Okay, this might sound funny. But how do I add newlines?
Date: Wed, 15 Oct 2014 01:37:42 -0700
From: [email protected]
To: [email protected]
Subject: Re: Tomcat windows authentication domain login issue
On 15.10.2014 at 10:22, tantaryu wrote:
>> Let's hope it works this time.
If this was your try to add newlines, then I think it failed.
Felix
>> I need some idea on what's wrong with my tomcat configuration for windows
>> authentication. I followed the tomcat windows authentication tutorial and
>> used the "manager" web application that comes with tomcat to do a poc. In my
>> web.xml I changed
>>     <auth-method>BASIC</auth-method>
>> to
>>     <auth-method>SPNEGO</auth-method>
>> and also changed the auth-constraint to the following
>>     <auth-constraint>
>>         <role-name>*</role-name>
>>     </auth-constraint>
>> This is my krb5.ini
>>     [libdefaults]
>>     default_realm = ACME
>>     default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
>>     default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>     default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>     forwardable=true
>>     [realms]
>>     ACME = {
>>         kdc = AD-Server:88
>>     }
>>     [domain_realm]
>>     acme= ACME
>>     .acme= ACME
>> This is my jaas.conf
>>     com.sun.security.jgss.krb5.initiate {
>>         com.sun.security.auth.module.Krb5LoginModule required
>>         debug=true
>>         doNotPrompt=true
>>         principal="HTTP/Client2@ACME"
>>         useKeyTab=true
>>         keyTab="C:/tomcat/conf/tomcat.keytab"
>>         //useTicketCache=true
>>         storeKey=true;
>>     };
>>     com.sun.security.jgss.krb5.accept {
>>         com.sun.security.auth.module.Krb5LoginModule required
>>         debug=true
>>         doNotPrompt=true
>>         principal="HTTP/Client2@ACME"
>>         useKeyTab=true
>>         keyTab="C:/tomcat/conf/tomcat.keytab"
>>         //useTicketCache=true
>>         storeKey=true;
>>     };
>> The weird thing is regardless of what username and password I put in when I
>> accessed the tomcat manager web-app the debug message shown is the same.
>> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>> >>> KeyTabInputStream, readName(): acme
>> >>> KeyTabInputStream, readName(): HTTP
>> >>> KeyTabInputStream, readName(): Client2
>> >>> KeyTab: load() entry length: 52; type: 23
>> Looking for keys for: HTTP/Client2@ACME
>> Java config name: C:\tomcat\conf\krb5.ini
>> Loaded from Java config
>> Added key: 23version: 0
>> >>> KdcAccessibility: reset
>> Looking for keys for: HTTP/Client2@ACME
>> Added key: 23version: 0
>> default etypes for default_tkt_enctypes: 23 17.
>> >>> KrbAsReq creating message
>> >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>> >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
>> >>> KrbKdcReq send: #bytes read=538
>> >>> KdcAccessibility: remove AD-Server:88
>> Looking for keys for: HTTP/Client2@ACME
>> Added key: 23version: 0
>> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
>> principal is HTTP/Client2@ACME
>> Will use keytab
>> Commit Succeeded
>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
>> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
>> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
>> Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
>> [Krb5LoginModule]: Entering logout
>> [Krb5LoginModule]: logged out Subject
>> I added this in my server.xml
>>     <Realm className="org.apache.catalina.realm.LockOutRealm">
>>         <Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo"
>>                allRolesMode="strictAuthOnly" />
>>     </Realm>
>> When I tried to log in, it doesn't seem to recognize the valid credential. The
>> app keeps on asking me to enter a valid credential. What do I need to change
>> to make it work?
> Date: Wed, 15 Oct 2014 00:56:33 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Tomcat windows authentication domain login issue
>
> On 15.10.2014 at 03:48, tantaryu wrote:
>
>> Okay, now I tried with an email client. Let's see if it works.
> Could you try to add the missing newlines? It is really hard to read the
> text without them.
>
> Regards Felix
>> Date: Tue, 14 Oct 2014 18:03:07 -0700
>> From: [hidden email]
>> To: [hidden email]
>> Subject: RE: Tomcat windows authentication domain login issue
>>> From: tantaryu [mailto:[hidden email]]
>>> Subject: Re: Tomcat windows authentication domain login issue
>>> Let me know if you can read it still. I didn't check the "Message is in
>>> HTML Format" option.
>> It didn't help. Don't use Nabble - post to the user's list directly from an
>> e-mail client.
>> - Chuck
--
View this message in context:
http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023866.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
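
An added example, not part of the thread and not Tomcat or JDK code: a Python script that reads the Krb5LoginModule debug lines quoted in the message and reports the service principal, the KDC contacted, the key types involved and whether the keytab login succeeded. The function name `summarize`, the etype table and the `rc4_only_keytab` flag are assumptions of this example; the sample lines are copied from the quoted debug output.

```python
import re

# Kerberos encryption type numbers; 23 is the type the JDK log above
# reports as ArcFourHmacEType (rc4-hmac in krb5.ini).
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Debug lines copied from the quoted message (one statement per line).
SAMPLE = """\
>>> KeyTab: load() entry length: 52; type: 23
Looking for keys for: HTTP/Client2@ACME
Added key: 23version: 0
default etypes for default_tkt_enctypes: 23 17.
>>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
principal is HTTP/Client2@ACME
Will use keytab
Commit Succeeded
"""


def summarize(log: str) -> dict:
    """Summarize JDK krb5 debug text: principal, KDC, key types, login result."""
    # Key types of the entries actually loaded from the keytab file.
    keytab = sorted({int(n) for n in
                     re.findall(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", log)})
    # Key types the client side offers in the AS request.
    requested = re.search(r"default etypes for default_tkt_enctypes: ([\d ]+)", log)
    principal = re.search(r"^principal is (\S+)$", log, re.M)
    kdc = re.search(r"KrbKdcReq send: kdc=(\S+) (UDP|TCP):(\d+)", log)
    return {
        "principal": principal.group(1) if principal else None,
        "kdc": f"{kdc.group(1)}:{kdc.group(3)}/{kdc.group(2)}" if kdc else None,
        "keytab_etypes": [ETYPES.get(n, str(n)) for n in keytab],
        "requested_etypes": ([ETYPES.get(int(n), n) for n in requested.group(1).split()]
                             if requested else []),
        # "Commit Succeeded" is the login module reporting a completed login.
        "keytab_login_ok": "Commit Succeeded" in log,
        # True when the keytab holds nothing but an RC4-HMAC key.
        "rc4_only_keytab": keytab == [23],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```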