This is how the keytab was created :-

ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass

The password is the correct password for the user tc01 associated with the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local

I managed to turn on some more logging around JAAS, see the error :-

java.security.PrivilegedActionException: GSSException: Defective token detected

25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
    PA-DATA type = 16
>>>Pre-Authentication Data:
    PA-DATA type = 15
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
    sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
    suSec is 701709
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
    eData provided.
    msgType is 30
>>>Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
    PA-DATA type = 16
>>>Pre-Authentication Data:
    PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
    PA-DATA type = 16
>>>Pre-Authentication Data:
    PA-DATA type = 15
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
    sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
    suSec is 935731
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
    eData provided.
    msgType is 30
>>>Pre-Authentication Data:
    PA-DATA type = 11
    PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
    PA-DATA type = 16
>>>Pre-Authentication Data:
    PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
 java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
    ... 18 more
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

> Date: Wed, 25 Mar 2015 16:48:10 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
>
> Am 25.03.2015 16:09, schrieb David Marsh:
>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was tc01@KERTEST.LOCAL, still same symptoms.
>>
>> Ran klist on client after firefox test and the three 401 responses. :-
>>
>> C:\Users\test.KERBTEST.000>klist
>>
>> Current LogonId is 0:0x2fd7a
>>
>> Cached Tickets: (2)
>>
>> #0> Client: test @ KERBTEST.LOCAL
>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>> Start Time: 3/25/2015 14:46:43 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>> Cache Flags: 0x1 -> PRIMARY
>> Kdc Called: 192.168.0.200
>>
>> #1> Client: test @ KERBTEST.LOCAL
>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>> Start Time: 3/25/2015 14:51:21 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: RSADSI RC4-HMAC(NT)
>> Cache Flags: 0
>> Kdc Called: 192.168.0.200
>>
>> Looks like I was granted a ticket for the SPN HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>
>> If I have ticket why do I get 401 ?
> Your client has got a service ticket for HTTP/win-tc01... This is used by firefox for authentication. Firefox transmits this service ticket to the server (as base64 encoded in the WWW-Authenticate header).
>
> Your server has to decrypt this ticket using its own ticket to get at the user information. This is where your problems arise. It looks like your server has trouble to get its own ticket.
>
> Are you sure, that the password you used for keytab generation (on the server side), is correct? ktpass will probably accept any input as a password. Maybe you can check the keytab by using kinit (though I don't know, if it exists for windows, or how the java one is used).
>
> Felix
>
>>
>> ----------------------------------------
>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>> From: ma...@apache.org
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24/03/2015 20:47, David Marsh wrote:
>>>> Hi Felix,
>>>> Thanks for your help!
>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and also added the same definitions to the Java parameters in Configure Tomcat tool. I definitely got more information when using startup.bat, not sure the settings get picked up by the windows service ?
>>>> I do not think authentication completes, certainly authorization does not as I can't see the site and get 401 http status.
>>>> I have not configured a tomcat realm but I have put the test user a manager-gui group in Active Directory.
>>>
>>> I've only given your config a quick scan, but the thing that jumps out at me is spaces in the some of the paths. I'm not sure how well krb5.ini will handle those. It might be fine. It might not be.
>>>
>>> Mark
>>>
>>>
>>>> David
>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>> From: felix.schumac...@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>>>>> Everything is as described and still not working, except the jaas.conf is :-
>>>>>>
>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>     doNotPrompt=true
>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>     useKeyTab=true
>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>     storeKey=true;
>>>>>> };
>>>>>>
>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>     doNotPrompt=true
>>>>>>     principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>     useKeyTab=true
>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>     storeKey=true;
>>>>>> };
>>>>>>
>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>
>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh:
>>>>>>>> Sorry that's :-
>>>>>>>>
>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>> Is it working with this configuration, or just to point out, that you copied the wrong jaas.conf for the mail?
>>>>>>>
>>>>>>> Felix
>>>>>>>> ----------------------------------------
>>>>>>>>> From: dmars...@outlook.com
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>
>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>
>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>
>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>
>>>>>>>>> The Tomcat Server and the Test Client are joined to the same domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>
>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>
>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>
>>>>>>>>> jaas.conf
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>     doNotPrompt=true
>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>     useKeyTab=true
>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>     storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>     com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>     doNotPrompt=true
>>>>>>>>>     principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>     useKeyTab=true
>>>>>>>>>     keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
>>>>>>>>>     storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> krb5.ini
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>> forwardable=true
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>     kdc = win-dc01.kerbtest.local:88
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active Directory.
>>>>>>>>>
>>>>>>>>> I have tried to keep the setup as basic and vanilla to the instructions as possible.
>>>>>>>>>
>>>>>>>>> Users were created as instructed.
>>>>>>>>>
>>>>>>>>> Spn was created as instructed
>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>
>>>>>>>>> keytab was created as instructed
>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>
>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.
>>>>>>>>>
>>>>>>>>> Tomcat is running as a Windows service under the tc01@kerbtest.local account.
>>>>>>>>>
>>>>>>>>> Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in firefox results in 401 three times.
>>>>>>>>>
>>>>>>>>> Looking at the Network tab in developer tools in firefox shows 401 response with WWW-Authenticate: Negotiate response http header.
>>>>>>>>>
>>>>>>>>> The next has an Authorization request http header with long encrypted string.
>>>>> That means, that tomcat is believing, it can use kerberos/SPNEGO and firefox is able to get a service ticket, for the server and sends it back. That far it is looking promising. But I assume the authentication does not complete, right?
>>>>>
>>>>>
>>>>>>>>>
>>>>>>>>> IE still prompts for credentials with a popup, not sure why as does chrome.
>>>>>>>>> The setting User Authentication, Logon, Automatic Logon only in Intranet Zone, is selected under trusted sites.
>>>>>>>>>
>>>>>>>>> It seems like authentication is never completed ?
>>>>>>>>>
>>>>>>>>> There are no errors in tomcat logs.
>>>>>>>>>
>>>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. that should print out a lot of debug information, which should end up in catalina.out.
>>>>>
>>>>> Felix
>>>>>>>>>
>>>>>>>>> I'm quite happy to help improve the documentation and follow the instructions, however I have tried that and cannot get a working basic set up.
>>>>>>>>>
>>>>>>>>> many thanks
>>>>>>>>>
>>>>>>>>> David
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
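Added diagnostic (not part of the thread, and not Tomcat or JDK code). Felix's model of the exchange is the right one, but the stack trace above narrows the failure further. sun.security.jgss.GSSHeader throws "GSSHeader did not find the right tag" before any ticket is decrypted: the first byte of the base64-decoded Authorization token was not 0x60, the DER tag that opens an RFC 2743 InitialContextToken, so the acceptor never reached the keytab. The debug output supports that reading, since the server's own Krb5LoginModule login with C:\keytab\tomcat.keytab succeeded ("Commit Succeeded", a TGT was issued for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL) on every request; the exception comes from acceptSecContext. A wrong keytab key would surface later, as a checksum or integrity failure on the service ticket. A token whose first byte is wrong means the client sent something other than a GSS-API/SPNEGO token under the Negotiate scheme, for example an NTLMSSP message, which starts with the ASCII bytes NTLMSSP and so trips exactly this check. The script below decodes a Negotiate header the way GSSHeader does (tag, DER length, mechanism OID) and reports what the client actually sent. The sample headers are constructed inline for the demonstration, not captured traffic; the inner bytes after the OID are placeholders, since only the outer header is examined. Pasting the Authorization value copied from the browser's Network tab into classify_negotiate_token tells a client-side fallback apart from a server-side keytab or principal problem.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate <base64>' header.

Added example, not from the mailing-list thread or from Tomcat. It mirrors the
check sun.security.jgss.GSSHeader performs on the outer token: RFC 2743 s3.1
requires the DER tag 0x60 ([APPLICATION 0]) followed by the mechanism OID.
"""
import base64

GSS_APPLICATION_TAG = 0x60   # [APPLICATION 0] constructed, RFC 2743 section 3.1
DER_OID_TAG = 0x06

# Mechanism OIDs a SPNEGO acceptor commonly sees in the outer header.
KNOWN_MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS-KRB5",
}

SPNEGO_OID_DER = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
KRB5_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"


def _read_der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: the byte is the length
        return first, pos
    count = first & 0x7F                   # long form: next `count` bytes hold it
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def decode_oid(content):
    """Turn DER OID content bytes into dotted-decimal notation."""
    if not content:
        raise ValueError("empty OID")
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit set = more bytes
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(authorization_header):
    """Return a one-line description of what the client actually sent."""
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"not a Negotiate header (scheme={scheme})"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "undecodable base64"
    if not token:
        return "empty token"
    if token.startswith(b"NTLMSSP\x00"):   # NTLM carried over the Negotiate scheme
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return f"NTLM message type {msg_type}; no GSS tag 0x60, a Kerberos-only acceptor rejects it"
    if token[0] != GSS_APPLICATION_TAG:    # the exact condition GSSHeader reports
        return f"unknown token, first byte 0x{token[0]:02x} (GSS tag 0x60 expected)"
    try:
        _, pos = _read_der_length(token, 1)
        if token[pos] != DER_OID_TAG:
            return "GSS header without mechanism OID"
        oid_len, pos = _read_der_length(token, pos + 1)
        if pos + oid_len > len(token):
            raise ValueError("truncated OID")
        oid = decode_oid(token[pos:pos + oid_len])
    except (IndexError, ValueError) as exc:
        return f"malformed GSS header: {exc}"
    return f"GSS-API token, mechanism {oid} ({KNOWN_MECH_OIDS.get(oid, 'unregistered')})"


def _gss_token(mech_oid_der, inner):
    """Wrap `inner` in a minimal InitialContextToken (short-form length only)."""
    body = mech_oid_der + inner
    assert len(body) < 0x80
    return bytes([GSS_APPLICATION_TAG, len(body)]) + body


# Constructed sample headers for the demonstration, not captured traffic.
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(_gss_token(SPNEGO_OID_DER, b"\xa0\x00")).decode(),
    "krb5": "Negotiate " + base64.b64encode(_gss_token(KRB5_OID_DER, b"\x01\x00")).decode(),
    "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode(),
    "basic": "Basic QUJD",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:7s} -> {classify_negotiate_token(header)}")
```

The NTLM case is the one worth recognising on sight: its base64 form begins with TlRMTVNT, whereas a SPNEGO token begins with YII (0x60 followed by a long-form length). In the exec-3 request above the server already held valid service credentials, so the classification of the incoming token, not the keytab, is the first thing to establish.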