Sorry, that's :-

principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"

under jaas.conf, it is set to the tomcat server DNS.

----------------------------------------
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: SPNEGO test configuration with Manager webapp
> Date: Tue, 24 Mar 2015 20:02:04 +0000
>
> I'm trying to get SPNEGO authentication working with Tomcat 8.
>
> I've created three Windows VMs :-
>
> Tomcat Server - Windows 8.1 32 bit VM
> Test Client - Windows 8.1 32 bit VM
> Domain Controller - Windows Server 2012 R2 64 bit VM
>
> The Tomcat Server and the Test Client are joined to the same domain
> kerbtest.local, they are logged in with domain logins.
>
> The firewall is disabled on the Tomcat Server VM.
>
> I've followed the guidelines on the Apache Tomcat website.
>
> jaas.conf
>
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>     useKeyTab=true
>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>     storeKey=true;
> };
>
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>     useKeyTab=true
>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>     storeKey=true;
> };
>
> krb5.ini
>
> [libdefaults]
> default_realm = KERBTEST.LOCAL
> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
>
> [realms]
> KERBTEST.LOCAL = {
>     kdc = win-dc01.kerbtest.local:88
> }
>
> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>
> I have tried to keep the setup as basic and vanilla to the instructions as
> possible.
>
> Users were created as instructed.
>
> SPN was created as instructed
> setspn -A HTTP/win-tc01.kerbtest.local tc01
>
> keytab was created as instructed
> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>
> I have tried to test with Firefox, Chrome and IE, after ensuring
> http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added
> http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and
> network.negotiate-auth.trusted-uris.
>
> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>
> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in
> Firefox results in 401 three times.
>
> Looking at the Network tab in developer tools in Firefox shows 401 response
> with WWW-Authenticate: Negotiate response http header.
>
> The next has an Authorization request http header with long encrypted string.
>
> IE still prompts for credentials with a popup, not sure why, as does Chrome.
> The setting User Authentication, Logon, Automatic Logon only in Intranet
> Zone, is selected under trusted sites.
>
> It seems like authentication is never completed?
>
> There are no errors in tomcat logs.
>
> Any ideas what is happening and what I can do to troubleshoot?
>
> I'm quite happy to help improve the documentation and follow the
> instructions, however I have tried that and cannot get a working basic set up.
>
> many thanks
>
> David
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
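An added example, not part of this thread: a small Python consistency check for exactly the mismatch the reply corrects. It takes the jaas.conf as first posted (copied here as constructed input) together with the SPN and ktpass /princ values from the same post, and flags any login context whose principal is not the registered SPN qualified with the realm, which is the principal whose key ktpass wrote into the keytab.

```python
import re

# Constructed sample: the jaas.conf as first posted in the thread, where both
# login contexts name the domain controller host rather than the Tomcat host.
POSTED_JAAS = """
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
"""
# Values taken from the setspn / ktpass commands and krb5.ini in the same post.
SPN = "HTTP/win-tc01.kerbtest.local"
KTPASS_PRINC = "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
DEFAULT_REALM = "KERBTEST.LOCAL"
CONTEXTS = ("com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept")

def jaas_principals(text):
    """Map each JAAS login-context name to the principal= value inside its block."""
    return dict(re.findall(r'([\w.]+)\s*\{[^}]*?principal="([^"]+)"', text))

def check_spnego(jaas_text, spn, ktpass_princ, realm):
    """Return a list of mismatches; an empty list means all three places agree.
    The keytab principal must be the registered SPN plus the realm, and both JAAS
    contexts must name that same principal, or the service ticket the browser
    presents cannot be decrypted with the key held in the keytab."""
    expected = f"{spn}@{realm}"
    problems = []
    if ktpass_princ.lower() != expected.lower():
        problems.append(f"ktpass /princ {ktpass_princ} != SPN-derived {expected}")
    found = jaas_principals(jaas_text)
    for ctx in CONTEXTS:
        principal = found.get(ctx)
        if principal is None:
            problems.append(f"{ctx}: no principal set")
        elif principal.lower() != expected.lower():
            problems.append(f"{ctx}: principal {principal} != {expected}")
    return problems
```

Run against the posted configuration it reports both contexts; with the principal changed to win-tc01 as in the reply it returns an empty list.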