Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-07 Thread Michael Osipov
We need to split between constrained and unconstrained delegation. Let's stay with unconstrained, simplest one. For that to happen you need: * Enable it for the service account (acceptor side) * Set the delegate flag (also there is a policy) on the security context (initiator side) Try again. Th

Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-03 Thread Tom Delaney
Thanks for the reply Michael, I'm trying to achieve retrieving delegated credentials. I'm confused by the debug output because I'm being told that authentication succeeded but no indication of why I'm not receiving delegated credentials other than there are none. I have looked over the delegation r

Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-03 Thread Michael Osipov
On 2024/05/02 19:20:59 Tom Delaney wrote: > Hi All, > > Sorry for the duplicate requests. The first one was accidentally flagged > for Google's new Confidential Mode which happened to be flagged. > I have a red hat 9.2 server hosting a web application on a single instance > of Apache Tomcat. This

SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-02 Thread Tom Delaney
oken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30 SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10 SpNegoToken NegTokenInit: reading Mech Token SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit SpNegoContext: negotiated mechan

Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-02 Thread Tom Delaney
Tom Delaney has sent you an email via Gmail confidential mode: Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds <https://confidential-mail.google.com/msg/AJ05YhfeGMtaULvQONHydor3-HWpWsb1xJ3tZJ35SH0U8kxvJIPpKEc9wRaa7uacfDUwg1PbwWJJZqFQzDl26IiNtrsAyHw3t4XjnbAx4Qn6Lj7v

SPNEGO GSSCaller {UNKNOWN} No Delegated Creds

2024-05-01 Thread Tom Delaney
Tom Delaney has sent you an email via Gmail confidential mode: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds <https://confidential-mail.google.com/msg/AJ05YhfSWzjP5hETcDm0c4Q_HGCDBEAybeYFYy-yB0-TEBBYkOGaFXoQ9wOEK-QsVlOWdz36OHsf4GYg6nS92w7CA518JhBWiCItJAFCZyNSZ8XenmGKryRDY

Re: SSO SPNEGO GSS API CheckSum Failed Error

2024-02-23 Thread Tom Delaney
. On Fri, Feb 23, 2024 at 11:36 AM Thomas Delaney wrote: > > > Hi all, > > I have a redhat 9.2 server hosting a web application on 5 separate > instances of Apache Tomcat. I have configured SPNEGO on instances 1,2,3 and > 4. These instances are behind an apache proxy load ba

SSO SPNEGO GSS API CheckSum Failed Error

2024-02-23 Thread Thomas Delaney
Hi all, I have a redhat 9.2 server hosting a web application on 5 separate instances of Apache Tomcat. I have configured SPNEGO on instances 1,2,3 and 4. These instances are behind an apache proxy load balancer on version 2.4.57. Instance 1,2, and 3 are load balanced. While 4 and 5 are not. The

Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

2019-02-14 Thread Tommy Schneider
] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against GET /favicon.ico --> true 13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checki

Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

2019-02-11 Thread Mark Thomas
On 08/02/2019 21:43, Michael Osipov wrote: > On 2019-02-08 at 12:54, Tommy Schneider wrote: >> Hello, >> >> I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment: >> >> Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC >> Platform/OS: 

Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

2019-02-08 Thread Michael Osipov
On 2019-02-08 at 12:54, Tommy Schneider wrote: Hello, I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment: Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC Platform/OS: AIX 7.2 ppc64 Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins From what I can see in the cat

Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

2019-02-08 Thread Tommy Schneider
Hello, I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment: Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC Platform/OS: AIX 7.2 ppc64 Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins From what I can see in the catalina log I think it's almost workin

Re: Help with SPNEGO Pass-Through

2018-05-11 Thread Mark Thomas
> It would be good for this information to be updated on the Tomcat Windows > Authentication How-To docs to help others along. > > I also think a Tomcat patch/feature to implement a new Realm for > SPNEGO/CLIENT-CERT is a good id

Re: Help with SPNEGO Pass-Through

2018-05-04 Thread Randy Oun
. I also think a Tomcat patch/feature to implement a new Realm for SPNEGO/CLIENT-CERT is a good idea. +1 Thanks again for your help! Randy > On Apr 25, 2018, at 6:51 AM, Mark Thomas wrote: > > On 25/04/18 03:29, Randy Oun wrote: >> Thanks Mark. I adjusted the web.xml for the

Re: Help with SPNEGO Pass-Through

2018-04-25 Thread Mark Thomas
custom Realm (see NullRealm for an example) that does something like: @Override protected Principal getPrincipal(String username) { return new GenericPrincipal(username, null, null); } For authentication mechanisms that essentially validate the user (I'm thinking CLIENT-CERT,

Re: Help with SPNEGO Pass-Through

2018-04-24 Thread Randy Oun
> Currently I'm configuring Tomcat 8.5 with Integrated Windows > > Authentication/SPNEGO and have a question on proper roles in security > > and auth constraints. I have completed the instructions in the > > Integrated Windows Authentication doc > > (https://tomcat.a

Re: Help with SPNEGO Pass-Through

2018-04-24 Thread Mark Thomas
On 23/04/18 12:27, Randy Oun wrote: > Currently I'm configuring Tomcat 8.5 with Integrated Windows > Authentication/SPNEGO and have a question on proper roles in security > and auth constraints. I have completed the instructions in the > Integrated Windows Authentica

Help with SPNEGO Pass-Through

2018-04-23 Thread Randy Oun
Currently I'm configuring Tomcat 8.5 with Integrated Windows Authentication/SPNEGO and have a question on proper roles in security and auth constraints. I have completed the instructions in the Integrated Windows Authentication doc (https://tomcat.apache.org/tomcat-8.5-doc/windows-auth-howto

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-07-04 Thread Andrei Ivanov
Hi Ken, Would you mind posting the patch? :-) On Thu, Jun 30, 2016 at 3:52 PM, ken edward wrote: > I did get it to work. Simply merged existing spnego and form auth valves > together, I will try to post later.. > > On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoian > wrote: >

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-07-01 Thread Terence M. Bandoian
On 6/30/2016 7:52 AM, ken edward wrote: I did get it to work. Simply merged existing spnego and form auth valves together, I will try to post later.. On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoian wrote: On 6/24/2016 10:45 AM, ken edward wrote: On Fri, Jun 24, 2016 at 11:26 AM, Mark

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-30 Thread ken edward
I did get it to work. Simply merged existing spnego and form auth valves together, I will try to post later.. On Fri, Jun 24, 2016 at 6:21 PM, Terence M. Bandoian wrote: > On 6/24/2016 10:45 AM, ken edward wrote: > >> On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote: >> >

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-27 Thread Andrei Ivanov
>>> On 24 June 2016 14:22:32 BST, ken edward wrote: >>>>>> >>>>>> Hello, >>>>>> >>>>>> I have tomcat 8 on linux, configured with kerberos/SPNEGO >>>>>> authentication. >>>>>> All works w

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-26 Thread tomcat
kerberos/SPNEGO authentication. All works well, but if the client cannot use kerberos to authenticate, it will not fallback to FORM authentication. I see some references that tomcat 8 does not do fallback negotiation for FORM auth. True? Yes Any workarounds? Nothing simple. Both SPNEGO and FORM

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread Terence M. Bandoian
kerberos/SPNEGO authentication. All works well, but if the client cannot use kerberos to authenticate, it will not fallback to FORM authentication. I see some references that tomcat 8 does not do fallback negotiation for FORM auth. True? Yes Any workarounds? Nothing simple. Both SPNEGO and FORM

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread ken edward
On Fri, Jun 24, 2016 at 11:26 AM, Mark Thomas wrote: > On 24/06/2016 16:17, ken edward wrote: > > On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: > > > >> On 24 June 2016 14:22:32 BST, ken edward wrote: > >>> Hello, > >>> > >>>

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread Mark Thomas
On 24/06/2016 16:17, ken edward wrote: > On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: > >> On 24 June 2016 14:22:32 BST, ken edward wrote: >>> Hello, >>> >>> I have tomcat 8 on linux, configured with kerberos/SPNEGO >>> authentication.

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread ken edward
On Fri, Jun 24, 2016 at 10:46 AM, Mark Thomas wrote: > On 24 June 2016 14:22:32 BST, ken edward wrote: > >Hello, > > > >I have tomcat 8 on linux, configured with kerberos/SPNEGO > >authentication. > >All works well, but if the client cannot use kerberos t

Re: How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread Mark Thomas
On 24 June 2016 14:22:32 BST, ken edward wrote: >Hello, > >I have tomcat 8 on linux, configured with kerberos/SPNEGO >authentication. >All works well, but if the client cannot use kerberos to authenticate, >it >will not fallback to FORM authentication. > >I see some re

How to configure SPNEGO authentication with fallback to FORM auth?

2016-06-24 Thread ken edward
Hello, I have tomcat 8 on linux, configured with kerberos/SPNEGO authentication. All works well, but if the client cannot use kerberos to authenticate, it will not fallback to FORM authentication. I see some references that tomcat 8 does not do fallback negotiation for FORM auth. True? Any

Configure Tomcat Manager-GUI to use SPNEGO authentication

2015-06-02 Thread Jingru Barr
"(member={0})"   roleName="cn"   roleSubtree="true"    roleBase="dc=mycompany,dc=com" /> 3) modify web.xml to change authentication        SPNEGO Manager GUI    IIAG_HER_Everyone   (this is the AD group name) The result is still not able to authenticate.  Based on the log, I don't see the tomcat try to authenticate using the Kerberos.  Pleae advice further  

Re: SPNEGO test configuration with Manager webapp

2015-05-15 Thread Mark Thomas
65-windows-i586.exe >>>> jdk-7u75-windows-i586.exe >>>> jdk-8-windows-i586.exe >>>> jdk-8u5-windows-i586.exe >>>> jdk-8u11-windows-i586.exe >>>> jdk-8u20-windows-i586.exe >>>> jdk-8u25-windows-i586.exe >>>> jdk-8u

Re: SPNEGO test configuration with Manager webapp

2015-05-14 Thread Mark Thomas
>> jdk-8-windows-i586.exe >>> jdk-8u5-windows-i586.exe >>> jdk-8u11-windows-i586.exe >>> jdk-8u20-windows-i586.exe >>> jdk-8u25-windows-i586.exe >>> jdk-8u31-windows-i586.exe >>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / B

Re: SPNEGO test configuration with Manager webapp

2015-05-14 Thread Mark Thomas
> jdk-8u11-windows-i586.exe >> jdk-8u20-windows-i586.exe >> jdk-8u25-windows-i586.exe >> jdk-8u31-windows-i586.exe >> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token >> >> Seems a recent "fix" must have broken it. > > T

RE: SPNEGO test configuration with Manager webapp

2015-03-29 Thread David Marsh
munication: kdc=win-dc01.kerbtest.local TCP:88, timeout=3,Attempt >>> =1, #bytes=247 >>>DEBUG: TCPClient reading 1475 bytes >>> KrbKdcReq send: #bytes read=1475 >>> KdcAccessibility: remove win-dc01.kerbtest.local:88 Looking for keys for: HTTP/win-tc01.kerbtest.loc

RE: SPNEGO test configuration with Manager webapp

2015-03-29 Thread David Marsh
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 Added key: 23version: 4 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 23 17. >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>> KrbAsRep cons in KrbAsReq.getReply

Re: SPNEGO test configuration with Manager webapp

2015-03-29 Thread André Warnier
e jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token Seems a recent "fix" must have broken it. That is really great info. Thanks. By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one where it

RE: SPNEGO test configuration with Manager webapp

2015-03-29 Thread David Marsh
-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token Seems a recent "fix" must have broken it. David ---- > Subject: Re: SPNEGO test configuration with Manager webapp > From: felix.schumac...@internetallee.de > Date: Sun, 29 Mar 2015

Re: SPNEGO test configuration with Manager webapp

2015-03-29 Thread Felix Schumacher
ult * constrained delegation is supported. My guess would be, that it would help (in this case) to reenable DES by adding allow_weak_crypto=true in the krb5.conf. Regards Felix > >Mark > > >> >> David >> >> >>> Fro

Re: SPNEGO test configuration with Manager webapp

2015-03-28 Thread Mark Thomas
From: dmars...@outlook.com >> To: users@tomcat.apache.org >> Subject: RE: SPNEGO test configuration with Manager webapp >> Date: Fri, 27 Mar 2015 23:40:06 + >> >> By the way Tomcat 8 was running on JDK :- >> >> C:\Windows\system32>java -version >>

RE: SPNEGO test configuration with Manager webapp

2015-03-28 Thread David Marsh
David > From: dmars...@outlook.com > To: users@tomcat.apache.org > Subject: RE: SPNEGO test configuration with Manager webapp > Date: Fri, 27 Mar 2015 23:40:06 + > > By the way Tomcat 8 was running on JDK :- > > C:\Windows\system32>java -version >

RE: SPNEGO test configuration with Manager webapp

2015-03-27 Thread David Marsh
By the way Tomcat 8 was running on JDK  :- C:\Windows\system32>java -version java version "1.8.0_40" Java(TM) SE Runtime Environment (build 1.8.0_40-b26) Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode) Version update 40 should include some JRE fixes around GSS and SPNEG

Re: SPNEGO test configuration with Manager webapp

2015-03-26 Thread André Warnier
y dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way. many thanks David Date: Thu, 26 Mar 2015 11:32:39 +0100 From: a...@ice-sa.com To: users@tomcat.apache.org Subject: Re: SPNEGO test configuration with Manager webapp David Marsh wrote:

RE: SPNEGO test configuration with Manager webapp

2015-03-26 Thread David Marsh
ket in the Java session cache. So problem seems to be either :- 1. Browser sends bad token 2. Token is good but Oracle JDK 8 GSS-API cannot handle it many thanks David > Date: Thu, 26 Mar 2015 11:32:39 +0100 > From: a...@ice-sa.com > To: users@tomcat.apache.org > Subject: Re: SPNEGO test

Re: SPNEGO test configuration with Manager webapp

2015-03-26 Thread André Warnier
sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server. I do not know about the SPNEGO thing in Tomcat (from the name, it should). The Jespa module from www.ioplex.com does not ha

RE: SPNEGO test configuration with Manager webapp

2015-03-26 Thread David Marsh
Hi Mark, Thanks that would be great ! Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ? David > Date: Thu, 26 Mar 2015 09:00:22 + > From: ma...@apache.org > To: users@tomcat.apache.org > Subject: Re: SPNEGO test configuration

Re: SPNEGO test configuration with Manager webapp

2015-03-26 Thread Mark Thomas
SS-API ? > > http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1 > > Does Tomcat 8 work with NegoEx ? > > Is Windows 8.1 and Windows Server 2012 RC2 supported ? My test environment is Windows 2008 R2 server and Windows 7. It is certainly possible security has been tight

Re: SPNEGO test configuration with Manager webapp

2015-03-25 Thread Terence M. Bandoian
rberos and Windows Kerberos, depend on the versions of both Java and Windows Server.. Man, this thing is really a nightmare, isn't it ? From: dmars...@outlook.com To: users@tomcat.apache.org Subject: RE: SPNEGO test configuration with Manager webapp

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
Still getting :- java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) Folks here mention lack of NegoEx support or bugs in GSS-API ? http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
With the correct keytab and krb5.ini I can get kinit to pass... Still cannot get SPNEGO in tomcat to work, have the same 401 three times. C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\key

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
)         at sun.security.krb5.internal.KDCRep.init(Unknown Source)         at sun.security.krb5.internal.ASRep.init(Unknown Source)         at sun.security.krb5.internal.ASRep.(Unknown Source)         ... 5 more > From: dmars...@outlook.co

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
bAsReqBuilder.send(Unknown Source)         at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)         at sun.security.krb5.internal.tools.Kinit.(Unknown Source)         at sun.security.krb5.internal.tools.Kinit.main(Unknown Source) Caused by: KrbException: Identifier doesn't match e

Re: SPNEGO test configuration with Manager webapp

2015-03-25 Thread André Warnier
utlook.com To: users@tomcat.apache.org Subject: RE: SPNEGO test configuration with Manager webapp Date: Wed, 25 Mar 2015 16:50:47 + It's possible I guess, although I would not expect that. The test is :- Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM Firefox is not con

Re: SPNEGO test configuration with Manager webapp

2015-03-25 Thread Felix Schumacher
-- From: dmars...@outlook.com To: users@tomcat.apache.org Subject: RE: SPNEGO test configuration with Manager webapp Date: Wed, 25 Mar 2015 16:50:47 + It's possible I guess, although I would not expect that. The test is :- Client Test Windows 8.1 VM with Firefox -> Tomcat Server Wind

Re: SPNEGO test configuration with Manager webapp

2015-03-25 Thread Felix Schumacher
ES-CBC-CRC" to the ktpass call (as in https://community.oracle.com/thread/1527560). Felix From: dmars...@outlook.com To: users@tomcat.apache.org Subject: RE: SPNEGO test configuration with Manager webapp Date: Wed, 25 Mar 2015 16:50:47 +000

Re: SPNEGO test configuration with Manager webapp

2015-03-25 Thread André Warnier
h Java and Windows Server.. Man, this thing is really a nightmare, isn't it ? From: dmars...@outlook.com To: users@tomcat.apache.org Subject: RE: SPNEGO test configuration with Manager webapp Date: Wed, 25 Mar 2015 16:50:47 + It's possible I

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
init.java:113) > From: dmars...@outlook.com > To: users@tomcat.apache.org > Subject: RE: SPNEGO test configuration with Manager webapp > Date: Wed, 25 Mar 2015 16:50:47 + > > It's possible I guess, although I would not expect that. > > The test

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E=" Response WWW-Authenticate: "Negotiate" I'm not sure how long they should be, but they all end "=" so expect not truncated ? > Subject: RE: SPNEGO test configuration with Man

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread Felix Schumacher
ata: >PA-DATA type = 15 > >KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ >default etypes for default_tkt_enctypes: 23 18 17. >Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >Added key: 23version: 3 >Looking for keys for:

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
7 >>> KrbKdcReq send: #bytes read=100 >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=3, number >>> of retries =3, #bytes= 247 >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=3,Attempt >>> =1, #bytes=247 >>>DEB

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread Felix Schumacher
ndows, or how the java one is used). Felix Date: Tue, 24 Mar 2015 22:46:15 + From: ma...@apache.org To: users@tomcat.apache.org Subject: Re: SPNEGO test configuration with Manager webapp On 24/03/2015 20:47, David Marsh wrote: Hi Felix, Thanks

Re: SPNEGO test configuration with Manager webapp

2015-03-25 Thread André Warnier
te: Tue, 24 Mar 2015 22:46:15 + From: ma...@apache.org To: users@tomcat.apache.org Subject: Re: SPNEGO test configuration with Manager webapp On 24/03/2015 20:47, David Marsh wrote: Hi Felix, Thanks for your help! I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and

RE: SPNEGO test configuration with Manager webapp

2015-03-25 Thread David Marsh
> From: ma...@apache.org > To: users@tomcat.apache.org > Subject: Re: SPNEGO test configuration with Manager webapp > > On 24/03/2015 20:47, David Marsh wrote: >> Hi Felix, >> Thanks for your help! >> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in star

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread André Warnier
is not in evidence here for now. Maybe the SPNs don't match, between the KDC and the Tomcat server ? "ktlist" may be a good tool on both, to list what's there and compare. David Date: Tue, 24 Mar 2015 21:39:38 +0100 From: felix.schumac...@internetallee.de To: users@

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread Mark Thomas
24 Mar 2015 21:39:38 +0100 >> From: felix.schumac...@internetallee.de >> To: users@tomcat.apache.org >> Subject: Re: SPNEGO test configuration with Manager webapp >> >> On 24.03.2015 at 21:25, David Marsh wrote: >>> Everything is as described and s

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread André Warnier
btest.local@KERBTEST.LOCAL" useKeyTab=true keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab" storeKey=true; }; In other words the principal is the tomcat server as it should be. Date: Tue, 24 Mar 2015 21:17:59 +0100 From: felix.schu

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
ocal TCP:88, timeout=3,Attempt =1, #bytes=247 >>>DEBUG: TCPClient reading 1483 bytes >>> KrbKdcReq send: #bytes read=1483 >>> KdcAccessibility: remove win-dc01.kerbtest.local:88 Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL Added key: 23versio

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
> From: felix.schumac...@internetallee.de > To: users@tomcat.apache.org > Subject: Re: SPNEGO test configuration with Manager webapp > > On 24.03.2015 at 21:25, David Marsh wrote: > > Everything is as described and still not working, except the jaas.conf is :- > > > >

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread Felix Schumacher
om: felix.schumac...@internetallee.de To: users@tomcat.apache.org Subject: Re: SPNEGO test configuration with Manager webapp On 24.03.2015 at 21:05, David Marsh wrote: Sorry that's :- principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL" under jaas.conf, it is set to the tomcat serv

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
I copied old config file to mail yes. > Date: Tue, 24 Mar 2015 21:17:59 +0100 > From: felix.schumac...@internetallee.de > To: users@tomcat.apache.org > Subject: Re: SPNEGO test configuration with Manager webapp > > Am 24.03.2015 um 2

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
useKeyTab=true keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab" storeKey=true; }; In other words the principal is the tomcat server as it should be. > Date: Tue, 24 Mar 2015 21:17:59 +0100 > From: felix.schumac...@internetallee.de > To: u

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread Felix Schumacher
l? Felix From: dmars...@outlook.com To: users@tomcat.apache.org Subject: SPNEGO test configuration with Manager webapp Date: Tue, 24 Mar 2015 20:02:04 + I'm trying to get SPNEGO authentication working with Tomcat 8. I've created three Windows V

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread Felix Schumacher
On 24.03.2015 at 21:02, David Marsh wrote: I'm trying to get SPNEGO authentication working with Tomcat 8. I've created three Windows VMs :- Tomcat Server - Windows 8.1 32 bit VM Test Client - Windows 8.1 32 bit VM Domain Controller - Windows Server 2012 R2 64 bit VM The Tomcat Serv

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
Sorry that's :- > principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL" under jaas.conf, it is set to the tomcat server DNS. > From: dmars...@outlook.com > To: users@tomcat.apache.org > Subject: SPNEGO test configuration with Mana

SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
I'm trying to get SPNEGO authentication working with Tomcat 8.  I've created three Windows VMs :- Tomcat Server - Windows 8.1 32 bit VM Test Client - Windows 8.1 32 bit VM Domain Controller - Windows Server 2012 R2 64 bit VM  The Tomcat Server and the Test Client are joined to the s

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread Mark Thomas
On 24/03/2015 15:17, David Marsh wrote: SPNEGO is fickle. Sometimes the smallest change can cause problems. Set up a test environment as close to the How-To as possible. You should definitely be using three separate machines (or VMs). Get this working. If your test environment doesn't

RE: SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
I was using Internet explorer and had added the ip address of to domain controller/ tomcat server to the trusted sites list in the Intranet zone. I was not using https. I was using a Windows 8 client VM to talk to a Windows Server 2012 VM. I have now tried Firefox with SPNEGO and can confirm with

Re: SPNEGO test configuration with Manager webapp

2015-03-24 Thread André Warnier
David Marsh wrote: Hello, I'm trying to get SPNEGO authentication working with Tomcat 8. I've followed the guidelines on the website. jaas.conf com.sun.security.jgss.krb5.initiate {...}; com.sun.security.jgss.krb5.accept {com.sun.security.auth.module.Krb5LoginModule required d

SPNEGO test configuration with Manager webapp

2015-03-24 Thread David Marsh
Hello, I'm trying to get SPNEGO authentication working with Tomcat 8. I've followed the guidelines on the website. jaas.conf com.sun.security.jgss.krb5.initiate {...}; com.sun.security.jgss.krb5.accept { com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true

Re: Tomcat Spnego against Active Directory does not work with Java 8

2014-09-26 Thread detelinyordanov
:00 Konstantin Kolinko : > 2014-09-26 2:24 GMT+04:00 : > > Hello everyone, > >I'm successfully using Tomcat 7.0.55 configured with Spnego > > authentication against Active Directory running Windows 2008 Server and > Java > > 1.7.0.51. However, after switchi

Re: Tomcat Spnego against Active Directory does not work with Java 8

2014-09-25 Thread Konstantin Kolinko
2014-09-26 2:24 GMT+04:00 : > Hello everyone, >I'm successfully using Tomcat 7.0.55 configured with Spnego > authentication against Active Directory running Windows 2008 Server and Java > 1.7.0.51. However, after switching to Java 1.8.0_20, authentication does not > work

Tomcat Spnego against Active Directory does not work with Java 8

2014-09-25 Thread detelinyordanov
Hello everyone, I'm successfully using Tomcat 7.0.55 configured with Spnego authentication against Active Directory running Windows 2008 Server and Java 1.7.0.51. However, after switching to Java 1.8.0_20, authentication does not work anymore, Tomcat logs the following error message: S

Re: EXTERNAL: Re: Spnego authentication with Tomcat 7.0.55 on Linux 6.5 returns null from request.getremoteUser

2014-08-30 Thread Felix Schumacher
On 29.08.2014 at 15:44, Seshadri, Usha wrote: -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Friday, August 29, 2014 1:44 AM To: Tomcat Users List Subject: EXTERNAL: Re: Spnego authentication with Tomcat 7.0.55 on Linux 6.5 returns null from request.getremoteUser

RE: EXTERNAL: Re: Spnego authentication with Tomcat 7.0.55 on Linux 6.5 returns null from request.getremoteUser

2014-08-29 Thread Seshadri, Usha
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Friday, August 29, 2014 1:44 AM To: Tomcat Users List Subject: EXTERNAL: Re: Spnego authentication with Tomcat 7.0.55 on Linux 6.5 returns null from request.getremoteUser On 29/08/2014 03:51, Seshadri, Usha wrote: >

Re: Spnego authentication with Tomcat 7.0.55 on Linux 6.5 returns null from request.getremoteUser

2014-08-28 Thread Mark Thomas
On 29/08/2014 03:51, Seshadri, Usha wrote: > Hi, > I am trying to configure spnego out of the box on tomcat 7.0.55 on Linux 6.5, > with directions given at > http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. And I am > trying to test the configuratio

Spnego authentication with Tomcat 7.0.55 on Linux 6.5 returns null from request.getremoteUser

2014-08-28 Thread Seshadri, Usha
Hi, I am trying to configure spnego out of the box on tomcat 7.0.55 on Linux 6.5, with directions given at http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. And I am trying to test the configuration with a sample hello_spnego.jsp file given below. When I load http://localhost

Re: SingleSignOn valve in combination with SPNego

2014-06-06 Thread André Warnier
Konstantin Kolinko wrote: 2014-06-04 17:02 GMT+04:00 Maarten van Hulsentop : Hello all, We are encountering an issue with the use of the SingleSignOn valve and SPNego and are looking for a best practice on this. Let me describe our situation; Our suite consists of multiple end-user

Re: SingleSignOn valve in combination with SPNego

2014-06-06 Thread Konstantin Kolinko
2014-06-04 17:02 GMT+04:00 Maarten van Hulsentop : > Hello all, > > We are encountering an issue with the use of the SingleSignOn valve and > SPNego and are looking for a best practice on this. Let me describe our > situation; > Our suite consists of multiple end-user webappli

SingleSignOn valve in combination with SPNego

2014-06-04 Thread Maarten van Hulsentop
Hello all, We are encountering an issue with the use of the SingleSignOn valve and SPNego and are looking for a best practice on this. Let me describe our situation; Our suite consists of multiple end-user webapplications but also a few webapplications that accept interaction from other systems

RE: Need How-To Authenticate with built-in SPNEGO and Authorize with a DataSourceRealm or JAAS database role lookup.

2014-05-01 Thread Troyer, Ron
How-To Authenticate with built-in SPNEGO and Authorize with a DataSourceRealm or JAAS database role lookup. Hi Ron, On 1 May 2014 16:52:13 CEST, "Troyer, Ron" wrote: >Hi Felix, > >Thanks for the response. > >Maybe I am thinking about this the wrong way. In my mind I

RE: Need How-To Authenticate with built-in SPNEGO and Authorize with a DataSourceRealm or JAAS database role lookup.

2014-05-01 Thread Felix Schumacher
have to configure the login-config element to use SPNEGO instead of BASIC or FORMS. If you do this tomcat will add a kerberos/spnego aware authentication valve to your context. This valve will use the jaas config that is mentioned in the windows authentication page. You don't need the jaas

RE: Need How-To Authenticate with built-in SPNEGO and Authorize with a DataSourceRealm or JAAS database role lookup.

2014-05-01 Thread Troyer, Ron
JBoss so I guess I have some pre-conceived ideas. Thanks Ron -Original Message- From: Felix Schumacher [mailto:felix.schumac...@internetallee.de] Sent: Wednesday, April 30, 2014 2:44 PM To: Tomcat Users List Subject: Re: Need How-To Authenticate with built-in SPNEGO and Author

Re: Need How-To Authenticate with built-in SPNEGO and Authorize with a DataSourceRealm or JAAS database role lookup.

2014-04-30 Thread Felix Schumacher
;Authentication, but I am confused at this point. From the >documentation I have been unable to determine how to configure my >realms and JAAS to authenticate with SPNEGO and authorize with a >database lookup. For one thing I don't understand the difference >between th

Need How-To Authenticate with built-in SPNEGO and Authorize with a DataSourceRealm or JAAS database role lookup.

2014-04-29 Thread Troyer, Ron
determine how to configure my realms and JAAS to authenticate with SPNEGO and authorize with a database lookup. For one thing I don't understand the difference between the krb5 initiate and accept entries in the example JAAS configuration. Looking at the documentation for the Realms, it looks l

User Realm for Tomcat Builtin SPNEGO

2013-11-27 Thread Chris Fors
Is using the JNDI the best option? Any examples of this or other/better methods? Thanks Chris

Re: Solaris/Tomcat 7.0.32 + SPNEGO, Browser Header Problem

2013-09-25 Thread Mark Thomas
On 25/09/2013 07:32, Geoffrey Seanor wrote: > Hi, > > I'm running Tomcat 7.0.32 on jdk1.6.0_06 and am having problems with > client browser (IE8) SPNEGO authentication. > > I referred to this page when checking the browser configuration, which > runs on Windows X

Solaris/Tomcat 7.0.32 + SPNEGO, Browser Header Problem

2013-09-25 Thread Geoffrey Seanor
Hi, I'm running Tomcat 7.0.32 on jdk1.6.0_06 and am having problems with client browser (IE8) SPNEGO authentication. I referred to this page when checking the browser configuration, which runs on Windows XP. http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-161 9890

Re: Tomcat7 and SPNEGO configuration questions

2013-06-11 Thread Felix Schumacher
oginModule]: Entering logout [Krb5LoginModule]: logged out Subject But the page always returns 401 if I try to use it: 10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello HTTP/1.1" 401 951 We have another page that uses spring SPNEGO and it works fine with e

Re: Tomcat7 and SPNEGO configuration questions

2013-06-11 Thread Felix Schumacher
3:31 PM To: Tomcat Users List Subject: RE: Tomcat7 and SPNEGO configuration questions Felix, Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two poss

Re: Tomcat7 and SPNEGO configuration questions

2013-06-11 Thread Felix Schumacher
onf/tomcat-users.xml. Regarding the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the instruction. Is there something more needed in the web.xml? No, there is nothi

RE: Tomcat7 and SPNEGO configuration questions

2013-06-11 Thread Edward Siewick
@tomcat.apache.org Subject: RE: Tomcat7 and SPNEGO configuration questions I am in a similar situation to Edward. My authentication says something like: principal's key obtained from the keytab Acquire TGT using AS Exchange default etypes for default_tkt_enctypes: 23 18 17. >>> Kr
