Put keytab in c:\keytab\tomcat.keytab, ensured owner was [email protected],
still same symptoms.
Ran klist on the client after the firefox test and the three 401 responses :-
C:\Users\test.KERBTEST.000>klist
Current LogonId is 0:0x2fd7a
Cached Tickets: (2)
#0> Client: test @ KERBTEST.LOCAL
Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 3/25/2015 14:46:43 (local)
End Time: 3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: 192.168.0.200
#1> Client: test @ KERBTEST.LOCAL
Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/25/2015 14:51:21 (local)
End Time: 3/26/2015 0:46:43 (local)
Renew Time: 4/1/2015 14:46:43 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: 192.168.0.200
Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @
KERBTEST.LOCAL?
If I have a ticket, why do I get 401?
----------------------------------------
> Date: Tue, 24 Mar 2015 22:46:15 +0000
> From: [email protected]
> To: [email protected]
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks for your help!
>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and
>> also added the same definitions to the Java parameters in the Configure Tomcat
>> tool. I definitely got more information when using startup.bat, not sure the
>> settings get picked up by the windows service ?
>> I do not think authentication completes, certainly authorization does not as
>> I can't see the site and get 401 http status.
>> I have not configured a tomcat realm but I have put the test user in a
>> manager-gui group in Active Directory.
>
> I've only given your config a quick scan, but the thing that jumps out
> at me is spaces in some of the paths. I'm not sure how well krb5.ini
> will handle those. It might be fine. It might not be.
>
> Mark
>
>
>> David
>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>> From: [email protected]
>>> To: [email protected]
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>> Everything is as described and still not working, except the jaas.conf is
>>>> :-
>>>>
>>>> com.sun.security.jgss.krb5.initiate {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/[email protected]"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> com.sun.security.jgss.krb5.accept {
>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>> doNotPrompt=true
>>>> principal="HTTP/[email protected]"
>>>> useKeyTab=true
>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>> storeKey=true;
>>>> };
>>>>
>>>> In other words the principal is the tomcat server as it should be.
>>>>
>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>> From: [email protected]
>>>>> To: [email protected]
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>> Sorry, that's :-
>>>>>>
>>>>>>> principal="HTTP/[email protected]"
>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>> Is it working with this configuration, or is that just to point out that you
>>>>> copied the wrong jaas.conf for the mail?
>>>>>
>>>>> Felix
>>>>>> ----------------------------------------
>>>>>>> From: [email protected]
>>>>>>> To: [email protected]
>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>
>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>
>>>>>>> I've created three Windows VMs :-
>>>>>>>
>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>
>>>>>>> The Tomcat Server and the Test Client are joined to the same domain,
>>>>>>> kerbtest.local, and they are logged in with domain logins.
>>>>>>>
>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>
>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>
>>>>>>> jaas.conf
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/[email protected]"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>> doNotPrompt=true
>>>>>>> principal="HTTP/[email protected]"
>>>>>>> useKeyTab=true
>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>> storeKey=true;
>>>>>>> };
>>>>>>>
>>>>>>> krb5.ini
>>>>>>>
>>>>>>> [libdefaults]
>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>> forwardable=true
>>>>>>>
>>>>>>> [realms]
>>>>>>> KERBTEST.LOCAL = {
>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>> }
>>>>>>>
>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>> Directory.
>>>>>>>
>>>>>>> I have tried to keep the setup as basic and vanilla to the instructions
>>>>>>> as possible.
>>>>>>>
>>>>>>> Users were created as instructed.
>>>>>>>
>>>>>>> Spn was created as instructed
>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>
>>>>>>> keytab was created as instructed
>>>>>>> ktpass /out c:\tomcat.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass tc01pass /kvno 0
>>>>>>>
>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I
>>>>>>> added http://win-tc01.kerbtest.local to
>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>
>>>>>>> Tomcat is running as a Windows service under the [email protected]
>>>>>>> account.
>>>>>>>
>>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local
>>>>>>> in firefox results in 401 three times.
>>>>>>>
>>>>>>> Looking at the Network tab in developer tools in firefox shows a 401
>>>>>>> response with a WWW-Authenticate: Negotiate response http header.
>>>>>>>
>>>>>>> The next has an Authorization request http header with a long encrypted
>>>>>>> string.
>>> That means that tomcat believes it can use kerberos/SPNEGO and
>>> firefox is able to get a service ticket for the server and sends it
>>> back. That far it is looking promising. But I assume the authentication
>>> does not complete, right?
>>>
>>>
>>>>>>>
>>>>>>> IE still prompts for credentials with a popup, not sure why, as does
>>>>>>> chrome.
>>>>>>> The setting User Authentication, Logon, Automatic Logon only in
>>>>>>> Intranet Zone, is selected under trusted sites.
>>>>>>>
>>>>>>> It seems like authentication is never completed ?
>>>>>>>
>>>>>>> There are no errors in tomcat logs.
>>>>>>>
>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That should
>>> print out a lot of debug information, which should end up in catalina.out.
>>>
>>> Felix
>>>>>>>
>>>>>>> I'm quite happy to help improve the documentation and follow the
>>>>>>> instructions, however I have tried that and cannot get a working basic
>>>>>>> set up.
>>>>>>>
>>>>>>> many thanks
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>>> For additional commands, e-mail: [email protected]
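As an added, defender-side check that is not part of this thread: the base64 "long encrypted string" in the Authorization: Negotiate header tells you whether the browser actually presented a Kerberos ticket or fell back to NTLM, and a Kerberos-only SPNEGO authenticator such as Tomcat's answers an NTLM token with another 401 even when klist shows a valid service ticket for the SPN. The sample tokens below are constructed for the example (an NTLM Type 1 prefix and minimal NegTokenInit structures), not captured from the setup described above.

```python
import base64

# DER-encoded OIDs: SPNEGO (RFC 4178) and the mechanisms it commonly carries.
SPNEGO_OID = b"\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
KRB5_OID = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"          # 1.2.840.113554.1.2.2
MSKRB5_OID = b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"        # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "krb5", MSKRB5_OID: "mskrb5", NTLMSSP_OID: "ntlmssp"}

def _der_length(buf, pos):  # DER length field at buf[pos] -> (length, next position)
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value as 'ntlm' (bare NTLMSSP
    message), 'spnego:<first mechanism offered>' or 'unknown'."""
    token = (header_value.split() or [""])[-1]  # drop the 'Negotiate ' scheme prefix
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    try:  # GSS-API InitialContextToken (RFC 2743): 0x60, length, mechanism OID, inner token
        _, pos = _der_length(raw, 1)
        oid_len, oid_pos = _der_length(raw, pos + 1)
        if raw[0] != 0x60 or raw[pos] != 0x06 or raw[oid_pos:oid_pos + oid_len] != SPNEGO_OID:
            return "unknown"
    except IndexError:
        return "unknown"
    # NegTokenInit lists mechTypes in preference order: report the one appearing first.
    hits = [(i, name) for m, name in MECH_NAMES.items()
            if (i := raw.find(b"\x06" + bytes([len(m)]) + m, oid_pos + oid_len)) >= 0]
    return "spnego:" + (min(hits)[1] if hits else "unknown")

def _der(tag, body):  # short-form DER TLV, enough for the small constructed samples
    return bytes([tag, len(body)]) + body

def sample_spnego(*mech_oids):  # constructed NegTokenInit offering the given mechanisms
    mech_types = _der(0x30, b"".join(_der(0x06, m) for m in mech_oids))
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, mech_types)))
    return base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID) + neg_token_init)).decode()

# Constructed samples: a bare NTLM Type 1 prefix, a Windows-style token offering Kerberos
# first (healthy), and a token offering only NTLMSSP (the browser fell back to NTLM).
SAMPLE_NTLM = "Negotiate TlRMTVNTUAABAAAA"
SAMPLE_SPNEGO_KRB5 = "Negotiate " + sample_spnego(MSKRB5_OID, KRB5_OID, NTLMSSP_OID)
SAMPLE_SPNEGO_NTLM = "Negotiate " + sample_spnego(NTLMSSP_OID)
```

Paste the real header value from the browser's Network tab into classify_negotiate_token(); a result of 'ntlm' or 'spnego:ntlmssp' means the client never presented the Kerberos ticket that klist shows, so the keytab and realm configuration on the server are not yet the part being exercised.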