Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf

com.sun.security.jgss.krb5.initiate {...};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tc01.keytab"
    storeKey=true;
};
krb5.ini

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable = true

[realms]
KERBTEST.LOCAL = {
        kdc = Server2012dc.kerbtest.local:88
}

[domain_realm]
kerbtest.local = KERBTEST.LOCAL
.kerbtest.local = KERBTEST.LOCAL
I want to use the Tomcat manager app to test SPNEGO with Active Directory; Tomcat is currently installed on the domain controller.
It seems like authentication is never completed, as in the browser I get prompted for credentials over and over. So there appear to be two issues:
1. Authentication is not succeeding
2. SPNEGO accept header is not currently sent
I have created the tc01 and test users in Active Directory, and the keytab as instructed.
I run Tomcat as the tc01 user:
runas /env /user:tc01@kerbtest.local "startup.bat"
Output from running Tomcat:
Server startup in 3443 ms
24-Mar-2015 10:26:56.485 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.496 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.510 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.525 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.544 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Statusinterface]' against GET /html --> false
24-Mar-2015 10:26:56.560 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
24-Mar-2015 10:26:56.575 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
24-Mar-2015 10:26:56.587 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
24-Mar-2015 10:26:56.599 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): tc01.kerbtest.local
>>> KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 7
>>> KdcAccessibility: reset
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=160
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16
>>>Pre-Authentication Data:
         PA-DATA type = 15
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Mar 24 10:26:57 GMT 2015 1427192817000
         suSec is 627351
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16
>>>Pre-Authentication Data:
         PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=243
>>>DEBUG: TCPClient reading 1467 bytes
>>> KrbKdcReq send: #bytes read=1467
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Tue Mar 24 20:26:57 GMT 2015
I create a realm in server.xml:

      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionURL="ldap://192.168.78.8:389"
             userBase="ou=Users,dc=kerbtest,dc=local"
             userSearch="(mail={0})"
             userRoleName="memberOf"
             roleBase="ou=Users,dc=kerbtest,dc=local"
             roleName="cn"
             roleSearch="(uniqueMember={0})"/>
web.xml for the manager web app has the auth method set:

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <!-- <auth-method>BASIC</auth-method> -->
    <auth-method>SPNEGO</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
Any ideas what is happening and what I can do to troubleshoot?
Many thanks,
David
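Added here as a worked example, not part of David's post and not Tomcat or JDK code: a small Python script that reads the JDK's -Dsun.security.krb5.debug=true output (the kind shown above, once the mail-wrapped lines are back to one event per line) and summarises what it says about the keytab, the encryption types, the KDC round trips and any KRB-ERROR. The regular expressions are keyed to the literal strings the JDK prints in the output above; the etype and error-code tables come from RFC 3961/4757 and RFC 4120; SAMPLE_LOG is a constructed, trimmed excerpt of that output, and the finding texts are this example's own wording.

```python
import re

# Kerberos encryption type numbers (RFC 3961 / RFC 4757) as the JDK prints them
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# KRB-ERROR codes (RFC 4120) that come up most often when debugging a service keytab
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED", 31: "KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED", 68: "KDC_ERR_WRONG_REALM",
}

# Constructed sample: a trimmed excerpt of the JDK debug output for a keytab login
SAMPLE_LOG = """\
>>> KeyTab: load() entry length: 74; type: 23
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required         sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=243
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Tue Mar 24 20:26:57 GMT 2015
"""

RE_PRINCIPAL = re.compile(r"Looking for keys for: (\S+)")
RE_KEYTAB_KEY = re.compile(r"Added key: (\d+)version: (\d+)")  # the JDK prints no space here
RE_TKT_ETYPES = re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\.")
RE_KDC = re.compile(r"KrbKdcReq send: kdc=(\S+) (UDP|TCP):(\d+)")
RE_ERR_CODE = re.compile(r"error code is (\d+)")
RE_ERR_MSG = re.compile(r"error Message is (.+)")
RE_ETYPE_USED = re.compile(r">>> EType: (\S+)")
RE_TICKET = re.compile(r"Found ticket for (\S+) to go to (\S+) expiring on (.+)")
RE_RESEND = re.compile(r"PREAUTH FAILED/REQ, re-send AS-REQ")


def parse_krb5_debug(text):
    """Return a summary dict of the Kerberos events found in JDK debug output."""
    summary = {
        "principals": [],             # principals the JDK looked up keys for
        "keytab_etypes": set(),       # etype numbers of keys loaded from the keytab
        "configured_tkt_etypes": [],  # etypes offered in AS-REQ (from krb5.ini)
        "kdcs": [],                   # (host, transport, port) in order of contact
        "errors": [],                 # (code, name, message) per KRB-ERROR
        "preauth_resent": False,      # JDK answered the pre-auth challenge and retried
        "etype_used": None,           # EType class the JDK picked for pre-auth
        "ticket": None,               # (client, server, expiry) if a ticket came back
    }
    pending = None  # KRB-ERROR whose message line has not been seen yet
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_PRINCIPAL.search(line):
            if m.group(1) not in summary["principals"]:
                summary["principals"].append(m.group(1))
        if m := RE_KEYTAB_KEY.search(line):
            summary["keytab_etypes"].add(int(m.group(1)))
        if m := RE_TKT_ETYPES.search(line):
            summary["configured_tkt_etypes"] = [int(e) for e in m.group(1).split()]
        if m := RE_KDC.search(line):
            summary["kdcs"].append((m.group(1), m.group(2), int(m.group(3))))
        if m := RE_ERR_CODE.search(line):
            code = int(m.group(1))
            pending = [code, KRB_ERROR_NAMES.get(code, "UNKNOWN"), ""]
            summary["errors"].append(pending)
        if (m := RE_ERR_MSG.search(line)) and pending is not None:
            # the message may share its line with the next field; split on the run of spaces
            pending[2] = re.split(r"\s{2,}", m.group(1).strip())[0]
            pending = None
        if RE_RESEND.search(line):
            summary["preauth_resent"] = True
        if m := RE_ETYPE_USED.search(line):
            summary["etype_used"] = m.group(1)
        if m := RE_TICKET.search(line):
            summary["ticket"] = (m.group(1), m.group(2), m.group(3).strip())
    summary["errors"] = [tuple(e) for e in summary["errors"]]
    return summary


def assess(summary):
    """Plain-language findings a troubleshooter would read off the parsed summary."""
    findings = []
    kt, cfg = summary["keytab_etypes"], summary["configured_tkt_etypes"]
    if kt:
        findings.append("keytab keys loaded: " + ", ".join(
            f"{e} ({ETYPE_NAMES.get(e, 'unknown')})" for e in sorted(kt)))
    aes = {17, 18}
    if aes & set(cfg) and not aes & kt:
        findings.append("krb5.ini offers AES etypes but the keytab holds no AES key: "
                        "the acceptor can only decrypt tickets issued with rc4-hmac (etype 23)")
    for code, name, msg in summary["errors"]:
        if code == 25 and summary["preauth_resent"]:
            findings.append("KDC_ERR_PREAUTH_REQUIRED on the first AS-REQ is the normal "
                            "pre-authentication challenge; the JDK re-sent the request")
        else:
            findings.append(f"KRB-ERROR {code} {name}: {msg}")
    if summary["ticket"]:
        client, server, expiry = summary["ticket"]
        findings.append(f"AS exchange succeeded: {client} holds a ticket for {server} "
                        f"until {expiry}; keytab and krb5.ini are usable for the acceptor login")
    elif summary["kdcs"]:
        findings.append("no ticket obtained: the acceptor login itself failed; "
                        "read the KRB-ERROR lines before looking at the browser side")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_krb5_debug(SAMPLE_LOG)):
        print("-", finding)
```

Run it as-is to see the findings for the sample, or feed a real capture through parse_krb5_debug(open(path).read()). For output like the one in the post it reports that the keytab carries only an rc4-hmac key while krb5.ini also offers AES, and that the KDC_ERR_PREAUTH_REQUIRED round trip followed by "Found ticket" means the acceptor's own keytab login completed; what the debug output does not show is any incoming AP-REQ, so the remaining question is on the client side of the SPNEGO exchange (whether the browser sends a Negotiate token at all, and for which SPN).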