I'm trying to get SPNEGO authentication working with Tomcat 8. I've created three Windows VMs:

    Tomcat Server - Windows 8.1 32 bit VM
    Test Client - Windows 8.1 32 bit VM
    Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain, kerbtest.local, and they are logged in with domain logins. The firewall is disabled on the Tomcat Server VM. I've followed the guidelines on the Apache Tomcat website.

jaas.conf:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
        storeKey=true;
    };

krb5.ini:

    [libdefaults]
    default_realm = KERBTEST.LOCAL
    default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

    [realms]
    KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
    }

I want to use the Tomcat manager app to test SPNEGO with Active Directory. I have tried to keep the setup as basic and vanilla to the instructions as possible. Users were created as instructed. The SPN was created as instructed:

    setspn -A HTTP/win-tc01.kerbtest.local tc01

The keytab was created as instructed:

    ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0

I have tried to test with Firefox, Chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris. Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting the URL http://win-tc01.kerbtest.local from the Test Client VM in Firefox results in a 401 three times. Looking at the Network tab in Firefox's developer tools shows a 401 response with a WWW-Authenticate: Negotiate response header. The next request has an Authorization request header with a long encrypted string. IE still prompts for credentials with a popup; not sure why, as does Chrome. The setting User Authentication, Logon, Automatic Logon only in Intranet Zone is selected under Trusted Sites.

It seems like authentication is never completed? There are no errors in the Tomcat logs. Any ideas what is happening and what I can do to troubleshoot? I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic setup.

Many thanks

David
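Two checks worth running on a setup like the one described above are (1) whether the "long encrypted string" in the browser's Authorization: Negotiate header is actually a Kerberos/SPNEGO token or an NTLM token (a browser that cannot obtain a service ticket for the HTTP SPN falls back to NTLM inside the same Negotiate header, which Tomcat's SPNEGO authenticator cannot complete), and (2) whether the principal= named in jaas.conf has a key in the keytab, which in turn has to carry the SPN registered with setspn. The script below is an added example written for this page; it is not from the poster, Tomcat or any Tomcat tool. It decodes the mechanism OID at the head of a GSS-API InitialContextToken, parses the MIT keytab format (version 0x0502, which ktpass writes), and compares the jaas.conf principal against the keytab entries. The keytab bytes and the two Negotiate header values are constructed inline for the example; the key material is zeros, not a real key.

```python
import base64
import struct

MECH_OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5"}


def _der_length(buf, off):
    """Decode a DER length at buf[off]; return (length, offset after it)."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def _decode_oid(content):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value):
    """Return 'NTLM', the GSS-API mechanism name of an InitialContextToken
    (RFC 2743 section 3.1), or 'unknown' for an Authorization: Negotiate value.
    A browser that gets no Kerberos service ticket falls back to NTLM inside
    the same Negotiate header, so this is the first thing to check."""
    parts = header_value.split(None, 1)
    b64 = parts[1] if len(parts) == 2 and parts[0].lower() == "negotiate" else header_value
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if not raw or raw[0] != 0x60:          # [APPLICATION 0] InitialContextToken
        return "unknown"
    _, off = _der_length(raw, 1)
    if raw[off] != 0x06:                   # an OBJECT IDENTIFIER must follow
        return "unknown"
    oid_len, off = _der_length(raw, off + 1)
    oid = _decode_oid(raw[off:off + oid_len])
    return MECH_OIDS.get(oid, "unknown OID " + oid)


def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502, as written by ktpass) into
    a list of {'principal', 'kvno', 'enctype'} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size == 0:
            break
        if size < 0:                       # negative size marks a deleted slot
            off -= size
            continue
        end, p = off + size, off
        ncomp, rlen = struct.unpack(">HH", data[p:p + 4]); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[p:p + 2]); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 8                             # name_type (v2 only) + timestamp
        kvno = data[p]; p += 1             # 8-bit key version number
        enctype, klen = struct.unpack(">HH", data[p:p + 4]); p += 4 + klen
        if p + 4 <= end:                   # optional 32-bit vno wins when nonzero
            kvno = struct.unpack(">I", data[p:p + 4])[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
        off = end
    return entries


def keytab_has_principal(entries, jaas_principal):
    """True when the principal= value from jaas.conf has a key in the keytab."""
    return any(e["principal"] == jaas_principal for e in entries)


def _keytab_entry(components, realm, kvno, enctype, key):
    """Build one keytab entry from constructed test data (not a real key)."""
    body = struct.pack(">HH", len(components), len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">II", 1, 0)       # KRB5_NT_PRINCIPAL, timestamp 0
    body += bytes([kvno & 0xFF]) + struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed samples: one rc4-hmac (enctype 23) key for the HTTP SPN of
# win-tc01, a raw NTLM Type 1 token and a minimal SPNEGO token.
SAMPLE_KEYTAB = b"\x05\x02" + _keytab_entry(
    ["HTTP", "win-tc01.kerbtest.local"], "KERBTEST.LOCAL", 3, 23, b"\x00" * 16)
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16).decode()
_SPNEGO_BODY = b"\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x02\x30\x00"
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(_SPNEGO_BODY)]) + _SPNEGO_BODY).decode()
```

To use it against a real setup, pass the Authorization header value copied from the browser's Network tab to classify_negotiate_token, and the bytes of tomcat.keytab to parse_keytab; a real NTLM token base64-encodes to a string beginning "TlRMTVNT", while a Kerberos/SPNEGO token begins "YII". The kvno and enctype printed for each keytab entry can then be compared with what the KDC issues (ktpass is told the kvno explicitly, and the Krb5LoginModule rejects a ticket whose kvno or enctype has no matching key).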