I copied the old config file to the mail, yes.

----------------------------------------
> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24.03.2015 at 21:05, David Marsh wrote:
>> Sorry, that's :-
>>
>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>> under jaas.conf, it is set to the tomcat server DNS.
> Is it working with this configuration, or just to point out, that you
> copied the wrong jaas.conf for the mail?
>
> Felix
>>
>> ----------------------------------------
>>> From: dmars...@outlook.com
>>> To: users@tomcat.apache.org
>>> Subject: SPNEGO test configuration with Manager webapp
>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>
>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>
>>> I've created three Windows VMs :-
>>>
>>> Tomcat Server - Windows 8.1 32 bit VM
>>> Test Client - Windows 8.1 32 bit VM
>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>
>>> The Tomcat Server and the Test Client are joined to the same domain 
>>> kerbtest.local, they are logged in with domain logins.
>>>
>>> The firewall is disabled on the Tomcat Server VM.
>>>
>>> I've followed the guidelines on the Apache Tomcat website.
>>>
>>> jaas.conf
>>>
>>> com.sun.security.jgss.krb5.initiate {
>>> com.sun.security.auth.module.Krb5LoginModule required
>>> doNotPrompt=true
>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>> useKeyTab=true
>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>> storeKey=true;
>>> };
>>>
>>> com.sun.security.jgss.krb5.accept {
>>> com.sun.security.auth.module.Krb5LoginModule required
>>> doNotPrompt=true
>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>> useKeyTab=true
>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>> storeKey=true;
>>> };
>>>
>>> krb5.ini
>>>
>>> [libdefaults]
>>> default_realm = KERBTEST.LOCAL
>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>> forwardable=true
>>>
>>> [realms]
>>> KERBTEST.LOCAL = {
>>> kdc = win-dc01.kerbtest.local:88
>>> }
>>>
>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>
>>> I have tried to keep the setup as basic and vanilla to the instructions as 
>>> possible.
>>>
>>> Users were created as instructed.
>>>
>>> SPN was created as instructed
>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>
>>> keytab was created as instructed
>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>
>>> I have tried to test with firefox, chrome and IE, after ensuring 
>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added 
>>> http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris 
>>> and network.negotiate-auth.trusted-uris.
>>>
>>> Tomcat is running as a Windows service under the tc01@kerbtest.local 
>>> account.
>>>
>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in 
>>> firefox results in 401 three times.
>>>
>>> Looking at the Network tab in developer tools in firefox shows 401 response 
>>> with WWW-Authenticate: Negotiate response http header.
>>>
>>> The next has an Authorization request http header with long encrypted 
>>> string.
>>>
>>> IE still prompts for credentials with a popup, not sure why, as does Chrome.
>>> The setting User Authentication, Logon, Automatic Logon only in Intranet 
>>> Zone, is selected under trusted sites.
>>>
>>> It seems like authentication is never completed ?
>>>
>>> There are no errors in tomcat logs.
>>>
>>> Any ideas what is happening and what I can do to troubleshoot ?
>>>
>>> I'm quite happy to help improve the documentation and follow the 
>>> instructions, however I have tried that and cannot get a working basic set 
>>> up.
>>>
>>> many thanks
>>>
>>> David
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>
>
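
The mismatch this thread turns on (the posted jaas.conf names HTTP/win-dc01 while the SPN, the keytab and the URL all name win-tc01) can be checked mechanically. The Python below is an added example, not part of the original messages: its function names are hypothetical, the JAAS text is a constructed sample built from the values quoted above, and it assumes the client requests a ticket for HTTP/<URL host>@<realm>.

```python
import re
from urllib.parse import urlsplit

KEYTAB = "C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
# Values quoted in the thread.
URL = "http://win-tc01.kerbtest.local"
REALM = "KERBTEST.LOCAL"
KTPASS = (r"ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL "
          "/princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0")

def sample_jaas(principal):
    """Constructed sample: the thread's two JAAS entries with a given principal."""
    entry = ('com.sun.security.jgss.krb5.%s {\n'
             ' com.sun.security.auth.module.Krb5LoginModule required\n'
             ' doNotPrompt=true\n principal="%s"\n useKeyTab=true\n'
             ' keyTab="%s"\n storeKey=true;\n};\n')
    return "".join(entry % (side, principal, KEYTAB) for side in ("initiate", "accept"))

def jaas_principals(text):
    """Map each JAAS entry name to the principal option it sets."""
    found = {}
    for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S):
        m = re.search(r'principal\s*=\s*"([^"]*)"', body)
        if m:
            found[name] = m.group(1)
    return found

def expected_spn(url, realm):
    """Assumed SPN the client asks for: HTTP/<URL host>@<REALM>."""
    return "HTTP/%s@%s" % (urlsplit(url).hostname, realm.upper())

def mismatches(jaas_text, url, realm, ktpass_cmd):
    """Return sorted (source, principal) pairs that differ from the expected SPN."""
    want = expected_spn(url, realm)
    seen = dict(jaas_principals(jaas_text))
    m = re.search(r"/princ\s+(\S+)", ktpass_cmd)
    if m:
        seen["ktpass /princ"] = m.group(1)
    return sorted((src, p) for src, p in seen.items() if p != want)

if __name__ == "__main__":
    # The principal as first posted (domain controller host, not the Tomcat host).
    posted = sample_jaas("HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL")
    for src, p in mismatches(posted, URL, REALM, KTPASS):
        print("mismatch in %s: %s" % (src, p))
```

Run against the first-posted principal, it reports both the initiate and accept entries; with the corrected win-tc01 principal it reports nothing.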
                                          