Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-07 Thread Michael Osipov
We need to split between constrained and unconstrained delegation. Let's stay 
with unconstrained, the simplest one.

For that to happen you need:
* Enable it for the service account (acceptor side)
* Set the delegate flag (also there is a policy) on the security context 
(initiator side)

Try again. The best thing would be to do it with gss-client/gss-server which 
come with MIT Kerberos, otherwise you have too many variables in the game.

Alternatively, use https://github.com/pythongssapi/python-gssapi. It has a 
fantastic interface to MIT Kerberos or Heimdal to exactly evaluate your 
environment. I use it as well.

Michael

On 2024/05/03 13:42:39 Tom Delaney wrote:
> Thanks for the reply Michael,
> 
> I'm trying to achieve retrieving delegated credentials. I'm confused by the
> debug output because I'm being told that authentication succeeded but no
> indication of why I'm not receiving delegated credentials other than there
> are none. I have looked over the delegation rules for the service account
> and SPN multiple times. When you mentioned "S4U is tried, but not
> configured for that account. Totally fine" What does that mean? Is there a
> specific place on Tomcat or Windows I need to look for this?
> 
> What I'm expecting to see outputted "Delegated Creds have pname=
> tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
> authtime=null starttime={date/timestamp} endtime={date/timestamp}"
> 
> P.S
> I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
> instead of "SA_EX_SSO"
> 
> On Fri, May 3, 2024 at 8:26 AM Michael Osipov wrote:
> 
> > On 2024/05/02 19:20:59 Tom Delaney wrote:
> > > Hi All,
> > >
> > > Sorry for the duplicate requests. The first one was accidentally flagged
> > > for Google's new Confidential Mode which happened to be flagged.
> > > I have a red hat 9.2 server hosting a web application on a single
> > instance
> > > of Apache Tomcat. This instance is behind an apache HTTP server on
> > version
> > > 2.4.57. The application is hosted on Tomcat 9.0.54.
> > >
> > > Domain: subdomain.domain.com
> > > Site: devexample.domain.com
> > >
> > > URL hit: https://example.subdomain.domain.com/webclient/
> > > exclient.jsp
> > >
> > > *I keep getting this in the Tomcat Logs when accessing the application:*
> > > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
> >
> > You should first try to describe what you are trying to achieve and not
> > what the debug output is. The debug message comes from:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> > The message is obviously caused by this call:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
> >
> > S4U is tried, but not configured for that account. Totally fine.
> >
> > BTW: The filter you use isn't from us.
> >
> > M
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
> 

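The two settings named above (the delegate flag on the initiator's context and the delegation setting on the acceptor's service account) in a loopback JGSS handshake, so the outcome can be checked without Tomcat or a browser in the path. This is an added example, not code from the thread, from Tomcat, or from the JDK. It assumes a working krb5.conf and a JAAS login configuration (passed with -Djava.security.auth.login.config) with two entries named "client" (the user, e.g. from the ticket cache) and "server" (the service account's keytab); those entry names and the SPN HTTP@example.subdomain.domain.com are placeholders.

```java
// Added example, not from the thread: a loopback JGSS handshake that shows
// where the initiator-side delegate flag is set and how the acceptor reads
// the result. Assumptions: valid krb5.conf; JAAS entries "client" and
// "server" (placeholder names); placeholder SPN below.
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;

public class DelegationCheck {
    // SPNEGO mechanism OID, the mechanism a browser negotiates with Tomcat.
    static final Oid SPNEGO = new Oid("1.3.6.1.5.5.2");
    // Placeholder service principal in host-based form ("HTTP@host").
    static final String SERVICE = "HTTP@example.subdomain.domain.com";
    // true  = ask for delegation unconditionally (unconstrained delegation)
    // false = delegate only if the KDC marked the service OK-AS-DELEGATE
    //         (the policy-driven variant)
    static final boolean FORCE_DELEGATION = true;

    static <T> T as(Subject s, PrivilegedExceptionAction<T> a) throws Exception {
        return Subject.doAs(s, a);
    }

    public static void main(String[] args) throws Exception {
        GSSManager mgr = GSSManager.getInstance();

        LoginContext clientLogin = new LoginContext("client");
        clientLogin.login();
        LoginContext serverLogin = new LoginContext("server");
        serverLogin.login();
        Subject user = clientLogin.getSubject();
        Subject service = serverLogin.getSubject();

        // Initiator side: the "delegate flag" lives on the security context.
        GSSContext client = as(user, () -> {
            GSSName peer = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(peer, SPNEGO, null,
                                               GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            if (FORCE_DELEGATION) {
                ctx.requestCredDeleg(true);
            } else {
                ((ExtendedGSSContext) ctx).requestDelegPolicy(true);
            }
            return ctx;
        });

        // Acceptor side: accept with the service account's own credentials.
        GSSContext server = as(service,
            () -> mgr.createContext((GSSCredential) null));

        // Drive the token exchange in memory instead of over HTTP headers.
        byte[] token = new byte[0];
        while (!client.isEstablished() || !server.isEstablished()) {
            if (!client.isEstablished()) {
                final byte[] in = token;
                token = as(user, () -> client.initSecContext(in, 0, in.length));
            }
            if (token == null || token.length == 0) break;
            if (!server.isEstablished()) {
                final byte[] in = token;
                token = as(service, () -> server.acceptSecContext(in, 0, in.length));
            }
        }

        if (!server.isEstablished()) {
            System.out.println("Context not established; nothing to delegate");
            return;
        }
        System.out.println("Authenticated " + server.getSrcName());
        System.out.println("Delegation flag on accepted context: " + server.getCredDelegState());
        if (server.getCredDelegState()) {
            // Only valid to call when getCredDelegState() is true.
            GSSCredential deleg = server.getDelegCred();
            System.out.println("Delegated creds for " + deleg.getName()
                + ", usable for " + deleg.getRemainingLifetime() + " s");
        } else {
            System.out.println("No delegated creds: check (1) the initiator's delegate "
                + "flag and (2) the service account's delegation setting.");
        }
        client.dispose();
        server.dispose();
    }
}
```

The acceptor side has no switch of its own to flip in code: whether the KDC will hand out forwardable credentials for the service is decided by the delegation setting on the service account in the directory, so the acceptor can only observe the result through `getCredDelegState()` and `getDelegCred()`. If the flag reads false here with `FORCE_DELEGATION` set, the account-side setting (or a non-forwardable client TGT) is the place to look; if it reads true here but Tomcat still logs no delegated credentials, the problem is between the browser and the filter rather than in Kerberos itself.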



Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-03 Thread Tom Delaney
Thanks for the reply Michael,

I'm trying to achieve retrieving delegated credentials. I'm confused by the
debug output because I'm being told that authentication succeeded but no
indication of why I'm not receiving delegated credentials other than there
are none. I have looked over the delegation rules for the service account
and SPN multiple times. When you mentioned "S4U is tried, but not
configured for that account. Totally fine" What does that mean? Is there a
specific place on Tomcat or Windows I need to look for this?

What I'm expecting to see outputted "Delegated Creds have pname=
tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
authtime=null starttime={date/timestamp} endtime={date/timestamp}"

P.S
I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
instead of "SA_EX_SSO"

On Fri, May 3, 2024 at 8:26 AM Michael Osipov wrote:

> On 2024/05/02 19:20:59 Tom Delaney wrote:
> > Hi All,
> >
> > Sorry for the duplicate requests. The first one was accidentally flagged
> > for Google's new Confidential Mode which happened to be flagged.
> > I have a red hat 9.2 server hosting a web application on a single
> instance
> > of Apache Tomcat. This instance is behind an apache HTTP server on
> version
> > 2.4.57. The application is hosted on Tomcat 9.0.54.
> >
> > Domain: subdomain.domain.com
> > Site: devexample.domain.com
> >
> > URL hit: https://example.subdomain.domain.com/webclient/
> > exclient.jsp
> >
> > *I keep getting this in the Tomcat Logs when accessing the application:*
> > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
>
> You should first try to describe what you are trying to achieve and not
> what the debug output is. The debug message comes from:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> The message is obviously caused by this call:
> https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
>
> S4U is tried, but not configured for that account. Totally fine.
>
> BTW: The filter you use isn't from us.
>
> M
>
>
>


Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-03 Thread Michael Osipov
On 2024/05/02 19:20:59 Tom Delaney wrote:
> Hi All,
> 
> Sorry for the duplicate requests. The first one was accidentally flagged
> for Google's new Confidential Mode which happened to be flagged.
> I have a red hat 9.2 server hosting a web application on a single instance
> of Apache Tomcat. This instance is behind an apache HTTP server on version
> 2.4.57. The application is hosted on Tomcat 9.0.54.
> 
> Domain: subdomain.domain.com
> Site: devexample.domain.com
> 
> URL hit: https://example.subdomain.domain.com/webclient/
> exclient.jsp
> 
> *I keep getting this in the Tomcat Logs when accessing the application:*
> *>>> Constrained deleg from GSSCaller{UNKNOWN}*

You should first try to describe what you are trying to achieve and not what 
the debug output is. The debug message comes from: 
https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
 The message is obviously caused by this call: 
https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263

S4U is tried, but not configured for that account. Totally fine.

BTW: The filter you use isn't from us.

M




Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-02 Thread Tom Delaney

Tom Delaney has sent you an email via Gmail confidential mode:

This message was sent on May 2, 2024 at 6:21:50 AM PDT