> msgType is 30
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 11
>>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 19
>>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 2
>>>>>> PA-ENC-TIMESTAMP
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 16
>>>>>>
>>>>>>>>> Pre-Authentication Data:
>>>>>> PA-DATA type = 15
>>>>>>
>>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>> KrbAsReq creating message
>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Added key: 23version: 3
>>>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Will use keytab
>>>>>> Commit Succeeded
>>>>>>
>>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>>>> ... 18 more
>>>>>>
>>>>>> [Krb5LoginModule]: Entering logout
>>>>>> [Krb5LoginModule]: logged out Subject
>>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>>
>>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>>>>
>>>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>>
>>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>>
>>>>>>>> Cached Tickets: (2)
>>>>>>>>
>>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial
>>>>>>>> pre_authent nam
>>>>>>>> e_canonicalize
>>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>
>>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
>>>>>>>> name_canoni
>>>>>>>> calize
>>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>>> Cache Flags: 0
>>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>>
>>>>>>>> Looks like I was granted a ticket for the SPN
>>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>>
>>>>>>>> If I have ticket why do I get 401 ?
>>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>>>> by firefox for authentication. Firefox transmits
>>>>>>> this service ticket to the server (as base64 encoded in the
>>>>>>> WWW-Authenticate header).
>>>>>>>
>>>>>>> Your server has to decrypt this ticket using its own ticket to 
>>>>>>> get at
>>>>>>> the user information. This is where your problems arise.
>>>>>>> It looks like your server has trouble to get its own ticket.
>>>>>>>
>>>>>>> Are you sure, that the password you used for keytab generation (on the
>>>>>>> server side), is correct? ktpass will probably accept
>>>>>>> any input as a password. Maybe you can check the keytab by using kinit
>>>>>>> (though I don't know, if it exists for windows, or how
>>>>>>> the java one is used).
>>>>>>>
>>>>>>> Felix
>>>>>>>
>>>>>>>> ----------------------------------------
>>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>>> From: markt@apache.org
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>>> Hi Felix,
>>>>>>>>>> Thanks for your help!
>>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>>>>>>> when using startup.bat, not sure the settings get picked up by 
>>>>>>>>>> the
>>>>>>>>>> windows service ?
>>>>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>>>>> not as I can't see the site and get 401 http status.
>>>>>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>>>>>> manager-gui group in Active Directory.
>>>>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>>>>> at me is spaces in some of the paths. I'm not sure how well
>>>>>>>>> krb5.ini
>>>>>>>>> will handle those. It might be fine. It might not be.
>>>>>>>>>
>>>>>>>>> Mark
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> David
>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>>>
>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>> };
>>>>>>>>>>>>
>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>> };
>>>>>>>>>>>>
>>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>>>>> Sorry, that's :-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>>>> Is it working with this configuration, or just to point out, that you
>>>>>>>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Felix
>>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain 
>>>>>>>>>>>>>>> logins.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with
>>>>>>>>>>>>>>> Active Directory.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after
>>>>>>>>>>>>>>> ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401
>>>>>>>>>>>>>>> three times.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox
>>>>>>>>>>>>>>> shows
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
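
Before going back and forth over jaas.conf and krb5.ini, it is worth looking at what ktpass actually wrote into the keytab: which principal (including the realm, which the ktpass command quoted in this thread was given in lowercase), which enctype and which kvno. The following script is an added example and not part of this thread or of Tomcat. It parses an MIT-format keytab (version 0x0502, the layout ktpass writes and Java's KeyTabInputStream reads) and compares the enctypes present for the service principal against the default_tkt_enctypes list from krb5.ini. The keytab image it parses is constructed inline to match the one entry the Java debug output later in the thread shows ("KeyTab: load() entry length: 78; type: 23", "Added key: 23version: 3"); its key bytes are a dummy value, and for a real file you would pass open(path, "rb").read() instead.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757). The krb5.ini in this thread lists
# rc4-hmac, aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96, i.e. 23, 18 and 17.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(blob, pos):
    """Read a 16-bit big-endian length-prefixed byte string; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n

def parse_keytab(blob):
    """Parse an MIT-format keytab image (version 0x0502, the layout ktpass writes and
    Java's KeyTabInputStream reads). Returns one dict per key entry."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab header %r" % (blob[:2],))
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _counted(blob, pos)   # 0x0502 stores the realm before the components
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(blob, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
        pos = end
    return entries

def keys_for(entries, principal):
    """Entries for 'service/host@REALM'. The realm is compared case-insensitively,
    matching what the thread's Java log shows: the key was loaded although ktpass was
    run with '@kerbtest.local' while the JAAS principal says '@KERBTEST.LOCAL'."""
    name, _, realm = principal.partition("@")
    return [e for e in entries
            if e["principal"].partition("@")[0] == name
            and e["principal"].partition("@")[2].lower() == realm.lower()]

def enctype_gap(entries, principal, configured):
    """Enctypes from default_tkt_enctypes for which the keytab holds no key of this principal."""
    have = {e["enctype"] for e in keys_for(entries, principal)}
    return sorted(set(configured) - have)

def describe(entries):
    return ["%s kvno=%d %s (%d) key=%d bytes" % (e["principal"], e["kvno"],
            ENCTYPES.get(e["enctype"], "etype"), e["enctype"], e["key_len"])
            for e in entries]

# --- constructed sample, shaped like the entry in the thread's Java debug output ----
# ("KeyTab: load() entry length: 78; type: 23", "Added key: 23version: 3").
def _encode_entry(realm, components, enctype, key, kvno, name_type=1, timestamp=0):
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + _encode_entry(
    "kerbtest.local", ["HTTP", "win-tc01.kerbtest.local"],   # realm as ktpass was given it
    enctype=23, key=bytes(range(16)), kvno=3,                 # dummy 16-byte RC4 key, not real
    name_type=1, timestamp=1427298000)                        # 1 = KRB5_NT_PRINCIPAL
SERVICE = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"       # principal from jaas.conf
CONFIGURED = [23, 18, 17]                                     # default_tkt_enctypes in krb5.ini

if __name__ == "__main__":
    # For a real file: entries = parse_keytab(open(r"C:\keytab\tomcat.keytab", "rb").read())
    entries = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(describe(entries)))
    print("configured enctypes with no key in keytab:", enctype_gap(entries, SERVICE, CONFIGURED))
```

Run against the real tomcat.keytab, an empty list from enctype_gap() means every enctype the KDC may pick for this principal is covered. The entry shape from this thread yields [17, 18]: the file holds a single rc4-hmac key, so although krb5.ini advertises the AES types, only RC4-HMAC can ever be used for the service principal, which is also what the "EType: ... ArcFourHmacEType" lines in the Java log show. ktpass writes the key types selected with /crypto (a single type by default), so a keytab that is meant to support AES has to be generated with those types included.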
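
The Firefox capture quoted further down in this thread (a bare "Negotiate" challenge, a long client token, a short server token "oRQw...", a second client token, then "Defective token detected ... GSSHeader did not find the right tag") is easier to read once the Negotiate headers are decoded instead of being checked for a trailing "=". The following script is an added example, not code from the thread or from Tomcat. It is a small DER walker that classifies the base64 value of a Negotiate header as a bare challenge, a GSS-API InitialContextToken carrying a SPNEGO NegTokenInit (first byte 0x60, base64 starting with "Y"), a SPNEGO NegTokenResp continuation (first byte 0xA1, base64 starting with "o"), raw NTLMSSP, or a cut-off token whose DER lengths run past the available bytes, which is the check for the truncation question raised below. Only the server token is copied from the thread; the NegTokenInit and NTLM samples are constructed inline, with a dummy stand-in where a real Kerberos AP-REQ would be.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECHS = {"1.2.840.48018.1.2.2": "MS KRB5",
         "1.2.840.113554.1.2.2": "Kerberos V5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def _tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos).
    A declared length running past the buffer means the token was cut off."""
    if pos + 2 > len(buf):
        raise ValueError("token ends inside a TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                    # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated token: needs %d bytes, %d present" % (pos + length, len(buf)))
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_negotiate(header):
    """Classify an 'Authorization: Negotiate ...' / 'WWW-Authenticate: Negotiate ...' value."""
    parts = header.split(None, 1)
    if parts and parts[0].lower() == "negotiate":
        if len(parts) == 1:
            return {"kind": "challenge"}                # bare 'Negotiate': no token yet
        header = parts[1]
    raw = base64.b64decode(header)                      # whitespace from mail wrapping is skipped
    if raw.startswith(b"NTLMSSP\x00"):
        return {"kind": "NTLM"}                         # raw NTLMSSP, not a GSS-API token
    tag, body, _ = _tlv(raw)
    if tag == 0xA1:                                     # NegTokenResp: continues an existing context
        fields = dict(_children(_tlv(body)[1]))
        out = {"kind": "NegTokenResp", "has_response_token": 0xA2 in fields}
        if 0xA0 in fields:
            out["neg_state"] = NEG_STATE.get(_tlv(fields[0xA0])[1][0], "?")
        if 0xA1 in fields:
            oid = _oid(_tlv(fields[0xA1])[1])
            out["supported_mech"] = MECHS.get(oid, oid)
        return out
    if tag != 0x60:                                     # not a GSS-API InitialContextToken
        return {"kind": "unknown", "first_byte": tag}
    _, oid_raw, pos = _tlv(body)
    mech = _oid(oid_raw)
    if mech != SPNEGO_OID:                              # e.g. a bare Kerberos token
        return {"kind": "InitialContextToken", "mech": MECHS.get(mech, mech)}
    fields = dict(_children(_tlv(_tlv(body, pos)[1])[1]))  # [0] NegTokenInit ::= SEQUENCE
    types = [_oid(v) for _, v in _children(_tlv(fields[0xA0])[1])]
    out = {"kind": "NegTokenInit", "mech_types": [MECHS.get(t, t) for t in types]}
    if 0xA2 in fields:                                  # mechToken for the first listed mech
        inner = _tlv(fields[0xA2])[1]
        out["mech_token"] = "NTLM" if inner.startswith(b"NTLMSSP\x00") else "0x%02x" % inner[0]
    return out

def check(header):
    """parse_negotiate, but report a cut-off or malformed token instead of raising."""
    try:
        return parse_negotiate(header)
    except ValueError as e:                             # binascii.Error is a ValueError
        return {"kind": "defective", "error": str(e)}

# --- constructed samples; only THREAD_RESP is copied from the thread ---------------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)

# Shape of a Windows client's first token: MS KRB5, Kerberos V5, NTLMSSP, with a dummy
# 0x60-tagged stand-in where the real Kerberos AP-REQ would be.
_mech_list = _der(0xA0, _der(0x30, b"".join(_der_oid(o) for o in MECHS)))
_dummy_apreq = _der(0x60, _der_oid("1.2.840.48018.1.2.2") + bytes(10))
_neg_init = _der(0xA0, _der(0x30, _mech_list + _der(0xA2, _der(0x04, _dummy_apreq))))
_raw_init = _der(0x60, _der_oid(SPNEGO_OID) + _neg_init)
SAMPLE_INIT = "Negotiate " + base64.b64encode(_raw_init).decode()
TRUNCATED_INIT = "Negotiate " + base64.b64encode(_raw_init[:-6]).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
THREAD_RESP = "Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="   # the server's 2nd 401 in the thread

if __name__ == "__main__":
    for h in ("Negotiate", SAMPLE_INIT, THREAD_RESP, TRUNCATED_INIT, SAMPLE_NTLM):
        print(check(h))
```

Decoded, the server token from the thread is a NegTokenResp with negState accept-incomplete and supportedMech 1.2.840.113554.1.2.2 (Kerberos V5): the acceptor is telling the client to continue with that mechanism rather than the first one it offered, so the client's next Authorization header is a continuation of the same negotiation. The stack trace in the thread ends in sun.security.jgss.GSSHeader, which is only consulted when a GSSContext has no mechanism context yet and therefore expects a 0x60 InitialContextToken; a token that starts with 0xA1 fails there with exactly "GSSHeader did not find the right tag". Running check() over each captured header tells you which of those two cases you are looking at, and separates both from a header that was really cut off in transit.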


Re: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.
On 25.03.2015 at 20:19, André Warnier wrote:
> David Marsh wrote:
>> Javas version of kinit seems to report issue ?
>>
>> C:\Program Files\Apache Software Foundation\Tomcat 
>> 8.0\conf>"C:\Program Files\Ja
>> va\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>> Exception: krb_error 0 Do not have keys of types listed in 
>> default_tkt_enctypes
>> available; only have keys of following type:  No error
>> KrbException: Do not have keys of types listed in 
>> default_tkt_enctypes available
>> ; only have keys of following type:
>>         at 
>> sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>         at 
>> sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>         at 
>> sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>         at 
>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>
> That seems to indicate that between the Java Kerberos module in 
> Tomcat, and the KDC's Kerberos software, there is a mismatch in the 
> types of keys used (type of encryption), so they do not understand 
> each other.
> This may be relevant : https://community.igniterealtime.org/thread/49913
>
> It is also a bit strange that it says :
> only have keys of following type:
> (with nothing behind the :.. )
>
> From what I keep browsing on the WWW, it also seems that the types of 
> key encryptions that might match between Java Kerberos and Windows 
> Kerberos, depend on the versions of both Java and Windows Server..
>
+1 (read your answer too late, I found the same link and posted it :)
> Man, this thing is really a nightmare, isn't it ?
I especially like the error messages.

Felix
>
>
>>
>> ----------------------------------------
>>> From: dmarsh26@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>>
>>> It's possible, I guess, although I would not expect that.
>>>
>>> The test is :-
>>>
>>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>>
>>> Firefox is not configured to use a proxy, its all in Vmware 
>>> Workstation 10 using the Vmnet01 virtual network.
>>>
>>> Firefox has three 401 responses with headers "Authorization" and 
>>> "WWW-Authenticate" :-
>>>
>>> 1 :- Response WWW-Authenticate: "Negotiate"
>>>
>>> 2 :- Request Authorization: "Negotiate
>>> [...]
>>> yCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJv04NvH3OA0+sXGdCWanthHZBM9DIq0AknWszbwm9z+7da/DThLEAnnozvO84tK/DD7fC/AnSWKXnqchILMdjPnZA5Bg3yjS4Y1rJFawc9fDNUmTCn4ILjjl6SSETMbJSFjzarv4wEfy5VU16DNBzWUxEJNH8PvsXTTfdzcwdsYnFwHGZbrcNxaJUtp3xpyoG/1EAgNk9i1UtewL1bHVkm
>>> muJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4="
>>>
>>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>>
>>> 3 :- Request Authorization: "Negotiate
>>> [...]
>>> PF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E="
>>>
>>> Response WWW-Authenticate: "Negotiate"
>>>
>>> I'm not sure how long they should be, but they all end with "=", so I
>>> expect they are not truncated?
>>>
>>> ----------------------------------------
>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>> From: felix.schumacher@internetallee.de
>>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>>> To: users@tomcat.apache.org
>>>>
>>>>
>>>>
>>>> On 25 March 2015 17:25:25 CET, David Marsh
>>>> <dm...@outlook.com> wrote:
>>>>> This is how the keytab was created :-
>>>>>
>>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
>>>>>
>>>>> The password is the correct password for the user tc01 associated 
>>>>> with
>>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>>
>>>>> I managed to turn on some more logging around JAAS, see the error
>>>>> :- java.security.PrivilegedActionException: GSSException: Defective
>>>>> token detected
>>>> Do you talk directly to Tomcat, or is there any kind of proxy in 
>>>> between?
>>>> Could the header be truncated?
>>>>
>>>> Felix
>>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>> >>> KeyTabInputStream, readName(): kerbtest.local
>>>>> >>> KeyTabInputStream, readName(): HTTP
>>>>> >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> >>> KeyTab: load() entry length: 78; type: 23
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>>>>> Loaded from Java config
>>>>> Added key: 23version: 3
>>>>> >>> KdcAccessibility: reset
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> >>> KrbAsReq creating message
>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>> >>> KrbKdcReq send: #bytes read=185
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> >>> KDCRep: init() encoding tag is 126 req type is 11
>>>>> >>> KRBError:
>>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>>> suSec is 701709
>>>>> error code is 25
>>>>> error Message is Additional pre-authentication required
>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>> eData provided.
>>>>> msgType is 30
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> >>> KrbAsReq creating message
>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>> >>> KrbKdcReq send: #bytes read=100
>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>> >>> DEBUG: TCPClient reading 1475 bytes
>>>>> >>> KrbKdcReq send: #bytes read=1475
>>>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Will use keytab
>>>>> Commit Succeeded
>>>>>
>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spn
ego.SpNegoCredElement)
>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>>> [Krb5LoginModule]: Entering logout
>>>>> [Krb5LoginModule]: logged out Subject
>>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> >>> KrbAsReq creating message
>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>> >>> KrbKdcReq send: #bytes read=185
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> >>> KDCRep: init() encoding tag is 126 req type is 11
>>>>> >>> KRBError:
>>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>>> suSec is 935731
>>>>> error code is 25
>>>>> error Message is Additional pre-authentication required
>>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>>> eData provided.
>>>>> msgType is 30
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 11
>>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 19
>>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 2
>>>>> PA-ENC-TIMESTAMP
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 16
>>>>>
>>>>> >>> Pre-Authentication Data:
>>>>> PA-DATA type = 15
>>>>>
>>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> >>> KrbAsReq creating message
>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>> >>> KrbKdcReq send: #bytes read=100
>>>>> >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>> >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>> >>> DEBUG: TCPClient reading 1475 bytes
>>>>> >>> KrbKdcReq send: #bytes read=1475
>>>>> >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Added key: 23version: 3
>>>>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Will use keytab
>>>>> Commit Succeeded
>>>>>
>>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>>> ... 18 more
>>>>>
>>>>> [Krb5LoginModule]: Entering logout
>>>>> [Krb5LoginModule]: logged out Subject
>>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>>
>>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>>> From: felix.schumacher@internetallee.de
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>>> tc01@KERBTEST.LOCAL, still same symptoms.
>>>>>>>
>>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>>
>>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>>
>>>>>>> Cached Tickets: (2)
>>>>>>>
>>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>
>>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>>> Cache Flags: 0
>>>>>>> Kdc Called: 192.168.0.200
>>>>>>>
>>>>>>> Looks like I was granted a ticket for the SPN
>>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>>
>>>>>>> If I have ticket why do I get 401 ?
>>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>>> by firefox for authentication. Firefox transmits this service ticket to
>>>>>> the server (as base64 encoded in the WWW-Authenticate header).
>>>>>>
>>>>>> Your server has to decrypt this ticket using its own ticket to 
>>>>>> get at
>>>>>> the user information. This is where your problems arise.
>>>>>> It looks like your server has trouble to get its own ticket.
>>>>>>
>>>>>> Are you sure that the password you used for keytab generation (on the
>>>>>> server side) is correct? ktpass will probably accept any input as a
>>>>>> password. Maybe you can check the keytab by using kinit (though I don't
>>>>>> know if it exists for windows, or how the java one is used).
>>>>>>
>>>>>> Felix
>>>>>>
>>>>>>> ----------------------------------------
>>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>>> From: markt@apache.org
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>>> Hi Felix,
>>>>>>>>> Thanks for your help!
>>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>>> parameters in the Configure Tomcat tool. I definitely got more
>>>>>>>>> information when using startup.bat, not sure the settings get picked
>>>>>>>>> up by the windows service ?
>>>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>>>> not as I can't see the site and get 401 http status.
>>>>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>>>>> manager-gui group in Active Directory.
>>>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>>>>>> will handle those. It might be fine. It might not be.
>>>>>>>>
>>>>>>>> Mark
>>>>>>>>
>>>>>>>>
>>>>>>>>> David
>>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>
>>>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>
>>>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>>>> Sorry thats :-
>>>>>>>>>>>>>
>>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>>> Is it working with this configuration, or just to point out that
>>>>>>>>>>>> you copied the wrong jaas.conf for the mail?
>>>>>>>>>>>>
>>>>>>>>>>>> Felix
>>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain 
>>>>>>>>>>>>>> logins.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>>> };
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>>> }
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>>>>> Directory.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
>>>>>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>>>>> times.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>> For additional commands, e-mail: users-help@tomcat.apache.org
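Added example for this thread (not code from the list, Tomcat or the JDK): a small Python 3 decoder for the two Negotiate header values David quotes later in the thread (the long Authorization token and the oRQwEqADCgEBoQsGCSqGSIb3EgECAg== reply), so the questions raised above, whether the token is truncated and what is actually inside it, can be answered from the bytes rather than from the "=" padding. Base64 padding only shows the browser finished encoding; the DER length in the token's first bytes is what says how long the token is meant to be. Decoding the values on this page gives: the first Authorization header is a SPNEGO NegTokenInit offering, in order, the Microsoft legacy Kerberos OID 1.2.840.48018.1.2.2, Kerberos 1.2.840.113554.1.2.2, NEGOEX and NTLMSSP, with an optimistic Kerberos AP-REQ (TOK_ID 01 00, tag 0x6e, for the service HTTP/win-tc01.kerbtest.local) as mechToken; the server's WWW-Authenticate reply is a NegTokenResp with negState accept-incomplete (1), supportedMech 1.2.840.113554.1.2.2 and no responseToken, i.e. the accepting side asked for a second leg instead of completing on the ticket it was sent. A client's second leg is itself a NegTokenResp, which starts with tag 0xa1 rather than the 0x60 InitialContextToken header a freshly created GSSContext expects; if the accepting side does not keep the GSSContext across the 401 round trip, that is exactly the shape of token that produces "GSSHeader did not find the right tag". The script embeds only the first 132 base64 characters of the request token (99 bytes, enough for the mechTypes list and the start of the mechToken) and the full 22-byte reply; the friendly OID names are the standard registered ones.

```python
# Added example for this thread; not code from Tomcat, the JDK or the list.
# Decodes an HTTP "Negotiate" header value (RFC 4178 SPNEGO in RFC 2743 GSS-API
# framing) far enough to show declared vs received length, the mechanisms the
# client offered, what the optimistic token is, and the server's negState.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
OID_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB_MSG = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x7E: "KRB-ERROR"}  # [APPLICATION n] tags

# First 132 base64 characters (99 bytes) of the first Authorization token quoted
# in this thread, and the complete WWW-Authenticate reply the server sent back.
CLIENT_REQ1_PREFIX = ("YIIGUgYGKwYBBQUCoIIGRjCCBkKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYK"
                      "KwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXz")
SERVER_REPLY = "oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="


def read_tlv(buf, pos):
    """DER tag and length at pos -> (tag, value_start, value_end); value_end may
    lie beyond len(buf) when the token was cut short, so callers check it."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        return tag, pos, pos + first
    n = first & 0x7F
    return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")


def read_oid(buf, pos):
    """OID TLV at pos -> (friendly name or dotted string, position after it)."""
    tag, start, end = read_tlv(buf, pos)
    if tag != 0x06:
        raise ValueError("expected OID at offset %d, got tag 0x%02x" % (pos, tag))
    raw = buf[start:end]
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted), end


def decode_negotiate(header_value):
    """Decode 'Negotiate <base64>' (or the bare base64) into a dict of findings."""
    parts = header_value.split()
    if parts and parts[0].lower() == "negotiate":
        parts = parts[1:]
    if not parts:
        return {"kind": "challenge (no token)", "bytes": 0}
    tok = base64.b64decode(parts[0])
    if tok.startswith(b"NTLMSSP\x00"):              # browser fell back to NTLM, not SPNEGO
        return {"kind": "raw NTLMSSP", "bytes": len(tok)}
    tag, start, end = read_tlv(tok, 0)
    info = {"bytes": len(tok), "declared_bytes": end, "complete": end <= len(tok)}
    if tag == 0x60:                                # InitialContextToken: OID + inner token
        mech, pos = read_oid(tok, start)
        if mech != SPNEGO_OID:
            info["kind"] = "raw %s token" % mech
            return info
        info["kind"] = "NegTokenInit"
        _, pos, _ = read_tlv(tok, pos)             # [0] NegTokenInit wrapper
        _, pos, seq_end = read_tlv(tok, pos)       # SEQUENCE of tagged fields
        while pos < min(seq_end, len(tok)):
            ctag, cstart, cend = read_tlv(tok, pos)
            if ctag == 0xA0:                       # mechTypes, in client preference order
                _, p, mt_end = read_tlv(tok, cstart)
                mechs = []
                while p < mt_end:
                    mech, p = read_oid(tok, p)
                    mechs.append(mech)
                info["mech_types"] = mechs
            elif ctag == 0xA2:                     # mechToken: OCTET STRING, optimistic token
                _, p, _ = read_tlv(tok, cstart)
                if p < len(tok) and tok[p] == 0x60:
                    _, p, _ = read_tlv(tok, p)
                    info["mech_token_for"], p = read_oid(tok, p)
                    if p + 2 < len(tok):           # RFC 4121: 2-byte TOK_ID, then Kerberos msg
                        info["kerberos_msg"] = KRB_MSG.get(tok[p + 2], "0x%02x" % tok[p + 2])
            if cend > len(tok):                    # field runs past the bytes we have
                break
            pos = cend
    elif tag == 0xA1:                              # NegTokenResp: server reply or client 2nd leg
        info["kind"] = "NegTokenResp"
        info["has_response_token"] = False
        _, pos, seq_end = read_tlv(tok, start)
        while pos < min(seq_end, len(tok)):
            ctag, cstart, cend = read_tlv(tok, pos)
            if ctag == 0xA0:                       # negState ENUMERATED
                info["neg_state"] = NEG_STATE.get(tok[cend - 1], tok[cend - 1])
            elif ctag == 0xA1:                     # supportedMech
                info["supported_mech"], _ = read_oid(tok, cstart)
            elif ctag == 0xA2:                     # responseToken (an AP-REP, for Kerberos)
                info["has_response_token"] = True
            pos = cend
    else:
        info["kind"] = "unknown (tag 0x%02x)" % tag
    return info


if __name__ == "__main__":
    for label, value in [("401 challenge", "Negotiate"),
                         ("client request 1 (prefix)", "Negotiate " + CLIENT_REQ1_PREFIX),
                         ("server reply", "Negotiate " + SERVER_REPLY)]:
        print("%-28s %s" % (label, decode_negotiate(value)))
```

Run it as-is to see the three decodes, or paste a complete header value copied from the browser's network tab into decode_negotiate(): "complete": False with declared_bytes larger than bytes is a truncated capture; a raw NTLMSSP blob or a NegTokenResp arriving at a fresh GSSContext both end in a "Defective token" exception on the Java side.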


Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
David Marsh wrote:
> Java's version of kinit seems to report an issue ?
> 
> C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Ja
> va\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
> available; only have keys of following type:  No error
> KrbException: Do not have keys of types listed in default_tkt_enctypes available
> ; only have keys of following type:
>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

That seems to indicate that between the Java Kerberos module in Tomcat, and the KDC's 
Kerberos software, there is a mismatch in the types of keys used (type of encryption), so 
they do not understand each other.
This may be relevant : https://community.igniterealtime.org/thread/49913

It is also a bit strange that it says :
only have keys of following type:
(with nothing behind the :.. )

 From what I keep browsing on the WWW, it also seems that the types of key encryptions 
that might match between Java Kerberos and Windows Kerberos, depend on the versions of 
both Java and Windows Server..

Man, this thing is really a nightmare, isn't it ?


> 
> ----------------------------------------
>> From: dmarsh26@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Wed, 25 Mar 2015 16:50:47 +0000
>>
>> It's possible I guess, although I would not expect that.
>>
>> The test is :-
>>
>> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>>
>> Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.
>>
>> Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :-
>>
>> 1 :- Response WWW-Authenticate: "Negotiate"
>>
>> 2 :- Request Authorization: "Negotiate YIIGUgYGKwYBBQUCoIIGRjCCBkKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACAAAACjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjI EkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJv04NvH3OA0+sXGdCWanthHZBM9DIq0AknWszbwm9z+7da/DThLEAnnozvO84tK/DD7fC/AnSWKXnqchILMdjPnZA5Bg3yjS4Y1rJFawc9fDNUmTCn4ILjjl6SSETMbJSFjzarv4wEfy5VU16DNBzWUxEJNH8PvsXTTfdzcwdsYnFwHGZbrcNxaJUtp3xpyoG/1EAgNk9i1UtewL1bHVkmmuJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4="
>>
>> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>>
>> 3 :- Request Authorization: "Negotiate [...]PF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E="
>>
>> Response WWW-Authenticate: "Negotiate"
>>
>> I'm not sure how long they should be, but they all end "=" so expect not truncated ?
>>
>> ----------------------------------------
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>> From: felix.schumacher@internetallee.de
>>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>>> To: users@tomcat.apache.org
>>>
>>>
>>>
>>> On 25 March 2015 17:25:25 CET, David Marsh <dm...@outlook.com> wrote:
>>>> This is how the keytab was created :-
>>>>
>>>> ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>> tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>> /pass tc01pass
>>>>
>>>> The password is the correct password for the user tc01 associated with
>>>> the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>>
>>>> I managed to turn on some more logging around JAAS, see the error
>>>> :- java.security.PrivilegedActionException: GSSException: Defective
>>>> token detected
>>> Do you talk directly to Tomcat, or is there any kind of proxy in between?
>>> Could the header be truncated?
>>>
>>> Felix
>>>> 25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>> 25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>> 25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>> 25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>> 25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>> 25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>> 25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>> 25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>> 25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>> 25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>> 25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>> 25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>> 25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>> 25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>> 25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>> 25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>> 25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>> 25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>> 25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>> 25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>> 25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>>> KeyTab: load() entry length: 78; type: 23
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>>> 8.0\conf\krb5.ini
>>>> Loaded from Java config
>>>> Added key: 23version: 3
>>>>>>> KdcAccessibility: reset
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>> KRBError:
>>>> sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>> suSec is 701709
>>>> error code is 25
>>>> error Message is Additional pre-authentication required
>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>> eData provided.
>>>> msgType is 30
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Will use keytab
>>>> Commit Succeeded
>>>>
>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>> [Krb5LoginModule]: Entering logout
>>>> [Krb5LoginModule]: logged out Subject
>>>> 25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>> 25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>> 25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>> 25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>> 25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>> 25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>> 25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>> KRBError:
>>>> sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>> suSec is 935731
>>>> error code is 25
>>>> error Message is Additional pre-authentication required
>>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>> eData provided.
>>>> msgType is 30
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 11
>>>> PA-ETYPE-INFO etype = 23, salt =
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 19
>>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 2
>>>> PA-ENC-TIMESTAMP
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 16
>>>>
>>>>>>> Pre-Authentication Data:
>>>> PA-DATA type = 15
>>>>
>>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsReq creating message
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> KrbKdcReq send: #bytes read=100
>>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>>> DEBUG: TCPClient reading 1475 bytes
>>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Added key: 23version: 3
>>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>> principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Will use keytab
>>>> Commit Succeeded
>>>>
>>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>> Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>> 25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at javax.security.auth.Subject.doAs(Subject.java:422)
>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>> at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>> at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>> ... 18 more
>>>>
>>>> [Krb5LoginModule]: Entering logout
>>>> [Krb5LoginModule]: logged out Subject
>>>> 25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>>
>>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>>> From: felix.schumacher@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>>
>>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>>
>>>>>> Current LogonId is 0:0x2fd7a
>>>>>>
>>>>>> Cached Tickets: (2)
>>>>>>
>>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>>> Kdc Called: 192.168.0.200
>>>>>>
>>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>>> Cache Flags: 0
>>>>>> Kdc Called: 192.168.0.200
>>>>>>
>>>>>> Looks like I was granted a ticket for the SPN
>>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>>
>>>>>> If I have ticket why do I get 401 ?
>>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>>> by firefox for authentication. Firefox transmits this service ticket to
>>>>> the server (as base64 encoded in the WWW-Authenticate header).
>>>>>
>>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>>> the user information. This is where your problems arise.
>>>>> It looks like your server has trouble to get its own ticket.
>>>>>
>>>>> Are you sure, that the password you used for keytab generation (on the
>>>>> server side), is correct? ktpass will probably accept any input as a
>>>>> password. Maybe you can check the keytab by using kinit (though I don't
>>>>> know, if it exists for windows, or how the java one is used).
>>>>>
>>>>> Felix
>>>>>
>>>>>> ----------------------------------------
>>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>>> From: markt@apache.org
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>>> Hi Felix,
>>>>>>>> Thanks for your help!
>>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>>>>> windows service ?
>>>>>>>> I do not think authentication completes, certainly authorization does
>>>>>>>> not as I can't see the site and get 401 http status.
>>>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>>>> manager-gui group in Active Directory.
>>>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>>>>> will handle those. It might be fine. It might not be.
>>>>>>>
>>>>>>> Mark
>>>>>>>
>>>>>>>
>>>>>>>> David
>>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> On 24.03.2015 at 21:25 David Marsh wrote:
>>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>>> jaas.conf is :-
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>> doNotPrompt=true
>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> useKeyTab=true
>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>> storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>> doNotPrompt=true
>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> useKeyTab=true
>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>> storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 24.03.2015 at 21:05 David Marsh wrote:
>>>>>>>>>>>> Sorry that's :-
>>>>>>>>>>>>
>>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>>> Is it working with this configuration, or just to point out, that
>>>>>>>>>>> you copied the wrong jaas.conf for the mail?
>>>>>>>>>>>
>>>>>>>>>>> Felix
>>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>>
>>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>>
>>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>> };
>>>>>>>>>>>>>
>>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>>> };
>>>>>>>>>>>>>
>>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>>
>>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>>
>>>>>>>>>>>>> [realms]
>>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>>> }
>>>>>>>>>>>>>
>>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>>>> Directory.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>>
>>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>>>
>>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>>>> times.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
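The quoted trace fails in Java's GSSHeader parser with "GSSHeader did not find the right tag": that parser accepts only a GSS-API InitialContextToken, whose first byte is the APPLICATION 0 tag 0x60, while a SPNEGO NegTokenResp (0xA1) or a bare NTLMSSP blob does not start that way. This added example (not code from the thread or from Tomcat) classifies what a base64 Negotiate header value actually carries; SERVER_CHALLENGE is the WWW-Authenticate value David quotes in the thread, the other samples are constructed.

```python
"""Classify the token carried in an HTTP "Negotiate <base64>" header value.
Added example; SERVER_CHALLENGE is quoted from the thread, other samples are constructed."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS Kerberos (legacy)",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def read_tlv(buf, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der(tag, content):
    """Encode a short-form DER TLV (only used to build the constructed sample)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def mech_name(oid_raw):
    oid = decode_oid(oid_raw)
    return MECH_NAMES.get(oid, oid)

def oid_names(seq):
    """Names of every OID inside the body of a SEQUENCE OF OID."""
    names, pos = [], 0
    while pos < len(seq):
        _, oid_raw, pos = read_tlv(seq, pos)
        names.append(mech_name(oid_raw))
    return names

def describe_negotiate_token(b64):
    """Describe the outermost structure of a base64 token from a Negotiate header."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):             # NTLM sent bare, without SPNEGO wrapping
        return {"kind": "raw NTLM", "mechs": ["NTLMSSP"]}
    tag, body, _ = read_tlv(tok)
    if tag == 0x60:                                 # InitialContextToken: mech OID + inner token
        _, oid_raw, inner_pos = read_tlv(body)
        if decode_oid(oid_raw) != SPNEGO_OID:
            return {"kind": "GSS initial token", "mechs": [mech_name(oid_raw)]}
        inner_tag, init, _ = read_tlv(body, inner_pos)
        if inner_tag != 0xA0:                       # NegTokenInit is tagged [0]
            return {"kind": "SPNEGO, unexpected inner tag 0x%02x" % inner_tag, "mechs": []}
        out, pos = {"kind": "NegTokenInit", "mechs": []}, 0
        _, seq, _ = read_tlv(init)
        while pos < len(seq):
            ftag, fval, pos = read_tlv(seq, pos)
            if ftag == 0xA0:                        # [0] mechTypes: SEQUENCE OF OID
                out["mechs"] = oid_names(read_tlv(fval)[1])
        return out
    if tag == 0xA1:                                 # NegTokenResp: a later round of the exchange
        out, pos = {"kind": "NegTokenResp", "mechs": []}, 0
        _, seq, _ = read_tlv(body)
        while pos < len(seq):
            ftag, fval, pos = read_tlv(seq, pos)
            if ftag == 0xA0:                        # [0] negState ENUMERATED
                state = read_tlv(fval)[1][0]
                out["neg_state"] = NEG_STATE.get(state, state)
            elif ftag == 0xA1:                      # [1] supportedMech OID
                out["mechs"].append(mech_name(read_tlv(fval)[1]))
        return out
    return {"kind": "unknown, first byte 0x%02x" % tag, "mechs": []}

# WWW-Authenticate value quoted in the thread (server asks the client to continue with Kerberos)
SERVER_CHALLENGE = "oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
# Constructed: prefix of a bare NTLM Type 1 message, as some clients send inside "Negotiate"
NTLM_SAMPLE = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def negtokeninit_sample():
    """Constructed NegTokenInit offering Kerberos and NTLM with a dummy mechToken."""
    mechs = b"".join(der(0x06, encode_oid(o)) for o in
                     ("1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"))
    fields = der(0xA0, der(0x30, mechs)) + der(0xA2, der(0x04, b"\x60\x00"))
    return base64.b64encode(der(0x60, der(0x06, encode_oid(SPNEGO_OID))
                                + der(0xA0, der(0x30, fields)))).decode()
```

Run describe_negotiate_token on each Authorization value of a failing exchange: only a NegTokenInit (or a Kerberos InitialContextToken) passes the GSSHeader check quoted above.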


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Java's version of kinit seems to report an issue?

C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf>"C:\Program Files\Java\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

----------------------------------------
> From: dmarsh26@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 16:50:47 +0000
>
> It's possible I guess, although I would not expect that.
>
> The test is :-
>
> Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
>
> Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.
>
> Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :-
>
> 1 :- Response WWW-Authenticate: "Negotiate"
>
> 2 :- Request Authorization: "Negotiate <base64 token elided>"
>
> Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
>
> 3 :- Request Authorization: "Negotiate <base64 token elided>"
>
> Response WWW-Authenticate: "Negotiate"
>
> I'm not sure how long they should be, but they all end "=" so expect not truncated ?
>
> ----------------------------------------
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> From: felix.schumacher@internetallee.de
>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>> To: users@tomcat.apache.org
>>
>>
>>
>> On 25 March 2015 17:25:25 CET, David Marsh <dm...@outlook.com> wrote:
>>>This is how the keytab was created :-
>>>
>>>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
>>>
>>>The password is the correct password for the user tc01 associated with
>>>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>
>>>I managed to turn on some more logging around JAAS, see the error :-
>>>java.security.PrivilegedActionException: GSSException: Defective token detected
>> Do you talk directly to Tomcat, or is there any kind of proxy in between?
>> Could the header be truncated?
>>
>> Felix
>>>
>>>25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>>>25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>>25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>>25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>>25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>>25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>>Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 78; type: 23
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>>>Loaded from Java config
>>>Added key: 23version: 3
>>>>>> KdcAccessibility: reset
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>KRBError:
>>>sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>>suSec is 701709
>>>error code is 25
>>>error Message is Additional pre-authentication required
>>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>eData provided.
>>>msgType is 30
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>> KrbKdcReq send: #bytes read=100
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Will use keytab
>>>Commit Succeeded
>>>
>>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.spnego.SpNegoCredElement)
>>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.krb5.Krb5AcceptCredential)
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>>krbtgt/KERBTEST.LOCAL@KERBTEST
>>>.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>>[Krb5LoginModule]: Entering logout
>>>[Krb5LoginModule]: logged out Subject
>>>25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Failed authenticate() test
>>>25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Security checking request GET /manager/html
>>>25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>>against GET /html --> false
>>>25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>>interface]' against GET /html --> fal
>>>se
>>>25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>>interface (for scripts)]' against
>>>GET /html --> false
>>>25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.findSecurityC
>>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>>interface (for humans)]' against G
>>>ET /html --> true
>>>25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling hasUserDataPermission()
>>>25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>>rmission User data constraint has no restrictions
>>>25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3]
>>>org.apache.catalina.authenticator.AuthenticatorBa
>>>se.invoke Calling authenticate()
>>>Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>164
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>timeout=30000,Attempt =1, #bytes=164
>>>>>> KrbKdcReq send: #bytes read=185
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>KRBError:
>>>sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>>suSec is 935731
>>>error code is 25
>>>error Message is Additional pre-authentication required
>>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>>eData provided.
>>>msgType is 30
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 11
>>>PA-ETYPE-INFO etype = 23, salt =
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 19
>>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 2
>>>PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>>PA-DATA type = 15
>>>
>>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>> KrbKdcReq send: #bytes read=100
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>>number of retries =3, #bytes=
>>>247
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>>timeout=30000,Attempt =1, #bytes=247
>>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>>> KrbKdcReq send: #bytes read=1475
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Added key: 23version: 3
>>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Will use keytab
>>>Commit Succeeded
>>>
>>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.spnego.SpNegoCredElement)
>>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>>>sun.security.jgss.krb5.Krb5AcceptCredential)
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found KeyTab C:\keytab\tomcat.keytab for
>>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>>krbtgt/KERBTEST.LOCAL@KERBTEST
>>>.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>>25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>>java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>at java.security.AccessController.doPrivileged(Native Method)
>>>at javax.security.auth.Subject.doAs(Subject.java:422)
>>>at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>>at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>>at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>>at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>>at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>>at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>>at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>>at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>>at java.lang.Thread.run(Thread.java:745)
>>>Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>>at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>>at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>>at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>>at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>>... 18 more
>>>
>>>[Krb5LoginModule]: Entering logout
>>>[Krb5LoginModule]: logged out Subject
>>>25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>>
>>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>>> From: felix.schumacher@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>
>>>> On 25.03.2015 16:09, David Marsh wrote:
>>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>>
>>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>>
>>>>> C:\Users\test.KERBTEST.000>klist
>>>>>
>>>>> Current LogonId is 0:0x2fd7a
>>>>>
>>>>> Cached Tickets: (2)
>>>>>
>>>>> #0> Client: test @ KERBTEST.LOCAL
>>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial
>>>>> pre_authent nam
>>>>> e_canonicalize
>>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>>> Cache Flags: 0x1 -> PRIMARY
>>>>> Kdc Called: 192.168.0.200
>>>>>
>>>>> #1> Client: test @ KERBTEST.LOCAL
>>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
>>>>> name_canoni
>>>>> calize
>>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>>> End Time: 3/26/2015 0:46:43 (local)
>>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>>> Cache Flags: 0
>>>>> Kdc Called: 192.168.0.200
>>>>>
>>>>> Looks like I was granted a ticket for the SPN
>>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>>
>>>>> If I have a ticket why do I get 401 ?
>>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>>> by firefox for authentication. Firefox transmits
>>>> this service ticket to the server (as base64 encoded in the
>>>> WWW-Authenticate header).
>>>>
>>>> Your server has to decrypt this ticket using its own ticket to get at
>>>> the user information. This is where your problems arise.
>>>> It looks like your server has trouble getting its own ticket.
>>>>
>>>> Are you sure that the password you used for keytab generation (on the
>>>> server side) is correct? ktpass will probably accept
>>>> any input as a password. Maybe you can check the keytab by using kinit
>>>> (though I don't know if it exists for windows, or how
>>>> the java one is used).
>>>>
>>>> Felix
>>>>
>>>>>
>>>>> ----------------------------------------
>>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>>> From: markt@apache.org
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>>> Hi Felix,
>>>>>>> Thanks for your help!
>>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>>> startup.bat and also added the same definitions to the Java
>>>>>>> parameters in the Configure Tomcat tool. I definitely got more
>>>>>>> information when using startup.bat, not sure the settings get
>>>>>>> picked up by the windows service ?
>>>>>>> I do not think authentication completes, certainly authorization
>>>>>>> does not as I can't see the site and get 401 http status.
>>>>>>> I have not configured a tomcat realm but I have put the test user
>>>>>>> in a manager-gui group in Active Directory.
>>>>>>
>>>>>> I've only given your config a quick scan, but the thing that jumps
>>>>>> out at me is spaces in some of the paths. I'm not sure how well
>>>>>> krb5.ini will handle those. It might be fine. It might not be.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>>> David
>>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>>> Everything is as described and still not working, except the
>>>>>>>>> jaas.conf is :-
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>>
>>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>
>>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>>> Sorry, that's :-
>>>>>>>>>>>
>>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>>> Is it working with this configuration, or just to point out
>>>>>>>>>> that you copied the wrong jaas.conf for the mail?
>>>>>>>>>>
>>>>>>>>>> Felix
>>>>>>>>>>> ----------------------------------------
>>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>>
>>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>>
>>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>>
>>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>>>
>>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>>
>>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>>
>>>>>>>>>>>> jaas.conf
>>>>>>>>>>>>
>>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>> };
>>>>>>>>>>>>
>>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>>> storeKey=true;
>>>>>>>>>>>> };
>>>>>>>>>>>>
>>>>>>>>>>>> krb5.ini
>>>>>>>>>>>>
>>>>>>>>>>>> [libdefaults]
>>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>>> forwardable=true
>>>>>>>>>>>>
>>>>>>>>>>>> [realms]
>>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with
>>>>>>>>>>>> Active Directory.
>>>>>>>>>>>>
>>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>>
>>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>>
>>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>>
>>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL
>>>>>>>>>>>> /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass
>>>>>>>>>>>> /kvno 0
>>>>>>>>>>>>
>>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after
>>>>>>>>>>>> ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>>
>>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>>
>>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401
>>>>>>>>>>>> three times.
>>>>>>>>>>>>
>>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
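Felix's reply above describes the exchange only in words: the browser base64-encodes a GSS-API token into the Negotiate header, and Tomcat's JGSS acceptor rejects it with "GSSHeader did not find the right tag" when the token does not start with the 0x60 GSS-API header byte. The following Python is an added example, not code from this thread or from Tomcat: it decodes a `Negotiate <base64>` header value, recognises a GSS-API InitialContextToken (0x60, RFC 2743), a SPNEGO NegTokenResp (0xa1, RFC 4178) and a raw NTLMSSP message, and reports the negotiation state and mechanism OIDs. The response token it decodes is the `WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==` value quoted later in this thread; the two client-side tokens are constructed here for illustration and are not the ones the browser sent.

```python
import base64
import re

# DER-encoded OID contents (the bytes after the 0x06 tag and length).
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
             MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

# Response token quoted in this thread (Tomcat's WWW-Authenticate on the second 401).
THREAD_RESPONSE_HEADER = "Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:start + length], start + length


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample tokens below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid_name(oid: bytes) -> str:
    return OID_NAMES.get(oid, "oid:" + oid.hex())


def _mech_types(neg_token_init: bytes) -> list:
    """NegTokenInit (RFC 4178 4.2.1): [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }.
    Returns the mechanisms the client offers, in its preference order."""
    tag, seq_tlv, _ = _read_tlv(neg_token_init, 0)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit [0]")
    _, fields, _ = _read_tlv(seq_tlv, 0)
    mechs, pos = [], 0
    while pos < len(fields):
        ctx, content, pos = _read_tlv(fields, pos)
        if ctx == 0xA0:                                  # mechTypes
            _, oids, _ = _read_tlv(content, 0)
            p = 0
            while p < len(oids):
                t, oid, p = _read_tlv(oids, p)
                if t == 0x06:
                    mechs.append(_oid_name(oid))
    return mechs


def _parse_neg_token_resp(token: bytes) -> dict:
    """NegTokenResp (RFC 4178 4.2.2): [1] SEQUENCE { negState [0] ENUMERATED,
    supportedMech [1] OID, responseToken [2] OCTET STRING, mechListMIC [3] }."""
    _, seq_tlv, _ = _read_tlv(token, 0)
    tag, fields, _ = _read_tlv(seq_tlv, 0)
    if tag != 0x30:
        raise ValueError("NegTokenResp: expected SEQUENCE")
    result = {"kind": "NegTokenResp", "neg_state": None, "mech": None, "has_response_token": False}
    pos = 0
    while pos < len(fields):
        ctx, content, pos = _read_tlv(fields, pos)
        if ctx == 0xA0 and content[:2] == b"\x0a\x01":
            result["neg_state"] = NEG_STATES.get(content[2], str(content[2]))
        elif ctx == 0xA1 and content[:1] == b"\x06":
            _, oid, _ = _read_tlv(content, 0)
            result["mech"] = _oid_name(oid)
        elif ctx == 0xA2:
            result["has_response_token"] = True
    return result


def classify_negotiate_token(header_value: str) -> dict:
    """Decode the token in a 'Negotiate <base64>' header value and say what it is."""
    m = re.fullmatch(r"\s*Negotiate\s+([A-Za-z0-9+/]+=*)\s*", header_value)
    if not m:
        raise ValueError("not a Negotiate header carrying a token")
    token = base64.b64decode(m.group(1), validate=True)
    if token.startswith(b"NTLMSSP\x00"):
        # Raw NTLM under the Negotiate scheme has no 0x60 GSS-API header, so a
        # Kerberos-only JGSS acceptor cannot parse it and reports a defective token.
        return {"kind": "NTLMSSP", "mech": "NTLMSSP", "mechs_offered": []}
    if not token:
        raise ValueError("empty token")
    if token[0] == 0x60:
        # GSS-API InitialContextToken (RFC 2743 3.1): 0x60 <len> 0x06 <OID> <innerToken>
        _, body, _ = _read_tlv(token, 0)
        tag, oid, pos = _read_tlv(body, 0)
        if tag != 0x06:
            raise ValueError("GSS header: OID expected after tag 0x60")
        result = {"kind": "InitialContextToken", "mech": _oid_name(oid), "mechs_offered": []}
        if oid == SPNEGO_OID:
            result["mechs_offered"] = _mech_types(body[pos:])
        return result
    if token[0] == 0xA1:
        return _parse_neg_token_resp(token)
    return {"kind": "unknown", "mech": None, "mechs_offered": [], "first_byte": f"0x{token[0]:02x}"}


def build_sample_neg_token_init() -> str:
    """Constructed client token: SPNEGO NegTokenInit offering MS Kerberos, Kerberos and NTLMSSP."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in (MS_KRB5_OID, KRB5_OID, NTLMSSP_OID)))
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    return "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID) + neg_token_init)).decode()


def build_sample_ntlm_type1() -> str:
    """Constructed raw NTLMSSP NEGOTIATE message (signature, type 1, zeroed fields), no GSS framing."""
    return "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(28)).decode()


if __name__ == "__main__":
    for hdr in (THREAD_RESPONSE_HEADER, build_sample_neg_token_init(), build_sample_ntlm_type1()):
        print(classify_negotiate_token(hdr))
```

Run against the thread's response header, the classifier reports a NegTokenResp with `accept-incomplete` and `Kerberos V5` as the supported mechanism, which is the server telling the browser to continue with Kerberos. When debugging a "Defective token" failure, paste the client's Authorization value instead: if the result is `NTLMSSP` or `unknown`, the browser never produced a Kerberos token (no service ticket, host not in the trusted-URIs list, or a fallback to NTLM), and the server-side keytab is not the first thing to suspect.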


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
It's possible I guess, although I would not expect that.

The test is :-

Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy, it's all in VMware Workstation 10 using the Vmnet01 virtual network.

Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :-

1 :- Response WWW-Authenticate: "Negotiate"

2 :- Request Authorization: "Negotiate 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"

Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3 :- Request Authorization: "Negotiate 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"

Response WWW-Authenticate: "Negotiate"

I'm not sure how long they should be, but they all end in "=" so I expect they are not truncated ?

----------------------------------------
> Subject: RE: SPNEGO test configuration with Manager webapp
> From: felix.schumacher@internetallee.de
> Date: Wed, 25 Mar 2015 17:31:51 +0100
> To: users@tomcat.apache.org
>
>
>
> On 25 March 2015 17:25:25 CET, David Marsh <dm...@outlook.com> wrote:
>>This is how the keytab was created :-
>>
>>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local
>>/pass tc01pass
>>
>>The password is the correct password for the user tc01 associated with
>>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>
>>I managed to turn on some more logging around JAAS, see the error
>>:- java.security.PrivilegedActionException: GSSException: Defective
>>token detected
> Do you talk directly to Tomcat, or is there any kind of proxy in between?
> Could the header be truncated?
>
> Felix
>>
>>25-Mar-2015 15:46:22.131 INFO [main]
>>org.apache.catalina.core.StandardService.startInternal Starting
>>service Catalina
>>25-Mar-2015 15:46:22.133 INFO [main]
>>org.apache.catalina.core.StandardEngine.startInternal Starting
>>Servlet Engine: Apache Tomcat/8.0.20
>>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deploying web application directory C:\Program Files\Apache
>>Software Foundation\Tomcat 8.0\
>>webapps\docs
>>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deployment of web application directory C:\Program
>>Files\Apache Software Foundation\Tomcat
>>8.0\webapps\docs has finished in 380 ms
>>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deploying web application directory C:\Program Files\Apache
>>Software Foundation\Tomcat 8.0\
>>webapps\manager
>>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1]
>>org.apache.catalina.authenticator.Authenticato
>>rBase.startInternal No SingleSignOn Valve is present
>>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deployment of web application directory C:\Program
>>Files\Apache Software Foundation\Tomcat
>>8.0\webapps\manager has finished in 93 ms
>>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deploying web application directory C:\Program Files\Apache
>>Software Foundation\Tomcat 8.0\
>>webapps\ROOT
>>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deployment of web application directory C:\Program
>>Files\Apache Software Foundation\Tomcat
>>8.0\webapps\ROOT has finished in 59 ms
>>25-Mar-2015 15:46:22.797 INFO [main]
>>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>er ["http-nio-80"]
>>25-Mar-2015 15:46:22.806 INFO [main]
>>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>er ["ajp-nio-8009"]
>>25-Mar-2015 15:46:22.808 INFO [main]
>>org.apache.catalina.startup.Catalina.start Server startup in 72
>>1 ms
>>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Security checking request GET /manager/html
>>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling hasUserDataPermission()
>>25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>rmission User data constraint has no restrictions
>>25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling authenticate()
>>25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.SpnegoAuthentic
>>ator.authenticate No authorization header sent by client
>>25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Failed authenticate() test
>>25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Security checking request GET /manager/html
>>25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling hasUserDataPermission()
>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>rmission User data constraint has no restrictions
>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling authenticate()
>>Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> KeyTab: load() entry length: 78; type: 23
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>8.0\conf\krb5.ini
>>Loaded from Java config
>>Added key: 23version: 3
>>>>> KdcAccessibility: reset
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>number of retries =3, #bytes=
>>164
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>timeout=30000,Attempt =1, #bytes=164
>>>>> KrbKdcReq send: #bytes read=185
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>KRBError:
>>sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>suSec is 701709
>>error code is 25
>>error Message is Additional pre-authentication required
>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>eData provided.
>>msgType is 30
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>default etypes for default_tkt_enctypes: 23 18 17.
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>number of retries =3, #bytes=
>>247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>timeout=30000,Attempt =1, #bytes=247
>>>>> KrbKdcReq send: #bytes read=100
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>number of retries =3, #bytes=
>>247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>timeout=30000,Attempt =1, #bytes=247
>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>> KrbKdcReq send: #bytes read=1475
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Will use keytab
>>Commit Succeeded
>>
>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>>sun.security.jgss.spnego.SpNegoCredElement)
>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>>sun.security.jgss.krb5.Krb5AcceptCredential)
>>Found KeyTab C:\keytab\tomcat.keytab for
>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found KeyTab C:\keytab\tomcat.keytab for
>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>krbtgt/KERBTEST.LOCAL@KERBTEST
>>.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>[Krb5LoginModule]: Entering logout
>>[Krb5LoginModule]: logged out Subject
>>25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Failed authenticate() test
>>25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>>25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>>25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>>Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>>> KrbKdcReq send: #bytes read=185
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>KRBError:
>>sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>suSec is 935731
>>error code is 25
>>error Message is Additional pre-authentication required
>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>eData provided.
>>msgType is 30
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>default etypes for default_tkt_enctypes: 23 18 17.
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>>> KrbKdcReq send: #bytes read=100
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>> KrbKdcReq send: #bytes read=1475
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Will use keytab
>>Commit Succeeded
>>
>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
>>java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>at java.security.AccessController.doPrivileged(Native Method)
>>at javax.security.auth.Subject.doAs(Subject.java:422)
>>at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
>>at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
>>at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
>>at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
>>at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>at java.lang.Thread.run(Thread.java:745)
>>Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
>>at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
>>... 18 more
>>
>>[Krb5LoginModule]: Entering logout
>>[Krb5LoginModule]: logged out Subject
>>25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>>
>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>> From: felix.schumacher@internetallee.de
>>> To: users@tomcat.apache.org
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>
>>> On 25.03.2015 16:09, David Marsh wrote:
>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>
>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>
>>>> C:\Users\test.KERBTEST.000>klist
>>>>
>>>> Current LogonId is 0:0x2fd7a
>>>>
>>>> Cached Tickets: (2)
>>>>
>>>> #0> Client: test @ KERBTEST.LOCAL
>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>> End Time: 3/26/2015 0:46:43 (local)
>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>> Cache Flags: 0x1 -> PRIMARY
>>>> Kdc Called: 192.168.0.200
>>>>
>>>> #1> Client: test @ KERBTEST.LOCAL
>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>> End Time: 3/26/2015 0:46:43 (local)
>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>> Cache Flags: 0
>>>> Kdc Called: 192.168.0.200
>>>>
>>>> Looks like I was granted a ticket for the SPN
>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>
>>>> If I have ticket why do I get 401 ?
>>> Your client has got a service ticket for HTTP/win-tc01... This is
>>> used by firefox for authentication. Firefox transmits
>>> this service ticket to the server (as base64 encoded in the
>>> WWW-Authenticate header).
>>>
>>> Your server has to decrypt this ticket using its own ticket to get at
>>> the user information. This is where your problems arise.
>>> It looks like your server has trouble to get its own ticket.
>>>
>>> Are you sure, that the password you used for keytab generation (on
>>> the server side), is correct? ktpass will probably accept
>>> any input as a password. Maybe you can check the keytab by using
>>> kinit (though I don't know, if it exists for windows, or how
>>> the java one is used).
>>>
>>> Felix
>>>
>>>>
>>>> ----------------------------------------
>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>> From: markt@apache.org
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>> Hi Felix,
>>>>>> Thanks for your help!
>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>> startup.bat and also added the same definitions to the Java
>>>>>> parameters in the Configure Tomcat tool. I definitely got more
>>>>>> information when using startup.bat, not sure the settings get
>>>>>> picked up by the Windows service?
>>>>>> I do not think authentication completes, certainly authorization
>>>>>> does not as I can't see the site and get 401 http status.
>>>>>> I have not configured a tomcat realm but I have put the test user
>>>>>> in a manager-gui group in Active Directory.
>>>>>
>>>>> I've only given your config a quick scan, but the thing that jumps
>>>>> out at me is spaces in some of the paths. I'm not sure how well
>>>>> krb5.ini will handle those. It might be fine. It might not be.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>> David
>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 24.03.2015 at 21:25 David Marsh wrote:
>>>>>>>> Everything is as described and still not working, except the
>>>>>>>> jaas.conf is :-
>>>>>>>>
>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>>
>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>>
>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>
>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> On 24.03.2015 at 21:05 David Marsh wrote:
>>>>>>>>>> Sorry that's :-
>>>>>>>>>>
>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>> Is it working with this configuration, or just to point out, that
>>>>>>>>> you copied the wrong jaas.conf for the mail?
>>>>>>>>>
>>>>>>>>> Felix
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>
>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>
>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>
>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>>
>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>
>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>
>>>>>>>>>>> jaas.conf
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> krb5.ini
>>>>>>>>>>>
>>>>>>>>>>> [libdefaults]
>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>> forwardable=true
>>>>>>>>>>>
>>>>>>>>>>> [realms]
>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>> Directory.
>>>>>>>>>>>
>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>
>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>
>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>
>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>
>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>
>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>
>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>> times.
>>>>>>>>>>>
>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
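The keytab check Felix suggests in the quoted reply above can also be done offline. The following is an added example (Python, not code from this thread or from Tomcat) that parses the 0x0502 keytab format written by ktpass and read by the JDK, and reports per entry the principal as stored, the encryption type, the kvno and the entry length, so the output can be compared against the principal in jaas.conf and against the Krb5LoginModule debug lines ("KeyTab: load() entry length: 78; type: 23", "Added key: 23version: 3"). The sample keytab is constructed in memory with placeholder key bytes; its one rc4-hmac entry for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL serialises to 78 bytes, the same length the log reports, and type 23 is rc4-hmac. To inspect a real file, pass the bytes read from it to check_keytab together with the jaas.conf principal and the enctypes listed in krb5.ini.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Added example, not code from this thread or from Tomcat.
# Parses the 0x0502 keytab format written by ktpass/ktab and read by the JDK.

# RFC 3961 / MIT enctype numbers; type 23 in the log is rc4-hmac.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM" exactly as stored in the file
    name_type: int      # 1 == KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes
    entry_length: int   # the value the JDK prints as "KeyTab: load() entry length"


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp = struct.unpack_from(">II", data, off)
        off += 8
        vno8 = data[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno trailer
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key, size))
        off = end
    return entries


def check_keytab(data: bytes, principal: str,
                 wanted: Iterable[int]) -> Tuple[List[KeytabEntry], Set[int]]:
    """Entries stored for `principal`, and which of the wanted enctypes are absent."""
    mine = [e for e in parse_keytab(data) if e.principal == principal]
    return mine, set(wanted) - {e.enctype for e in mine}


def build_keytab(entries) -> bytes:
    """Serialise (realm, components, name_type, timestamp, kvno, enctype, key) tuples."""
    out = bytearray(b"\x05\x02")
    for realm, comps, name_type, ts, kvno, enctype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + list(comps):
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: one rc4-hmac (23) entry for the SPN used in the thread.
# The 16 key bytes are a placeholder, not derived from any password.
SAMPLE_KEYTAB = build_keytab([
    ("KERBTEST.LOCAL", ["HTTP", "win-tc01.kerbtest.local"], 1, 1427298388, 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    found, missing = check_keytab(
        SAMPLE_KEYTAB, "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL", [23, 18])
    for e in found:
        print(e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype),
              "kvno", e.kvno, "entry length", e.entry_length)
    print("missing enctypes:", sorted(missing) or "none")
```

The principal comparison is exact, so a realm stored in a different case from the one in jaas.conf shows up as "no entries" rather than being silently accepted; that is deliberate, because the file stores whatever ktpass was given on the /princ switch.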
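On the "Defective token detected (Mechanism level: GSSHeader did not find the right tag)" error in the quoted log above: the JDK's GSS-API accepts only an RFC 2743 InitialContextToken, i.e. DER tag 0x60, a length, then the mechanism OID, and throws that exception when the first byte is anything else. The following is an added example (Python, not code from this thread or from Tomcat) that decodes an Authorization: Negotiate value and reports which shape it has: a GSS token and its mechanism (SPNEGO, Kerberos or the Microsoft Kerberos OID), an NTLM message (starts with "NTLMSSP\0", base64 "TlRMTVNT", the fallback Windows browsers use under Negotiate when Kerberos is not chosen), or a token whose DER length does not match what arrived, which is what a header cut short in transit would look like and is one way to answer Felix's later question about a proxy truncating the header. The sample header values are constructed; the inner bytes are placeholders, not real SPNEGO or Kerberos payloads. A value copied from the browser's developer tools, as the thread does, can be passed straight to classify_negotiate.

```python
import base64
from typing import Dict

# Added example, not code from this thread or from Tomcat.

SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (MS legacy)
MECHS = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos", MS_KRB5_OID: "ms-kerberos"}


def _der_length(buf: bytes, off: int):
    """Decode a DER length field at buf[off]; return (length, offset after it)."""
    if off >= len(buf):
        raise ValueError("bad DER length")
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    if n == 0 or n > 4 or off + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def _der_len_bytes(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def make_gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    """RFC 2743 InitialContextToken: 0x60 <len> 0x06 <oidlen> <oid> <inner>."""
    body = b"\x06" + _der_len_bytes(len(mech_oid)) + mech_oid + inner
    return b"\x60" + _der_len_bytes(len(body)) + body


def classify_negotiate(header_value: str) -> Dict[str, object]:
    """Say what kind of token an Authorization header carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    b64 = b64.strip()
    if not b64:
        return {"kind": "empty"}
    try:
        raw = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        return {"kind": "bad-base64", "detail": str(exc)}
    if raw.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm", "message_type": int.from_bytes(raw[8:12], "little")}
    if len(raw) < 2 or raw[0] != 0x60:
        # Exactly the case the JDK reports as "GSSHeader did not find the right tag".
        return {"kind": "defective", "first_byte": raw[0] if raw else None}
    try:
        length, off = _der_length(raw, 1)
    except ValueError as exc:
        return {"kind": "defective", "detail": str(exc)}
    actual = len(raw) - off
    if length > actual:
        return {"kind": "truncated", "declared": length, "actual": actual}
    if length < actual:
        return {"kind": "trailing-data", "declared": length, "actual": actual}
    if length == 0 or raw[off] != 0x06:
        return {"kind": "defective", "detail": "no mechanism OID after GSS header"}
    try:
        oid_len, oid_off = _der_length(raw, off + 1)
    except ValueError as exc:
        return {"kind": "defective", "detail": str(exc)}
    oid = raw[oid_off:oid_off + oid_len]
    return {"kind": "gss", "mech": MECHS.get(oid, "unknown"), "oid": oid.hex()}


# Constructed sample header values. The inner bytes are placeholders, not a
# real NegTokenInit or AP-REQ; the NTLM one is a zero-filled type 1 shape.
_INNER = b"\xa0\x03\x0a\x01\x00"
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(make_gss_token(SPNEGO_OID, _INNER)).decode(),
    "ntlm": "Negotiate " + base64.b64encode(
        b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 20).decode(),
    "truncated": "Negotiate " + base64.b64encode(make_gss_token(SPNEGO_OID, _INNER)[:-3]).decode(),
    "basic": "Basic dXNlcjpwYXNz",
}


def classify_samples() -> Dict[str, Dict[str, object]]:
    return {name: classify_negotiate(value) for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(name, "->", result)
```

The classifier only looks at the outer GSS framing and the mechanism OID; it does not decrypt or validate anything, which is what makes it safe to run on a copied header without the service key.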


RE: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.

On 25 March 2015 17:25:25 CET, David Marsh <dm...@outlook.com> wrote:
>This is how the keytab was created :-
>
>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass
>
>The password is the correct password for the user tc01 associated with
>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>
>I managed to turn on some more logging around JAAS, see the error
>:- java.security.PrivilegedActionException: GSSException: Defective
>token detected
Do you talk directly to Tomcat, or is there any kind of proxy in between? 
Could the header be truncated? 

Felix
>
>25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
>25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
>Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>> KeyTabInputStream, readName(): kerbtest.local
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>> KeyTab: load() entry length: 78; type: 23
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
>Loaded from Java config
>Added key: 23version: 3
>>>> KdcAccessibility: reset
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>>> KrbKdcReq send: #bytes read=185
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>suSec is 701709
>error code is 25
>error Message is Additional pre-authentication required
>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>eData provided.
>msgType is 30
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>>> KrbKdcReq send: #bytes read=100
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>>DEBUG: TCPClient reading 1475 bytes
>>>> KrbKdcReq send: #bytes read=1475
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Will use keytab
>Commit Succeeded
>
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>[Krb5LoginModule]: Entering logout
>[Krb5LoginModule]: logged out Subject
>25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
>25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>against GET /html --> false
>25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>interface]' against GET /html --> fal
>se
>25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[Text Manager
>interface (for scripts)]' against
>GET /html --> false
>25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>interface (for humans)]' against G
>ET /html --> true
>25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>against GET /html --> false
>25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>interface]' against GET /html --> fal
>se
>25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[Text Manager
>interface (for scripts)]' against
>GET /html --> false
>25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.findSecurityC
>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>interface (for humans)]' against G
>ET /html --> true
>25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3]
>org.apache.catalina.authenticator.AuthenticatorBa
>se.invoke Calling hasUserDataPermission()
>25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3]
>org.apache.catalina.realm.RealmBase.hasUserDataPe
>rmission User data constraint has no restrictions
>25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3]
>org.apache.catalina.authenticator.AuthenticatorBa
>se.invoke Calling authenticate()
>Debug is true storeKey true useTicketCache false useKeyTab true
>doNotPrompt true ticketCache is nul
>l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config
>is false principal is HTTP/wi
>n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass
>is false storePass is false
>clearPass is false
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>number of retries =3, #bytes=
>164
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>timeout=30000,Attempt =1, #bytes=164
>>>> KrbKdcReq send: #bytes read=185
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
>sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>suSec is 935731
>error code is 25
>error Message is Additional pre-authentication required
>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>eData provided.
>msgType is 30
>>>>Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
>>>>Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>>Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
>>>>Pre-Authentication Data:
>PA-DATA type = 16
>
>>>>Pre-Authentication Data:
>PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>number of retries =3, #bytes=
>247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>timeout=30000,Attempt =1, #bytes=247
>>>> KrbKdcReq send: #bytes read=100
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>number of retries =3, #bytes=
>247
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>timeout=30000,Attempt =1, #bytes=247
>>>>DEBUG: TCPClient reading 1475 bytes
>>>> KrbKdcReq send: #bytes read=1475
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Added key: 23version: 3
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Will use keytab
>Commit Succeeded
>
>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab C:\keytab\tomcat.keytab for
>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found KeyTab C:\keytab\tomcat.keytab for
>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>krbtgt/KERBTEST.LOCAL@KERBTEST
>.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3]
>org.apache.catalina.authenticator.SpnegoAuthentic
>ator.authenticate Unable to login as the service principal
>java.security.PrivilegedActionException: GSSException: Defective token
>detected (Mechanism level: G
>SSHeader did not find the right tag)
>at java.security.AccessController.doPrivileged(Native Method)
>at javax.security.auth.Subject.doAs(Subject.java:422)
>at
>org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
>va:243)
>at
>org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>at
>org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>at
>org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>at
>org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>
>at
>org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>at
>org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>at
>org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108
>6)
>at
>org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
>a:659)
>at
>org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto
>col.java:223)
>at
>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>at
>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>at
>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>at
>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>at
>org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>at java.lang.Thread.run(Thread.java:745)
>Caused by: GSSException: Defective token detected (Mechanism level:
>GSSHeader did not find the right
>tag)
>at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>at
>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>at
>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>at
>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>r.java:336)
>at
>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>r.java:323)
>... 18 more
>
>[Krb5LoginModule]: Entering logout
>[Krb5LoginModule]: logged out Subject
>25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3]
>org.apache.catalina.authenticator.AuthenticatorBa
>se.invoke Failed authenticate() test
>
>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>> From: felix.schumacher@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>>
>> Am 25.03.2015 16:09, schrieb David Marsh:
>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>
>>> Ran klist on client after firefox test and the three 401 responses :-
>>>
>>> C:\Users\test.KERBTEST.000>klist
>>>
>>> Current LogonId is 0:0x2fd7a
>>>
>>> Cached Tickets: (2)
>>>
>>> #0> Client: test @ KERBTEST.LOCAL
>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>>> Start Time: 3/25/2015 14:46:43 (local)
>>> End Time: 3/26/2015 0:46:43 (local)
>>> Renew Time: 4/1/2015 14:46:43 (local)
>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>> Cache Flags: 0x1 -> PRIMARY
>>> Kdc Called: 192.168.0.200
>>>
>>> #1> Client: test @ KERBTEST.LOCAL
>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>>> Start Time: 3/25/2015 14:51:21 (local)
>>> End Time: 3/26/2015 0:46:43 (local)
>>> Renew Time: 4/1/2015 14:46:43 (local)
>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>> Cache Flags: 0
>>> Kdc Called: 192.168.0.200
>>>
>>> Looks like I was granted a ticket for the SPN
>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>
>>> If I have ticket why do I get 401 ?
>> Your client has got a service ticket for HTTP/win-tc01... This is used
>> by firefox for authentication. Firefox transmits
>> this service ticket to the server (as base64 encoded in the
>> WWW-Authenticate header).
>>
>> Your server has to decrypt this ticket using its own ticket to get at
>> the user information. This is where your problems arise.
>> It looks like your server has trouble getting its own ticket.
>>
>> Are you sure, that the password you used for keytab generation (on the
>> server side), is correct? ktpass will probably accept
>> any input as a password. Maybe you can check the keytab by using kinit
>> (though I don't know, if it exists for windows, or how
>> the java one is used).
>>
>> Felix
>>
>>>
>>> ----------------------------------------
>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>> From: markt@apache.org
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>> Hi Felix,
>>>>> Thanks for your help!
>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>> startup.bat and also added the same definitions to the Java
>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>> windows service ?
>>>>> I do not think authentication completes, certainly authorization does
>>>>> not as I can't see the site and get 401 http status.
>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>> manager-gui group in Active Directory.
>>>>
>>>> I've only given your config a quick scan, but the thing that jumps out
>>>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>>>> will handle those. It might be fine. It might not be.
>>>>
>>>> Mark
>>>>
>>>>
>>>>> David
>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>> From: felix.schumacher@internetallee.de
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>>>>>> Everything is as described and still not working, except the
>>>>>>> jaas.conf is :-
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>
>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>
>>>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>>>>>> Sorry that's :-
>>>>>>>>>
>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>> Is it working with this configuration, or just to point out, that you
>>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>>
>>>>>>>> Felix
>>>>>>>>> ----------------------------------------
>>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>
>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>
>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>
>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>
>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>
>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>
>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>
>>>>>>>>>> jaas.conf
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>> doNotPrompt=true
>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> useKeyTab=true
>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>> storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>> doNotPrompt=true
>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> useKeyTab=true
>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>> storeKey=true;
>>>>>>>>>> };
>>>>>>>>>>
>>>>>>>>>> krb5.ini
>>>>>>>>>>
>>>>>>>>>> [libdefaults]
>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>> forwardable=true
>>>>>>>>>>
>>>>>>>>>> [realms]
>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>> Directory.
>>>>>>>>>>
>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>> instructions as possible.
>>>>>>>>>>
>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>
>>>>>>>>>> Spn was created as instructed
>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>
>>>>>>>>>> keytab was created as instructed
>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>
>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>
>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>
>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>> times.
>>>>>>>>>>
>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
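
Felix's explanation above (the browser sends its service ticket base64-encoded and the server must unwrap it with its own keytab) and the quoted "GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)" concern the same bytes: the token the browser puts in the Authorization: Negotiate request header after the 401 with WWW-Authenticate: Negotiate. The following is an added example, not code from any participant in this thread nor from Tomcat or the JDK: a small Python checker that decodes such a header and reports whether the token is an RFC 2743 InitialContextToken (0x60 tag plus a SPNEGO or Kerberos mechanism OID), which is what Java's GSSHeader accepts, or something it rejects, such as an NTLM message; the helper names and every sample header and token body are constructed placeholders, not real tickets.

```python
"""Diagnose the token in an HTTP "Authorization: Negotiate <base64>" header.

Added example (not code from this thread, Tomcat or the JDK). Java's
sun.security.jgss.GSSHeader expects an RFC 2743 InitialContextToken:
the ASN.1 APPLICATION 0 tag (0x60), a DER length, then the mechanism OID.
Anything else, e.g. an NTLM message starting with "NTLMSSP\\0", produces
the "Defective token detected ... GSSHeader did not find the right tag"
error seen in the thread. All tokens below are constructed placeholders.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KNOWN_MECHS = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos5", MS_KRB5_OID: "ms-kerberos5"}


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n):
    """Encode n as a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    if not raw:
        raise ValueError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value):
    """Return {"verdict": ..., "mech": ...} for an Authorization header value.

    verdict is one of: not-negotiate, bad-base64, ntlm, defective, gss.
    Only "gss" tokens can be consumed by a Kerberos/SPNEGO acceptor.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return {"verdict": "not-negotiate", "mech": None}
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return {"verdict": "bad-base64", "mech": None}
    if token.startswith(b"NTLMSSP\x00"):
        # Browser fell back to NTLM: not a GSS token, Java GSSHeader rejects it.
        return {"verdict": "ntlm", "mech": None}
    if not token or token[0] != 0x60:
        return {"verdict": "defective", "mech": None}
    try:
        body_len, pos = _der_length(token, 1)
        if pos + body_len != len(token) or token[pos] != 0x06:
            return {"verdict": "defective", "mech": None}
        oid_len, pos = _der_length(token, pos + 1)
        oid = decode_oid(token[pos:pos + oid_len])
    except (IndexError, ValueError):
        return {"verdict": "defective", "mech": None}
    return {"verdict": "gss", "mech": KNOWN_MECHS.get(oid, "unknown:" + oid)}


def build_gss_token(oid_bytes, inner):
    """Wrap inner bytes in an InitialContextToken header (constructed sample)."""
    body = b"\x06" + _der_encode_length(len(oid_bytes)) + oid_bytes + inner
    return b"\x60" + _der_encode_length(len(body)) + body


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers; the inner bytes are filler, not real tickets.
SAMPLE_HEADERS = {
    "spnego": _header(build_gss_token(bytes.fromhex("2b0601050502"), bytes(200))),
    "kerberos": _header(build_gss_token(bytes.fromhex("2a864886f712010202"),
                                        b"\x01\x00" + bytes(40))),
    "ntlm": _header(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)),
    "garbage": _header(b"\x30\x05\x02\x03\x01\x02\x03"),
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:9s} -> {classify_negotiate_token(value)}")
```

Run against the header value captured from the browser's first authenticated request (the one Tomcat logs as "Calling authenticate()"); a verdict of "ntlm" or "defective" explains a "GSSHeader did not find the right tag" failure before the keytab is even consulted.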


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
This is how the keytab was created :-

ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass

The password is the correct password for the user tc01 associated with the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local

I managed to turn on some more logging around JAAS, see the error :- java.security.PrivilegedActionException: GSSException: Defective token detected

25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting
service Catalina
25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting
Servlet Engine: Apache Tomcat/8.0.20
25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\
webapps\docs
25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat
8.0\webapps\docs has finished in 380 ms
25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\
webapps\manager
25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.Authenticato
rBase.startInternal No SingleSignOn Valve is present
25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat
8.0\webapps\manager has finished in 93 ms
25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\
webapps\ROOT
25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat
8.0\webapps\ROOT has finished in 59 ms
25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
er ["http-nio-80"]
25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
er ["ajp-nio-8009"]
25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 72
1 ms
25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> fal
se
25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> fal
se
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthentic
ator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> fal
se
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> fal
se
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is nul
l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/wi
n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false
clearPass is false
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=
164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
suSec is 701709
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
suSec is 935731
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
... 18 more

[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

> Date: Wed, 25 Mar 2015 16:48:10 +0100
> From: felix.schumacher@internetallee.de
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
>
> On 25.03.2015 16:09, David Marsh wrote:
>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>> tc01@KERTEST.LOCAL, still same symptoms.
>>
>> Ran klist on client after firefox test and the three 401 responses. :-
>>
>> C:\Users\test.KERBTEST.000>klist
>>
>> Current LogonId is 0:0x2fd7a
>>
>> Cached Tickets: (2)
>>
>> #0> Client: test @ KERBTEST.LOCAL
>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>> Ticket Flags 0x40e10000 -> forwardable renewable initial
>> pre_authent nam
>> e_canonicalize
>> Start Time: 3/25/2015 14:46:43 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>> Cache Flags: 0x1 -> PRIMARY
>> Kdc Called: 192.168.0.200
>>
>> #1> Client: test @ KERBTEST.LOCAL
>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
>> name_canoni
>> calize
>> Start Time: 3/25/2015 14:51:21 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: RSADSI RC4-HMAC(NT)
>> Cache Flags: 0
>> Kdc Called: 192.168.0.200
>>
>> Looks like I was granted a ticket for the SPN
>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>
>> If I have ticket why do I get 401 ?
> Your client has got a service ticket for HTTP/win-tc01... This is used
> by firefox for authentication. Firefox transmits
> this service ticket to the server (as base64 encoded in the
> WWW-Authenticate header).
>
> Your server has to decrypt this ticket using its own ticket to get at
> the user information. This is where your problems arise.
> It looks like your server has trouble getting its own ticket.
>
> Are you sure that the password you used for keytab generation (on the
> server side) is correct? ktpass will probably accept
> any input as a password. Maybe you can check the keytab by using kinit
> (though I don't know if it exists for Windows, or how
> the Java one is used).
>
> Felix
>
>>
>> ----------------------------------------
>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>> From: markt@apache.org
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24/03/2015 20:47, David Marsh wrote:
>>>> Hi Felix,
>>>> Thanks for your help!
>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>> startup.bat and also added the same definitions to the Java
>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>> when using startup.bat, not sure the settings get picked up by the
>>>> windows service ?
>>>> I do not think authentication completes, certainly authorization does
>>>> not as I can't see the site and get 401 http status.
>>>> I have not configured a tomcat realm but I have put the test user in a
>>>> manager-gui group in Active Directory.
>>>
>>> I've only given your config a quick scan, but the thing that jumps out
>>> at me is spaces in some of the paths. I'm not sure how well
>>> krb5.ini
>>> will handle those. It might be fine. It might not be.
>>>
>>> Mark
>>>
>>>
>>>> David
>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>> From: felix.schumacher@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>> Everything is as described and still not working, except the
>>>>>> jaas.conf is :-
>>>>>>
>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>> 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>>
>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>> 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>>
>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>
>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>> From: felix.schumacher@internetallee.de
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>> Sorry that's :-
>>>>>>>>
>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>> Is it working with this configuration, or just to point out, that
>>>>>>> you
>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>
>>>>>>> Felix
>>>>>>>> ----------------------------------------
>>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>
>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>
>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>
>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>
>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>
>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>
>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>
>>>>>>>>> jaas.conf
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> krb5.ini
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>> default_tkt_enctypes =
>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>> default_tgs_enctypes =
>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>> forwardable=true
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>> Directory.
>>>>>>>>>
>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>> instructions as possible.
>>>>>>>>>
>>>>>>>>> Users were created as instructed.
>>>>>>>>>
>>>>>>>>> SPN was created as instructed
>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>
>>>>>>>>> keytab was created as instructed
>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno
>>>>>>>>> 0
>>>>>>>>>
>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>
>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>
>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>> times.
>>>>>>>>>
>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>>>>>>> 401 response with WWW-Authenticate: Negotiate response http
>>>>>>>>> header.
>>>>>>>>>
>>>>>>>>> The next has an Authorization request http header with long
>>>>>>>>> encrypted string.
>>>>> That means that Tomcat believes it can use Kerberos/SPNEGO and
>>>>> Firefox is able to get a service ticket for the server and sends it
>>>>> back. That far it is looking promising. But I assume the
>>>>> authentication
>>>>> does not complete, right?
>>>>>
>>>>>
>>>>>>>>>
>>>>>>>>> IE still prompts for credentials with a popup, not sure why as
>>>>>>>>> does chrome.
>>>>>>>>> The setting User Authentication, Logon, Automatic Logon only in
>>>>>>>>> Intranet Zone, is selected under trusted sites.
>>>>>>>>>
>>>>>>>>> It seems like authentication is never completed ?
>>>>>>>>>
>>>>>>>>> There are no errors in tomcat logs.
>>>>>>>>>
>>>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That
>>>>> should
>>>>> print out a lot of debug information, which should end up in
>>>>> catalina.out.
>>>>>
>>>>> Felix
>>>>>>>>>
>>>>>>>>> I'm quite happy to help improve the documentation and follow the
>>>>>>>>> instructions, however I have tried that and cannot get a working
>>>>>>>>> basic set up.
>>>>>>>>>
>>>>>>>>> many thanks
>>>>>>>>>
>>>>>>>>> David
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
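The "GSSHeader did not find the right tag" error in the log above is raised by the JDK when the first byte of the token carried in the Authorization: Negotiate header is not the DER [APPLICATION 0] tag (0x60) that an RFC 2743 initial context token begins with. The Python below is an added example, not code from this thread or from Tomcat: it decodes such a header and reports whether the client actually sent a SPNEGO or Kerberos GSS token or something else (a raw NTLMSSP message also travels under the Negotiate scheme and has no GSS header at all). The header values are constructed, and the SPNEGO inner body is a placeholder standing in for a NegTokenInit.

```python
import base64
import binascii

# DER contents of the mechanism OIDs seen in HTTP Negotiate traffic (tag and length stripped).
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "Kerberos V5, Microsoft legacy OID (1.2.840.48018.1.2.2)",
}
NTLM_SIGNATURE = b"NTLMSSP\x00"   # every NTLMSSP message starts with this


def _decode_length(buf, pos):
    """Decode a DER length at buf[pos]; returns (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length form")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_gss_token(mech_oid, inner):
    """RFC 2743 initial context token framing: [APPLICATION 0] { OID mech, inner }.
    Used here only to construct sample input."""
    content = b"\x06" + _encode_length(len(mech_oid)) + mech_oid + inner
    return b"\x60" + _encode_length(len(content)) + content


def classify_negotiate_token(header_value):
    """Describe what an Authorization: Negotiate header actually carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not a Negotiate header"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "undecodable base64"
    if not token:
        return "empty token"
    if token.startswith(NTLM_SIGNATURE):
        return "NTLM token (raw NTLMSSP, no GSS header)"
    if token[0] != 0x60:
        return "not a GSS-API token (first byte 0x%02x, expected 0x60)" % token[0]
    try:
        _, pos = _decode_length(token, 1)
        if token[pos] != 0x06:
            return "GSS header without a mechanism OID"
        oid_len, pos = _decode_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
        if len(oid) != oid_len:
            raise IndexError
    except (IndexError, ValueError):
        return "truncated or malformed GSS header"
    return "GSS-API token, mechanism " + MECH_OIDS.get(bytes(oid), "unknown OID " + oid.hex())


# Constructed sample headers (not captured traffic). The SPNEGO inner body is a stand-in
# for a NegTokenInit, which is enough for the header check performed here.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    wrap_gss_token(bytes.fromhex("2b0601050502"), b"\xa0\x00placeholder-negtokeninit")).decode()
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    NTLM_SIGNATURE + b"\x01\x00\x00\x00" + bytes(28)).decode()   # NTLMSSP type-1 shaped stub

if __name__ == "__main__":
    for h in (SAMPLE_SPNEGO_HEADER, SAMPLE_NTLM_HEADER, "Negotiate AAAA"):
        print(h[:40], "->", classify_negotiate_token(h))
```

Run against the header value copied from the browser's Network tab, the function tells an operator whether the failing request is a GSS token that Tomcat could not process or something that never was a GSS token, which narrows the search to either the server-side credentials or the client's choice of mechanism.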


RE: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.
On 25.03.2015 16:09, David Marsh wrote:
> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
> tc01@KERTEST.LOCAL, still same symptoms.
> 
> Ran klist on client after firefox test and the three 401 responses. :-
> 
>  C:\Users\test.KERBTEST.000>klist
> 
> Current LogonId is 0:0x2fd7a
> 
> Cached Tickets: (2)
> 
> #0>     Client: test @ KERBTEST.LOCAL
>         Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>         Ticket Flags 0x40e10000 -> forwardable renewable initial 
> pre_authent nam
> e_canonicalize
>         Start Time: 3/25/2015 14:46:43 (local)
>         End Time:   3/26/2015 0:46:43 (local)
>         Renew Time: 4/1/2015 14:46:43 (local)
>         Session Key Type: AES-256-CTS-HMAC-SHA1-96
>         Cache Flags: 0x1 -> PRIMARY
>         Kdc Called: 192.168.0.200
> 
> #1>     Client: test @ KERBTEST.LOCAL
>         Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>         KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>         Ticket Flags 0x40a10000 -> forwardable renewable pre_authent 
> name_canoni
> calize
>         Start Time: 3/25/2015 14:51:21 (local)
>         End Time:   3/26/2015 0:46:43 (local)
>         Renew Time: 4/1/2015 14:46:43 (local)
>         Session Key Type: RSADSI RC4-HMAC(NT)
>         Cache Flags: 0
>         Kdc Called: 192.168.0.200
> 
> Looks like I was granted a ticket for the SPN
> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
> 
> If I have ticket why do I get 401 ?
Your client has got a service ticket for HTTP/win-tc01... This is used 
by firefox for authentication. Firefox transmits
this service ticket to the server (as base64 encoded in the 
WWW-Authenticate header).

Your server has to decrypt this ticket using its own ticket to get at 
the user information. This is where your problems arise.
It looks like your server has trouble getting its own ticket.

Are you sure that the password you used for keytab generation (on the
server side) is correct? ktpass will probably accept
any input as a password. Maybe you can check the keytab by using kinit
(though I don't know if it exists for Windows, or how
the Java one is used).

Felix

> 
> ----------------------------------------
>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>> From: markt@apache.org
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>> 
>> On 24/03/2015 20:47, David Marsh wrote:
>>> Hi Felix,
>>> Thanks for your help!
>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>> startup.bat and also added the same definitions to the Java
>>> parameters in Configure Tomcat tool. I definitely got more information
>>> when using startup.bat, not sure the settings get picked up by the
>>> windows service ?
>>> I do not think authentication completes, certainly authorization does
>>> not as I can't see the site and get 401 http status.
>>> I have not configured a tomcat realm but I have put the test user in a
>>> manager-gui group in Active Directory.
>> 
>> I've only given your config a quick scan, but the thing that jumps out
>> at me is spaces in some of the paths. I'm not sure how well
>> krb5.ini
>> will handle those. It might be fine. It might not be.
>> 
>> Mark
>> 
>> 
>>> David
>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>> From: felix.schumacher@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>> 
>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>> Everything is as described and still not working, except the 
>>>>> jaas.conf is :-
>>>>> 
>>>>> com.sun.security.jgss.krb5.initiate {
>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>> doNotPrompt=true
>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>> useKeyTab=true
>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>>>> 8.0/conf/tomcat.keytab"
>>>>> storeKey=true;
>>>>> };
>>>>> 
>>>>> com.sun.security.jgss.krb5.accept {
>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>> doNotPrompt=true
>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>> useKeyTab=true
>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>>>> 8.0/conf/tomcat.keytab"
>>>>> storeKey=true;
>>>>> };
>>>>> 
>>>>> In other words the principal is the tomcat server as it should be.
>>>>> 
>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>> From: felix.schumacher@internetallee.de
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>> 
>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>> Sorry that's :-
>>>>>>> 
>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>> Is it working with this configuration, or just to point out, that 
>>>>>> you
>>>>>> copied the wrong jaas.conf for the mail?
>>>>>> 
>>>>>> Felix
>>>>>>> ----------------------------------------
>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>> 
>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>> 
>>>>>>>> I've created three Windows VMs :-
>>>>>>>> 
>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>> 
>>>>>>>> The Tomcat Server and the Test Client are joined to the same 
>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>> 
>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>> 
>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>> 
>>>>>>>> jaas.conf
>>>>>>>> 
>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>> 
>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>> 
>>>>>>>> krb5.ini
>>>>>>>> 
>>>>>>>> [libdefaults]
>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software 
>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>> default_tkt_enctypes = 
>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>> default_tgs_enctypes = 
>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>> forwardable=true
>>>>>>>> 
>>>>>>>> [realms]
>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>> }
>>>>>>>> 
>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active 
>>>>>>>> Directory.
>>>>>>>> 
>>>>>>>> I have tried to keep the setup as basic and vanilla to the 
>>>>>>>> instructions as possible.
>>>>>>>> 
>>>>>>>> Users were created as instructed.
>>>>>>>> 
>>>>>>>> SPN was created as instructed
>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>> 
>>>>>>>> keytab was created as instructed
>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ 
>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 
>>>>>>>> 0
>>>>>>>> 
>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring 
>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In 
>>>>>>>> firefox I added http://win-tc01.kerbtest.local to 
>>>>>>>> network.negotiate-auth.delegation-uris and 
>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>> 
>>>>>>>> Tomcat is running as a Windows service under the 
>>>>>>>> tc01@kerbtest.local account.
>>>>>>>> 
>>>>>>>> Visiting URL from the Test Client VM :- 
>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three 
>>>>>>>> times.
>>>>>>>> 
>>>>>>>> Looking at the Network tab in developer tools in firefox shows 
>>>>>>>> 401 response with WWW-Authenticate: Negotiate response http 
>>>>>>>> header.
>>>>>>>> 
>>>>>>>> The next has an Authorization request http header with long 
>>>>>>>> encrypted string.
>>>> That means that Tomcat believes it can use Kerberos/SPNEGO and
>>>> Firefox is able to get a service ticket for the server and sends it
>>>> back. That far it is looking promising. But I assume the
>>>> authentication
>>>> does not complete, right?
>>>> 
>>>> 
>>>>>>>> 
>>>>>>>> IE still prompts for credentials with a popup, not sure why as 
>>>>>>>> does chrome.
>>>>>>>> The setting User Authentication, Logon, Automatic Logon only in 
>>>>>>>> Intranet Zone, is selected under trusted sites.
>>>>>>>> 
>>>>>>>> It seems like authentication is never completed ?
>>>>>>>> 
>>>>>>>> There are no errors in tomcat logs.
>>>>>>>> 
>>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That
>>>> should
>>>> print out a lot of debug information, which should end up in 
>>>> catalina.out.
>>>> 
>>>> Felix
>>>>>>>> 
>>>>>>>> I'm quite happy to help improve the documentation and follow the 
>>>>>>>> instructions, however I have tried that and cannot get a working 
>>>>>>>> basic set up.
>>>>>>>> 
>>>>>>>> many thanks
>>>>>>>> 
>>>>>>>> David
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
>> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
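Felix suggests checking the keytab. One check that needs no kinit is to parse the file itself: ktpass writes the MIT version 2 layout (leading bytes 0x05 0x02), which is also what the KeyTabInputStream lines in the debug log are reading. The Python below is an added example, not from this thread or from Tomcat. Its sample keytab is constructed with build_keytab and carries a zero-filled placeholder key; the SPN, enctype 23 (rc4-hmac) and kvno 3 mirror the "Added key: 23version: 3" lines, and the timestamp is the sTime from the KRBError in the log.

```python
import struct
from dataclasses import dataclass

# RFC 3961 enctype numbers, which Krb5LoginModule prints as bare integers ("Added key: 23").
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int        # key material itself is deliberately not retained


def _counted(buf, pos):
    """Read a counted_octet_string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def _counted_enc(b):
    return struct.pack(">H", len(b)) + b


def parse_keytab(data):
    """Parse a version 2 (0x0502) keytab, the layout ktpass writes and Java's KeyTabInputStream reads."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                        # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4 + key_len
        kvno = vno8
        if end - pos >= 4:                  # optional 32-bit kvno, present when the entry has room for it
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key_len))
    return entries


def build_keytab(entries, timestamp=1427298389):
    """Serialise (principal, kvno, enctype, key) tuples in the v2 layout; only used to build the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted_enc(realm.encode())
        for comp in comps:
            body += _counted_enc(comp.encode())
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, expected_principal, kdc_enctypes):
    """Answer what the debug log hinges on: is the SPN present, with which kvno and enctypes,
    and does any of them overlap with the enctypes the KDC advertised in PA-ETYPE-INFO2."""
    matches = [e for e in parse_keytab(data) if e.principal == expected_principal]
    return {
        "present": bool(matches),
        "kvnos": sorted({e.kvno for e in matches}),
        "enctypes": [ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in matches],
        "usable_enctypes": sorted({e.enctype for e in matches} & set(kdc_enctypes)),
    }


# Constructed sample: the 16-byte zero key is a placeholder, not a real RC4 key.
SAMPLE_KEYTAB = build_keytab([("HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL", 3, 23, bytes(16))])

if __name__ == "__main__":
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL", [23, 18, 17]))
```

Pointed at the real file, check_keytab shows at once whether the principal string matches the SPN byte for byte (case and realm included), whether the kvno matches what the KDC holds for the account, and whether the file has any enctype in common with what the KDC offered (etype 23 in this log). It also makes an rc4-only keytab visible, which is worth knowing given that the krb5.ini in the thread lists AES enctypes the account could be moved to.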


Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
David Marsh wrote:
> Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, still same symptoms.
>  
> Ran klist on client after firefox test and the three 401 responses. :-
>  
>  C:\Users\test.KERBTEST.000>klist
> 
> Current LogonId is 0:0x2fd7a
> 
> Cached Tickets: (2)
> 
> #0>     Client: test @ KERBTEST.LOCAL
>         Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>         Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent nam
> e_canonicalize
>         Start Time: 3/25/2015 14:46:43 (local)
>         End Time:   3/26/2015 0:46:43 (local)
>         Renew Time: 4/1/2015 14:46:43 (local)
>         Session Key Type: AES-256-CTS-HMAC-SHA1-96
>         Cache Flags: 0x1 -> PRIMARY
>         Kdc Called: 192.168.0.200
> 
> #1>     Client: test @ KERBTEST.LOCAL
>         Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>         KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>         Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canoni
> calize
>         Start Time: 3/25/2015 14:51:21 (local)
>         End Time:   3/26/2015 0:46:43 (local)
>         Renew Time: 4/1/2015 14:46:43 (local)
>         Session Key Type: RSADSI RC4-HMAC(NT)
>         Cache Flags: 0
>         Kdc Called: 192.168.0.200
> 
> Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
> 
> If I have ticket why do I get 401 ?

Maybe because these things come from 2 different places?
- ticket #0 is a general "ticket-granting ticket" ("krbtgt") obtained by the client 
directly from the KDC
- ticket #1 is a ticket to access HTTP/Tomcat, obtained by the client directly from the 
KDC (after presenting his "ticket-granting ticket")
- the 401 response is a response from Tomcat, when the client tries to access it by 
presenting his HTTP/Tomcat ticket
So the problem could be that Tomcat is unable to validate the client ticket, for some 
reason proper to Tomcat itself, not to the client ticket per se (which is probably valid).

Again, in your (presumably Tomcat) Kerberos log, it looked as if Tomcat was having trouble 
"pre-authenticating" itself, whatever that means. Maybe such a successful 
pre-authentication is a pre-requisite for Tomcat to be able to recognise client tickets to 
itself?


>  
> ----------------------------------------
>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>> From: markt@apache.org
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> On 24/03/2015 20:47, David Marsh wrote:
>>> Hi Felix,
>>> Thanks for your help!
>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the Windows service?
>>> I do not think authentication completes, certainly authorization does not as I can't see the site and get a 401 HTTP status.
>>> I have not configured a Tomcat realm but I have put the test user in a manager-gui group in Active Directory.
>> I've only given your config a quick scan, but the thing that jumps out
>> at me is spaces in some of the paths. I'm not sure how well krb5.ini
>> will handle those. It might be fine. It might not be.
>>
>> Mark
>>
>>
>>> David
>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>> From: felix.schumacher@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>>>> Everything is as described and still not working, except the jaas.conf is :-
>>>>>
>>>>> com.sun.security.jgss.krb5.initiate {
>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>> doNotPrompt=true
>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>> useKeyTab=true
>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>> storeKey=true;
>>>>> };
>>>>>
>>>>> com.sun.security.jgss.krb5.accept {
>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>> doNotPrompt=true
>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>> useKeyTab=true
>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>> storeKey=true;
>>>>> };
>>>>>
>>>>> In other words the principal is the tomcat server as it should be.
>>>>>
>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>> From: felix.schumacher@internetallee.de
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>
>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>>>> Sorry that's :-
>>>>>>>
>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>> Is it working with this configuration, or just to point out, that you
>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>
>>>>>> Felix
>>>>>>> ----------------------------------------
>>>>>>>> From: dmarsh26@outlook.com
>>>>>>>> To: users@tomcat.apache.org
>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>
>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>
>>>>>>>> I've created three Windows VMs :-
>>>>>>>>
>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>
>>>>>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>
>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>
>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>
>>>>>>>> jaas.conf
>>>>>>>>
>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>>
>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>>
>>>>>>>> krb5.ini
>>>>>>>>
>>>>>>>> [libdefaults]
>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>> forwardable=true
>>>>>>>>
>>>>>>>> [realms]
>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>> }
>>>>>>>>
>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>>
>>>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>>>
>>>>>>>> Users were created as instructed.
>>>>>>>>
>>>>>>>> SPN was created as instructed
>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>
>>>>>>>> keytab was created as instructed
>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>
>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>>>>>
>>>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>>>
>>>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>>>
>>>>>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>>>>>
>>>>>>>> The next request has an Authorization HTTP header with a long encrypted string.
>>>> That means that Tomcat believes it can use Kerberos/SPNEGO and
>>>> Firefox is able to get a service ticket for the server and sends it
>>>> back. So far it is looking promising. But I assume the authentication
>>>> does not complete, right?
>>>>
>>>>
>>>>>>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
>>>>>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
>>>>>>>>
>>>>>>>> It seems like authentication is never completed ?
>>>>>>>>
>>>>>>>> There are no errors in tomcat logs.
>>>>>>>>
>>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
>>>> print out a lot of debug information, which should end up in catalina.out.
>>>>
>>>> Felix
>>>>>>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
>>>>>>>>
>>>>>>>> many thanks
>>>>>>>>
>>>>>>>> David
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>>>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
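Following on from André's answer above and the klist output quoted in it: the service ticket in the client's cache only proves that the KDC issued something for HTTP/win-tc01.kerbtest.local. Whether Tomcat can decrypt it depends on the keytab holding a key for exactly that principal, with the kvno the KDC used and an enctype the ticket was actually encrypted with. The script below is an added example, not code from this thread or from Tomcat: it parses the keytab format that ktpass writes (version bytes 05 02), lists principal / kvno / enctype per entry, and checks the accept principal from the jaas.conf against the enctype label that Windows klist prints for the service ticket. The keytab bytes are constructed inside the script with a made-up 16-byte key; the function names and the two small enctype tables are mine, and the klist label table only covers the two types seen in this thread.

```python
import struct

# Kerberos enctype numbers (IANA registry) for the types listed in the thread's krb5.ini.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Labels Windows klist prints for a ticket's enctype; only the two seen in this thread.
KLIST_LABELS = {"RSADSI RC4-HMAC(NT)": 23, "AES-256-CTS-HMAC-SHA1-96": 18}

# Principal from the accept section of the jaas.conf in the thread.
ACCEPT_PRINCIPAL = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                       timestamp: int = 0) -> bytes:
    """One version-0x0502 keytab entry, prefixed with its int32 length.

    Layout: num_components, realm, components..., name_type (1 = NT-PRINCIPAL),
    timestamp, 8-bit vno, keyblock (enctype, key). The optional trailing 32-bit
    vno is written only when the kvno does not fit in 8 bits.
    """
    name, realm = principal.split("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    if kvno > 0xFF:
        body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """Whole keytab file: version bytes 05 02 followed by the entries."""
    return b"\x05\x02" + b"".join(build_keytab_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype, key), ...] from a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            component, pos = _read_counted(data, pos)
            components.append(component.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:            # trailing 32-bit vno, if present, wins
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(components) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def enctypes_for_principal(entries, principal: str):
    """Enctype names the keytab holds for one principal; an empty list means
    Tomcat cannot decrypt any service ticket for that SPN."""
    return sorted(ENCTYPE_NAMES.get(e, str(e)) for p, _v, e, _k in entries if p == principal)


def ticket_decryptable(entries, principal: str, klist_label: str) -> bool:
    """Does the keytab hold a key for the SPN in the enctype klist reports for the ticket?"""
    enctype = KLIST_LABELS.get(klist_label)
    return any(p == principal and e == enctype for p, _v, e, _k in entries)


# Constructed sample keytab: the thread's SPN, kvno 0, a made-up 16-byte RC4 key.
SAMPLE_KEYTAB = build_keytab([(ACCEPT_PRINCIPAL, 0, 23, bytes(range(16)))])

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for principal, kvno, enctype, _key in found:
        print(principal, "kvno", kvno, ENCTYPE_NAMES.get(enctype, enctype))
    print("RC4 ticket decryptable:", ticket_decryptable(found, ACCEPT_PRINCIPAL, "RSADSI RC4-HMAC(NT)"))
```

Pointed at the real C:\keytab\tomcat.keytab instead of the constructed bytes, the script answers the two questions that can be settled offline: is the accept principal spelled exactly as in jaas.conf (the first mail in the thread had win-dc01 in the principal while the SPN was registered for win-tc01), and is there a key of the type the ticket was issued with (here klist shows RSADSI RC4-HMAC(NT), which is enctype 23, the only type the Java debug output found in the keytab). The 78-byte entry the debug log later in the thread reports (KeyTab: load() entry length: 78; type: 23) is exactly what this layout gives for that principal with a 16-byte RC4 key and no trailing 32-bit kvno, so the file itself looks well-formed. What no parser can tell you is whether the key bytes still match the password the KDC holds for the tc01 account, or whether the account's kvno has moved on since the keytab was written; either mismatch produces exactly this symptom of a valid-looking client ticket that the server answers with 401.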


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Put the keytab in c:\keytab\tomcat.keytab, ensured the owner was tc01@KERBTEST.LOCAL, still the same symptoms.
 
Ran klist on the client after the Firefox test and the three 401 responses :-
 
 C:\Users\test.KERBTEST.000>klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0>     Client: test @ KERBTEST.LOCAL
        Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/25/2015 14:46:43 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: 192.168.0.200

#1>     Client: test @ KERBTEST.LOCAL
        Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 3/25/2015 14:51:21 (local)
        End Time:   3/26/2015 0:46:43 (local)
        Renew Time: 4/1/2015 14:46:43 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?

If I have a ticket, why do I get a 401?
 
----------------------------------------
> Date: Tue, 24 Mar 2015 22:46:15 +0000
> From: markt@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks for your help!
>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the Windows service?
>> I do not think authentication completes, certainly authorization does not as I can't see the site and get a 401 HTTP status.
>> I have not configured a Tomcat realm but I have put the test user in a manager-gui group in Active Directory.
>
> I've only given your config a quick scan, but the thing that jumps out
> at me is spaces in some of the paths. I'm not sure how well krb5.ini
> will handle those. It might be fine. It might not be.
>
> Mark
>
>
>> David
>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>> From: felix.schumacher@internetallee.de
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>>> Everything is as described and still not working, except the jaas.conf is :-
>>>>
>>>> com.sun.security.jgss.krb5.initiate {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> com.sun.security.jgss.krb5.accept {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> In other words the principal is the tomcat server as it should be.
>>>>
>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>> From: felix.schumacher@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>>> Sorry that's :-
>>>>>>
>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>> Is it working with this configuration, or just to point out, that you
>>>>> copied the wrong jaas.conf for the mail?
>>>>>
>>>>> Felix
>>>>>> ----------------------------------------
>>>>>>> From: dmarsh26@outlook.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>
>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>
>>>>>>> I've created three Windows VMs :-
>>>>>>>
>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>
>>>>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>>>>
>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>
>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>
>>>>>>> jaas.conf
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> krb5.ini
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> forwardable=true
>>>>>>>
>>>>>>> [realms]
>>>>>>> KERBTEST.LOCAL = {
>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>> }
>>>>>>>
>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>
>>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>>
>>>>>>> Users were created as instructed.
>>>>>>>
>>>>>>> SPN was created as instructed
>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>
>>>>>>> keytab was created as instructed
>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>
>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>>>>
>>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>>
>>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>>
>>>>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>>>>
>>>>>>> The next request has an Authorization HTTP header with a long encrypted string.
>>> That means that Tomcat believes it can use Kerberos/SPNEGO and
>>> Firefox is able to get a service ticket for the server and sends it
>>> back. So far it is looking promising. But I assume the authentication
>>> does not complete, right?
>>>
>>>
>>>>>>>
>>>>>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
>>>>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
>>>>>>>
>>>>>>> It seems like authentication is never completed ?
>>>>>>>
>>>>>>> There are no errors in tomcat logs.
>>>>>>>
>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
>>> print out a lot of debug information, which should end up in catalina.out.
>>>
>>> Felix
>>>>>>>
>>>>>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
>>>>>>>
>>>>>>> many thanks
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>>

Re: SPNEGO test configuration with Manager webapp

Posted by Mark Thomas <ma...@apache.org>.
On 24/03/2015 20:47, David Marsh wrote:
> Hi Felix,
> Thanks for your help!
> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the Windows service?
> I do not think authentication completes, certainly authorization does not as I can't see the site and get a 401 HTTP status.
> I have not configured a Tomcat realm but I have put the test user in a manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out
at me is spaces in some of the paths. I'm not sure how well krb5.ini
will handle those. It might be fine. It might not be.

Mark


> David
>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>> From: felix.schumacher@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>> Everything is as described and still not working, except the jaas.conf is :-
>>>
>>> com.sun.security.jgss.krb5.initiate {
>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>      doNotPrompt=true
>>>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>      useKeyTab=true
>>>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>      storeKey=true;
>>> };
>>>
>>> com.sun.security.jgss.krb5.accept {
>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>      doNotPrompt=true
>>>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>      useKeyTab=true
>>>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>      storeKey=true;
>>> };
>>>
>>> In other words the principal is the tomcat server as it should be.
>>>
>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>> From: felix.schumacher@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>> Sorry that's :-
>>>>>
>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>> Is it working with this configuration, or just to point out, that you
>>>> copied the wrong jaas.conf for the mail?
>>>>
>>>> Felix
>>>>> ----------------------------------------
>>>>>> From: dmarsh26@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>
>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>
>>>>>> I've created three Windows VMs :-
>>>>>>
>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>
>>>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>>>
>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>
>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>
>>>>>> jaas.conf
>>>>>>
>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>>
>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>>
>>>>>> krb5.ini
>>>>>>
>>>>>> [libdefaults]
>>>>>> default_realm = KERBTEST.LOCAL
>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>> forwardable=true
>>>>>>
>>>>>> [realms]
>>>>>> KERBTEST.LOCAL = {
>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>> }
>>>>>>
>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>
>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>
>>>>>> Users were created as instructed.
>>>>>>
>>>>>> SPN was created as instructed
>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>
>>>>>> keytab was created as instructed
>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>
>>>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>>>
>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>
>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>
>>>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>>>
>>>>>> The next request has an Authorization HTTP header with a long encrypted string.
>> That means that Tomcat believes it can use Kerberos/SPNEGO and
>> Firefox is able to get a service ticket for the server and sends it
>> back. So far it is looking promising. But I assume the authentication
>> does not complete, right?
>>
>>
>>>>>>
>>>>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
>>>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
>>>>>>
>>>>>> It seems like authentication is never completed ?
>>>>>>
>>>>>> There are no errors in tomcat logs.
>>>>>>
>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
>> print out a lot of debug information, which should end up in catalina.out.
>>
>> Felix
>>>>>>
>>>>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
>>>>>>
>>>>>> many thanks
>>>>>>
>>>>>> David
>>>>>>
>>>>>>


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Hi Felix,
Thanks for your help!
I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in the Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the Windows service?
I do not think authentication completes, certainly authorization does not as I can't see the site and get a 401 HTTP status.
I have not configured a Tomcat realm but I have put the test user in a manager-gui group in Active Directory.
David
> Date: Tue, 24 Mar 2015 21:39:38 +0100
> From: felix.schumacher@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> Am 24.03.2015 um 21:25 schrieb David Marsh:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> > com.sun.security.jgss.krb5.initiate {
> >      com.sun.security.auth.module.Krb5LoginModule required
> >      doNotPrompt=true
> >      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >      useKeyTab=true
> >      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >      storeKey=true;
> > };
> >
> > com.sun.security.jgss.krb5.accept {
> >      com.sun.security.auth.module.Krb5LoginModule required
> >      doNotPrompt=true
> >      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >      useKeyTab=true
> >      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >      storeKey=true;
> > };
> >
> > In other words the principal is the tomcat server as it should be.
> >
> >> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >> From: felix.schumacher@internetallee.de
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> Am 24.03.2015 um 21:05 schrieb David Marsh:
> >>> Sorry that's :-
> >>>
> >>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>> under jaas.conf, it is set to the tomcat server DNS.
> >> Is it working with this configuration, or just to point out, that you
> >> copied the wrong jaas.conf for the mail?
> >>
> >> Felix
> >>> ----------------------------------------
> >>>> From: dmarsh26@outlook.com
> >>>> To: users@tomcat.apache.org
> >>>> Subject: SPNEGO test configuration with Manager webapp
> >>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
> >>>>
> >>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
> >>>>
> >>>> I've created three Windows VMs :-
> >>>>
> >>>> Tomcat Server - Windows 8.1 32 bit VM
> >>>> Test Client - Windows 8.1 32 bit VM
> >>>> Domain Controller - Windows Server 2012 R2 64 bit VM
> >>>>
> >>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
> >>>>
> >>>> The firewall is disabled on the Tomcat Server VM.
> >>>>
> >>>> I've followed the guidelines on the Apache Tomcat website.
> >>>>
> >>>> jaas.conf
> >>>>
> >>>> com.sun.security.jgss.krb5.initiate {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> com.sun.security.jgss.krb5.accept {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> krb5.ini
> >>>>
> >>>> [libdefaults]
> >>>> default_realm = KERBTEST.LOCAL
> >>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
> >>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> forwardable=true
> >>>>
> >>>> [realms]
> >>>> KERBTEST.LOCAL = {
> >>>> kdc = win-dc01.kerbtest.local:88
> >>>> }
> >>>>
> >>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
> >>>>
> >>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
> >>>>
> >>>> Users were created as instructed.
> >>>>
> >>>> SPN was created as instructed
> >>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
> >>>>
> >>>> keytab was created as instructed
> >>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
> >>>>
> >>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
> >>>>
> >>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
> >>>>
> >>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
> >>>>
> >>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
> >>>>
> >>>> The next request has an Authorization HTTP header with a long encrypted string.
> That means that Tomcat believes it can use Kerberos/SPNEGO and
> Firefox is able to get a service ticket for the server and sends it
> back. So far it is looking promising. But I assume the authentication
> does not complete, right?
> 
> 
> >>>>
> >>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
> >>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
> >>>>
> >>>> It seems like authentication is never completed ?
> >>>>
> >>>> There are no errors in tomcat logs.
> >>>>
> >>>> Any ideas what is happening and what I can do to troubleshoot ?
> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
> print out a lot of debug information, which should end up in catalina.out.
> 
> Felix
> >>>>
> >>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
> >>>>
> >>>> many thanks
> >>>>
> >>>> David
> >>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>>> For additional commands, e-mail: users-help@tomcat.apache.org
> >>>>

RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Using startup.bat to launch tomcat :-
runas /env /user:tc01@kerbtest.local "startup.bat"

Here are the logs with the kerberos debug :-

Server startup in 509 ms
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 0
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
         suSec is 441380
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=247
>>>DEBUG: TCPClient reading 1483 bytes
>>> KrbKdcReq send: #bytes read=1483
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
         suSec is 581394
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt=1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt=1, #bytes=247
>>>DEBUG: TCPClient reading 1483 bytes
>>> KrbKdcReq send: #bytes read=1483
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015


> Date: Tue, 24 Mar 2015 21:39:38 +0100
> From: felix.schumacher@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> Am 24.03.2015 um 21:25 schrieb David Marsh:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> > com.sun.security.jgss.krb5.initiate {
> >      com.sun.security.auth.module.Krb5LoginModule required
> >      doNotPrompt=true
> >      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >      useKeyTab=true
> >      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >      storeKey=true;
> > };
> >
> > com.sun.security.jgss.krb5.accept {
> >      com.sun.security.auth.module.Krb5LoginModule required
> >      doNotPrompt=true
> >      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >      useKeyTab=true
> >      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >      storeKey=true;
> > };
> >
> > In other words the principal is the tomcat server as it should be.
> >
> >> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >> From: felix.schumacher@internetallee.de
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> Am 24.03.2015 um 21:05 schrieb David Marsh:
> >>> Sorry that's :-
> >>>
> >>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>> under jaas.conf, it is set to the tomcat server DNS.
> >> Is it working with this configuration, or just to point out, that you
> >> copied the wrong jaas.conf for the mail?
> >>
> >> Felix
> >>> ----------------------------------------
> >>>> From: dmarsh26@outlook.com
> >>>> To: users@tomcat.apache.org
> >>>> Subject: SPNEGO test configuration with Manager webapp
> >>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
> >>>>
> >>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
> >>>>
> >>>> I've created three Windows VMs :-
> >>>>
> >>>> Tomcat Server - Windows 8.1 32 bit VM
> >>>> Test Client - Windows 8.1 32 bit VM
> >>>> Domain Controller - Windows Server 2012 R2 64 bit VM
> >>>>
> >>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
> >>>>
> >>>> The firewall is disabled on the Tomcat Server VM.
> >>>>
> >>>> I've followed the guidelines on the Apache Tomcat website.
> >>>>
> >>>> jaas.conf
> >>>>
> >>>> com.sun.security.jgss.krb5.initiate {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> com.sun.security.jgss.krb5.accept {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> krb5.ini
> >>>>
> >>>> [libdefaults]
> >>>> default_realm = KERBTEST.LOCAL
> >>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
> >>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> >>>> forwardable=true
> >>>>
> >>>> [realms]
> >>>> KERBTEST.LOCAL = {
> >>>> kdc = win-dc01.kerbtest.local:88
> >>>> }
> >>>>
> >>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
> >>>>
> >>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
> >>>>
> >>>> Users were created as instructed.
> >>>>
> >>>> Spn was created as instructed
> >>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
> >>>>
> >>>> keytab was created as instructed
> >>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
> >>>>
> >>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
> >>>>
> >>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
> >>>>
> >>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
> >>>>
> >>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
> >>>>
> >>>> The next has an Authorization request http header with a long encrypted string.
> That means that Tomcat believes it can use Kerberos/SPNEGO and
> Firefox is able to get a service ticket for the server and sends it
> back. So far it is looking promising. But I assume the authentication
> does not complete, right?
> 
> 
> >>>>
> >>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
> >>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
> >>>>
> >>>> It seems like authentication is never completed ?
> >>>>
> >>>> There are no errors in tomcat logs.
> >>>>
> >>>> Any ideas what is happening and what I can do to troubleshoot ?
> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
> print out a lot of debug information, which should end up in catalina.out.
> 
> Felix
> >>>>
> >>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
> >>>>
> >>>> many thanks
> >>>>
> >>>> David
> >>>>
> >>>>
> 
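Added example, not part of the thread: a small Python script that reduces output like the log above (produced with -Dsun.security.krb5.debug=true) to the few facts that decide whether a SPNEGO setup can work. The sample log embedded in it is constructed from the lines above; the marker it looks for to detect a validated client AP-REQ (">>> KrbApReq: authenticate succeed.") is an assumption about the JDK's debug output, not something shown in this thread. On the sample it reports that the keytab holds only an rc4-hmac key with kvno 0, that the AES enctype listed in krb5.ini has no matching key, that KDC error 25 is the normal pre-authentication round trip rather than a failure, that the service account's own TGT request succeeded (so keytab, KDC address and clock are fine), and that no browser token was ever validated.

```python
import re

# Kerberos encryption-type numbers (RFC 3961 registry).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}

# Line shapes printed by sun.security.krb5 under -Dsun.security.krb5.debug=true.
# The JDK really prints "Added key: 23version: 0" with no space before "version".
LOOKING_RE = re.compile(r"^Looking for keys for: (\S+)")
KEY_RE = re.compile(r"^Added key: (\d+)version: (\d+)")
ETYPES_RE = re.compile(r"^default etypes for default_tkt_enctypes: ([\d ]+)\.")
ERR_CODE_RE = re.compile(r"^\s*error code is (\d+)")
ERR_MSG_RE = re.compile(r"^\s*error Message is (.+)$")
AS_REP_RE = re.compile(r"^>>> KrbAsRep cons in KrbAsReq\.getReply (\S+)")
# Assumed marker for a client AP-REQ that passed validation on the accept side.
AP_REQ_OK = ">>> KrbApReq: authenticate succeed."


def summarize_krb5_debug(text):
    """Reduce a krb5 debug log to the facts that decide whether SPNEGO can work."""
    s = {"principals": set(), "keys": set(), "requested_etypes": [],
         "kdc_errors": [], "as_rep_for": set(), "ap_req_ok": False}
    pending_code = None
    for line in text.splitlines():
        if m := LOOKING_RE.match(line):
            s["principals"].add(m.group(1))
        elif m := KEY_RE.match(line):
            s["keys"].add((int(m.group(1)), int(m.group(2))))      # (etype, kvno)
        elif m := ETYPES_RE.match(line):
            s["requested_etypes"] = [int(x) for x in m.group(1).split()]
        elif m := ERR_CODE_RE.match(line):
            pending_code = int(m.group(1))
        elif (m := ERR_MSG_RE.match(line)) and pending_code is not None:
            s["kdc_errors"].append((pending_code, m.group(1).strip()))
            pending_code = None
        elif m := AS_REP_RE.match(line):
            s["as_rep_for"].add(m.group(1))
        elif line.startswith(AP_REQ_OK):
            s["ap_req_ok"] = True
    return s


def _name(etype):
    return ETYPE_NAMES.get(etype, str(etype))


def findings(s):
    """Turn the summary into the observations an operator acts on."""
    out = []
    keytab_etypes = {etype for etype, _ in s["keys"]}
    if keytab_etypes and keytab_etypes <= WEAK_ETYPES:
        out.append("keytab holds only weak key types: " + ", ".join(map(_name, sorted(keytab_etypes))))
    missing = [e for e in s["requested_etypes"] if e not in keytab_etypes]
    if missing:
        out.append("enctypes offered by krb5.ini with no matching keytab key: " + ", ".join(map(_name, missing)))
    if any(kvno == 0 for _, kvno in s["keys"]):
        out.append("keytab key version is 0 (ktpass /kvno 0); compare with the account's current kvno")
    for code, msg in s["kdc_errors"]:
        if code == 25:
            out.append("KDC error 25 (pre-authentication required) is the normal first AS-REQ round trip, not a failure")
        else:
            out.append(f"KDC error {code}: {msg}")
    if s["as_rep_for"]:
        out.append("service principal obtained a TGT (" + ", ".join(sorted(s["as_rep_for"]))
                   + "): keytab, KDC address and clock are fine")
    if not s["ap_req_ok"]:
        out.append("no validated client AP-REQ in the log: the browser's token never reached or never passed the accept side")
    return out


# Constructed sample, condensed from the debug output quoted in the thread.
SAMPLE_LOG = """\
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015
"""

if __name__ == "__main__":
    for line in findings(summarize_krb5_debug(SAMPLE_LOG)):
        print("-", line)
```

Run it against a real catalina.out instead of SAMPLE_LOG to get the same summary for your own server; the regular expressions only match the line shapes visible above, so anything the JDK prints differently will simply be ignored rather than misreported.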
 		 	   		  

Re: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 24.03.2015 um 21:25 schrieb David Marsh:
> Everything is as described and still not working, except the jaas.conf is :-
>
> com.sun.security.jgss.krb5.initiate {
>      com.sun.security.auth.module.Krb5LoginModule required
>      doNotPrompt=true
>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>      useKeyTab=true
>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>      storeKey=true;
> };
>
> com.sun.security.jgss.krb5.accept {
>      com.sun.security.auth.module.Krb5LoginModule required
>      doNotPrompt=true
>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>      useKeyTab=true
>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>      storeKey=true;
> };
>
> In other words the principal is the tomcat server as it should be.
>
>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>> From: felix.schumacher@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>> Sorry that's :-
>>>
>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>> under jaas.conf, it is set to the tomcat server DNS.
>> Is it working with this configuration, or just to point out, that you
>> copied the wrong jaas.conf for the mail?
>>
>> Felix
>>> ----------------------------------------
>>>> From: dmarsh26@outlook.com
>>>> To: users@tomcat.apache.org
>>>> Subject: SPNEGO test configuration with Manager webapp
>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>
>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>
>>>> I've created three Windows VMs :-
>>>>
>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>> Test Client - Windows 8.1 32 bit VM
>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>
>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>
>>>> The firewall is disabled on the Tomcat Server VM.
>>>>
>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>
>>>> jaas.conf
>>>>
>>>> com.sun.security.jgss.krb5.initiate {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> com.sun.security.jgss.krb5.accept {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> krb5.ini
>>>>
>>>> [libdefaults]
>>>> default_realm = KERBTEST.LOCAL
>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>> forwardable=true
>>>>
>>>> [realms]
>>>> KERBTEST.LOCAL = {
>>>> kdc = win-dc01.kerbtest.local:88
>>>> }
>>>>
>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>
>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>
>>>> Users were created as instructed.
>>>>
>>>> Spn was created as instructed
>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>
>>>> keytab was created as instructed
>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>
>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>
>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>
>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>
>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>
>>>> The next has an Authorization request http header with a long encrypted string.
That means that Tomcat believes it can use Kerberos/SPNEGO and
Firefox is able to get a service ticket for the server and sends it
back. So far it is looking promising. But I assume the authentication
does not complete, right?


>>>>
>>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
>>>>
>>>> It seems like authentication is never completed ?
>>>>
>>>> There are no errors in tomcat logs.
>>>>
>>>> Any ideas what is happening and what I can do to troubleshoot ?
You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
print out a lot of debug information, which should end up in catalina.out.

Felix
>>>>
>>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
>>>>
>>>> many thanks
>>>>
>>>> David
>>>>
>>>>
>>


Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
Hi.
Just nitpicking, but with Kerberos everything has to be "just right" :
Is the keytab file used by Tomcat owned by the user under which Tomcat runs ?
(This may or may not matter under Windows, but it is absolutely mandatory under Linux, so 
you may want to check).

Also verify that your SPNs are really in the form required by Windows AD/Kerberos. I seem 
to remember that there was something special there for the form of the services/hostnames, 
as compared to a Linux-style environment.

tip : (maybe you already did that in a previous post) : there exists a Kerberos 
command-line utility which allows you to check, from the client side, that this client (at the 
Windows level) can log in to the Kerberos DC.  Unfortunately, I do not remember its exact 
name, nor if it is available under Windows. (kinit ?)
(You may need to install the MIT Kerberos binaries for Windows : 
http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html)

tip : in an environment supposed to do SSO, you are right in thinking that if you see a 
login dialog from the browser, it is already a sign that something in the settings is not 
right.  That browser login dialog is kind of a browser's "last resort" if something else 
before did not work.

Related tip : under Linux, there is a Kerberos config file at the webserver level, and 
inside it there is a parameter :
KrbMethodK5Passwd on/off
If "off", you should never see a browser login dialog (*).  If "on", you may see one (but 
see previous tip).
I do not know if the same config file or parameter type is also used under 
windows/Tomcat/Kerberos.
(*) you may instead just see a blank browser page

This is one of the most complete articles I've seen so far, about what settings are 
exactly needed at browser level (and what happens otherwise) :
https://ping.force.com/Support/PingIdentityArticle?id=kA3400000008RiECAU
(make sure that you *really* follow every detail; Kerberos stuff is *really* picky)


More useful pages :
http://web.mit.edu/kerberos/
http://web.mit.edu/kerberos/krb5-1.13/doc/index.html
http://web.mit.edu/kerberos/krb5-latest/doc/user/tkt_mgmt.html#obtaining-tickets-with-kinit
(and display them with klist)

And finally, here is a hodgepodge of pages which I found relevant during a recent bout of 
fighting with Kerberos auth (that was with Apache httpd, not Tomcat, but the underlying 
stuff is the same).  A lot of information is repeated over these pages, and some of it is 
contradictory, but it might save you some hours of browsing anyway :
http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
https://www.drupal.org/node/2123615
http://stackoverflow.com/questions/19842318/apache-kerberos-authentication-client-didnt-delegate-us-their-credential
http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx
https://msdn.microsoft.com/library/aa480609.aspx#wss_ch7_kerbtechsupp_topic5
https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu
http://seriousbirder.com/blogs/apache-with-kerberos-active-directory-authentication/
http://fluxcoil.net/doku.php/software/kerberos/kerberized_apache
http://serverfault.com/questions/641974/apache-kerberos-authentication-to-active-directory-not-happening-is-krb5kdc-er
http://www.websense.com/content/support/library/shared/v76/auth_service_config/test_ie8.aspx
http://www.microhowto.info/howto/add_a_host_or_service_principal_to_a_keytab_using_mit_kerberos.html
http://windowsitpro.com/security/kerberos-active-directory


David Marsh wrote:
> Everything is as described and still not working, except the jaas.conf is :-
> 
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>     useKeyTab=true
>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>     storeKey=true;
> };
> 
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>     useKeyTab=true
>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>     storeKey=true;
> };
> 
> In other words the principal is the tomcat server as it should be.
> 
>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>> From: felix.schumacher@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>> Sorry that's :-
>>>
>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>> under jaas.conf, it is set to the tomcat server DNS.
>> Is it working with this configuration, or just to point out, that you 
>> copied the wrong jaas.conf for the mail?
>>
>> Felix
>>> ----------------------------------------
>>>> From: dmarsh26@outlook.com
>>>> To: users@tomcat.apache.org
>>>> Subject: SPNEGO test configuration with Manager webapp
>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>
>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>
>>>> I've created three Windows VMs :-
>>>>
>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>> Test Client - Windows 8.1 32 bit VM
>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>
>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>
>>>> The firewall is disabled on the Tomcat Server VM.
>>>>
>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>
>>>> jaas.conf
>>>>
>>>> com.sun.security.jgss.krb5.initiate {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> com.sun.security.jgss.krb5.accept {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> krb5.ini
>>>>
>>>> [libdefaults]
>>>> default_realm = KERBTEST.LOCAL
>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>> forwardable=true
>>>>
>>>> [realms]
>>>> KERBTEST.LOCAL = {
>>>> kdc = win-dc01.kerbtest.local:88
>>>> }
>>>>
>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>
>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>
>>>> Users were created as instructed.
>>>>
>>>> Spn was created as instructed
>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>
>>>> keytab was created as instructed
>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>
>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>
>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>
>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>
>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>
>>>> The next has an Authorization request http header with a long encrypted string.
>>>>
>>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
>>>>
>>>> It seems like authentication is never completed ?
>>>>
>>>> There are no errors in tomcat logs.
>>>>
>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>>>
>>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
>>>>
>>>> many thanks
>>>>
>>>> David
>>>>
>>>>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
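Added example, not from the thread: the keytab checks suggested above (is it the right principal, does it match what jaas.conf and krb5.ini say) can be done without kinit or klist by reading the file directly. The Python script below parses the MIT keytab format (version 0x0502, which the JDK loader reads) and compares the entries with the SPN from jaas.conf and the enctypes from krb5.ini. The keytab it inspects is constructed by the script itself: one rc4-hmac key for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL with kvno 0, the shape ktpass /kvno 0 produces; that entry is exactly 78 bytes, the entry length the JDK logged earlier in this thread, which is consistent with a single 16-byte rc4-hmac key and no trailing 32-bit kvno field. Point parse_keytab() at the bytes of the real tomcat.keytab to get the same report for your file.

```python
import struct

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}


def _counted(data, pos):
    """Read a counted_octet_string: 16-bit big-endian length, then the bytes."""
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                      # negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        etype = struct.unpack_from(">H", data, p + 9)[0]
        key, p = _counted(data, p + 11)
        # A 32-bit kvno follows only if at least 4 bytes of the entry remain.
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "etype": etype, "key_len": len(key)})
        pos = end
    return entries


def check_keytab(entries, expected_spn, configured_etypes):
    """Compare keytab contents with the principal in jaas.conf and the enctypes in krb5.ini."""
    findings = []
    mine = [e for e in entries if e["principal"] == expected_spn]
    if not mine:
        present = sorted({e["principal"] for e in entries})
        findings.append(f"no key for {expected_spn}; keytab holds {present}")
        return findings
    have = {e["etype"] for e in mine}
    if not have & set(configured_etypes):
        findings.append("no keytab key matches any configured enctype")
    if have <= WEAK_ETYPES:
        findings.append("only weak key types: " + ", ".join(ETYPE_NAMES.get(e, str(e)) for e in sorted(have)))
    if any(e["kvno"] == 0 for e in mine):
        findings.append("kvno 0 (ktpass /kvno 0): compare with the account's msDS-KeyVersionNumber")
    return findings


def build_keytab(entries):
    """Constructed keytab writer, used only to produce sample input: (principal, kvno, etype, key)."""
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno, then the key block
        body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: one rc4-hmac key for the thread's SPN with kvno 0, as ktpass /kvno 0 produces.
SAMPLE_SPN = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_SPN, 0, 23, b"\x11" * 16)])
KRB5_INI_ETYPES = [23, 18, 17]        # rc4-hmac, aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e["principal"], "kvno", e["kvno"], ETYPE_NAMES.get(e["etype"], e["etype"]))
    for line in check_keytab(entries, SAMPLE_SPN, KRB5_INI_ETYPES):
        print("-", line)
```

Run it as a domain user that can read the file but under the account Tomcat runs as, and the first finding to look for is the "no key for ..." one: if the principal spelled in jaas.conf is not literally in the keytab (host name, case of the realm, HTTP service class), the JDK has nothing to decrypt the browser's ticket with.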


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

In other words the principal is the tomcat server as it should be.

> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumacher@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> Am 24.03.2015 um 21:05 schrieb David Marsh:
>> Sorry that's :-
>>
>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>> under jaas.conf, it is set to the tomcat server DNS.
> Is it working with this configuration, or just to point out, that you 
> copied the wrong jaas.conf for the mail?
> 
> Felix

RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
I copied the old config file into the mail, yes.

----------------------------------------
> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumacher@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> Am 24.03.2015 um 21:05 schrieb David Marsh:
>> Sorry thats :-
>>
>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>> under jaas.conf, it is set to the tomcat server DNS.
> Is it working with this configuration, or just to point out, that you
> copied the wrong jaas.conf for the mail?
>
> Felix


Re: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 24.03.2015 um 21:05 schrieb David Marsh:
> Sorry thats :-
>
>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or just to point out, that you 
copied the wrong jaas.conf for the mail?

Felix


RE: SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
Sorry that's :-

> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"

under jaas.conf, it is set to the tomcat server DNS.



Re: SPNEGO test configuration with Manager webapp

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 24.03.2015 um 21:02 schrieb David Marsh:
> I'm trying to get SPNEGO authentication working with Tomcat 8.
>
> I've created three Windows VMs :-
>
> Tomcat Server - Windows 8.1 32 bit VM
> Test Client - Windows 8.1 32 bit VM
> Domain Controller - Windows Server 2012 R2 64 bit VM
>
> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>
> The firewall is disabled on the Tomcat Server VM.
>
> I've followed the guidelines on the Apache Tomcat website.
>
> jaas.conf
>
> com.sun.security.jgss.krb5.initiate {
>      com.sun.security.auth.module.Krb5LoginModule required
>      doNotPrompt=true
>      principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
The documentation refers to HTTP/win-*tc01*... not *dc01*.
This is important. It has to be the alias for the tomcat server!

Regards
  Felix
>      useKeyTab=true
>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>      storeKey=true;
> };
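Felix's point, that the principal in the jaas.conf accept entry, the SPN registered with setspn and the /princ handed to ktpass must all name the Tomcat host the browser connects to, can be checked mechanically. The script below is an added example, not code from the thread or from Tomcat; the function names are mine and the sample inputs are the values from the original post (where jaas.conf said win-dc01 while setspn and ktpass said win-tc01).

```python
"""Cross-check the places a Tomcat SPNEGO service principal must agree:
the jaas.conf 'accept' entry, the SPN registered with setspn, the /princ
baked into the keytab by ktpass, and the host name the browser uses.
Added example, not from the thread or from Tomcat."""
import re
from urllib.parse import urlsplit

# Constructed sample inputs, copied from the original post.
JAAS_CONF = '''
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
'''
SETSPN_CMD = "setspn -A HTTP/win-tc01.kerbtest.local tc01"
KTPASS_CMD = ("ktpass /out c:\\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL "
              "/princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0")
BROWSER_URL = "http://win-tc01.kerbtest.local"
DEFAULT_REALM = "KERBTEST.LOCAL"


def jaas_accept_principal(conf: str) -> str:
    """Return the principal="..." value of the com.sun.security.jgss.krb5.accept entry."""
    m = re.search(r"com\.sun\.security\.jgss\.krb5\.accept\s*\{(.*?)\}\s*;", conf, re.S)
    if not m:
        raise ValueError("no com.sun.security.jgss.krb5.accept entry in jaas.conf")
    p = re.search(r'principal="([^"]+)"', m.group(1))
    if not p:
        raise ValueError("accept entry has no principal= option")
    return p.group(1)


def setspn_principal(cmd: str, realm: str) -> str:
    """setspn -A <SPN> <account>: the SPN carries no realm, so append the default one."""
    parts = cmd.split()
    if len(parts) < 4 or parts[0].lower() != "setspn" or parts[1].upper() != "-A":
        raise ValueError("expected: setspn -A <SPN> <account>")
    spn = parts[2]
    return spn if "@" in spn else f"{spn}@{realm}"


def ktpass_principal(cmd: str) -> str:
    """Return the /princ value from a ktpass command line."""
    parts = cmd.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.lower() == "/princ":
            return parts[i + 1]
    raise ValueError("ktpass command has no /princ option")


def split_principal(principal: str):
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM')."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def check_spnego_consistency(conf, setspn_cmd, ktpass_cmd, browser_url, realm):
    """Return a list of findings; an empty list means everything lines up."""
    jaas = jaas_accept_principal(conf)
    spn = setspn_principal(setspn_cmd, realm)
    kt = ktpass_principal(ktpass_cmd)
    findings = []
    if jaas != spn:
        findings.append(f"jaas.conf accept principal {jaas} != registered SPN {spn}")
    if jaas != kt:
        findings.append(f"jaas.conf accept principal {jaas} != keytab principal {kt}")
    if spn != kt:
        findings.append(f"registered SPN {spn} != keytab principal {kt}")
    service, host, prealm = split_principal(jaas)
    if service != "HTTP":
        findings.append(f"service class is {service!r}; browsers request HTTP/<host>")
    if prealm != realm.upper():
        findings.append(f"principal realm {prealm} != default_realm {realm}")
    # The browser asks the KDC for HTTP/<host from the URL>; that must be the SPN host.
    url_host = urlsplit(browser_url).hostname or ""
    if url_host.lower() != host.lower():
        findings.append(f"browser host {url_host} != SPN host {host}")
    return findings


if __name__ == "__main__":
    for line in check_spnego_consistency(JAAS_CONF, SETSPN_CMD, KTPASS_CMD,
                                         BROWSER_URL, DEFAULT_REALM):
        print("FINDING:", line)
```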


SPNEGO test configuration with Manager webapp

Posted by David Marsh <dm...@outlook.com>.
I'm trying to get SPNEGO authentication working with Tomcat 8. 

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM 

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.

The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website. 

jaas.conf 

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

krb5.ini 

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory.

I have tried to keep the setup as basic and vanilla to the instructions as possible.

Users were created as instructed.

SPN was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.

Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.

The next has an Authorization request http header with long encrypted string.

IE still prompts for credentials with a popup, not sure why, as does Chrome.
The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.

It seems like authentication is never completed?

There are no errors in tomcat logs.

Any ideas what is happening and what I can do to troubleshoot ? 

I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.

many thanks

David


Re: SPNEGO test configuration with Manager webapp

Posted by André Warnier <aw...@ice-sa.com>.
David Marsh wrote:
> Hello,
> I'm trying to get SPNEGO authentication working with Tomcat 8.
> I've followed the guidelines on the website.
> jaas.conf
> com.sun.security.jgss.krb5.initiate {...};
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/tc01.kerbtest.local@KERBTEST.LOCAL"
>     useKeyTab=true
>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab"
>     storeKey=true;
> };
> krb5.ini
> [libdefaults]
> default_realm = KERBTEST.LOCAL
> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
> [realms]
> KERBTEST.LOCAL = {
>         kdc = Server2012dc.kerbtest.local:88
> }
> [domain_realm]
> kerbtest.local= KERBTEST.LOCAL
> .kerbtest.local= KERBTEST.LOCAL
> I want to use the tomcat manager app to test SPNEGO with Active Directory, Tomcat is currently installed on the domain controller.

And that may well be the problem.

> It seems like authentication is never completed as in the browser 

(which is where ? also on the same host ? what browser are you using ?)
(if it is IE : does it have "enable Windows Integrated Authentication" checked ? and is 
the tomcat server recognised as being part of the "Intranet zone" ?)

Also let us know what kind of platforms are involved at
- the browser level
- the tomcat level
- the KDC level (yes, I know, currently the same as tomcat; but maybe not in future)


Recently I was having some problems also with Kerberos authentication, and while digging 
the web for information, I remember reading somewhere that it would not work if the 
browser was on the same host as the server (I do not remember if this counted also for the 
Tomcat webserver, and I do not remember if this was platform-specific).  But maybe your 
problem is a variation of the same issue ?

So basically, what I am telling you is to search in Google more specifically for things 
such as "Kerberos and localhost" or similar.

Also, get an appropriate browser plugin to be able to really trace what kind of HTTP 
headers are passed back and forth between the browser and the Tomcat server.

> I get prompted for credentials over and over.

That is where the browser plugin (Fiddler, HttpFox, LiveHttpHeaders, etc.) is invaluable. 
It will tell you if the browser is even /trying/ to perform Kerberos authentication e.g.

> So there appear two issues :-
> 1. Authentication is not succeeding
> 2. SPNEGO accept header is not currently sent
> I have created the tc01 and test users in active directory, and the keytab as instructed.
> I run tomcat as tc01 user :-
> runas /env /user:tc01@kerbtest.local "startup.bat"
> Output from running tomcat :-
> Server startup in 3443 ms
> 24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
> 24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> 24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> 24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> 24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
> 24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
> 24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
> 24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
> 24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
> >>> KeyTabInputStream, readName(): kerbtest.local
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): tc01.kerbtest.local
> >>> KeyTab: load() entry length: 74; type: 23
> Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
> Loaded from Java config
> Added key: 23version: 7
> >>> KdcAccessibility: reset
> Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 23version: 7
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
> >>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=160
> >>> KrbKdcReq send: #bytes read=185
> >>>Pre-Authentication Data:
>          PA-DATA type = 11
>          PA-ETYPE-INFO etype = 23, salt =
> >>> Pre-Authentication Data:
>          PA-DATA type = 19
>          PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>> Pre-Authentication Data:
>          PA-DATA type = 2
>          PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>          PA-DATA type = 16
> >>> Pre-Authentication Data:
>          PA-DATA type = 15
> >>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
>          sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
>          suSec is 627351
>          error code is 25
>          error Message is Additional pre-authentication required
>          sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>          eData provided.
>          msgType is 30
> >>>Pre-Authentication Data:
>          PA-DATA type = 11
>          PA-ETYPE-INFO etype = 23, salt =
> >>> Pre-Authentication Data:
>          PA-DATA type = 19
>          PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >>> Pre-Authentication Data:
>          PA-DATA type = 2
>          PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>          PA-DATA type = 16
> >>> Pre-Authentication Data:
>          PA-DATA type = 15
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 23version: 7
> Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 23version: 7
> default etypes for default_tkt_enctypes: 23 18 17.
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=243
> >>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=243
> >>> KrbKdcReq send: #bytes read=100
> >>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=243
> >>> KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=243
> >>>DEBUG: TCPClient reading 1467 bytes
> >>> KrbKdcReq send: #bytes read=1467
> >>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
> Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 23version: 7
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
> Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Tue Mar 24 20:26:57 GMT 2015
> I create a realm in server.xml :-
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://192.168.78.8:389"
>          userBase="ou=Users,dc=kerbtest,dc=local"
>          userSearch="(mail={0})"
>          userRoleName="memberOf"
>          roleBase="ou=Users,dc=kerbtest,dc=local"
>          roleName="cn"
>          roleSearch="(uniqueMember={0})"/>
> web.xml for manager web app has auth method set :-
>   <!-- Define the Login Configuration for this Application -->
>   <login-config>
>     <!-- <auth-method>BASIC</auth-method> -->
>     <auth-method>SPNEGO</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>
>   </login-config>
> Any ideas what is happening and what I can do to troubleshoot ?
> many thanks
> David
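André's advice to trace the actual headers can be taken one step further: the base64 blob in the Authorization: Negotiate request header tells you which mechanism the browser really chose. A Windows browser that cannot obtain a Kerberos ticket for the SPN (wrong principal, host outside the intranet zone, KDC unreachable) falls back to NTLM inside the same Negotiate header, and Tomcat's SPNEGO authenticator does not implement NTLM, which yields exactly the repeated 401 and credential prompt described in the thread. The script below is an added example, not code from the thread or from Tomcat; the OID constants are the real ones, the sample tokens are constructed, and the function names are mine.

```python
"""Classify the token behind 'Authorization: Negotiate <base64>' as Kerberos
or NTLM, with or without a SPNEGO wrapper. Added example, not from the thread
or from Tomcat; the OIDs are real, the sample tokens are constructed."""
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, value).
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                  # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"        # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"     # 1.2.840.48018.1.2.2
NTLM_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"    # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {MS_KRB5_OID: "Kerberos", KRB5_OID: "Kerberos", NTLM_OID: "NTLM"}


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def neg_token_init(mech_oids, mech_token: bytes) -> bytes:
    """Build a SPNEGO NegTokenInit (RFC 4178) with the given mechTypes and mechToken."""
    mech_type_list = der(0x30, b"".join(mech_oids))
    body = der(0x30, der(0xa0, mech_type_list) + der(0xa2, der(0x04, mech_token)))
    return der(0x60, SPNEGO_OID + der(0xa0, body))


def preferred_mech(token: bytes) -> str:
    """mechTypes lists the initiator's preferred mechanism first, and the
    mechToken that follows belongs to it, so the earliest OID decides."""
    start = token.find(SPNEGO_OID) + len(SPNEGO_OID)
    hits = [(token.find(oid, start), name) for oid, name in MECH_NAMES.items()]
    hits = [h for h in hits if h[0] != -1]
    return min(hits)[1] if hits else "unknown"


def classify_negotiate(header_value: str) -> dict:
    """Return which mechanism the client actually put into the Negotiate header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"scheme": scheme, "mechanism": "not-negotiate", "wrapper": "none",
                "ntlm_fallback": False}
    token = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if token.startswith(NTLMSSP_SIGNATURE):      # raw NTLMSSP, no SPNEGO wrapper
        return {"scheme": scheme, "mechanism": "NTLM", "wrapper": "raw", "ntlm_fallback": True}
    head = token[:16]                            # [APPLICATION 0] tag, length, mech OID
    if token[:1] == b"\x60" and SPNEGO_OID in head:
        mech = preferred_mech(token)
        return {"scheme": scheme, "mechanism": mech, "wrapper": "SPNEGO",
                "ntlm_fallback": mech == "NTLM" or NTLMSSP_SIGNATURE in token}
    if token[:1] == b"\x60" and (KRB5_OID in head or MS_KRB5_OID in head):
        return {"scheme": scheme, "mechanism": "Kerberos", "wrapper": "raw", "ntlm_fallback": False}
    return {"scheme": scheme, "mechanism": "unknown", "wrapper": "unknown", "ntlm_fallback": False}


# Constructed sample tokens: a fake Kerberos GSS initial token (KRB5 OID, token
# id 01 00, dummy AP-REQ) and a minimal NTLM NEGOTIATE_MESSAGE with arbitrary flags.
FAKE_KRB_AP_REQ = der(0x60, KRB5_OID + b"\x01\x00" + der(0x6e, b"\x30\x00"))
FAKE_NTLM_NEGOTIATE = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16


def header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


KERBEROS_HEADER = header(neg_token_init([MS_KRB5_OID, KRB5_OID, NTLM_OID], FAKE_KRB_AP_REQ))
NTLM_FALLBACK_HEADER = header(neg_token_init([NTLM_OID], FAKE_NTLM_NEGOTIATE))
RAW_NTLM_HEADER = header(FAKE_NTLM_NEGOTIATE)

if __name__ == "__main__":
    for h in (KERBEROS_HEADER, NTLM_FALLBACK_HEADER, RAW_NTLM_HEADER):
        print(classify_negotiate(h))
```

Paste the value of a captured Authorization header into classify_negotiate; "ntlm_fallback": True means the browser never presented a Kerberos ticket, so the place to look is the SPN, the keytab and the client's zone settings rather than the server's authenticator.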