On 24/03/2015 20:47, David Marsh wrote:
> Hi Felix,
> Thanks for your help!
> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and 
> also added the same definitions to the Java parameters in the Configure Tomcat 
> tool. I definitely got more information when using startup.bat, not sure the 
> settings get picked up by the Windows service?
> I do not think authentication completes, certainly authorization does not as 
> I can't see the site and get a 401 HTTP status.
> I have not configured a Tomcat realm but I have put the test user in a 
> manager-gui group in Active Directory.

I've only given your config a quick scan, but the thing that jumps out
at me is spaces in some of the paths. I'm not sure how well krb5.ini
will handle those. It might be fine. It might not be.


> David
>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>> From: felix.schumac...@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>> Everything is as described and still not working, except the jaas.conf is :-
>>> com.sun.security.jgss.krb5.initiate {
>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>      doNotPrompt=true
>>>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>      useKeyTab=true
>>>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>      storeKey=true;
>>> };
>>> com.sun.security.jgss.krb5.accept {
>>>      com.sun.security.auth.module.Krb5LoginModule required
>>>      doNotPrompt=true
>>>      principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>      useKeyTab=true
>>>      keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>      storeKey=true;
>>> };
>>> In other words the principal is the tomcat server as it should be.
>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>> From: felix.schumac...@internetallee.de
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>> Sorry that's :-
>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>> Is it working with this configuration, or just to point out, that you
>>>> copied the wrong jaas.conf for the mail?
>>>> Felix
>>>>> ----------------------------------------
>>>>>> From: dmars...@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>> I've created three Windows VMs :-
>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>> The Tomcat Server and the Test Client are joined to the same domain 
>>>>>> kerbtest.local, they are logged in with domain logins.
>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>> jaas.conf
>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>> krb5.ini
>>>>>> [libdefaults]
>>>>>> default_realm = KERBTEST.LOCAL
>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>> forwardable=true
>>>>>> [realms]
>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>> }
>>>>>> I want to use the tomcat manager app to test SPNEGO with Active 
>>>>>> Directory.
>>>>>> I have tried to keep the setup as basic and vanilla to the instructions 
>>>>>> as possible.
>>>>>> Users were created as instructed.
>>>>>> SPN was created as instructed
>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>> keytab was created as instructed
>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>> I have tried to test with firefox, chrome and IE, after ensuring 
>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I 
>>>>>> added http://win-tc01.kerbtest.local to 
>>>>>> network.negotiate-auth.delegation-uris and 
>>>>>> network.negotiate-auth.trusted-uris.
>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local 
>>>>>> account.
>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local 
>>>>>> in firefox results in 401 three times.
>>>>>> Looking at the Network tab in developer tools in firefox shows 401 
>>>>>> response with WWW-Authenticate: Negotiate response http header.
>>>>>> The next has an Authorization request http header with long encrypted 
>>>>>> string.
>> That means that Tomcat believes it can use Kerberos/SPNEGO, and 
>> Firefox is able to get a service ticket for the server and sends it 
>> back. So far it looks promising. But I assume the authentication 
>> does not complete, right?
>>>>>> IE still prompts for credentials with a popup, not sure why as does 
>>>>>> chrome.
>>>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet 
>>>>>> Zone, is selected under trusted sites.
>>>>>> It seems like authentication is never completed?
>>>>>> There are no errors in the Tomcat logs.
>>>>>> Any ideas what is happening and what I can do to troubleshoot?
>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should 
>> print out a lot of debug information, which should end up in catalina.out.
>> Felix
>>>>>> I'm quite happy to help improve the documentation and follow the 
>>>>>> instructions, however I have tried that and cannot get a working basic 
>>>>>> set up.
>>>>>> many thanks
>>>>>> David
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org

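As an added example (not code from the thread, Tomcat or the JDK), a small Python checker that applies the points raised in the thread to a jaas.conf/krb5.ini pair: the service principal must name the Tomcat host (the first posted jaas.conf named win-dc01, the domain controller), its realm must equal default_realm, the [realms] section must actually define that realm, and paths containing spaces are flagged as the suspect from the reply above. The sample configs are constructed from the ones posted in the thread; parse_jaas, parse_krb5 and check are names chosen here.

```python
"""Cross-check a Tomcat SPNEGO jaas.conf against krb5.ini (added example, not code from
the thread): wrong principal host, realm mismatch, paths with spaces, missing realm block."""
import re

_OPT = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')  # key=v or key="v w"

def parse_jaas(text):
    """Map each JAAS login-context name to its key=value module options."""
    blocks = re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S)
    return {n: {k: q or u for k, q, u in _OPT.findall(b)} for n, b in blocks}

def parse_krb5(text):
    """Map each [section] of an INI-style krb5.ini to its non-empty lines."""
    parts = re.split(r"^\[(\w+)\]\s*$", text, flags=re.M)  # ["", name, body, ...]
    return {name: [ln.strip() for ln in body.splitlines() if ln.strip()]
            for name, body in zip(parts[1::2], parts[2::2])}

def check(jaas_text, krb5_text, tomcat_host):
    """Return human-readable findings; an empty list means the files agree."""
    findings, krb5 = [], parse_krb5(krb5_text)
    libdefaults = dict(re.findall(r"(\w+)\s*=\s*(.*)", "\n".join(krb5.get("libdefaults", []))))
    realm = libdefaults.get("default_realm", "")
    for ctx, opts in parse_jaas(jaas_text).items():
        host, _, prealm = opts.get("principal", "").removeprefix("HTTP/").partition("@")
        if host.lower() != tomcat_host.lower():  # e.g. the DC instead of the Tomcat box
            findings.append(f"{ctx}: principal names {host!r}, not the Tomcat host {tomcat_host}")
        if prealm != realm:
            findings.append(f"{ctx}: principal realm {prealm!r} != default_realm {realm!r}")
        if " " in opts.get("keyTab", ""):  # the suspect raised in the reply above
            findings.append(f"{ctx}: keyTab path contains spaces")
    if " " in libdefaults.get("default_keytab_name", ""):
        findings.append("[libdefaults] default_keytab_name contains unquoted spaces")
    if not any(re.match(re.escape(realm) + r"\s*=", ln) for ln in krb5.get("realms", [])):
        findings.append(f"[realms] never defines {realm}")
    return findings

# Constructed samples modelled on the first jaas.conf and krb5.ini posted in the thread.
JAAS_AS_POSTED = """com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab";
};"""
KRB5_AS_POSTED = r"""[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
[realms]
kdc = win-dc01.kerbtest.local:88
}"""
```

Running `check(JAAS_AS_POSTED, KRB5_AS_POSTED, "win-tc01.kerbtest.local")` reports four findings; after renaming the principal host to win-tc01, moving the keytab to a path without spaces and adding a `KERBTEST.LOCAL = {` line under [realms], it reports none.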