This is how the keytab was created :-

ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local /pass tc01pass

The password is the correct password for the user tc01 associated with the SPN 
HTTP/win-tc01.kerbtest.local@kerbtest.local

I managed to turn on some more logging around JAAS, see the error :- 
java.security.PrivilegedActionException: GSSException: Defective token detected

25-Mar-2015 15:46:22.131 INFO [main] 
org.apache.catalina.core.StandardService.startInternal Starting
service Catalina
25-Mar-2015 15:46:22.133 INFO [main] 
org.apache.catalina.core.StandardEngine.startInternal Starting
Servlet Engine: Apache Tomcat/8.0.20
25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software 
Foundation\Tomcat 8.0\
webapps\docs
25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache 
Software Foundation\Tomcat
8.0\webapps\docs has finished in 380 ms
25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software 
Foundation\Tomcat 8.0\
webapps\manager
25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] 
org.apache.catalina.authenticator.Authenticato
rBase.startInternal No SingleSignOn Valve is present
25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache 
Software Foundation\Tomcat
8.0\webapps\manager has finished in 93 ms
25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deploying web application directory C:\Program Files\Apache Software 
Foundation\Tomcat 8.0\
webapps\ROOT
25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] 
org.apache.catalina.startup.HostConfig.deployD
irectory Deployment of web application directory C:\Program Files\Apache 
Software Foundation\Tomcat
8.0\webapps\ROOT has finished in 59 ms
25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandl
er ["http-nio-80"]
25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandl
er ["ajp-nio-8009"]
25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start 
Server startup in 72
1 ms
25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --> false
25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html --> fal
se
25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html --> fal
se
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] 
org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.SpnegoAuthentic
ator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --> false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html --> fal
se
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --> false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html --> fal
se
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html --> false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html --> true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] 
org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is nul
l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false 
principal is HTTP/wi
n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is 
false storePass is false
clearPass is false
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 
8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number 
>>> of retries =3, #bytes=
164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt 
>>> =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
suSec is 701709
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number 
>>> of retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt 
>>> =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number 
>>> of retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt 
>>> =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to 
krbtgt/KERBTEST.LOCAL@KERBTEST
.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Failed authenticate() test
25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --> false
25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html --> fal
se
25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html --> false
25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html --> true
25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Status interface]' against 
GET /html --> false
25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' 
against GET /html --> fal
se
25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[Text Manager interface (for 
scripts)]' against
GET /html --> false
25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for 
humans)]' against G
ET /html --> true
25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] 
org.apache.catalina.realm.RealmBase.hasUserDataPe
rmission User data constraint has no restrictions
25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] 
org.apache.catalina.authenticator.AuthenticatorBa
se.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is nul
l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false 
principal is HTTP/wi
n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is 
false storePass is false
clearPass is false
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number 
>>> of retries =3, #bytes=
164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt 
>>> =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
suSec is 935731
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number 
>>> of retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt 
>>> =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number 
>>> of retries =3, #bytes=
247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt 
>>> =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for 
HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to 
krbtgt/KERBTEST.LOCAL@KERBTEST
.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:422)
	at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
	at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
	at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
	... 18 more

[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

> Date: Wed, 25 Mar 2015 16:48:10 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
>
> On 25.03.2015 16:09, David Marsh wrote:
>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>> tc01@KERTEST.LOCAL, still same symptoms.
>>
>> Ran klist on client after firefox test and the three 401 responses. :-
>>
>> C:\Users\test.KERBTEST.000>klist
>>
>> Current LogonId is 0:0x2fd7a
>>
>> Cached Tickets: (2)
>>
>> #0> Client: test @ KERBTEST.LOCAL
>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>> Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
>> Start Time: 3/25/2015 14:46:43 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>> Cache Flags: 0x1 -> PRIMARY
>> Kdc Called: 192.168.0.200
>>
>> #1> Client: test @ KERBTEST.LOCAL
>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
>> Start Time: 3/25/2015 14:51:21 (local)
>> End Time: 3/26/2015 0:46:43 (local)
>> Renew Time: 4/1/2015 14:46:43 (local)
>> Session Key Type: RSADSI RC4-HMAC(NT)
>> Cache Flags: 0
>> Kdc Called: 192.168.0.200
>>
>> Looks like I was granted a ticket for the SPN
>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>
>> If I have ticket why do I get 401 ?
> Your client has got a service ticket for HTTP/win-tc01... This is used
> by firefox for authentication. Firefox transmits
> this service ticket to the server (as base64 encoded in the
> WWW-Authenticate header).
>
> Your server has to decrypt this ticket using its own ticket to get at
> the user information. This is where your problems arise.
> It looks like your server has trouble getting its own ticket.
>
> Are you sure that the password you used for keytab generation (on the
> server side) is correct? ktpass will probably accept
> any input as a password. Maybe you can check the keytab by using kinit
> (though I don't know if it exists for Windows, or how
> the Java one is used).
>
> Felix
>
>>
>> ----------------------------------------
>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>> From: ma...@apache.org
>>> To: users@tomcat.apache.org
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>
>>> On 24/03/2015 20:47, David Marsh wrote:
>>>> Hi Felix,
>>>> Thanks for your help!
>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>> startup.bat and also added the same definitions to the Java
>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>> when using startup.bat, not sure the settings get picked up by the
>>>> windows service ?
>>>> I do not think authentication completes, certainly authorization does
>>>> not as I can't see the site and get 401 http status.
>>>> I have not configured a tomcat realm but I have put the test user in a
>>>> manager-gui group in Active Directory.
>>>
>>> I've only given your config a quick scan, but the thing that jumps out
>>> at me is spaces in some of the paths. I'm not sure how well
>>> krb5.ini
>>> will handle those. It might be fine. It might not be.
>>>
>>> Mark
>>>
>>>
>>>> David
>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>> From: felix.schumac...@internetallee.de
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>> Everything is as described and still not working, except the
>>>>>> jaas.conf is :-
>>>>>>
>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>> 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>>
>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>> doNotPrompt=true
>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>> useKeyTab=true
>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>> 8.0/conf/tomcat.keytab"
>>>>>> storeKey=true;
>>>>>> };
>>>>>>
>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>
>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>> Sorry, that's :-
>>>>>>>>
>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>> Is it working with this configuration, or just to point out, that
>>>>>>> you
>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>
>>>>>>> Felix
>>>>>>>> ----------------------------------------
>>>>>>>>> From: dmars...@outlook.com
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>
>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>
>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>
>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>
>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>
>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>
>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>
>>>>>>>>> jaas.conf
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>> doNotPrompt=true
>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>> useKeyTab=true
>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>> storeKey=true;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> krb5.ini
>>>>>>>>>
>>>>>>>>> [libdefaults]
>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>> default_tkt_enctypes =
>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>> default_tgs_enctypes =
>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>> forwardable=true
>>>>>>>>>
>>>>>>>>> [realms]
>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>> Directory.
>>>>>>>>>
>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>> instructions as possible.
>>>>>>>>>
>>>>>>>>> Users were created as instructed.
>>>>>>>>>
>>>>>>>>> Spn was created as instructed
>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>
>>>>>>>>> keytab was created as instructed
>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno
>>>>>>>>> 0
>>>>>>>>>
>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>
>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>
>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>> times.
>>>>>>>>>
>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>>>>>>>>> 401 response with WWW-Authenticate: Negotiate response http
>>>>>>>>> header.
>>>>>>>>>
>>>>>>>>> The next has an Authorization request http header with long
>>>>>>>>> encrypted string.
>>>>> That means that Tomcat believes it can use Kerberos/SPNEGO and
>>>>> Firefox is able to get a service ticket for the server and sends it
>>>>> back. So far it is looking promising. But I assume the
>>>>> authentication
>>>>> does not complete, right?
>>>>>
>>>>>
>>>>>>>>>
>>>>>>>>> IE still prompts for credentials with a popup, not sure why as
>>>>>>>>> does chrome.
>>>>>>>>> The setting User Authentication, Logon, Automatic Logon only in
>>>>>>>>> Intranet Zone, is selected under trusted sites.
>>>>>>>>>
>>>>>>>>> It seems like authentication is never completed ?
>>>>>>>>>
>>>>>>>>> There are no errors in tomcat logs.
>>>>>>>>>
>>>>>>>>> Any ideas what is happening and what I can do to troubleshoot ?
>>>>> You can add -Dsun.security.krb5.debug=true to CATALINA_OPTS. That
>>>>> should
>>>>> print out a lot of debug information, which should end up in
>>>>> catalina.out.
>>>>>
>>>>> Felix
>>>>>
>>>>>>>>>
>>>>>>>>> I'm quite happy to help improve the documentation and follow the
>>>>>>>>> instructions, however I have tried that and cannot get a working
>>>>>>>>> basic set up.
>>>>>>>>>
>>>>>>>>> many thanks
>>>>>>>>>
>>>>>>>>> David
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
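
An added example, not part of the original thread or of Tomcat's code: the JDK raises "GSSHeader did not find the right tag" when the first byte of the token handed to acceptSecContext is not the GSS-API initial-token tag 0x60, so this Python script decodes the value of an `Authorization: Negotiate` request header (as copied from the browser's network tab) and reports which mechanism it carries. The function names are hypothetical and the sample tokens are constructed placeholders, not captured traffic.

```python
import base64
import binascii

# Mechanism OIDs that may follow the 0x60 tag of a GSS-API initial token (RFC 2743).
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")        # DER content of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # DER content of 1.2.840.113554.1.2.2


def read_der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, index after it)."""
    if pos >= len(buf):
        raise ValueError("truncated before length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: the byte is the length
        return first, pos
    count = first & 0x7F                   # long form: next `count` bytes hold it
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends a sub-identifier
            subids.append(value)
            value = 0
    if not subids or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = subids[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(n) for n in head + tuple(subids[1:]))


def _result(kind, gss_tag, detail):
    return {"kind": kind, "gss_tag": gss_tag, "detail": detail}


def classify_token(token):
    """Classify the raw bytes carried after 'Negotiate ' in the header."""
    if token.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else None
        return _result("NTLM", False, "NTLMSSP message type %s" % msg_type)
    if not token or token[0] != 0x60:
        lead = "0x%02x" % token[0] if token else "empty"
        return _result("unknown", False, "first byte " + lead)
    try:
        length, pos = read_der_length(token, 1)
        if pos + length != len(token):
            raise ValueError("declared %d bytes, %d present" % (length, len(token) - pos))
        if pos >= len(token) or token[pos] != 0x06:
            raise ValueError("mechanism OID missing")
        oid_len, pos = read_der_length(token, pos + 1)
        if pos + oid_len > len(token):
            raise ValueError("mechanism OID truncated")
        oid = decode_oid(token[pos:pos + oid_len])
    except ValueError as exc:
        return _result("malformed", True, str(exc))
    return _result(KNOWN_MECHS.get(oid, "other mechanism"), True, oid)


def classify_authorization_header(value):
    """Classify a full Authorization header value such as 'Negotiate YII...'."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return _result("not Negotiate", False, scheme)
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return _result("bad base64", False, "token is not valid base64")
    return classify_token(token)


def sample_gss_token(oid_content, inner):
    """Constructed sample: 0x60, DER length, mechanism OID, placeholder body (< 256 bytes)."""
    body = b"\x06" + bytes([len(oid_content)]) + oid_content + inner
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return b"\x60" + length + body


def header_for(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def sample_headers():
    """Constructed header values; the token bodies are zero-filled placeholders."""
    return {
        "spnego": header_for(sample_gss_token(SPNEGO_OID, bytes(150))),
        "krb5": header_for(sample_gss_token(KRB5_OID, bytes(10))),
        "ntlm": header_for(NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes(8)),
    }


if __name__ == "__main__":
    for name, header in sample_headers().items():
        print(name, classify_authorization_header(header))
```

A result with `gss_tag` false means the token does not begin with 0x60, which is the condition the stack trace above reports.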
