Everything is as described and still not working, except the jaas.conf is :-

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

In other words, the principal is the Tomcat server, as it should be.

> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24.03.2015 at 21:05, David Marsh wrote:
>> Sorry, that's :-
>>
>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>> under jaas.conf, it is set to the Tomcat server DNS.
> Is it working with this configuration, or do you just want to point out that you
> copied the wrong jaas.conf for the mail?
>
> Felix
>>
>> ----------------------------------------
>>> From: dmars...@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: SPNEGO test configuration with Manager webapp
>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>
>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>
>>> I've created three Windows VMs :-
>>>
>>> Tomcat Server - Windows 8.1 32 bit VM
>>> Test Client - Windows 8.1 32 bit VM
>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>
>>> The Tomcat Server and the Test Client are joined to the same domain
>>> kerbtest.local, they are logged in with domain logins.
>>>
>>> The firewall is disabled on the Tomcat Server VM.
>>>
>>> I've followed the guidelines on the Apache Tomcat website.
>>>
>>> jaas.conf
>>>
>>> com.sun.security.jgss.krb5.initiate {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     doNotPrompt=true
>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>     useKeyTab=true
>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>     storeKey=true;
>>> };
>>>
>>> com.sun.security.jgss.krb5.accept {
>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>     doNotPrompt=true
>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>     useKeyTab=true
>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>     storeKey=true;
>>> };
>>>
>>> krb5.ini
>>>
>>> [libdefaults]
>>>     default_realm = KERBTEST.LOCAL
>>>     default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>     default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>     default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>     forwardable=true
>>>
>>> [realms]
>>>     KERBTEST.LOCAL = {
>>>         kdc = win-dc01.kerbtest.local:88
>>>     }
>>>
>>> I want to use the Tomcat manager app to test SPNEGO with Active Directory.
>>>
>>> I have tried to keep the setup as basic and vanilla to the instructions as
>>> possible.
>>>
>>> Users were created as instructed.
>>>
>>> SPN was created as instructed:
>>>     setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>
>>> keytab was created as instructed:
>>>     ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>
>>> I have tried to test with Firefox, Chrome and IE, after ensuring
>>> http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added
>>> http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris
>>> and network.negotiate-auth.trusted-uris.
>>>
>>> Tomcat is running as a Windows service under the tc01@kerbtest.local
>>> account.
>>>
>>> Visiting the URL http://win-tc01.kerbtest.local from the Test Client VM in
>>> Firefox results in 401 three times.
>>>
>>> Looking at the Network tab in developer tools in Firefox shows a 401 response
>>> with a WWW-Authenticate: Negotiate response http header.
>>>
>>> The next request has an Authorization request http header with a long encrypted
>>> string.
>>>
>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
>>> The setting User Authentication, Logon, Automatic Logon only in Intranet
>>> Zone, is selected under trusted sites.
>>>
>>> It seems like authentication is never completed?
>>>
>>> There are no errors in Tomcat logs.
>>>
>>> Any ideas what is happening and what I can do to troubleshoot?
>>>
>>> I'm quite happy to help improve the documentation and follow the
>>> instructions, however I have tried that and cannot get a working basic set
>>> up.
>>>
>>> many thanks
>>>
>>> David
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
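The configuration mix-up Felix spotted (a jaas.conf principal naming the domain controller, win-dc01, while setspn and ktpass were run for the Tomcat host, win-tc01) is the kind of mismatch that produces exactly the symptom David describes: the browser sends a Negotiate token, the server cannot decrypt it with any key in its keytab, and the request ends in a 401 with nothing useful in the Tomcat logs. The script below is an added example, not code from the thread or from Tomcat: it pulls every `principal="..."` value out of a jaas.conf, decodes the principals stored in an MIT-format keytab (the format ktpass writes), and lists any jaas.conf principal the keytab holds no key for. The keytab bytes are constructed in-line with a dummy key so the script runs offline; the host names, realm, paths and the rc4-hmac enctype are the ones quoted above.

```python
"""Check that every principal in a Tomcat jaas.conf has a key in the keytab it points at.

Added example: parses jaas.conf principals, decodes an MIT v2 keytab and reports
principals the keytab cannot serve. The keytab here is constructed with a dummy key.
"""
import re
import struct
import time

# jaas.conf as first posted: the principal names the domain controller (win-dc01)
# while setspn/ktpass were run for the Tomcat host (win-tc01).
JAAS_CONF_ORIGINAL = '''
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
'''
# jaas.conf as corrected later in the thread.
JAAS_CONF_FIXED = JAAS_CONF_ORIGINAL.replace("win-dc01", "win-tc01")

ENCTYPE_RC4_HMAC = 23  # first enctype listed in the thread's krb5.ini


def _counted(raw: bytes) -> bytes:
    """MIT keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Build a one-entry MIT v2 (0x0502) keytab. Constructed test data: the key is a dummy."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    # name_type KRB5_NT_PRINCIPAL (1), timestamp, 8-bit kvno
    body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_counted(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> list:
    """Return [(principal, kvno, enctype), ...] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        pos += 8                # skip name_type and timestamp
        kvno = data[pos]
        pos += 1
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_counted(data, pos)   # key material is not needed for this check
        if end - pos >= 4:      # a non-zero 32-bit kvno trailer overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


_PRINCIPAL_RE = re.compile(r'principal\s*=\s*"([^"]+)"')


def jaas_principals(jaas_text: str) -> set:
    """All principal="..." values in a jaas.conf, from both initiate and accept sections."""
    return set(_PRINCIPAL_RE.findall(jaas_text))


def unserved_principals(jaas_text: str, keytab: bytes) -> list:
    """jaas.conf principals for which the keytab holds no key, sorted."""
    in_keytab = {p for p, _, _ in parse_keytab(keytab)}
    return sorted(p for p in jaas_principals(jaas_text) if p not in in_keytab)


# Constructed stand-in for the tomcat.keytab the thread's ktpass command produces
# (/princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /kvno 0); the key is 16 zero bytes.
SAMPLE_KEYTAB = build_keytab("HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL",
                             kvno=0, enctype=ENCTYPE_RC4_HMAC, key=bytes(16))

if __name__ == "__main__":
    for label, conf in (("original", JAAS_CONF_ORIGINAL), ("fixed", JAAS_CONF_FIXED)):
        missing = unserved_principals(conf, SAMPLE_KEYTAB)
        print(label, "->", "OK" if not missing else "no key for " + ", ".join(missing))
```

Against a real installation, read the keytab named by `keyTab=` in jaas.conf with `open(path, "rb").read()` and pass the file contents to `unserved_principals`; an empty result means every principal Tomcat will log in as has a key the KDC-issued service ticket can be decrypted with, and a non-empty result is the first thing to fix before looking at browser settings.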