Sorry, that's :-

> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"

Under jaas.conf, it is set to the Tomcat server DNS.

----------------------------------------
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: SPNEGO test configuration with Manager webapp
> Date: Tue, 24 Mar 2015 20:02:04 +0000
>
> I'm trying to get SPNEGO authentication working with Tomcat 8.
>
> I've created three Windows VMs :-
>
> Tomcat Server - Windows 8.1 32 bit VM
> Test Client - Windows 8.1 32 bit VM
> Domain Controller - Windows Server 2012 R2 64 bit VM
>
> The Tomcat Server and the Test Client are joined to the same domain 
> kerbtest.local, they are logged in with domain logins.
>
> The firewall is disabled on the Tomcat Server VM.
>
> I've followed the guidelines on the Apache Tomcat website.
>
> jaas.conf
>
> com.sun.security.jgss.krb5.initiate {
> com.sun.security.auth.module.Krb5LoginModule required
> doNotPrompt=true
> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> useKeyTab=true
> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> storeKey=true;
> };
>
> com.sun.security.jgss.krb5.accept {
> com.sun.security.auth.module.Krb5LoginModule required
> doNotPrompt=true
> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
> useKeyTab=true
> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
> storeKey=true;
> };
>
> krb5.ini
>
> [libdefaults]
> default_realm = KERBTEST.LOCAL
> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
>
> [realms]
> KERBTEST.LOCAL = {
> kdc = win-dc01.kerbtest.local:88
> }
>
> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>
> I have tried to keep the setup as basic and vanilla to the instructions as 
> possible.
>
> Users were created as instructed.
>
> Spn was created as instructed
> setspn -A HTTP/win-tc01.kerbtest.local tc01
>
> keytab was created as instructed
> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>
> I have tried to test with firefox, chrome and IE, after ensuring 
> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added 
> http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and 
> network.negotiate-auth.trusted-uris.
>
> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>
> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in 
> firefox results in 401 three times.
>
> Looking at the Network tab in developer tools in firefox shows 401 response 
> with WWW-Authenticate: Negotiate response http header.
>
> The next has an Authorization request http header with long encrypted string.
>
> IE still prompts for credentials with a popup, not sure why as does chrome.
> The setting User Authentication, Logon, Automatic Logon only in Intranet 
> Zone, is selected under trusted sites.
>
> It seems like authentication is never completed ?
>
> There are no errors in tomcat logs.
>
> Any ideas what is happening and what I can do to troubleshoot ?
>
> I'm quite happy to help improve the documentation and follow the 
> instructions, however I have tried that and cannot get a working basic set up.
>
> many thanks
>
> David
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
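
Added example (not part of the original thread and not Tomcat code): a small consistency check for the settings discussed above, run against the accept entry as first posted and with the principal from the follow-up. It assumes the browser requests a ticket for HTTP/<host in the URL> with no DNS alias canonicalization; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Accept entry as quoted in the original post (wrapped keyTab line rejoined).
JAAS_AS_POSTED = '''
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
'''
# Same entry with the principal given in the follow-up message.
JAAS_CORRECTED = JAAS_AS_POSTED.replace("win-dc01", "win-tc01")
KRB5_INI = "[libdefaults]\ndefault_realm = KERBTEST.LOCAL\n"

def jaas_entries(text):
    """Return {entry name: {option: value}} for each 'name { ... };' block."""
    entries = {}
    for name, body in re.findall(r'([\w.]+)\s*\{(.*?)\}\s*;', text, re.S):
        opts = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', body)
        entries[name] = {k: quoted or bare for k, quoted, bare in opts}
    return entries

def default_realm(krb5_text):
    m = re.search(r'^\s*default_realm\s*=\s*(\S+)', krb5_text, re.M)
    return m.group(1) if m else None

def check_spnego(jaas_text, krb5_text, url):
    """List mismatches between the accept principal and the SPN for this URL."""
    host = urlsplit(url).hostname  # assumption: the SPN requested is HTTP/<host>
    opts = jaas_entries(jaas_text).get("com.sun.security.jgss.krb5.accept")
    if opts is None:
        return ["no com.sun.security.jgss.krb5.accept entry"]
    problems = []
    service, _, realm = opts.get("principal", "").partition("@")
    if service.lower() != f"http/{host}".lower():
        problems.append(f"principal {service!r} does not match SPN 'HTTP/{host}'")
    if realm != default_realm(krb5_text):
        problems.append(f"realm {realm!r} differs from default_realm")
    if opts.get("useKeyTab") == "true" and not opts.get("keyTab"):
        problems.append("useKeyTab=true but no keyTab path")
    return problems

if __name__ == "__main__":
    url = "http://win-tc01.kerbtest.local"
    for label, conf in (("as posted", JAAS_AS_POSTED), ("corrected", JAAS_CORRECTED)):
        print(label, check_spnego(conf, KRB5_INI, url))
```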
                                          