Thanks Terrence,

We will have a look at Waffle as well.


Kind regards,

Philippe Wijdh
Senior Programmer

Assai software services BV, Parallelweg Oost 13a, 4103 NC, Culemborg, The Netherlands
P: +31 (0)345 516 663, E: p.wi...@assai.nl, W: www.assai-software.com

-----Original Message-----
From: Terence M. Bandoian [mailto:tere...@tmbsw.com] 
Sent: Wednesday 22 October 2014 18:56
To: Tomcat Users List
Subject: Built-in Tomcat Support for Windows Authentication

On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
> Hello,
>
> We have spent a long time now trying to set up Apache Tomcat with Windows 
> Authentication.
> We followed the instructions as per 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
> make it work properly: the logon dialog keeps appearing and trying to log on 
> fails.
> In addition to that we tried suggestions, like adding the registry key 
> AllowTgtSessionKey and setting it to 0x01. It seems like we are close but 
> we are missing something (see Tomcat output below). Does anyone have more 
> complete documentation or any suggestions on how to make this work?
>
>
> Kind regards,
>
> Philippe Wijdh
>
>
>
> Extra information on the setup:
>
> Windows 2008 r2 sp1
> Apache Tomcat 7.0.54
> jdk1.7.0_60
>
> Tomcat is running as a service using account 
> HTTP/v3tcat4ad.assai.nl:8080 (we have created the SPN with and without the 
> port number; it does not make a difference).
>
> The test is done with user testu...@assai.nl in IE11 on 
> different machines, with http://v3tcat4ad.assai.nl explicitly added to the 
> Intranet sites.


Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success 
using Waffle in a similar configuration.  You might try that if all else fails.

-Terence Bandoian


>
>
>
> Tomcat Output:
>
>>>> KeyTabInputStream, readName(): ASSAI.NL
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>>> KeyTab: load() entry length: 72; type: 23
> Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
> Loaded from Java config
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
>>>> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
>              suSec is 403143
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number 
>>>> of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt 
>>>> =1, #bytes=235 KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
> sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
> sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, #bytes=152
>>>> KrbKdcReq send: #bytes read=173
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>              sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
>              suSec is 996893
>              error code is 25
>              error Message is Additional pre-authentication required
>              realm is ASSAI.NL
>              sname is krbtgt/ASSAI.NL
>              eData provided.
>              msgType is 30
>>>> Pre-Authentication Data:
>              PA-DATA type = 11
>              PA-ETYPE-INFO etype = 23, salt =
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 19
>              PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 2
>              PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>              PA-DATA type = 16
>
>>>> Pre-Authentication Data:
>              PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number 
>>>> of retries =3, #bytes=235
>>>> KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt 
>>>> =1, #bytes=235 KrbKdcReq send: #bytes read=1446
>>>> KdcAccessibility: remove v3dom1.assai.nl:88
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
> sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
> sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab
> Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list default etypes for 
> default_tkt_enctypes: 23 18 17.
>

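Reading the quoted Kerberos debug trace by hand is tedious, so here is an added Python example (not part of the thread, and not Tomcat's or the list's code) that pulls the reviewable facts out of a sun.security.krb5.debug trace in the format quoted above and lists the checks a reviewer would run first. The excerpt it parses is constructed from lines quoted in the thread (the keytab principal is assembled from the three readName() lines); the regexes and the findings are this example's own assumptions about the trace format, not documented JDK behaviour.

```python
import re

# Constructed excerpt of the sun.security.krb5.debug output quoted in the
# thread, trimmed to the lines the checks below use.
SAMPLE_LOG = """\
>>> KeyTabInputStream, readName(): ASSAI.NL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
>>> KeyTab: load() entry length: 72; type: 23
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries =3, #bytes=152
>>> KRBError:
             error code is 25
             error Message is Additional pre-authentication required
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Entered Krb5Context.acceptSecContext with state=STATE_NEW
"""

ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_krb5_debug(text):
    """Extract the facts worth checking from a Java Kerberos debug trace (format assumed from the thread)."""
    names = re.findall(r"KeyTabInputStream, readName\(\): (\S+)", text)
    realm, service, host = (names + [None] * 3)[:3]   # realm first, then the principal parts
    etype_lists = re.findall(r"default_tkt_enctypes: ([\d ]+)\.", text)
    return {
        "keytab_principal": f"{service}/{host}@{realm}" if host else None,
        "keytab_etypes": sorted({int(t) for t in re.findall(r"KeyTab: load\(\).*?type: (\d+)", text)}),
        "default_tkt_enctypes": [int(t) for t in etype_lists[0].split()] if etype_lists else [],
        "kdcs": sorted(set(re.findall(r"kdc=(\S+?) ", text))),
        "krb_error_codes": [int(c) for c in re.findall(r"error code is (\d+)", text)],
        "as_rep_for": (re.findall(r"KrbAsRep cons in KrbAsReq\.getReply (\S+)", text) or [None])[0],
        "accept_started": "Krb5Context.acceptSecContext" in text,
    }

def review(facts):
    """Turn the parsed facts into the findings a reviewer would raise first."""
    findings = []
    host = (facts["keytab_principal"] or "").split("/", 1)[-1].split("@")[0]
    if ":" in host:   # SPN with a port: browsers normally ask for HTTP/<host> without one
        findings.append("keytab principal carries a port; browsers normally request HTTP/<host> without one")
    if facts["keytab_etypes"] == [23]:   # only an RC4-HMAC key, although krb5.conf also allows AES
        missing = [ETYPE_NAMES.get(e, str(e)) for e in facts["default_tkt_enctypes"] if e != 23]
        findings.append(f"keytab holds only rc4-hmac; no key for {', '.join(missing)} allowed by krb5.conf")
    if 25 in facts["krb_error_codes"] and facts["as_rep_for"]:   # 25 = KDC_ERR_PREAUTH_REQUIRED
        findings.append("error 25 (pre-auth required) is the normal first KDC reply; the AS-REP after it shows the service login works")
    if facts["accept_started"]:
        findings.append("acceptSecContext was entered, so the browser did send a SPNEGO token; the lines after it show whether it was accepted")
    return findings
```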

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

