subject:"Re\: Built\-in Tomcat Support for Windows Authentication"

RE: Built-in Tomcat Support for Windows Authentication

2014-10-24 Thread Philippe Wijdh

Thanks Terrence,

We will have a look at Waffle as well.


Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The 
Netherlands
P:  +31 (0)345 516 663, E:  p.wi...@assai.nl, W: www.assai-software.com 

-Original Message-
From: Terence M. Bandoian [mailto:tere...@tmbsw.com] 
Sent: woensdag 22 oktober 2014 18:56
To: Tomcat Users List
Subject: Built-in Tomcat Support for Windows Authentication

On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now, trying to set up Apache Tomcat with Windows 
> Authentication.
> We followed the instructions as per 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
> make it work properly, the logon dialog keeps appearing and trying to log on 
> fails.
> Additional to that we tried suggestions, like adding the registry key 
> AllowTgtSessionKey and setting it to 0x01 Seems like we are close but 
> we are missing something (see tomcat output below) Does anyone have a more 
> complete documentation or have any suggestions on how to make this work.
>
>
> Kind regards,
>
> Philippe Wijdh
>
>
>
> Extra information on the setup:
>
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
>
> Tomcat is running as a service using account  
> HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the 
> port number, does not make a difference)
>
> Test is done with user testu...@assai.nl in IE11 on 
> different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
> Intranet sites.


Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success 
using Waffle in a similar configuration.  You might try that if all else fails.

-Terence Bandoian


>
>
>
> Tomcat Output:
>
 KeyTabInputStream, readName(): ASSAI.NL KeyTabInputStream, 
 readName(): HTTP KeyTabInputStream, readName(): 
 v3tcat4ad.assai.nl:8080
 KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
 KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number 
 of retries =3, #bytes=152
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt 
 =1, #bytes=152 KrbKdcReq send: #bytes read=173 Pre-Authentication 
 Data:
>  PA-DATA type = 11
>  PA-ETYPE-INFO etype = 23, salt =
>
 Pre-Authentication Data:
>  PA-DATA type = 19
>  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
 Pre-Authentication Data:
>  PA-DATA type = 2
>  PA-ENC-TIMESTAMP
 Pre-Authentication Data:
>  PA-DATA type = 16
>
 Pre-Authentication Data:
>  PA-DATA type = 15
>
 KdcAccessibility: remove v3dom1.assai.nl:88
 KDCRep: init() encoding tag is 126 req type is 11
 KRBError:
>  sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>  suSec is 403143
>  error code is 25
>  error Message is Additional pre-authentication required
>  realm is ASSAI.NL
>  sname is krbtgt/ASSAI.NL
>  eData provided.
>  msgType is 30
 Pre-Authentication Data:
>  PA-DATA type = 11
>  PA-ETYPE-INFO etype = 23, salt =
>
 Pre-Authentication Data:
>  PA-DATA type = 19
>  PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
 Pre-Authentication Data:
>  PA-DATA type = 2
>  PA-ENC-TIMESTAMP
 Pre-Authentication Data:
>  PA-DATA type = 16
>
 Pre-Authentication Data:
>  PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number 
 of retries =3, #bytes=235
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt 
 =1, #bytes=235 KrbKdcReq send: #bytes read=1446
 KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> defaul

RE: Built-in Tomcat Support for Windows Authentication

2014-10-24 Thread Philippe Wijdh

Alright, thanks. We will try once more from scratch.

-Original Message-
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] 
Sent: donderdag 23 oktober 2014 20:42
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

Am 23.10.2014 um 11:07 schrieb Philippe Wijdh:
> Hi,
>
> Thank you for the response.
> The initial setup of the spn and the keytab was without the port-number, the 
> registry key was a suggestion found on internet but this setting does not 
> change the outcome.
>
> The command kinit on the Tomcat server returns the following
>
>
> C:\MyPrograms\Tomcat7\conf>set 
> KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf
>
>
> C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit 
> -J-Djava.sec urity.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf 
> -J-Djava.security.auth.logi 
> n.config=C:\MyPrograms\Tomcat7\conf\jaas.conf 
> -J-Dsun.security.krb5.debug=true - k -t 
> C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab 
> HTTP/v3tcat4ad.assai.nl:8080@A SSAI.NL

HTTP/v3tcat4ad.assai.nl:8...@assai.nl is the wrong spn. You have to use one 
without the port number (as described in the docs).

Maybe it would be best to follow Mark's advice and start with a fresh system 
and follow step for step the documentation.

Felix
>>>> KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
> Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>>>> Kinit using keytab
>>>> Kinit keytab file name: 
>>>> C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
>>>> Kinit realm name is ASSAI.NL
>>>> Creating KrbAsReq
>>>> KrbKdcReq local addresses for V3TCAT4AD are:
>  V3TCAT4AD/10.1.0.67
> IPv4 address
>
>  V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
> IPv6 address
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): ASSAI.NL KeyTabInputStream, 
>>>> readName(): HTTP KeyTabInputStream, readName(): 
>>>> v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number 
>>>> of retries
>   =3, #bytes=198
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt 
>>>> =1, #byt
> es=198
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>   PA-DATA type = 11
>   PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>   PA-DATA type = 19
>   PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>   PA-DATA type = 2
>   PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>   PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>   PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>   sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
>   suSec is 776700
>   error code is 25
>   error Message is Additional pre-authentication required
>   realm is ASSAI.NL
>   sname is krbtgt/ASSAI.NL
>   eData provided.
>   msgType is 30
>>>> Pre-Authentication Data:
>   PA-DATA type = 11
>   PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>   PA-DATA type = 19
>   PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>   PA-DATA type = 2
>   PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>   PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>   PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>&

Re: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Felix Schumacher

:felix.schumac...@internetallee.de]
Sent: donderdag 23 oktober 2014 7:53
To: Tomcat Users List
Subject: Re: Built-in Tomcat Support for Windows Authentication

Am 22. Oktober 2014 11:40:56 MESZ, schrieb Philippe Wijdh :

Hello,

We have spent a long time now, trying to set up Apache Tomcat with
Windows Authentication.
We followed the instructions as per
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
cannot make it work properly, the logon dialog keeps appearing and
trying to log on fails.
Additional to that we tried suggestions, like adding the registry key
AllowTgtSessionKey and setting it to 0x01

Haven't seen that recommendation in the tomcat documentation.

Seems like we are close but we are missing something (see tomcat output
below)
Does anyone have a more complete documentation or have any suggestions
on how to make this work.

Kind regards,

Philippe Wijdh

Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account
HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
port number, does not make a difference)

You will have to use the spn without the port.

Test is done with user testu...@assai.nl<mailto:testu...@assai.nl> in
IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
added to the Intranet sites.

Tomcat Output:

KeyTabInputStream, readName(): ASSAI.NL KeyTabInputStream,
readName(): HTTP KeyTabInputStream, readName():
v3tcat4ad.assai.nl:8080

What is inside your keytab?

KeyTab: load() entry length: 72; type: 23

Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.

KdcAccessibility: reset

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.

KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number

of retries =3, #bytes=152

KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt

=1, #bytes=152

KrbKdcReq send: #bytes read=173
Pre-Authentication Data:

PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:

PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:

PA-DATA type = 2
PA-ENC-TIMESTAMP

Pre-Authentication Data:

PA-DATA type = 16

Pre-Authentication Data:

PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:

sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
suSec is 403143
error code is 25
error Message is Additional pre-authentication required
realm is ASSAI.NL
sname is krbtgt/ASSAI.NL
eData provided.
msgType is 30

Pre-Authentication Data:

PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:

PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:

PA-DATA type = 2
PA-ENC-TIMESTAMP

Pre-Authentication Data:

PA-DATA type = 16

Pre-Authentication Data:

PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number

of retries =3, #bytes=235

KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt

=1, #bytes=235

KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.

EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there.

Regards
Felix

Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list default etypes for
default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default

RE: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Philippe Wijdh

Hi,

Thank you for the response.
The initial setup of the spn and the keytab was without the port-number, the 
registry key was a suggestion found on internet but this setting does not 
change the outcome.

The command kinit on the Tomcat server returns the following


C:\MyPrograms\Tomcat7\conf>set KRB5_CONFIG=C:\MyPrograms\Tomcat7\conf\krb5.conf


C:\MyPrograms\Tomcat7\conf>c:\MyPrograms\Java\jdk1.7.0_60\bin\kinit -J-Djava.sec
urity.krb5.conf=C:\MyPrograms\Tomcat7\conf\krb5.conf -J-Djava.security.auth.logi
n.config=C:\MyPrograms\Tomcat7\conf\jaas.conf -J-Dsun.security.krb5.debug=true -
k -t C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab HTTP/v3tcat4ad.assai.nl:8080@A
SSAI.NL
>>>KinitOptions cache name is C:\Users\TestUser\krb5cc_testuser
Principal is HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>>> Kinit using keytab
>>> Kinit keytab file name: C:\MyPrograms\Tomcat7\conf\tomcat8080.keytab
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
>>> Kinit realm name is ASSAI.NL
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for V3TCAT4AD are:

V3TCAT4AD/10.1.0.67
IPv4 address

V3TCAT4AD/fe80:0:0:0:d815:81c0:97e7:11d2%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries
 =3, #bytes=198
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #byt
es=198
>>> KrbKdcReq send: #bytes read=173
>>>Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
 sTime is Thu Oct 23 10:21:31 CEST 2014 1414052491000
 suSec is 776700
 error code is 25
 error Message is Additional pre-authentication required
 realm is ASSAI.NL
 sname is krbtgt/ASSAI.NL
 eData provided.
 msgType is 30
>>>Pre-Authentication Data:
 PA-DATA type = 11
 PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
 PA-DATA type = 19
 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
 PA-DATA type = 2
 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
 PA-DATA type = 16

>>>Pre-Authentication Data:
 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of retries
 =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, #byt
es=283
>>> KrbKdcReq send: #bytes read=88
>>> KrbKdcReq send: kdc=v3dom1.assai.nl TCP:88, timeout=3, number of retries
 =3, #bytes=283
>>> KDCCommunication: kdc=v3dom1.assai.nl TCP:88, timeout=3,Attempt =1, #byt
es=283
>>>DEBUG: TCPClient reading 1496 bytes
>>> KrbKdcReq send: #bytes read=1496
>>> KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
New ticket is stored in cache file C:\Users\TestUser\krb5cc_testuser

C:\MyPrograms\Tomcat7\conf>klist

Current LogonId is 0:0x13380b5c

Cached Tickets: (0)




Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The 
Netherlands
P:  +31 (0)345 5

Re: Built-in Tomcat Support for Windows Authentication

2014-10-23 Thread Mark Thomas

On 22/10/2014 10:40, Philippe Wijdh wrote:
> Hello,
> 
> We have spent a long time now, trying to set up Apache Tomcat with Windows 
> Authentication.
> We followed the instructions as per 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
> make it work properly, the logon dialog keeps appearing and trying to log on 
> fails.
> Additional to that we tried suggestions, like adding the registry key 
> AllowTgtSessionKey and setting it to 0x01
> Seems like we are close but we are missing something (see tomcat output below)
> Does anyone have a more complete documentation or have any suggestions on how 
> to make this work.

The documentation is complete. If you follow the steps in that document
then you will end up with a working system.

Either you aren't following the documentation or something in your
environment differs from that described in the document.

> Kind regards,
> 
> Philippe Wijdh
> 
> 
> 
> Extra information on the setup:
> 
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
> 
> Tomcat is running as a service using account  HTTP/v3tcat4ad.assai.nl:8080 
> (have created spn with and without the port number, does not make a 
> difference)
> 
> Test is done with user testu...@assai.nl in IE11 on 
> different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
> Intranet sites.

You haven't provided any information on the Realm configuration or how
you have secured the page you are trying to test with.

You might have hit https://issues.apache.org/bugzilla/show_bug.cgi?id=57022

There are lots of configuration steps listed in the docs you haven't
mentioned.

Mark

> 
> 
> 
> Tomcat Output:
> 
 KeyTabInputStream, readName(): ASSAI.NL
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
 KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
 KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of 
 retries =3, #bytes=152
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, 
 #bytes=152
 KrbKdcReq send: #bytes read=173
 Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
> 
 Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
 Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
 Pre-Authentication Data:
> PA-DATA type = 16
> 
 Pre-Authentication Data:
> PA-DATA type = 15
> 
 KdcAccessibility: remove v3dom1.assai.nl:88
 KDCRep: init() encoding tag is 126 req type is 11
 KRBError:
> sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
> suSec is 403143
> error code is 25
> error Message is Additional pre-authentication required
> realm is ASSAI.NL
> sname is krbtgt/ASSAI.NL
> eData provided.
> msgType is 30
 Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
> 
 Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
> 
 Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
 Pre-Authentication Data:
> PA-DATA type = 16
> 
 Pre-Authentication Data:
> PA-DATA type = 15
> 
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number of 
 retries =3, #bytes=235
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt =1, 
 #bytes=235
 KrbKdcReq send: #bytes read=1446
 KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4a

Re: Built-in Tomcat Support for Windows Authentication

2014-10-22 Thread Felix Schumacher



Am 22. Oktober 2014 11:40:56 MESZ, schrieb Philippe Wijdh :
>Hello,
>
>We have spent a long time now, trying to set up Apache Tomcat with
>Windows Authentication.
>We followed the instructions as per
>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we
>cannot make it work properly, the logon dialog keeps appearing and
>trying to log on fails.
>Additional to that we tried suggestions, like adding the registry key
>AllowTgtSessionKey and setting it to 0x01
Haven't seen that recommendation in the tomcat documentation.


>Seems like we are close but we are missing something (see tomcat output
>below)
>Does anyone have a more complete documentation or have any suggestions
>on how to make this work.
>
>
>Kind regards,
>
>Philippe Wijdh
>
>
>
>Extra information on the setup:
>
>Windows 2008 r2 sp1
>Apache Tomcat 7.0.54
>jdk1.7.0_60
>
>Tomcat is running as a service using account 
>HTTP/v3tcat4ad.assai.nl:8080 (have created spn with and without the
>port number, does not make a difference)
You will have to use the spn without the port.

>
>Test is done with user testu...@assai.nl in
>IE11 on different machines, with http://v3tcat4ad.assai.nl explicitly
>added to the Intranet sites.
>
>
>
>Tomcat Output:
>
 KeyTabInputStream, readName(): ASSAI.NL
 KeyTabInputStream, readName(): HTTP
 KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080

What is inside your keytab?

 KeyTab: load() entry length: 72; type: 23
>Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
>Loaded from Java config
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
 KdcAccessibility: reset
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number
>of retries =3, #bytes=152
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt
>=1, #bytes=152
 KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
Pre-Authentication Data:
>PA-DATA type = 16
>
Pre-Authentication Data:
>PA-DATA type = 15
>
 KdcAccessibility: remove v3dom1.assai.nl:88
 KDCRep: init() encoding tag is 126 req type is 11
KRBError:
>sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>suSec is 403143
>error code is 25
>error Message is Additional pre-authentication required
>realm is ASSAI.NL
>sname is krbtgt/ASSAI.NL
>eData provided.
>msgType is 30
Pre-Authentication Data:
>PA-DATA type = 11
>PA-ETYPE-INFO etype = 23, salt =
>
Pre-Authentication Data:
>PA-DATA type = 19
>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
Pre-Authentication Data:
>PA-DATA type = 2
>PA-ENC-TIMESTAMP
Pre-Authentication Data:
>PA-DATA type = 16
>
Pre-Authentication Data:
>PA-DATA type = 15
>
>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsReq creating message
 KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=3, number
>of retries =3, #bytes=235
 KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=3,Attempt
>=1, #bytes=235
 KrbKdcReq send: #bytes read=1446
 KdcAccessibility: remove v3dom1.assai.nl:88
>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
 EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
 KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080

This is the wrong spn. The port number should not be there. 

Regards
Felix

>Added key: 23version: 0
>Ordering keys wrt default_tkt_enctypes list
>default etypes for default_tkt_enctypes: 23 18 17.
>Search Subject for SPNEGO ACCEPT cred (<>,
>sun.security.jgss.spnego.SpNegoCredElement)
>Search Subject for Kerberos V5 ACCEPT cred (<>,
>sun.security.jgss.krb5.Krb5AcceptCredential)
>Found KeyTab
>Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
>Added key: 23version: 0

Auto-Re: Built-in Tomcat Support for Windows Authentication

2014-10-22 Thread WLICSMB2014

ëN8ãx×}ëÝüßøÔ*'µéíO*^µìmþZw!j»

RE: Built-in Tomcat Support for Windows Authentication

RE: Built-in Tomcat Support for Windows Authentication

Re: Built-in Tomcat Support for Windows Authentication

RE: Built-in Tomcat Support for Windows Authentication

Re: Built-in Tomcat Support for Windows Authentication

Re: Built-in Tomcat Support for Windows Authentication

Auto-Re: Built-in Tomcat Support for Windows Authentication

7 matches

Site Navigation

Mail list logo

Footer information