RE: Tomcat windows 7 authentication

2015-05-07 Thread David Marsh
http://codermonkey65.blogspot.co.uk/2012/09/troubleshooting-kerberos.html
Look under NTP commands
w32tm /resync
net start w32time

> From: ravindhar_ko...@persistent.com
> To: users@tomcat.apache.org
> Subject: RE: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 11:37:43 +
> 
> I have done NTP synchronization in AD,
> but I am still getting the same error.
> Could you please help with this?
> 
> -Original Message-
> From: David Marsh [mailto:dmars...@outlook.com] 
> Sent: Thursday, May 07, 2015 3:39 PM
> To: Tomcat Users List
> Subject: RE: Tomcat windows 7 authentication
> 
> Kerberos requires NTP synchronisation to be in place and working.
> Fix your clocks and the error should go away.
> 
> > From: ravindhar_ko...@persistent.com
> > To: users@tomcat.apache.org
> > Subject: Tomcat windows 7 authentication
> > Date: Thu, 7 May 2015 10:01:39 +
> > 
> > Hi
> > I am working on windows authentication with tomcat 7.
> > I have gone through the following doc.
> > windows-auth-howto 
> > Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>
> > 
> > 
> > apache-tomcat-7.0.61
> > windows server 2008 R2
> > java 1.8.0_25
> > active directory machine ( DOMAIN-ad)
> > tomcat instance machine (windows-sso-demo)
> > username (ss0ad...@domain.com<mailto:ss0ad...@domain.com>)
> > password (XX)
> > 
> > setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
> > ktpass /out c:\tomcat.keytab /mapuser ssoad...@domain.com /princ 
> > HTTP/windows-sso-d...@domain.com /pass X /kvno 0
> > 
> > C:\apache-tomcat-7.0.61\conf\jass.conf
> > 
> > com.sun.security.jgss.krb5.initiate {
> > com.sun.security.auth.module.Krb5LoginModule required
> > doNotPrompt=true
> > principal="HTTP/windows-sso-d...@domain.com"
> > useKeyTab=true
> > keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> > storeKey=true;
> > };
> > 
> > com.sun.security.jgss.krb5.accept {
> > com.sun.security.auth.module.Krb5LoginModule required
> > doNotPrompt=true
> > principal="HTTP/windows-sso-d...@domain.com"
> > useKeyTab=true
> >keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> > storeKey=true;
> > };
> > 
> > C:\apache-tomcat-7.0.61\conf\krb5.ini
> > 
> > [libdefaults]
> > default_realm = DOMAIN.COM
> > default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
> > default_tkt_enctypes = 
> > rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> > default_tgs_enctypes = 
> > rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> > forwardable=true
> > 
> > [realms]
> > DOMAIN.COM = {
> > kdc = DOMAIN-ad:88
> > }
> > 
> > [domain_realm]
> > dev.local= DOMAIN.COM
> > .dev.local= DOMAIN.COM
> > 
> > C:\apache-tomcat-7.0.61\conf\server.xml
> > 
> > 
> > 
> >  >resourceName="UserDatabase"/>
> > 
> >  > className="org.apache.catalina.realm.JNDIRealm"  debug="99"
> >connectionURL="ldap://DOMAIN-ad:389";
> >alternateURL="ldap://DOMAIN-ad:389";
> >connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
> >connectionPassword=""
> >referrals="follow"
> >userBase="CN=Users, DC=DOMAIN, DC=com"
> >userSearch="(sAMAccountName={0})"
> >userSubtree="true"
> >roleBase="CN=Users, DC=DOMAIN, DC=com"
> >roleName="CN"
> >roleSubtree="true"
> >roleSearch="(member={0})" />
> > 
> > 
> > 
> >   
> > 
> > 
> > C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl
> > 
> > 
> > 
> > > />
> > 
> > 
> > 
> > 
> > C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml
> > 
> > 
> > http://java.sun.com/xml/ns/j2ee";
> > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> > xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
> > http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
> > version="2.4">
> > 
> > 
> > 
> > 

RE: Tomcat windows 7 authentication

2015-05-07 Thread David Marsh
Kerberos requires NTP synchronisation to be in place and working.
Fix your clocks and the error should go away.

> From: ravindhar_ko...@persistent.com
> To: users@tomcat.apache.org
> Subject: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 10:01:39 +
> 
> Hi
> I am working on windows authentication with tomcat 7.
> I have gone through the following doc.
> windows-auth-howto 
> Tomcat_instance_(Windows_server)
> 
> 
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0ad...@domain.com)
> password (XX)
> 
> setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
> ktpass /out c:\tomcat.keytab /mapuser ssoad...@domain.com /princ 
> HTTP/windows-sso-d...@domain.com /pass X /kvno 0
> 
> C:\apache-tomcat-7.0.61\conf\jass.conf
> 
> com.sun.security.jgss.krb5.initiate {
> com.sun.security.auth.module.Krb5LoginModule required
> doNotPrompt=true
> principal="HTTP/windows-sso-d...@domain.com"
> useKeyTab=true
> keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> storeKey=true;
> };
> 
> com.sun.security.jgss.krb5.accept {
> com.sun.security.auth.module.Krb5LoginModule required
> doNotPrompt=true
> principal="HTTP/windows-sso-d...@domain.com"
> useKeyTab=true
>keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> storeKey=true;
> };
> 
> C:\apache-tomcat-7.0.61\conf\krb5.ini
> 
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
> default_tkt_enctypes = 
> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = 
> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
> 
> [realms]
> DOMAIN.COM = {
> kdc = DOMAIN-ad:88
> }
> 
> [domain_realm]
> dev.local= DOMAIN.COM
> .dev.local= DOMAIN.COM
> 
> C:\apache-tomcat-7.0.61\conf\server.xml
> 
> 
> 
> resourceName="UserDatabase"/>
> 
>  className="org.apache.catalina.realm.JNDIRealm"  debug="99"
>connectionURL="ldap://DOMAIN-ad:389";
>alternateURL="ldap://DOMAIN-ad:389";
>connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
>connectionPassword=""
>referrals="follow"
>userBase="CN=Users, DC=DOMAIN, DC=com"
>userSearch="(sAMAccountName={0})"
>userSubtree="true"
>roleBase="CN=Users, DC=DOMAIN, DC=com"
>roleName="CN"
>roleSubtree="true"
>roleSearch="(member={0})" />
> 
> 
> 
>   
> 
> 
> C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl
> 
> 
> 
>
> 
> 
> 
> 
> C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml
> 
> 
> http://java.sun.com/xml/ns/j2ee";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";
> version="2.4">
> 
> 
> 
> 
> All users
> 
>   All requests
>   /*
> 
> 
>   *
> 
>   
> 
>   
> All users
> *
>   
> 
>   
> SPNEGO
>   
> 
> 
> Hello, World Application
> 
> This is a simple web application with a source code 
> organization
> based on the recommendations of the Application Developer's 
> Guide.
> 
> 
> 
> HelloServlet
> mypackage.Hello
> 
> 
> 
> HelloServlet
> /hello
> 
> 
> 
> 
> 
> 
> 
> My error is
> 
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Clock skew too great (37)
> at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> b5LoginModule.java:804)
> at 
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja
> va:617)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:62)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:483)
> at 
> javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> at 
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
> 95)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> at java.security.AccessController.doPrivileged(Native Method)
> at 
> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
> 80)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
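As an added example (not code from the thread, Tomcat or the JDK), a small Python check that reads the KDC's own timestamp out of the JDK's krb5 debug output and reports whether the local clock sits outside the tolerance that produces "Clock skew too great (37)". The KRBError excerpt is constructed after the one David posted in the SPNEGO thread on this page; the 300 s tolerance is the krb5 `clockskew` default and is an assumption, not something the thread states.

```python
"""Measure Kerberos clock skew from JDK krb5 debug output (-Dsun.security.krb5.debug=true).

Added example for the clock-skew thread; not Tomcat or JDK code. Assumes the
KRBError lines look as quoted on this page and that the KDC tolerance is the
krb5 'clockskew' default of 300 seconds.
"""
import re
import time
from typing import Dict, Optional

KRB_AP_ERR_SKEW = 37        # the "(37)" in "Clock skew too great (37)"
DEFAULT_CLOCKSKEW = 300     # seconds; assumed krb5 'clockskew' default

# Constructed excerpt modelled on the KRBError block quoted in the SPNEGO thread;
# the KDC stamps its own clock into every KRB-ERROR it returns.
SAMPLE_DEBUG = """\
>>>KRBError:
sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
suSec is 935731
error code is 25
error Message is Additional pre-authentication required
"""

# sTime ends with the KDC time in epoch milliseconds; suSec adds microseconds.
_STIME = re.compile(r"^\s*sTime is .*?(\d{13})\s*$", re.MULTILINE)
_SUSEC = re.compile(r"^\s*suSec is (\d+)\s*$", re.MULTILINE)


def kdc_time(debug: str) -> Optional[float]:
    """KDC clock (epoch seconds) from the first KRBError block, or None if absent."""
    m = _STIME.search(debug)
    if not m:
        return None
    t = int(m.group(1)) / 1000.0
    us = _SUSEC.search(debug)
    if us:
        t += int(us.group(1)) / 1_000_000.0
    return t


def skew_seconds(debug: str, local_now: float) -> Optional[float]:
    """Signed skew: local clock minus KDC clock, in seconds."""
    t = kdc_time(debug)
    return None if t is None else local_now - t


def diagnose(debug: str, local_now: float,
             tolerance: int = DEFAULT_CLOCKSKEW) -> Dict[str, object]:
    """Decide whether the observed skew would trigger KRB_AP_ERR_SKEW.

    The KDC rejects requests whose timestamp differs from its own clock by
    more than the tolerance; Tomcat then logs 'Clock skew too great (37)'.
    """
    skew = skew_seconds(debug, local_now)
    if skew is None:
        return {"status": "no-kdc-time", "skew_seconds": None, "krb_error": None}
    over = abs(skew) > tolerance
    return {
        "status": "skew" if over else "ok",
        "skew_seconds": round(skew, 3),
        "krb_error": KRB_AP_ERR_SKEW if over else None,
    }


if __name__ == "__main__":
    # With a live log you would pass time.time(); here we simulate a Tomcat host
    # whose clock runs 400 s ahead of the KDC, which is what w32tm /resync fixes.
    kdc = kdc_time(SAMPLE_DEBUG)
    print(diagnose(SAMPLE_DEBUG, kdc + 400))    # status 'skew', krb_error 37
    print(diagnose(SAMPLE_DEBUG, kdc + 120))    # status 'ok'
    print(diagnose(SAMPLE_DEBUG, time.time()))  # a 2015 log against today's clock
```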

RE: Debugging Tomcat Running in Vagrant using Port Forwarding

2015-04-30 Thread David Marsh
8000 is the HTTP port in development just in case you are using port 8080
8443 is similar for HTTPS
22 is SSH port
Normally you define a free port in a user range say 9009, to be your debug port.
Then you use a suitable java debugger to connect to that port.
I've never used vagrant, but it sounds like you'd also need that debug port say 
9009, to have port forwarding configured.
Once port forwarding is configured the debug port 9009 should be accessible 
outside the VM.

> Date: Thu, 30 Apr 2015 14:44:13 -0700
> Subject: Debugging Tomcat Running in Vagrant using Port Forwarding
> From: dlan...@gmail.com
> To: users@tomcat.apache.org
> 
> Hi,
> 
> I was wondering if anyone here might have any idea about this issue I was
> having debugging my Tomcat app. I posted this question on Stack Overflow
> several days ago but didn't get any responses (and it said it was only
> viewed 15 times despite having the Java and Tomcat tags which is weird).
> Anyway, here is the question, thanks:
> 
> 
> I'm trying to attach my Eclipse debugger running on my Windows host to a
> Tomcat 8 server running in my local Vagrant box (Virtual Box) running
> CentOS 7.
> 
> Here is the full error from the Eclipse logs:
> 
> java.net.SocketException: Connection reset
> at java.net.SocketInputStream.read(SocketInputStream.java:179)
> at java.io.DataInputStream.readFully(DataInputStream.java:189)
> at java.io.DataInputStream.readFully(DataInputStream.java:163)
> at
> org.eclipse.jdi.internal.connect.SocketTransportService.readHandshake(SocketTransportService.java:216)
> at
> org.eclipse.jdi.internal.connect.SocketTransportService.access$7(SocketTransportService.java:212)
> at
> org.eclipse.jdi.internal.connect.SocketTransportService$3.run(SocketTransportService.java:183)
> at java.lang.Thread.run(Thread.java:761)
> 
> 
> The output from `vagrant up` seems correct (port 8000 is the debugging
> port):
> 
> ==> default: Preparing network interfaces based on configuration...
> default: Adapter 1: nat
> ==> default: Forwarding ports...
> default: 8000 => 8000 (adapter 1)
> default: 8443 => 8443 (adapter 1)
> default: 22 =>  (adapter 1)
> 
> I can access my application (using https://localhost:8443/app) via a
> browser from my host without issue; connecting the debugger is the issue.
> The debugger is configured for a Remote Java Application with connection
> properties:
> 
> Host: localhost
> Port: 8000
> 
> Starting Tomcat of course displays the correct:
> 
> Listening for transport dt_socket at address: 8000
> 
> 
> Based on the some other questions, the answer maybe have something to do
> with configuring Tomcat to run on 0.0.0.0 instead of the default.
> 
> So I tried configuring the Connectors in Tomcat's server.xml with the line
> address="0.0.0.0" but the result was the same.
> 
> Any other ideas about getting this to work? Also, assuming the answer is
> something to do with changing the address to 0.0.0.0, why would I need to
> do that to get the debugger to work if accessing the app via browser is
> already fine on localhost:8443?
> 
> P.S. It is not a firewall issue.
  

RE: User Realm based Authorisation with Tomcat 8

2015-03-30 Thread David Marsh
No worries, fixed it :-

      ldap://win-dc01.kerbtest.local:389";
          userBase="cn=Users,dc=kerbtest,dc=local"
          userSearch="(cn={0})" 
  userRoleName="memberOf"
          roleBase="cn=Users,dc=kerbtest,dc=local"
          roleName="cn"
          roleSearch="(member={0})"
  debug="9"/>

Seems uniqueMember is no good as I have multiple groups...


> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: User Realm based Authorisation with Tomcat 8
> Date: Mon, 30 Mar 2015 12:50:52 +0100
>
> Ok so I fixed my Realm :-
>
>  connectionURL="ldap://win-dc01.kerbtest.local:389";
> userBase="cn=Users,dc=kerbtest,dc=local"
> userSearch="(cn={0})"
> userRoleName="memberOf"
> roleBase="cn=Users,dc=kerbtest,dc=local"
> roleName="cn"
> roleSearch="(uniqueMember={0})"
> debug="9"/>
>
> 
> 
>
> However the AD group 'manager-gui' does not automatically become a role, how 
> do I define the group to role mapping ?
>
> Krb5Context.unwrap: data=[30 84 00 00 00 10 02 01 06 65 84 00 00 00 07 0a 01 
> 00 04 00 04 00 ]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
> org.apache.catalina.realm.CombinedRealm.authentic
> ate Authenticated user "test@KERBTEST.LOCAL" with realm 
> "org.apache.catalina.realm.JNDIRealm"
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
> org.apache.catalina.authenticator.AuthenticatorBa
> se.register Authenticated 'test' with type 'SPNEGO'
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
> org.apache.catalina.authenticator.AuthenticatorBa
> se.register Session ID changed on authentication from 
> [BA1A48564A9ECF1917107AF362AA9C2B] to [9BA70CD
> 7B088BEE077787CFD21FE4BC6]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
> org.apache.catalina.authenticator.AuthenticatorBa
> se.invoke Calling accessControl()
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
> org.apache.catalina.realm.RealmBase.hasResourcePe
> rmission Checking roles 
> GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)]
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
> org.apache.catalina.realm.RealmBase.hasRole Usern
> ame test does NOT have role manager-gui
> 30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
> org.apache.catalina.realm.RealmBase.hasResourcePe
> rmission No role found: manager-gui
> 30-Mar-2015 12:46:44.182 FINE [http-nio-80-exec-2] 
> org.apache.catalina.authenticator.AuthenticatorBa
> se.invoke Failed accessControl() test
>
>
> thanks!
>
> David
>
> 
>> From: dmars...@outlook.com
>> To: users@tomcat.apache.org
>> Subject: User Realm based Authorisation with Tomcat 8
>> Date: Mon, 30 Mar 2015 12:09:47 +0100
>>
>> So I have SPNEGO working and I want to use the JNDI realm for authorisation.
>>
>> I have this configured :-
>>
>> > connectionURL="ldap://win-dc01.kerbtest.local:389";
>> userBase="ou=Users,dc=kerbtest,dc=local"
>> userSearch="(uid={0})"
>> userRoleName="memberOf"
>> roleBase="ou=Users,dc=kerbtest,dc=local"
>> roleName="cn"
>> roleSearch="(uniqueMember={0})"/>
>>
>> I would like to use AD groups to control authorisation in my application.
>>
>> However currently it appears the tomcat-users is being used :-
>>
>> 
>>
>> How do I configure tomcat Manager web app to use the realm and ignore the 
>> users file ?
>>
>> Alternatively is there other example code I can use with the JNDI realm ?
>>
>> many thanks
>>
>> David
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
>
  
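As an added example (not Tomcat's code and not anything posted in the thread), a Python model of JNDIRealm's role resolution over a constructed mini-directory built from the DNs in David's log: it shows why roleSearch="(uniqueMember={0})" finds no group on Active Directory while "(member={0})" does, and why memberOf pulled in through userRoleName leaves the full group DN as the role name that hasRole then fails to match against 'manager-gui'.

```python
"""Model of how Tomcat's JNDIRealm derives role names for an AD user.

Added example for the realm fix above; not Tomcat's own code. The directory
content is constructed from the DNs in the thread. AD groups list members in
'member'; 'uniqueMember' (groupOfUniqueNames) is not present on AD groups.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed mini-directory: DN -> attributes (every value is a list).
DIRECTORY: Dict[str, Entry] = {
    "CN=test,CN=Users,DC=kerbtest,DC=local": {
        "cn": ["test"],
        "memberOf": ["CN=manager-gui,CN=Users,DC=kerbtest,DC=local"],
    },
    "CN=manager-gui,CN=Users,DC=kerbtest,DC=local": {
        "cn": ["manager-gui"],
        "member": ["CN=test,CN=Users,DC=kerbtest,DC=local"],
    },
}

# Realm attributes as posted in the thread; only roleSearch differs.
REALM_UNIQUEMEMBER = {
    "userBase": "cn=Users,dc=kerbtest,dc=local",
    "userSearch": "(cn={0})",
    "userRoleName": "memberOf",
    "roleBase": "cn=Users,dc=kerbtest,dc=local",
    "roleName": "cn",
    "roleSearch": "(uniqueMember={0})",
}
REALM_MEMBER = dict(REALM_UNIQUEMEMBER, roleSearch="(member={0})")

_EQUALITY = re.compile(r"^\((\w+)=(.*)\)$")


def get_attr(entry: Entry, name: str) -> List[str]:
    """LDAP attribute names are case-insensitive; look one up accordingly."""
    for k, v in entry.items():
        if k.lower() == name.lower():
            return v
    return []


def in_base(dn: str, base: str) -> bool:
    """Subtree scope: the DN ends with the search base (DNs compare case-insensitively)."""
    return dn.lower().endswith(base.lower())


def matches(entry: Entry, flt: str) -> bool:
    """Evaluate the only filter shape the posted configs use: (attr=value)."""
    m = _EQUALITY.match(flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in get_attr(entry, attr))


def find_user(realm: dict, username: str) -> Tuple[str, Entry]:
    """userSearch with {0} = username, scoped to userBase."""
    flt = realm["userSearch"].replace("{0}", username)
    for dn, entry in DIRECTORY.items():
        if in_base(dn, realm["userBase"]) and matches(entry, flt):
            return dn, entry
    raise LookupError(username)


def resolve_roles(realm: dict, username: str) -> List[str]:
    """Roles are the userRoleName values on the user entry, taken verbatim (so
    DNs on AD), plus the roleName of every entry under roleBase matching
    roleSearch, where {0} is replaced by the user's DN and {1} by the username."""
    user_dn, user = find_user(realm, username)
    roles = list(get_attr(user, realm["userRoleName"]))
    flt = realm["roleSearch"].replace("{0}", user_dn).replace("{1}", username)
    for dn, entry in DIRECTORY.items():
        if in_base(dn, realm["roleBase"]) and matches(entry, flt):
            roles.extend(get_attr(entry, realm["roleName"]))
    return roles


def has_role(realm: dict, username: str, role: str) -> bool:
    """RealmBase.hasRole compares role names exactly, as the posted log shows."""
    return role in resolve_roles(realm, username)


if __name__ == "__main__":
    for label, realm in (("uniqueMember", REALM_UNIQUEMEMBER), ("member", REALM_MEMBER)):
        print(label, resolve_roles(realm, "test"),
              "has manager-gui:", has_role(realm, "test", "manager-gui"))
```

With the working config the principal still carries the DN-valued memberOf role alongside 'manager-gui'; drop userRoleName if only the group CNs should appear as roles.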



RE: User Realm based Authorisation with Tomcat 8

2015-03-30 Thread David Marsh
Ok so I fixed my Realm :-

      ldap://win-dc01.kerbtest.local:389";
          userBase="cn=Users,dc=kerbtest,dc=local"
          userSearch="(cn={0})" 
          userRoleName="memberOf"
          roleBase="cn=Users,dc=kerbtest,dc=local"
          roleName="cn"
          roleSearch="(uniqueMember={0})"
  debug="9"/>

        


However the AD group 'manager-gui' does not automatically become a role, how do 
I define the group to role mapping ?

Krb5Context.unwrap: data=[30 84 00 00 00 10 02 01 06 65 84 00 00 00 07 0a 01 00 
04 00 04 00 ]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.CombinedRealm.authentic
ate Authenticated user "test@KERBTEST.LOCAL" with realm 
"org.apache.catalina.realm.JNDIRealm"
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.register Authenticated 'test' with type 'SPNEGO'
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.register Session ID changed on authentication from 
[BA1A48564A9ECF1917107AF362AA9C2B] to [9BA70CD
7B088BEE077787CFD21FE4BC6]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke  Calling accessControl()
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.hasResourcePe
rmission   Checking roles 
GenericPrincipal[test(CN=manager-gui,CN=Users,DC=kerbtest,DC=local,)]
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.hasRole Usern
ame test does NOT have role manager-gui
30-Mar-2015 12:46:44.166 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.hasResourcePe
rmission No role found:  manager-gui
30-Mar-2015 12:46:44.182 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke  Failed accessControl() test


thanks!

David


> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: User Realm based Authorisation with Tomcat 8
> Date: Mon, 30 Mar 2015 12:09:47 +0100
>
> So I have SPNEGO working and I want to use the JNDI realm for authorisation.
>
> I have this configured :-
>
>  connectionURL="ldap://win-dc01.kerbtest.local:389";
> userBase="ou=Users,dc=kerbtest,dc=local"
> userSearch="(uid={0})"
> userRoleName="memberOf"
> roleBase="ou=Users,dc=kerbtest,dc=local"
> roleName="cn"
> roleSearch="(uniqueMember={0})"/>
>
> I would like to use AD groups to control authorisation in my application.
>
> However currently it appears the tomcat-users is being used :-
>
> 
>
> How do I configure tomcat Manager web app to use the realm and ignore the 
> users file ?
>
> Alternatively is there other example code I can use with the JNDI realm ?
>
> many thanks
>
> David
>
  



User Realm based Authorisation with Tomcat 8

2015-03-30 Thread David Marsh
So I have SPNEGO working and I want to use the JNDI realm for authorisation.

I have this configured :-

      ldap://win-dc01.kerbtest.local:389";
          userBase="ou=Users,dc=kerbtest,dc=local"
          userSearch="(uid={0})" 
          userRoleName="memberOf"
          roleBase="ou=Users,dc=kerbtest,dc=local"
          roleName="cn"
          roleSearch="(uniqueMember={0})"/>

I would like to use AD groups to control authorisation in my application.

However currently it appears the tomcat-users is being used :-

  

How do I configure tomcat Manager web app to use the realm and ignore the users 
file ?

Alternatively is there other example code I can use with the JNDI realm ?

many thanks

David 



RE: SPNEGO test configuration with Manager webapp

2015-03-29 Thread David Marsh
>>> =1,
#bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
suSec is 935731
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of
retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt 
>>> =1,
#bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=3, number of
retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=3,Attempt 
>>> =1,
#bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to 
krbtgt/KERBTEST.LOCAL@KERBTEST
.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] 
org.apache.catalina.authenticator.SpnegoAuthentic
ator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected 
(Mechanism
level: G
SSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at 
org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
va:243)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at 
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)

at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108
6)
at 
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
a:659)
at 
org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto
col.java:223)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at 
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective tok

RE: SPNEGO test configuration with Manager webapp

2015-03-29 Thread David Marsh
NE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /images/tomca
t.gif --> false
28-Mar-2015 14:21:28.739 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[HTML Manager interface 
(for humans)]' against G
ET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.754 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Status interface]' against 
GET /images/tomcat.g
if --> false
28-Mar-2015 14:21:28.770 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Text Manager interface 
(for scripts)]' against
GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.786 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /images/tomca
t.gif --> false
28-Mar-2015 14:21:28.801 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[HTML Manager interface 
(for humans)]' against G
ET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.817 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Status interface]' against 
GET /images/tomcat.g
if --> false
28-Mar-2015 14:21:28.832 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Text Manager interface 
(for scripts)]' against
GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.848 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /images/tomca
t.gif --> false
28-Mar-2015 14:21:28.864 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[HTML Manager interface 
(for humans)]' against G
ET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.879 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Status interface]' against 
GET /images/tomcat.g
if --> false
28-Mar-2015 14:21:28.895 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[Text Manager interface 
(for scripts)]' against
GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.910 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /images/tomca
t.gif --> false
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints   No applicable constraint located
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke  Not subject to any constraint



> Date: Mon, 30 Mar 2015 00:13:54 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent "fix" must have broken it.
>
> That is really great info. Thanks.
>
> By the way, would you still have the Tomcat Kerberos logs that fail, in 
> comparison to one
> where it works ?
>
>
>>
>> David
>>
>> 
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>> From: felix.schumac...@internetallee.de
>>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>>> To: users@tomcat.apache.org
>>>
>>>
>>>
>>> Am 28. März 2015 17:46:50 MEZ, schrieb Mark Thomas :
>>>> On 28/03/2015 14:43, David Marsh wrote:
>>>>> Ok so I went back to basics and created three new VM's.
>>>>>
>>>>> Windows Server 2008 R2
>>>>> Windows 7 Client
>>>>> Wi

RE: SPNEGO test configuration with Manager webapp

2015-03-29 Thread David Marsh
I've tested all the following public JDKs 

jdk-7u45-windows-i586.exe
jdk-7u65-windows-i586.exe
jdk-7u75-windows-i586.exe
jdk-8-windows-i586.exe
jdk-8u5-windows-i586.exe
jdk-8u11-windows-i586.exe
jdk-8u20-windows-i586.exe
jdk-8u25-windows-i586.exe
jdk-8u31-windows-i586.exe
jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token

Seems a recent "fix" must have broken it.

David


> Subject: Re: SPNEGO test configuration with Manager webapp
> From: felix.schumac...@internetallee.de
> Date: Sun, 29 Mar 2015 10:13:29 +0200
> To: users@tomcat.apache.org
>
>
>
> Am 28. März 2015 17:46:50 MEZ, schrieb Mark Thomas :
>>On 28/03/2015 14:43, David Marsh wrote:
>>> Ok so I went back to basics and created three new VM's.
>>>
>>> Windows Server 2008 R2
>>> Windows 7 Client
>>> Windows 7 Tomcat
>>>
>>> I still had the same issues, until I changed the Java on the tomcat
>>server to JDK 7 u45.
>>>
>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>
>>Thank you for doing all this testing. That is useful information to
>>know. The next step (for you, me or anyone who has the time and wants
>>to
>>help) is to test subsequent Java 7 releases and see at which version it
>>stops working. I'd hope that a review of the relevant change log would
>>identify the change that triggered the breakage and provide some clues
>>on how to fix it.
>>
>>It would be worth testing the Java 8 releases the same way.
>
> I read it that jdk 7 works and jdk 8 is problematic.
>
> There are a few Kerberos related changes in jdk 8 ( 
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).
>
> Interesting are the two changes:
>
> * DES is disabled by default
> * constrained delegation is supported.
>
> My guess would be that it would help (in this case) to re-enable DES by 
> adding allow_weak_crypto=true in the krb5.conf.
>
> Regards
> Felix
>>
>>Mark
>>
>>
>>>
>>> David
>>>
>>> 
>>>> From: dmars...@outlook.com
>>>> To: users@tomcat.apache.org
>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>> Date: Fri, 27 Mar 2015 23:40:06 +
>>>>
>>>> By the way Tomcat 8 was running on JDK :-
>>>>
>>>> C:\Windows\system32>java -version
>>>> java version "1.8.0_40"
>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>
>>>> Version update 40 should include some JRE fixes around GSS and
>>SPNEGO, including ignoring parts of NegoEx, however
>>>> it does not seem to work.
>>>>
>>>> I've also created a Windows 7 client with same config just different
>>DNS of win-pc02.kerbtest.local
>>>>
>>>> It has the same issue going from firefox to
>>http://win-tc01.kerbtest.local/manager/html
>>>> I get the same three 401's and the Negotiate.
>>>>
>>>> 
>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>> From: a...@ice-sa.com
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> David Marsh wrote:
>>>>>> Hi Mark,
>>>>>>
>>>>>> Thanks for that, yes I've got 30 years windows experience, I can
>>use Linux at a push but it's not really my area of expertise.
>>>>>>
>>>>>> I'm a Java / Windows programmer so I should be able to understand
>>it, but not a Kerberos or Active Directory expert.
>>>>>>
>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API
>>in Java thick clients.
>>>>>>
>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>> Enable Windows Integrated Authentication is on
>>>>>> Auto logon only in Intranet Zone is on
>>>>>>
>>>>>> I've been using Firefox to test and that does send 401 and
>>negotiate, but causes the GSS token error mentioned.
>>>>>>
>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>

RE: SPNEGO test configuration with Manager webapp

2015-03-28 Thread David Marsh
OK, so I went back to basics and created three new VMs.

Windows Server 2008 R2
Windows 7 Client
Windows 7 Tomcat

I still had the same issues, until I changed the Java on the Tomcat server to 
JDK 7 u45.

It appears there are breaking changes to JAAS/GSS in newer JDKs ?

David


> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Fri, 27 Mar 2015 23:40:06 +
>
> By the way Tomcat 8 was running on JDK :-
>
> C:\Windows\system32>java -version
> java version "1.8.0_40"
> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>
> Version update 40 should include some JRE fixes around GSS and SPNEGO, 
> including ignoring parts of NegoEx, however
> it does not seem to work.
>
> I've also created a Windows 7 client with the same config, just a different 
> DNS name of win-pc02.kerbtest.local
>
> It has the same issue going from Firefox to 
> http://win-tc01.kerbtest.local/manager/html
> I get the same three 401s and the Negotiate.
>
> 
>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>> From: a...@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> David Marsh wrote:
>>> Hi Mark,
>>>
>>> Thanks for that, yes I've got 30 years Windows experience, I can use Linux 
>>> at a push but it's not really my area of expertise.
>>>
>>> I'm a Java / Windows programmer so I should be able to understand it, but 
>>> I'm not a Kerberos or Active Directory expert.
>>>
>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java 
>>> thick clients.
>>>
>>> I made the IE settings you outlined but it seems to still prompt.
>>> IE has win-tc01.kerbtest.local as a trusted site.
>>> Enable Windows Integrated Authentication is on
>>> Auto logon only in Intranet Zone is on
>>>
>>> I've been using Firefox to test and that does send 401 and negotiate, but 
>>> causes the GSS token error mentioned.
>>>
>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>
>>> The Windows client OS and Tomcat server OS have the registry setting for 
>>> allowtgtsessionkey set to 1 (enabled).
>>>
>>> Java kinit test works and stores a ticket in the Java session cache.
>>>
>>> So the problem seems to be either :-
>>>
>>> 1. Browser sends bad token
>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>
>>
>> Another shot almost in the dark : while browsing hundreds of 
>> Kerberos-related pages on the WWW, one other recommendation which seems to 
>> appear regularly (and Mark also mentioned that somewhere), is that each time 
>> you make a change somewhere, you should reboot the machine afterward, before 
>> re-testing. (Particularly on Windows machines).
>> I know it's a PITA, but I have also found the same to be true sometimes when 
>> merely dealing with NTLM matters. There are probably some hidden caches that 
>> get cleared only in that way.
>>
>>
>>> many thanks
>>>
>>> David
>>>
>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>> From: a...@ice-sa.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>
>>>> David Marsh wrote:
>>>>> Hi Mark,
>>>>> Thanks that would be great !
>>>>> Do you have a good mechanism to test and ensure a Kerberos token is 
>>>>> passed to Tomcat and not an NTLM token ?
>>>> I believe that I can answer that.
>>>>
>>>> And the basic answer is no.
>>>>
>>>> First the basic principle, valid for this and many many other areas : the 
>>>> server cannot "impose" anything on the browser. The local user can always 
>>>> override anything received from the server, by a setting in the browser. 
>>>> And a hacker can of course do anything.
>>>> All the server can do, is tell the browser what it will accept, and the 
>>>> browser can tell the server ditto.
>>>> So, never assume the opposite, and you will save yourself a lot of 
>>>> fruitless searches and dead-ends.
>>>>
>>>> Now more spec

RE: SPNEGO test configuration with Manager webapp

2015-03-27 Thread David Marsh
By the way, Tomcat 8 was running on JDK :-

C:\Windows\system32>java -version
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

Version update 40 should include some JRE fixes around GSS and SPNEGO, 
including ignoring parts of NegoEx; however, it does not seem to work.

I've also created a Windows 7 client with the same config, just a different 
DNS name of win-pc02.kerbtest.local

It has the same issue going from Firefox to 
http://win-tc01.kerbtest.local/manager/html
I get the same three 401s and the Negotiate.


> Date: Thu, 26 Mar 2015 12:11:34 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>>
>> Thanks for that, yes I've got 30 years Windows experience, I can use Linux 
>> at a push but it's not really my area of expertise.
>>
>> I'm a Java / Windows programmer so I should be able to understand it, but 
>> I'm not a Kerberos or Active Directory expert.
>>
>> I have used Waffle in the past with success and used JAAS/GSS-API in Java 
>> thick clients.
>>
>> I made the IE settings you outlined but it seems to still prompt.
>> IE has win-tc01.kerbtest.local as a trusted site.
>> Enable Windows Integrated Authentication is on
>> Auto logon only in Intranet Zone is on
>>
>> I've been using Firefox to test and that does send 401 and negotiate, but 
>> causes the GSS token error mentioned.
>>
>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>
>> The Windows client OS and Tomcat server OS have the registry setting for 
>> allowtgtsessionkey set to 1 (enabled).
>>
>> Java kinit test works and stores a ticket in the Java session cache.
>>
>> So the problem seems to be either :-
>>
>> 1. Browser sends bad token
>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>
>
> Another shot almost in the dark : while browsing hundreds of Kerberos-related 
> pages on the WWW, one other recommendation which seems to appear regularly 
> (and Mark also mentioned that somewhere), is that each time you make a change 
> somewhere, you should reboot the machine afterward, before re-testing. 
> (Particularly on Windows machines).
> I know it's a PITA, but I have also found the same to be true sometimes when 
> merely dealing with NTLM matters. There are probably some hidden caches that 
> get cleared only in that way.
>
>
>> many thanks
>>
>> David
>>
>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>> From: a...@ice-sa.com
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> David Marsh wrote:
>>>> Hi Mark,
>>>> Thanks that would be great !
>>>> Do you have a good mechanism to test and ensure a Kerberos token is passed 
>>>> to Tomcat and not an NTLM token ?
>>> I believe that I can answer that.
>>>
>>> And the basic answer is no.
>>>
>>> First the basic principle, valid for this and many many other areas : the 
>>> server cannot "impose" anything on the browser. The local user can always 
>>> override anything received from the server, by a setting in the browser. 
>>> And a hacker can of course do anything.
>>> All the server can do, is tell the browser what it will accept, and the 
>>> browser can tell the server ditto.
>>> So, never assume the opposite, and you will save yourself a lot of 
>>> fruitless searches and dead-ends.
>>>
>>> Now more specific :
>>> 1) For Kerberos to be used at all at the browser level, the server must 
>>> send a 401 response with "Negotiate" as the requested authentication 
>>> method. Unless it does that, the browser will never even attempt to send a 
>>> Kerberos "Authorization" back.
>>> 2) for the browser to consider returning a Kerberos Authorization header to 
>>> the server, additional conditions depend on the browser.
>>> For IE :
>>> a) the "enable Windows Integrated Authentication" setting must be on 
>>> (checked), whether this is done locally by the user, or part of the 
>>> standard IE settings company-wide, or imposed by some "network policy" at 
>>> corporate level.
>>> b) the server to which the browser is talking, must be kno

RE: SPNEGO test configuration with Manager webapp

2015-03-26 Thread David Marsh
Hi Mark,

Thanks for that, yes I've got 30 years Windows experience, I can use Linux at a 
push but it's not really my area of expertise.

I'm a Java / Windows programmer so I should be able to understand it, but I'm 
not a Kerberos or Active Directory expert.

I have used Waffle in the past with success and used JAAS/GSS-API in Java thick 
clients.

I made the IE settings you outlined but it seems to still prompt.
IE has win-tc01.kerbtest.local as a trusted site.
Enable Windows Integrated Authentication is on
Auto logon only in Intranet Zone is on

I've been using Firefox to test and that does send 401 and negotiate, but 
causes the GSS token error mentioned.

Active directory and krb5.ini are using eType 23 which is rc4-hmac

The Windows client OS and Tomcat server OS have the registry setting for 
allowtgtsessionkey set to 1 (enabled).

Java kinit test works and stores a ticket in the Java session cache.

So the problem seems to be either :-

1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it

many thanks

David

> Date: Thu, 26 Mar 2015 11:32:39 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> David Marsh wrote:
>> Hi Mark,
>> Thanks that would be great !
>> Do you have a good mechanism to test and ensure a Kerberos token is passed to 
>> Tomcat and not an NTLM token ?
> 
> I believe that I can answer that.
> 
> And the basic answer is no.
> 
> First the basic principle, valid for this and many many other areas : the 
> server cannot "impose" anything on the browser. The local user can always 
> override anything received from the server, by a setting in the browser. And 
> a hacker can of course do anything.
> All the server can do, is tell the browser what it will accept, and the 
> browser can tell the server ditto.
> So, never assume the opposite, and you will save yourself a lot of fruitless 
> searches and dead-ends.
> 
> Now more specific :
> 1) For Kerberos to be used at all at the browser level, the server must send 
> a 401 response with "Negotiate" as the requested authentication method. 
> Unless it does that, the browser will never even attempt to send a Kerberos 
> "Authorization" back.
> 2) for the browser to consider returning a Kerberos Authorization header to 
> the server, additional conditions depend on the browser.
> For IE :
> a) the "enable Windows Integrated Authentication" setting must be on 
> (checked), whether this is done locally by the user, or part of the standard 
> IE settings company-wide, or imposed by some "network policy" at corporate 
> level.
> b) the server to which the browser is talking, must be known to IE as either
> - part of the "Intranet"
> - or at least a "trusted" server
> That is defined in IE's "security zones" (which again can be local, or 
> corporation-wide).
> 
> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will 
> fall back to NTLM, always. And there is nothing you can do about that at the 
> server level.
> (Funnily enough, disabling the "enable Windows Integrated Authentication" at 
> the IE level, has the effect of disabling Kerberos, but not NTLM).
> 
> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it 
> /might/ fall back to Basic authentication, if its other settings allow that. 
> That's when you see the browser popup login dialog; and in an SSO context, 
> this is a sure sign that something isn't working as expected.
> 
> Some authentication modules, at the server level, are able to adapt to what 
> the browser sends, others not. I believe that Waffle can accept either 
> browser NTLM or Kerberos authentication. Waffle works only on a Windows 
> Tomcat server, not on a Linux Tomcat server.
> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but 
> it works under both Windows and Linux.
> 
> And finally, about your problems : it seems that you have fallen in a very 
> specific kind of hell, because you are trying to talk to a Windows-based 
> Kerberos KDC (which is using Windows Kerberos libraries and encryption method 
> choices and hostname formats etc..), from a Java JVM-based "client" (in this 
> case the Tomcat server, whatever its underlying platform is), which is using 
> Java Kerberos libraries and encryption method choices etc... 
> And it seems that between this Java Kerberos part and the Windows Kerberos 
> part, there are 
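
André's answer above is that the server cannot force Kerberos over NTLM, and David's question was how to tell which of the two actually arrived at Tomcat. The following Python is an added example, not code from the thread or from Tomcat: it decodes the value of the Authorization: Negotiate request header and reports whether it is a raw NTLMSSP blob, a bare Kerberos token, or a SPNEGO NegTokenInit, and in the SPNEGO case which mechanisms the browser offered and which one it preferred. The sample headers are constructed (dummy inner tokens); the "java_gss_framing_ok" flag reflects the fact that Java's GSS layer rejects any token that does not start with the 0x60 APPLICATION tag, which is the "GSSHeader did not find the right tag" error quoted in this thread.

```python
import base64
from typing import Dict, List, Tuple

MECH_OIDS = {  # GSS mechanism OIDs that show up in browser Negotiate tokens
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
OID_OF = {name: oid for oid, name in MECH_OIDS.items()}
KERBEROS_MECHS = {"KRB5", "MS-KRB5"}


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value, short or long definite length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _result(kind: str, mechs: List[str], kerberos: bool, framing_ok: bool = True) -> Dict:
    return {"kind": kind, "mechs": mechs, "kerberos": kerberos, "java_gss_framing_ok": framing_ok}


def classify_negotiate_token(header_value: str) -> Dict:
    """Classify an 'Authorization: Negotiate <base64>' value: raw NTLMSSP, bare
    Kerberos, or SPNEGO with its mechType list (most preferred mech first).
    java_gss_framing_ok is False when the token lacks the outer 0x60 tag that
    sun.security.jgss insists on ('GSSHeader did not find the right tag')."""
    parts = header_value.strip().split(None, 1)
    b64 = parts[1] if len(parts) == 2 and parts[0].lower() == "negotiate" else parts[-1]
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return _result("raw NTLM", ["NTLMSSP"], False, framing_ok=False)
    if not raw or raw[0] != 0x60:
        return _result("not a GSS token", [], False, framing_ok=False)
    _, body, _ = _read_tlv(raw, 0)
    tag, oid_body, pos = _read_tlv(body, 0)
    outer = MECH_OIDS.get(_decode_oid(oid_body), "?") if tag == 0x06 else "?"
    if outer != "SPNEGO":  # a bare Kerberos AP-REQ is allowed by RFC 4559
        return _result("raw " + outer, [outer], outer in KERBEROS_MECHS)
    ctag, init, _ = _read_tlv(body, pos)
    if ctag != 0xA0:  # NegTokenResp ([1]) carries no mechTypes
        return _result("SPNEGO NegTokenResp", [], False)
    mechs: List[str] = []
    _, fields, _ = _read_tlv(init, 0)  # NegTokenInit ::= SEQUENCE { [0] mechTypes, ... }
    p = 0
    while p < len(fields):
        ftag, fval, p = _read_tlv(fields, p)
        if ftag == 0xA0:
            _, oid_list, _ = _read_tlv(fval, 0)
            q = 0
            while q < len(oid_list):
                _, ob, q = _read_tlv(oid_list, q)
                mechs.append(MECH_OIDS.get(_decode_oid(ob), _decode_oid(ob)))
    return _result("SPNEGO NegTokenInit", mechs, bool(mechs) and mechs[0] in KERBEROS_MECHS)


def build_spnego_init(mech_names: List[str], mech_token: bytes) -> str:
    """Constructed NegTokenInit header value for the samples below."""
    mech_list = _tlv(0x30, b"".join(_encode_oid(OID_OF[m]) for m in mech_names))
    fields = _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token))
    token = _tlv(0x60, _encode_oid(OID_OF["SPNEGO"]) + _tlv(0xA0, _tlv(0x30, fields)))
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed sample headers; the inner tokens are dummy bytes, not real tickets.
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(20)).decode()
SAMPLE_SPNEGO_KERBEROS = build_spnego_init(
    ["MS-KRB5", "KRB5", "NegoEx", "NTLMSSP"], b"\x60" + bytes(200))
SAMPLE_SPNEGO_NTLM = build_spnego_init(
    ["NTLMSSP"], b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(24))
```

Running classify_negotiate_token over the three samples gives "raw NTLM" (rejected by Java's GSSHeader), a SPNEGO token that prefers MS-KRB5, and a SPNEGO token offering only NTLMSSP, which is what an IE that has fallen back to NTLM sends.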

RE: SPNEGO test configuration with Manager webapp

2015-03-26 Thread David Marsh
Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure a Kerberos token is passed to 
Tomcat and not an NTLM token ?
David

> Date: Thu, 26 Mar 2015 09:00:22 +
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> On 26/03/2015 00:36, David Marsh wrote:
> > Still getting :-
> >  java.security.PrivilegedActionException: GSSException: Defective token 
> > detected (Mechanism level: G
> > SSHeader did not find the right tag)
> > 
> > Folks here mention lack of NegoEx support or bugs in GSS-APi ?
> > 
> > http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
> > 
> > Does Tomcat 8 work with NegoEx ?
> > 
> > Is Windows 8.1 and Windows Server 2012 RC2 supported ?
> 
> My test environment is Windows 2008 R2 server and Windows 7. It is
> certainly possible that security has been tightened between those versions
> and 2012/R2 + 8, which means things don't work by default with Java.
> 
> I'll see if I can find some time in the next few weeks to update my test
> environment and do some more testing.
> 
> Mark
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
  

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
InputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 70; type: 1
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 70; type: 3
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 78; type: 23
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 94; type: 18
>>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>>> KeyTabInputStream, readName(): HTTP
>>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>>> KeyTab: load() entry length: 78; type: 17
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> KrbAsReq creating message
>>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, 
>>>>>> number of
>>> retries =3, #bytes=216
>>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, 
>>>>>> timeout=3,Attempt
>>> =1, #bytes=216
>>>>>> KrbKdcReq send: #bytes read=213
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
>>> ocal, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 2
>>> PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 15
>>>
>>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>>KRBError:
>>> sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
>>> suSec is 382562
>>> error code is 25
>>> error Message is Additional pre-authentication required
>>> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>> eData provided.
>>> msgType is 30
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
>>> ocal, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 2
>>> PA-ENC-TIMESTAMP
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 16
>>>
>>>>>>Pre-Authentication Data:
>>> PA-DATA type = 15
>>>
>>> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Added key: 17version: 5
>>> Added key: 18version: 5
>>> Added key: 23version: 5
>>> Found unsupported keytype (3) for 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> Found unsupported keytype (1) for 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>> default etypes for default_tkt_enctypes: 23 18 17.
>>>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>>>> KrbAsReq creating message

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
 HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for 
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for 
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > default etypes for default_tkt_enctypes: 23 18 17.
> >>>> KrbAsReq creating message
> >>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, 
> >>>> number of
> > retries =3, #bytes=216
> >>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, 
> >>>> timeout=3,Attempt
> > =1, #bytes=216
> >>>> KrbKdcReq send: #bytes read=213
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> > ocal, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 2
> > PA-ENC-TIMESTAMP
> >>>>Pre-Authentication Data:
> > PA-DATA type = 16
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 15
> >
> >>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>KRBError:
> > sTime is Wed Mar 25 21:09:04 GMT 2015 1427317744000
> > suSec is 382562
> > error code is 25
> > error Message is Additional pre-authentication required
> > sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> > eData provided.
> > msgType is 30
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> > ocal, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 2
> > PA-ENC-TIMESTAMP
> >>>>Pre-Authentication Data:
> > PA-DATA type = 16
> >
> >>>>Pre-Authentication Data:
> > PA-DATA type = 15
> >
> > KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> > default etypes for default_tkt_enctypes: 23 18 17.
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for 
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for 
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added key: 23version: 5
> > Found unsupported keytype (3) for 
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for 
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > default etypes for default_tkt_enctypes: 23 18 17.
> >>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>>> KrbAsReq creating message
> >>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, 
> >>>> number of
> > retries =3, #bytes=305
> >>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, 
> >>>> timeout=3,Attempt
> > =1, #bytes=305
> >>>> KrbKdcReq send: #bytes read=180
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> > ocal, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> >>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
> >>>> KDCRep: init() encoding tag is 126 req type is 11
> >>>>KRBError:
> > sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
> > suSec is 600802
> > error code is 24
> > error Message is Pre-authentication information was invalid
> > sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> > eData provided.
> > msgType is 30
> >>>>Pre-Authentication Data:
> > PA-DATA type = 19
> > PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> > ocal, s2kparams = null
> > PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> >
> > Exception: krb_error 24 Pre-authentication information was invalid (24) 
> > Pre-auth
> > entication information was invalid
> > KrbException: Pre-authentication information was invalid (24)
> > at

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
ytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Added key: 17version: 5
> Added key: 18version: 5
> Added key: 23version: 5
> Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number 
>>>> of
> retries =3, #bytes=305
>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt
> =1, #bytes=305
>>>> KrbKdcReq send: #bytes read=180
>>>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> ocal, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>KRBError:
> sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
> suSec is 600802
> error code is 24
> error Message is Pre-authentication information was invalid
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
>>>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
> ocal, s2kparams = null
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> Exception: krb_error 24 Pre-authentication information was invalid (24) 
> Pre-auth
> entication information was invalid
> KrbException: Pre-authentication information was invalid (24)
> at sun.security.krb5.KrbAsRep.(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
> at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
> at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.init(Unknown Source)
> at sun.security.krb5.internal.ASRep.(Unknown Source)
> ... 5 more
>
>
>
>> Date: Wed, 25 Mar 2015 22:00:13 +0100
>> From: a...@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Felix Schumacher wrote:
>>> On 25.03.2015 at 20:19, André Warnier wrote:
>>>> David Marsh wrote:
>>>>> Java's version of kinit seems to report an issue ?
>>>>>
>>>>> C:\Program Files\Apache Software Foundation\Tomcat
>>>>> 8.0\conf>"C:\Program Files\Ja
>>>>> va\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>>>> Exception: krb_error 0 Do not have keys of types listed in
>>>>> default_tkt_enctypes
>>>>> available; only have keys of following type: No error
>>>>> KrbException: Do not have keys of types listed in
>>>>> default_tkt_enctypes available
>>>>> ; only have keys of following type:
>>>>> at
>>>>> sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>>> at
>>>>> sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>>> at
>>>>> sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>>> at
>>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>>> at sun.security.krb5.internal.tools.Kinit.(Kinit.java:219)
>>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>>>
>>>> That seems to indicate that between the Java Kerberos module in
>>>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the
>>>> types of keys used (type of encryption), so they do not understand
>>>> each other.
>>>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>>>
>>>> It is also a bit strange that it says :
>>>> only have keys of following type:
>>>> (with nothing behind the :.. )
>>>>
>>>> From what I keep browsing on the WWW, it also seems that the types of
>>>> key encryptions that might match between Java Kerberos and Windows
>>>> Kerberos, depend on the versions of both Java and W

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
T.LOCAL
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 17version: 5
Added key: 18version: 5
Added key: 23version: 5
Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of
 retries =3, #bytes=305
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt
=1, #bytes=305
>>> KrbKdcReq send: #bytes read=180
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
ocal, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Mar 25 21:09:08 GMT 2015 1427317748000
         suSec is 600802
         error code is 24
         error Message is Pre-authentication information was invalid
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
ocal, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-auth
entication information was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.(Unknown Source)
        ... 5 more



> Date: Wed, 25 Mar 2015 22:00:13 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> Felix Schumacher wrote:
>> On 25.03.2015 at 20:19, André Warnier wrote:
>>> David Marsh wrote:
>>>> Java's version of kinit seems to report an issue ?
>>>>
>>>> C:\Program Files\Apache Software Foundation\Tomcat 
>>>> 8.0\conf>"C:\Program Files\Ja
>>>> va\jdk1.8.0_40\bin\kinit" -t -k c:\keytab\tomcat.keytab
>>>> Exception: krb_error 0 Do not have keys of types listed in 
>>>> default_tkt_enctypes
>>>> available; only have keys of following type: No error
>>>> KrbException: Do not have keys of types listed in 
>>>> default_tkt_enctypes available
>>>> ; only have keys of following type:
>>>> at 
>>>> sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>>>> at 
>>>> sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>>>> at 
>>>> sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>>>> at 
>>>> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>>>> at sun.security.krb5.internal.tools.Kinit.(Kinit.java:219)
>>>> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>>>
>>> That seems to indicate that between the Java Kerberos module in 
>>> Tomcat, and the KDC's Kerberos software, there is a mismatch in the 
>>> types of keys used (type of encryption), so they do not understand 
>>> each other.
>>> This may be relevant : https://community.igniterealtime.org/thread/49913
>>>
>>> It is also a bit strange that it says :
>>> only have keys of following type:
>>> (with nothing behind the :.. )
>>>
>>> From what I keep browsing on the WWW, it also seems that the types of 
>>> key encryptions that might match between Java Kerberos and Windows 
>>> Kerberos, depend on the versions of both Java and Windows Server..
>>>
>> +1 (read your answer too late, I found the same link and posted it :)
>>> Man, this thing is really a nightmare, isn't it ?
>> I especially like the error messages.
>> 
> 
> Yes, and the thing is : there are a lot of pages
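
The "Found unsupported keytype (3)/(1)" lines and the "Do not have keys of types listed in default_tkt_enctypes available" error quoted in this message come down to one comparison: the enctypes present in the keytab against the ones krb5.ini (default_tkt_enctypes) and the JDK's weak-crypto policy allow. The following Python is an added example, not code from the thread or from the JDK: it writes and parses a version-2 keytab with the same five entries the KeyTab.load() output lists for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL (key bytes are constructed dummies of the right length per enctype) and replays that comparison with and without allow_weak_crypto, which is the krb5 setting Felix proposed earlier in the thread.

```python
import struct
from typing import Dict, List, Tuple

# Enctype numbers that appear in the thread's kinit/keytab debug output.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# DES types: Java 8 reports them as "Found unsupported keytype" unless
# krb5.conf / krb5.ini sets allow_weak_crypto = true.
WEAK_ENCTYPES = {1, 3}


def _counted(data: bytes) -> bytes:
    """keytab counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _take(blob: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">H", blob[pos:pos + 2])
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[Dict]) -> bytes:
    """Write a version-2 keytab (magic 0x05 0x02) laid out like the ktpass output
    in the thread: name_type and timestamp present, no trailing 32-bit kvno."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, e.get("timestamp", 0), e["kvno"])  # KRB5_NT_PRINCIPAL
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes) -> List[Dict]:
    """Parse a v2 keytab into the entries KeyTab.load() logs in the JDK output."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:  # a negative size marks a deleted slot: skip the hole
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        realm, pos = _take(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _take(blob, pos)
            comps.append(comp.decode())
        _name_type, _stamp, kvno = struct.unpack(">IIB", blob[pos:pos + 9])
        (etype,) = struct.unpack(">H", blob[pos + 9:pos + 11])
        key, pos = _take(blob, pos + 11)
        if end - pos >= 4:  # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", blob[pos:pos + 4])
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": etype, "kvno": kvno, "key_len": len(key),
                        "entry_len": size})
        pos = end
    return entries


def check_keytab(entries: List[Dict], default_tkt_enctypes: List[int],
                 allow_weak_crypto: bool = False) -> Dict:
    """Mirror the JDK's decision: drop weak keys unless allow_weak_crypto, then
    require a key whose enctype is listed in default_tkt_enctypes (otherwise kinit
    fails with 'Do not have keys of types listed in default_tkt_enctypes')."""
    usable, unsupported = {}, []
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES and not allow_weak_crypto:
            unsupported.append(e["enctype"])
        else:
            usable[e["enctype"]] = e["kvno"]
    matching = [t for t in default_tkt_enctypes if t in usable]
    return {"usable": sorted(usable), "unsupported": sorted(unsupported),
            "matching": matching, "ok": bool(matching),
            "names": [ENCTYPE_NAMES.get(t, str(t)) for t in matching]}


# Constructed sample: the five entries the thread's KeyTab.load() output lists for
# this principal, with dummy key bytes of the right size for each enctype.
PRINCIPAL = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    {"principal": PRINCIPAL, "kvno": 5, "enctype": et, "key": bytes(range(n))}
    for et, n in [(1, 8), (3, 8), (23, 16), (18, 32), (17, 16)]])
```

The parsed entry lengths (70, 70, 78, 94, 78) match the "entry length" values in the quoted KeyTab.load() output, and check_keytab with default_tkt_enctypes = [23, 18, 17] reports types 1 and 3 as unsupported while still succeeding, which is the situation the later kinit run in this thread shows.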

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
>
> Response WWW-Authenticate: "Negotiate"
>
> I'm not sure how long they should be, but they all end in "=" so I expect 
> they are not truncated ?
>
> 
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> From: felix.schumac...@internetallee.de
>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>> To: users@tomcat.apache.org
>>
>>
>>
>> On 25 March 2015 17:25:25 CET, David Marsh wrote:
>>>This is how the keytab was created :-
>>>
>>>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>>tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>/pass tc01pass
>>>
>>>The password is the correct password for the user tc01 associated with
>>>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>>
>>>I managed to turn on some more logging around JAAS, see the error
>>>:- java.security.PrivilegedActionException: GSSException: Defective
>>>token detected
>> Do you talk directly to Tomcat, or is there any kind of proxy in between?
>> Could the header be truncated?
>>
>> Felix
>>>
>>>25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>>25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>>25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>>25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>>25-Mar-2015 15:46:22.808 INFO [main] org.apac

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
uncated ?


> Subject: RE: SPNEGO test configuration with Manager webapp
> From: felix.schumac...@internetallee.de
> Date: Wed, 25 Mar 2015 17:31:51 +0100
> To: users@tomcat.apache.org
>
>
>
> On 25 March 2015 17:25:25 CET, David Marsh wrote:
>>This is how the keytab was created :-
>>
>>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local
>>/pass tc01pass
>>
>>The password is the correct password for the user tc01 associated with
>>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>
>>I managed to turn on some more logging around JAAS, see the error
>>:- java.security.PrivilegedActionException: GSSException: Defective
>>token detected
> Do you talk directly to Tomcat, or is there any kind of proxy in between?
> Could the header be truncated?
>
> Felix
>>
>>25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
>>25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
>>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
>>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
>>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
>>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
>>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
>>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
>>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
>>25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
>>25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
>>25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
>>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
>>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
>>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
>>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
>>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
>>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> fals

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
Http11NioProtocol.java:223)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
... 18 more

[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

> Date: Wed, 25 Mar 2015 16:48:10 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
>
> On 25.03.2015 16:09, David Marsh wrote:
>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>> tc01@KERTEST.LOCAL, still same symptoms.
>>
>> Ran klist on client after firefox test and the three 401 responses. :-
>>
>> C:\Users\test.KERBTEST.000>klist
>>
>> Current LogonId is 0:0x2fd7a
>>
>> Cached Tickets: (2)
>>
>> #0> Client: test @ KERBTEST.LOCAL
>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>> Ticket Flags 0x40e1 -> forwardable renewable initial pre_authent name_canonicalize
>> Start Time: 3/25/2015 14:46:43 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>> Cache Flags: 0x1 -> PRIMARY
>> Kdc Called: 192.168.0.200
>>
>> #1> Client: test @ KERBTEST.LOCAL
>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>> Ticket Flags 0x40a1 -> forwardable renewable pre_authent name_canonicalize
>> Start Time: 3/25/2015 14:51:21 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: RSADSI RC4-HMAC(NT)
>> Cache Flags: 0
>> Kdc Called: 192.168.0.200
>>
>> Looks like I was granted a ticket for the SPN
>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>
>> If I have ticket why do I get 401 ?
> Your client has got a service ticket for HTTP/win-tc01... This is used
> by firefox for authentication. Firefox transmits
> this service ticket to the server (as base64 encoded in the
> WWW-Authenticate header).
>
> Your server has to decrypt this ticket using its own ticket to get at
> the user information. This is where your problems arise.
> It looks like your server has trouble to get its own ticket.
>
> Are you sure, that the password you used for keytab generation (on the
> server side), is correct? ktpass will probably accept
> any input as a password. Maybe you can check the keytab by using kinit
> (though I don't know, if it exists for windows, or how
> the java one is used).
>
> Felix
>
>>
>> 
>>> Date: Tue, 24 Mar 2015 22:46:15 +
>>> From: ma...@apache.org
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24/03/2015 20:47, David Marsh wrote:
>>>> Hi Felix,
>>>> Thanks for your help!
>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>> startup.bat and also added the same definitions to the Java
>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>> when using startup.bat, not sure the settings get picked up by the
>>>> windows service ?
>>>> I do not think authentication completes, certainly authorization does
>>>> not as I can't see the site and get 401 http status.
>>>> I have not configured a tomcat realm but I have put the test user a
>>>> manager-gui group in Active Directory.
>>>
>>> I've onl
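
The question earlier in this thread, whether the Authorization header arrives truncated, and the "GSSHeader did not find the right tag" message in the trace above can both be settled from the captured header value. The script below is an added example (mine, not the Tomcat project's or the thread's): it applies the same header checks Java's GSSHeader performs before the SPNEGO authenticator ever sees the token, and names the usual causes; the sample header values in sample_headers() are constructed, not captured from the thread.

```python
"""Triage a captured 'Authorization: Negotiate <base64>' header value.

Added example, not code from Tomcat or this thread.  It checks what Java's
GSSHeader checks: base64 intact, 0x60 application tag, DER length consistent
with the bytes received, and a known mechanism OID.  Samples are constructed.
"""
import base64
import binascii
import re

# Mechanism OIDs as DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, value).
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"):       "spnego",   # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "krb5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "ms-krb5",  # 1.2.840.48018.1.2.2
}
NTLM_SIGNATURE = b"NTLMSSP\x00"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def read_der_length(buf: bytes, pos: int):
    """Return (length, position after the length octets); ValueError if cut off."""
    if pos >= len(buf):
        raise ValueError("length octet missing")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("long-form length cut off")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def build_gss_token(mech_oid: bytes, inner: bytes) -> bytes:
    """RFC 2743 InitialContextToken: 0x60, DER length, mechanism OID, inner token."""
    content = mech_oid + inner
    return b"\x60" + der_length(len(content)) + content


def triage_negotiate(header_value: str) -> dict:
    """Classify one Authorization header value; 'verdict' says what Tomcat would see."""
    if header_value.strip() == "Negotiate":
        return {"verdict": "empty-challenge"}      # the 401 challenge form, no token at all
    m = re.fullmatch(r"\s*Negotiate\s+(\S+)\s*", header_value)
    if not m:
        return {"verdict": "not-negotiate"}
    b64 = m.group(1)
    try:
        token = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        # Length not a multiple of 4 or illegal characters: mangled or cut mid-quantum.
        return {"verdict": "bad-base64", "b64_len": len(b64)}
    if token.startswith(NTLM_SIGNATURE):
        # Browser had no Kerberos ticket and fell back to NTLM inside 'Negotiate';
        # GSSHeader reports this as a defective token.
        return {"verdict": "ntlm", "bytes": len(token)}
    if not token or token[0] != 0x60:
        return {"verdict": "defective-tag", "first_byte": token[:1].hex()}
    try:
        declared, pos = read_der_length(token, 1)
    except ValueError as e:
        return {"verdict": "truncated", "reason": str(e)}
    have = len(token) - pos
    if have < declared:
        return {"verdict": "truncated", "declared": declared, "have": have,
                "expected_bytes": pos + declared}
    for oid, name in MECH_OIDS.items():
        if token[pos:].startswith(oid):
            return {"verdict": name, "bytes": len(token), "declared": declared}
    return {"verdict": "unknown-mech", "oid_prefix": token[pos:pos + 4].hex()}


def sample_headers() -> dict:
    """Constructed sample header values (not captured from the thread)."""
    # SPNEGO-wrapped token with a 200-byte dummy body, so the DER length is long-form.
    spnego = build_gss_token(bytes.fromhex("06062b0601050502"), b"\xa0" + b"\x00" * 199)
    spnego_b64 = base64.b64encode(spnego).decode()
    ntlm = base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
    return {
        "good":      "Negotiate " + spnego_b64,
        "truncated": "Negotiate " + spnego_b64[:40],  # cut on a 4-char boundary, still decodes
        "mangled":   "Negotiate " + spnego_b64[:41],  # cut mid-quantum, base64 itself fails
        "ntlm":      "Negotiate " + ntlm,
        "raw-apreq": "Negotiate " + base64.b64encode(b"\x6e\x82\x04\x00").decode(),
    }


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(f"{name:10s} -> {triage_negotiate(value)}")
```

An "ntlm" verdict is the one to look for when a browser prompts for credentials as IE and Chrome did in this thread: the token is valid NTLM, but Tomcat's SPNEGO authenticator only accepts GSS-API tokens.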

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, 
still same symptoms.
 
Ran klist on client after firefox test and the three 401 responses. :-
 
 C:\Users\test.KERBTEST.000>klist

Current LogonId is 0:0x2fd7a

Cached Tickets: (2)

#0> Client: test @ KERBTEST.LOCAL
Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e1 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 3/25/2015 14:46:43 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: 192.168.0.200

#1> Client: test @ KERBTEST.LOCAL
Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a1 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/25/2015 14:51:21 (local)
End Time:   3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: 192.168.0.200

Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ 
KERBTEST.LOCAL ?

If I have ticket why do I get 401 ?
 

> Date: Tue, 24 Mar 2015 22:46:15 +
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks for your help!
>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and 
>> also added the same definitions to the Java parameters in Configure Tomcat 
>> tool. I definitely got more information when using startup.bat, not sure the 
>> settings get picked up by the windows service ?
>> I do not think authentication completes, certainly authorization does not as 
>> I can't see the site and get 401 http status.
>> I have not configured a tomcat realm but I have put the test user a 
>> manager-gui group in Active Directory.
>
> I've only given your config a quick scan, but the thing that jumps out
> at me is spaces in the some of the paths. I'm not sure how well krb5.ini
> will handle those. It might be fine. It might not be.
>
> Mark
>
>
>> David
>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>> From: felix.schumac...@internetallee.de
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>> Everything is as described and still not working, except the jaas.conf is 
>>>> :-
>>>>
>>>> com.sun.security.jgss.krb5.initiate {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>>> 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> com.sun.security.jgss.krb5.accept {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>>> 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> In other words the principal is the tomcat server as it should be.
>>>>
>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>> From: felix.schumac...@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>> Sorry that's :-
>>>>>>
>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>> Is it working with this configuration, or just to point out, that you
>>>>> copied the wrong jaas.conf for the mail?
>>>>>
>>>>> Felix
>>>>>> 
>>>>>>> From: dmars...@outlook.com
>>>>>>> To: users@tomcat.apache.org
&g

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
 =

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
 sTime is Tue Mar 24 20:51:24 GMT 2015 1427230284000
 suSec is 581394
 error code is 25
 error Message is Additional pre-authentication required
 sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
 eData provided.
 msgType is 30
>>>Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=3,Attempt=1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=3,Attempt=1, #bytes=247
>>>DEBUG: TCPClient reading 1483 bytes
>>> KrbKdcReq send: #bytes read=1483
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 0
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 06:51:24 GMT 2015


> Date: Tue, 24 Mar 2015 21:39:38 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> On 24.03.2015 at 21:25, David Marsh wrote:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> > com.sun.security.jgss.krb5.initiate {
> >  com.sun.security.auth.module.Krb5LoginModule required
> >  doNotPrompt=true
> >  principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >  useKeyTab=true
> >  keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> > 8.0/conf/tomcat.keytab"
> >  storeKey=true;
> > };
> >
> > com.sun.security.jgss.krb5.accept {
> >  com.sun.security.auth.module.Krb5LoginModule required
> >  doNotPrompt=true
> >  principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >  useKeyTab=true
> >  keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> > 8.0/conf/tomcat.keytab"
> >  storeKey=true;
> > };
> >
> > In other words the principal is the tomcat server as it should be.
> >
> >> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >> From: felix.schumac...@internetallee.de
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> On 24.03.2015 at 21:05, David Marsh wrote:
> >>> Sorry that's :-
> >>>
> >>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>> under jaas.conf, it is set to the tomcat server DNS.
> >> Is it working
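
The key-type question runs through both threads on this page: the first one fails with "Do not have keys of types listed in default_tkt_enctypes available", and in the debug output above the keytab yields only "Added key: 23" while klist shows the TGT at AES-256 and the service ticket at RC4. The check below is an added example (mine, not the Tomcat project's or the thread's): it reads a keytab in the MIT format that ktpass writes and intersects its key types for the service principal with the krb5.ini list; the keytab bytes are constructed inline with dummy keys, and the principal and enctype list are the ones from this thread.

```python
"""Check a keytab's key types against krb5.ini's default_tkt_enctypes.

Added example, not code from Tomcat or this thread.  Parses the MIT keytab
format (version 0x0502) that ktpass writes and reports the mismatch Java
logs as 'Do not have keys of types listed in default_tkt_enctypes available'.
The keytab from sample_keytab() is constructed with dummy keys.
"""
import struct

# Enctype numbers (RFC 3961, 3962, 4757) for the names krb5.ini uses.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
NAME_TO_ENCTYPE = {name: num for num, name in ENCTYPE_NAMES.items()}


def _counted(data: bytes, pos: int):
    """counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def _names(nums):
    return [ENCTYPE_NAMES.get(n, str(n)) for n in nums]


def parse_keytab(data: bytes) -> list:
    """Return [{'principal', 'enctype', 'kvno'}] for every live entry of an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                          # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                              # uint32 name_type, uint32 timestamp
        kvno = data[pos]                      # 8-bit vno
        enctype, keylen = struct.unpack(">HH", data[pos + 1:pos + 5])
        pos += 5 + keylen                     # the key material itself is not needed here
        if end - pos >= 4:                    # optional 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append({"principal": principal, "enctype": enctype, "kvno": kvno})
    return entries


def build_keytab(entries) -> bytes:
    """Write (principal, enctype, kvno, key) tuples in the same format (for the sample)."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">II", 1, 0)      # name_type KRB5_NT_PRINCIPAL, timestamp 0
        body += bytes([kvno & 0xFF]) + struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_enctypes(keytab: bytes, principal: str, default_tkt_enctypes: str) -> dict:
    """Intersect the keytab's enctypes for `principal` with the krb5.ini list."""
    wanted = [NAME_TO_ENCTYPE[n.strip()] for n in default_tkt_enctypes.split(",") if n.strip()]
    have = sorted({e["enctype"] for e in parse_keytab(keytab) if e["principal"] == principal})
    usable = [e for e in wanted if e in have]
    return {"keytab": _names(have), "requested": _names(wanted),
            "usable": _names(usable), "ok": bool(usable)}


PRINCIPAL = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
INI_ENCTYPES = "rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96"


def sample_keytab(enctypes=(23,)) -> bytes:
    """Constructed keytab: one entry per enctype for PRINCIPAL, kvno 0, zeroed dummy key."""
    return build_keytab([(PRINCIPAL, et, 0, bytes(32 if et == 18 else 16)) for et in enctypes])


if __name__ == "__main__":
    # As in the thread: ktpass wrote only an RC4 (23) key and krb5.ini lists rc4-hmac -> usable.
    print(check_enctypes(sample_keytab((23,)), PRINCIPAL, INI_ENCTYPES))
    # AES-only keytab but krb5.ini restricted to rc4-hmac -> the 'Do not have keys' condition.
    print(check_enctypes(sample_keytab((18,)), PRINCIPAL, "rc4-hmac"))
```

The log above says "default etypes for default_tkt_enctypes: 23 17." although krb5.ini also names aes256-cts-hmac-sha1-96; Java 8 releases before 8u161 drop the 256-bit enctype unless the unlimited-strength JCE policy files are installed, so an AES-256-only keytab would fail on such a JVM even with a correct krb5.ini.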

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
Hi Felix,
Thanks for your help!
I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and 
also added the same definitions to the Java parameters in Configure Tomcat 
tool. I definitely got more information when using startup.bat, not sure the 
settings get picked up by the windows service ?
I do not think authentication completes, certainly authorization does not as I 
can't see the site and get 401 http status.
I have not configured a tomcat realm but I have put the test user a manager-gui 
group in Active Directory.
David
> Date: Tue, 24 Mar 2015 21:39:38 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> On 24.03.2015 at 21:25, David Marsh wrote:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> > com.sun.security.jgss.krb5.initiate {
> >  com.sun.security.auth.module.Krb5LoginModule required
> >  doNotPrompt=true
> >  principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >  useKeyTab=true
> >  keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> > 8.0/conf/tomcat.keytab"
> >  storeKey=true;
> > };
> >
> > com.sun.security.jgss.krb5.accept {
> >  com.sun.security.auth.module.Krb5LoginModule required
> >  doNotPrompt=true
> >  principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >  useKeyTab=true
> >  keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> > 8.0/conf/tomcat.keytab"
> >  storeKey=true;
> > };
> >
> > In other words the principal is the tomcat server as it should be.
> >
> >> Date: Tue, 24 Mar 2015 21:17:59 +0100
> >> From: felix.schumac...@internetallee.de
> >> To: users@tomcat.apache.org
> >> Subject: Re: SPNEGO test configuration with Manager webapp
> >>
> >> On 24.03.2015 at 21:05, David Marsh wrote:
> >>> Sorry that's :-
> >>>
> >>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
> >>> under jaas.conf, it is set to the tomcat server DNS.
> >> Is it working with this configuration, or just to point out, that you
> >> copied the wrong jaas.conf for the mail?
> >>
> >> Felix
> >>> 
> >>>> From: dmars...@outlook.com
> >>>> To: users@tomcat.apache.org
> >>>> Subject: SPNEGO test configuration with Manager webapp
> >>>> Date: Tue, 24 Mar 2015 20:02:04 +
> >>>>
> >>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
> >>>>
> >>>> I've created three Windows VMs :-
> >>>>
> >>>> Tomcat Server - Windows 8.1 32 bit VM
> >>>> Test Client - Windows 8.1 32 bit VM
> >>>> Domain Controller - Windows Server 2012 R2 64 bit VM
> >>>>
> >>>> The Tomcat Server and the Test Client are joined to the same domain 
> >>>> kerbtest.local, they are logged in with domain logins.
> >>>>
> >>>> The firewall is disabled on the Tomcat Server VM.
> >>>>
> >>>> I've followed the guidelines on the Apache Tomcat website.
> >>>>
> >>>> jaas.conf
> >>>>
> >>>> com.sun.security.jgss.krb5.initiate {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> >>>> 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> com.sun.security.jgss.krb5.accept {
> >>>> com.sun.security.auth.module.Krb5LoginModule required
> >>>> doNotPrompt=true
> >>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> >>>> useKeyTab=true
> >>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
> >>>> 8.0/conf/tomcat.keytab"
> >>>> storeKey=true;
> >>>> };
> >>>>
> >>>> krb5.ini
> >>>>
> >>>> [libdefaults]
> >>>> default_realm = KERBTEST.LOCAL
> >>>> default_keytab_name = FILE:C:\Program Files\Apache Software 
> >>>> Foundati

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
I copied old config file to mail yes.


> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24.03.2015 at 21:05, David Marsh wrote:
>> Sorry that's :-
>>
>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>> under jaas.conf, it is set to the tomcat server DNS.
> Is it working with this configuration, or just to point out, that you
> copied the wrong jaas.conf for the mail?
>
> Felix
>>
>> 
>>> From: dmars...@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: SPNEGO test configuration with Manager webapp
>>> Date: Tue, 24 Mar 2015 20:02:04 +
>>>
>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>
>>> I've created three Windows VMs :-
>>>
>>> Tomcat Server - Windows 8.1 32 bit VM
>>> Test Client - Windows 8.1 32 bit VM
>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>
>>> The Tomcat Server and the Test Client are joined to the same domain 
>>> kerbtest.local, they are logged in with domain logins.
>>>
>>> The firewall is disabled on the Tomcat Server VM.
>>>
>>> I've followed the guidelines on the Apache Tomcat website.
>>>
>>> jaas.conf
>>>
>>> com.sun.security.jgss.krb5.initiate {
>>> com.sun.security.auth.module.Krb5LoginModule required
>>> doNotPrompt=true
>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>> useKeyTab=true
>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>> 8.0/conf/tomcat.keytab"
>>> storeKey=true;
>>> };
>>>
>>> com.sun.security.jgss.krb5.accept {
>>> com.sun.security.auth.module.Krb5LoginModule required
>>> doNotPrompt=true
>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>> useKeyTab=true
>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>> 8.0/conf/tomcat.keytab"
>>> storeKey=true;
>>> };
>>>
>>> krb5.ini
>>>
>>> [libdefaults]
>>> default_realm = KERBTEST.LOCAL
>>> default_keytab_name = FILE:C:\Program Files\Apache Software 
>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>> default_tkt_enctypes = 
>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> default_tgs_enctypes = 
>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> forwardable=true
>>>
>>> [realms]
>>> KERBTEST.LOCAL = {
>>> kdc = win-dc01.kerbtest.local:88
>>> }
>>>
>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>
>>> I have tried to keep the setup as basic and vanilla to the instructions as 
>>> possible.
>>>
>>> Users were created as instructed.
>>>
>>> SPN was created as instructed
>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>
>>> keytab was created as instructed
>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>
>>> I have tried to test with firefox, chrome and IE, after ensuring 
>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added 
>>> http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris 
>>> and network.negotiate-auth.trusted-uris.
>>>
>>> Tomcat is running as a Windows service under the tc01@kerbtest.local 
>>> account.
>>>
>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in 
>>> firefox results in 401 three times.
>>>
>>> Looking at the Network tab in developer tools in firefox shows 401 response 
>>> with WWW-Authenticate: Negotiate response http header.
>>>
>>> The next has an Authorization request http header with long encrypted 
>>> string.
>>>
>>> IE still prompts for credentials with a popup, not sure why as does chrome.
>>> The setting User Authentication, Logon, Automatic Logon only in Intranet 
>>> Zone, is selected under trusted sites.
>>>
>>> It seems like authentication is never completed ?
>>>
>>> There are no errors in tomcat logs.
>>>
>>> Any ideas wha

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
8.0/conf/tomcat.keytab"
storeKey=true;
};

com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
8.0/conf/tomcat.keytab"
storeKey=true;
};

In other words the principal is the tomcat server as it should be.

> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
> 
> Am 24.03.2015 um 21:05 schrieb David Marsh:
>> Sorry that's :-
>>
>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>> under jaas.conf, it is set to the tomcat server DNS.
> Is it working with this configuration, or just to point out, that you 
> copied the wrong jaas.conf for the mail?
> 
> Felix
>>
>> 
>>> From: dmars...@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: SPNEGO test configuration with Manager webapp
>>> Date: Tue, 24 Mar 2015 20:02:04 +
>>>
>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>
>>> I've created three Windows VMs :-
>>>
>>> Tomcat Server - Windows 8.1 32 bit VM
>>> Test Client - Windows 8.1 32 bit VM
>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>
>>> The Tomcat Server and the Test Client are joined to the same domain 
>>> kerbtest.local, they are logged in with domain logins.
>>>
>>> The firewall is disabled on the Tomcat Server VM.
>>>
>>> I've followed the guidelines on the Apache Tomcat website.
>>>
>>> jaas.conf
>>>
>>> com.sun.security.jgss.krb5.initiate {
>>> com.sun.security.auth.module.Krb5LoginModule required
>>> doNotPrompt=true
>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>> useKeyTab=true
>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>> 8.0/conf/tomcat.keytab"
>>> storeKey=true;
>>> };
>>>
>>> com.sun.security.jgss.krb5.accept {
>>> com.sun.security.auth.module.Krb5LoginModule required
>>> doNotPrompt=true
>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>> useKeyTab=true
>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 
>>> 8.0/conf/tomcat.keytab"
>>> storeKey=true;
>>> };
>>>
>>> krb5.ini
>>>
>>> [libdefaults]
>>> default_realm = KERBTEST.LOCAL
>>> default_keytab_name = FILE:C:\Program Files\Apache Software 
>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>> default_tkt_enctypes = 
>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> default_tgs_enctypes = 
>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> forwardable=true
>>>
>>> [realms]
>>> KERBTEST.LOCAL = {
>>> kdc = win-dc01.kerbtest.local:88
>>> }
>>>
>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>
>>> I have tried to keep the setup as basic and vanilla to the instructions as 
>>> possible.
>>>
>>> Users were created as instructed.
>>>
>>> SPN was created as instructed
>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>
>>> keytab was created as instructed
>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ 
>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>
>>> I have tried to test with firefox, chrome and IE, after ensuring 
>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added 
>>> http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris 
>>> and network.negotiate-auth.trusted-uris.
>>>
>>> Tomcat is running as a Windows service under the tc01@kerbtest.local 
>>> account.
>>>
>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in 
>>> firefox results in 401 three time

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
Sorry, that's :-

> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"

under jaas.conf, it is set to the tomcat server DNS.


> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: SPNEGO test configuration with Manager webapp
> Date: Tue, 24 Mar 2015 20:02:04 +
>
> I'm trying to get SPNEGO authentication working with Tomcat 8.
>
> I've created three Windows VMs :-
>
> Tomcat Server - Windows 8.1 32 bit VM
> Test Client - Windows 8.1 32 bit VM
> Domain Controller - Windows Server 2012 R2 64 bit VM
>
> The Tomcat Server and the Test Client are joined to the same domain 
> kerbtest.local, they are logged in with domain logins.
>
> The firewall is disabled on the Tomcat Server VM.
>
> I've followed the guidelines on the Apache Tomcat website.
>
> jaas.conf
>
> com.sun.security.jgss.krb5.initiate {
> com.sun.security.auth.module.Krb5LoginModule required
> doNotPrompt=true
> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> useKeyTab=true
> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> storeKey=true;
> };
>
> com.sun.security.jgss.krb5.accept {
> com.sun.security.auth.module.Krb5LoginModule required
> doNotPrompt=true
> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> useKeyTab=true
> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> storeKey=true;
> };
>
> krb5.ini
>
> [libdefaults]
> default_realm = KERBTEST.LOCAL
> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
>
> [realms]
> KERBTEST.LOCAL = {
> kdc = win-dc01.kerbtest.local:88
> }
>
> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>
> I have tried to keep the setup as basic and vanilla to the instructions as 
> possible.
>
> Users were created as instructed.
>
> Spn was created as instructed
> setspn -A HTTP/win-tc01.kerbtest.local tc01
>
> keytab was created as instructed
> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>
> I have tried to test with firefox, chrome and IE, after ensuring 
> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added 
> http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and 
> network.negotiate-auth.trusted-uris.
>
> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>
> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in 
> firefox results in 401 three times.
>
> Looking at the Network tab in developer tools in firefox shows 401 response 
> with WWW-Authenticate: Negotiate response http header.
>
> The next has an Authorization request http header with long encrypted string.
>
> IE still prompts for credentials with a popup, not sure why as does chrome.
> The setting User Authentication, Logon, Automatic Logon only in Intranet 
> Zone, is selected under trusted sites.
>
> It seems like authentication is never completed ?
>
> There are no errors in tomcat logs.
>
> Any ideas what is happening and what I can do to troubleshoot ?
>
> I'm quite happy to help improve the documentation and follow the 
> instructions, however I have tried that and cannot get a working basic set up.
>
> many thanks
>
> David
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
  
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
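The correction above is the whole point of this setup: the SPN the browser asks for (HTTP/ followed by the host in the URL), the SPN registered with setspn, the principal ktpass wrote into the keytab and the principal in the krb5.accept block of jaas.conf all have to name the same service on the same host. The following is an added example that cross-checks those names mechanically; it is not code from the thread or from Tomcat. POSTED_JAAS is a constructed copy of the accept block as first posted (principal on win-dc01), and SPN, KTPASS_PRINC and URL are the values given in the post.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the krb5.accept block as first posted: its principal names
# the domain controller (win-dc01) while the SPN, keytab and URL all use win-tc01.
POSTED_JAAS = '''
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
'''
FIXED_JAAS = POSTED_JAAS.replace('win-dc01', 'win-tc01')  # the correction from the reply
SPN = 'HTTP/win-tc01.kerbtest.local'                          # setspn -A argument
KTPASS_PRINC = 'HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL'  # ktpass /princ argument
URL = 'http://win-tc01.kerbtest.local'                        # what the browser visits

ACCEPT_RE = re.compile(r'com\.sun\.security\.jgss\.krb5\.accept\s*\{(.*?)\};', re.S)
OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;]+))')  # key="quoted" or key=bare

def accept_options(jaas_text):
    """Option name -> value map of the krb5.accept block, {} if the block is absent."""
    m = ACCEPT_RE.search(jaas_text)
    return {k: q or u for k, q, u in OPTION_RE.findall(m.group(1))} if m else {}

def split_principal(principal):
    """'HTTP/host@REALM' -> (service, host, realm)."""
    name, _, realm = principal.partition('@')
    service, _, host = name.partition('/')
    return service, host, realm

def check_spnego_setup(jaas_text, spn, ktpass_princ, url):
    """Names that must agree for Tomcat to decrypt the browser's ticket; [] means consistent."""
    opts = accept_options(jaas_text)
    principal = opts.get('principal')
    if not principal:
        return ['no principal in the krb5.accept block']
    service, host, _realm = split_principal(principal)
    url_host = urlparse(url).hostname or ''
    problems = []
    if service != 'HTTP':
        problems.append(f'service class {service!r}; browsers ask for HTTP/<host>')
    if host.lower() != url_host.lower():
        problems.append(f'accept principal host {host!r} is not the URL host {url_host!r}')
    if spn.lower() != f'{service}/{host}'.lower():
        problems.append(f'setspn registered {spn!r} but jaas.conf expects {service}/{host}')
    if ktpass_princ.lower() != principal.lower():
        problems.append(f'keytab principal {ktpass_princ!r} differs from {principal!r}')
    if opts.get('useKeyTab') != 'true' or opts.get('storeKey') != 'true':
        problems.append('accept block needs useKeyTab=true and storeKey=true')
    return problems
```

Run against POSTED_JAAS it reports three mismatches, all caused by the win-dc01 host; against FIXED_JAAS it reports none.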



SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
I'm trying to get SPNEGO authentication working with Tomcat 8. 

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM 

The Tomcat Server and the Test Client are joined to the same domain 
kerbtest.local, they are logged in with domain logins.

The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website. 

jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory.

I have tried to keep the setup as basic and vanilla to the instructions as 
possible.

Users were created as instructed.

Spn was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with firefox, chrome and IE, after ensuring 
http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added 
http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and 
network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in 
firefox results in 401 three times.

Looking at the Network tab in developer tools in firefox shows 401 response 
with WWW-Authenticate: Negotiate response http header.

The next has an Authorization request http header with long encrypted string.

IE still prompts for credentials with a popup, not sure why as does chrome.
The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, 
is selected under trusted sites.

It seems like authentication is never completed ?

There are no errors in tomcat logs.

Any ideas what is happening and what I can do to troubleshoot ? 

I'm quite happy to help improve the documentation and follow the instructions, 
however I have tried that and cannot get a working basic set up.

many thanks

David

  



RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
I was using Internet explorer and had added the ip address of the domain 
controller / tomcat server to the trusted sites list in the Intranet zone. I was 
not using https. I was using a Windows 8 client VM to talk to a Windows Server 
2012 VM.
I have now tried Firefox with SPNEGO and can confirm with this set up I get 
similar logs and http header WWW-Authenticate: Negotiate is sent.
In this test I do not get popup prompt but I still get 401 Http status.
almBase.hasUserDataPermission   User data constraint has no restrictions
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=160
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Mar 24 15:06:51 GMT 2015 1427209611000
     suSec is 507817
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=3, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=3,Attempt =1, #bytes=243
>>>DEBUG: TCPClient reading 1467 bytes
>>> KrbKdcReq send: #bytes read=1467
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 01:06:51 GMT 2015

  

SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf

com.sun.security.jgss.krb5.initiate {...};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab"
    storeKey=true;
};

krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
    kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local = KERBTEST.LOCAL
.kerbtest.local = KERBTEST.LOCAL
I want to use the tomcat manager app to test SPNEGO with Active Directory, 
Tomcat is currently installed on the domain controller.

It seems like authentication is never completed as in the browser I get 
prompted for credentials over and over. So there appear two issues :-

1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent

I have created the tc01 and test users in active directory, and the keytab as 
instructed.

I run tomcat as tc01 user :-

runas /env /user:tc01@kerbtest.local "startup.bat"

Output from running tomcat :-
Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): tc01.kerbtest.local
>>> KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 7
>>> KdcAccessibility: reset
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3,Attempt =1, #bytes=160
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data: PA-DATA type = 11 PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data: PA-DATA type = 16
>>>Pre-Authentication Data: PA-DATA type = 15
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
     suSec is 627351
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
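The JDK Kerberos debug dumps in this post and the one before it carry the facts a reviewer needs: the keytab only supplied etype 23 (rc4-hmac), the KDC answered the first AS-REQ with KRB error 25 (its routine request for pre-authentication, not a failure), and in the earlier dump the re-sent AS-REQ ended in a TGT for HTTP/tc01.kerbtest.local, so the keytab and the KDC agree and the remaining problem sits on the HTTP side. The script below is an added example that pulls those facts out of such a dump; it is not code from the thread or from the JDK, and SAMPLE_LOG is a constructed excerpt modelled on the dumps above, not the verbatim log.

```python
import re

# Constructed excerpt modelled on the JDK Kerberos debug dumps in the posts
# above (not the verbatim log): the first AS-REQ gets KRB error 25, the client
# re-sends with PA-ENC-TIMESTAMP and then receives an AS-REP.
SAMPLE_LOG = """\
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=3, number of retries =3, #bytes=160
>>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>KRBError: error code is 25 error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 01:06:51 GMT 2015
"""

ETYPE_NAMES = {23: 'rc4-hmac', 18: 'aes256-cts-hmac-sha1-96', 17: 'aes128-cts-hmac-sha1-96'}
PREAUTH_REQUIRED = 25  # KDC_ERR_PREAUTH_REQUIRED: the KDC's normal answer to a bare AS-REQ

def triage_krb5_debug(text):
    """Summarise a JDK Kerberos debug dump: keytab key types, KDC contacted,
    the etype the KDC asked for, KRB error codes seen, and whether a TGT arrived."""
    r = {'keytab_etypes': set(), 'kdc': None, 'kdc_etype': None, 'errors': [], 'tgt': False}
    for line in text.splitlines():
        if m := re.search(r'Added key: (\d+)version: \d+', line):
            r['keytab_etypes'].add(int(m.group(1)))
        elif m := re.search(r'kdc=(\S+) (?:UDP|TCP):\d+', line):
            r['kdc'] = m.group(1)
        elif m := re.search(r'PA-ETYPE-INFO2?\s+etype = (\d+)', line):
            r['kdc_etype'] = int(m.group(1))
        elif m := re.search(r'error code is (\d+)', line):
            r['errors'].append(int(m.group(1)))
        elif 'Found ticket for' in line and 'krbtgt/' in line:
            r['tgt'] = True
    return r

def verdict(summary):
    """One-line reading of the summary for whoever is debugging the setup."""
    fatal = [e for e in summary['errors'] if e != PREAUTH_REQUIRED]
    if fatal:
        return f'AS exchange failed with KRB error(s) {fatal}'
    wanted = summary['kdc_etype']
    if wanted is not None and wanted not in summary['keytab_etypes']:
        return f'KDC wants etype {wanted} but the keytab only holds {sorted(summary["keytab_etypes"])}'
    if summary['tgt']:
        return (f'service account obtained a TGT from {summary["kdc"]} using '
                f'{ETYPE_NAMES.get(wanted, wanted)}; keytab and KDC agree, so the '
                'remaining problem is on the HTTP side (SPN / browser zone)')
    return 'no TGT seen: dump is truncated or the AS exchange never finished'
```

The etype check is the case to watch when a keytab is regenerated with different /crypto options: if the KDC's PA-ETYPE-INFO names a type the keytab does not hold, the exchange cannot complete no matter what jaas.conf says.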