Its possible I guess, although I would not expect that. The test is :-
Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM Firefox is not configured to use a proxy, its all in Vmware Workstation 10 using the Vmnet01 virtual network. Firefox has three 401 responses with headers "Authorization" and "WWW-Authenticate" :- 1 :- Reponse WWW-Authenticate: "Negotiate" 2 :- Request Authorization: "Negotiate YIIGUgYGKwYBBQUCoIIGRjCCBkKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACAAAACjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJv04NvH3OA0+sXGdCWanthHZBM9DIq0AknWszbwm9z+7da/DThLEAnnozvO84tK/DD7fC/AnSWKXnqchILMdjPnZA5Bg3yjS4Y1rJFawc9fDNUmTCn4ILjjl6SSETMbJSFjzarv4wEfy5VU16DNBzWUxEJNH8PvsXTTfdzcwdsYnFwHGZbrcNxaJUtp3xpyoG/1EAgNk9i1UtewL1bHVkmmuJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnRm8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4=" Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg== 3 :- Request Authorization: "Negotiate oYIGGTCCBhWgAwoBAaKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACAAAACjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJxK5PpTX/g5phbQ2bv8XrnUCfC+cfDkPjAOnpnsiX7fRtA7k5qaEtUI/9KlqcAbV0jG3nQolKK5zEL6ftBXPW3FgZRRGmiYMQVpjBtIKapE1A+V/dveIrnnkxuuRmWrIJFYagOijzyilZj6cIIJqtmqI+QE4vKGIQl6lMwcgao9ZNZ2t2vLI5cD/BSjkFNbmgqLAuDZW357KVd5uoUJbHDpQHGWKw4A4x9vpvv+NUv1IrUaBe19PDQup/SILLHlUA8zr/OsHMytfPpVSv99fLBY7mcr0zwm+qhPF9Pos+Ch8y4hkocVOMXKEOcF+AKbxrzYhOydMFqanW6vNYQqB7Azz3GtP0YkFhU38JBG9UeKinEw2KT1Ii2pjCmTlF3/Q7gG2uqw6T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E=" Reponse WWW-Authenticate: "Negotiate" I'm not sure how long they should be, but they all end "=" so expect not truncated ? ---------------------------------------- > Subject: RE: SPNEGO test configuration with Manager webapp > From: felix.schumac...@internetallee.de > Date: Wed, 25 Mar 2015 17:31:51 +0100 > To: users@tomcat.apache.org > > > > Am 25. März 2015 17:25:25 MEZ, schrieb David Marsh <dmars...@outlook.com>: >>This is how the keytab was created :- >> >>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser >>tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local >>/pass tc01pass >> >>The password is the correct password for the user tc01 associated with >>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local >> >>I managed to turn on some more logging around JAAS, see the error >>:- java.security.PrivilegedActionException: GSSException: Defective >>token detected > Do you talk directly to Tomcat, or is there any kind of proxy in between? > Could the header be truncated? > > Felix >> >>25-Mar-2015 15:46:22.131 INFO [main] >>org.apache.catalina.core.StandardService.startInternal Starting >>service Catalina >>25-Mar-2015 15:46:22.133 INFO [main] >>org.apache.catalina.core.StandardEngine.startInternal Starting >>Servlet Engine: Apache Tomcat/8.0.20 >>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] >>org.apache.catalina.startup.HostConfig.deployD >>irectory Deploying web application directory C:\Program Files\Apache >>Software Foundation\Tomcat 8.0\ >>webapps\docs >>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] >>org.apache.catalina.startup.HostConfig.deployD >>irectory Deployment of web application directory C:\Program >>Files\Apache Software Foundation\Tomcat >>8.0\webapps\docs has finished in 380 ms >>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] >>org.apache.catalina.startup.HostConfig.deployD >>irectory Deploying web application directory C:\Program Files\Apache >>Software Foundation\Tomcat 8.0\ >>webapps\manager >>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] >>org.apache.catalina.authenticator.Authenticato >>rBase.startInternal No SingleSignOn Valve is present >>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] >>org.apache.catalina.startup.HostConfig.deployD >>irectory Deployment of web application directory C:\Program >>Files\Apache Software Foundation\Tomcat >>8.0\webapps\manager has finished in 93 ms >>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] >>org.apache.catalina.startup.HostConfig.deployD >>irectory Deploying web application directory C:\Program Files\Apache >>Software Foundation\Tomcat 8.0\ >>webapps\ROOT >>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] >>org.apache.catalina.startup.HostConfig.deployD >>irectory Deployment of web application directory C:\Program >>Files\Apache Software Foundation\Tomcat >>8.0\webapps\ROOT has finished in 59 ms >>25-Mar-2015 15:46:22.797 INFO [main] >>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl >>er ["http-nio-80"] >>25-Mar-2015 15:46:22.806 INFO [main] >>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl >>er ["ajp-nio-8009"] >>25-Mar-2015 15:46:22.808 INFO [main] >>org.apache.catalina.startup.Catalina.start Server startup in 72 >>1 ms >>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Security checking request GET /manager/html >>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Status interface]' >>against GET /html --> false >>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>interface]' against GET /html --> fal >>se >>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Text Manager >>interface (for scripts)]' against >>GET /html --> false >>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[HTML Manager >>interface (for humans)]' against G >>ET /html --> true >>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Status interface]' >>against GET /html --> false >>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>interface]' against GET /html --> fal >>se >>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Text Manager >>interface (for scripts)]' against >>GET /html --> false >>25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[HTML Manager >>interface (for humans)]' against G >>ET /html --> true >>25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Calling hasUserDataPermission() >>25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] >>org.apache.catalina.realm.RealmBase.hasUserDataPe >>rmission User data constraint has no restrictions >>25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Calling authenticate() >>25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] >>org.apache.catalina.authenticator.SpnegoAuthentic >>ator.authenticate No authorization header sent by client >>25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Failed authenticate() test >>25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Security checking request GET /manager/html >>25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Status interface]' >>against GET /html --> false >>25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>interface]' against GET /html --> fal >>se >>25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Text Manager >>interface (for scripts)]' against >>GET /html --> false >>25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[HTML Manager >>interface (for humans)]' against G >>ET /html --> true >>25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Status interface]' >>against GET /html --> false >>25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>interface]' against GET /html --> fal >>se >>25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Text Manager >>interface (for scripts)]' against >>GET /html --> false >>25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[HTML Manager >>interface (for humans)]' against G >>ET /html --> true >>25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Calling hasUserDataPermission() >>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] >>org.apache.catalina.realm.RealmBase.hasUserDataPe >>rmission User data constraint has no restrictions >>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Calling authenticate() >>Debug is true storeKey true useTicketCache false useKeyTab true >>doNotPrompt true ticketCache is nul >>l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config >>is false principal is HTTP/wi >>n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass >>is false storePass is false >>clearPass is false >>>>> KeyTabInputStream, readName(): kerbtest.local >>>>> KeyTabInputStream, readName(): HTTP >>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local >>>>> KeyTab: load() entry length: 78; type: 23 >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Java config name: C:\Program Files\Apache Software Foundation\Tomcat >>8.0\conf\krb5.ini >>Loaded from Java config >>Added key: 23version: 3 >>>>> KdcAccessibility: reset >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>default etypes for default_tkt_enctypes: 23 18 17. >>>>> KrbAsReq creating message >>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>number of retries =3, #bytes= >>164 >>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>timeout=30000,Attempt =1, #bytes=164 >>>>> KrbKdcReq send: #bytes read=185 >>>>>Pre-Authentication Data: >>PA-DATA type = 11 >>PA-ETYPE-INFO etype = 23, salt = >> >>>>>Pre-Authentication Data: >>PA-DATA type = 19 >>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >> >>>>>Pre-Authentication Data: >>PA-DATA type = 2 >>PA-ENC-TIMESTAMP >>>>>Pre-Authentication Data: >>PA-DATA type = 16 >> >>>>>Pre-Authentication Data: >>PA-DATA type = 15 >> >>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>>>> KDCRep: init() encoding tag is 126 req type is 11 >>>>>KRBError: >>sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000 >>suSec is 701709 >>error code is 25 >>error Message is Additional pre-authentication required >>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL >>eData provided. >>msgType is 30 >>>>>Pre-Authentication Data: >>PA-DATA type = 11 >>PA-ETYPE-INFO etype = 23, salt = >> >>>>>Pre-Authentication Data: >>PA-DATA type = 19 >>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >> >>>>>Pre-Authentication Data: >>PA-DATA type = 2 >>PA-ENC-TIMESTAMP >>>>>Pre-Authentication Data: >>PA-DATA type = 16 >> >>>>>Pre-Authentication Data: >>PA-DATA type = 15 >> >>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ >>default etypes for default_tkt_enctypes: 23 18 17. >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>default etypes for default_tkt_enctypes: 23 18 17. >>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>> KrbAsReq creating message >>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>number of retries =3, #bytes= >>247 >>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>timeout=30000,Attempt =1, #bytes=247 >>>>> KrbKdcReq send: #bytes read=100 >>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, >>number of retries =3, #bytes= >>247 >>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, >>timeout=30000,Attempt =1, #bytes=247 >>>>>DEBUG: TCPClient reading 1475 bytes >>>>> KrbKdcReq send: #bytes read=1475 >>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local >>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Will use keytab >>Commit Succeeded >> >>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, >>sun.security.jgss.spnego.SpNegoCredElement) >>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, >>sun.security.jgss.krb5.Krb5AcceptCredential) >>Found KeyTab C:\keytab\tomcat.keytab for >>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Found KeyTab C:\keytab\tomcat.keytab for >>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to >>krbtgt/KERBTEST.LOCAL@KERBTEST >>.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015 >>[Krb5LoginModule]: Entering logout >>[Krb5LoginModule]: logged out Subject >>25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Failed authenticate() test >>25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Security checking request GET /manager/html >>25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Status interface]' >>against GET /html --> false >>25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>interface]' against GET /html --> fal >>se >>25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Text Manager >>interface (for scripts)]' against >>GET /html --> false >>25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[HTML Manager >>interface (for humans)]' against G >>ET /html --> true >>25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Status interface]' >>against GET /html --> false >>25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[JMX Proxy >>interface]' against GET /html --> fal >>se >>25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[Text Manager >>interface (for scripts)]' against >>GET /html --> false >>25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.findSecurityC >>onstraints Checking constraint 'SecurityConstraint[HTML Manager >>interface (for humans)]' against G >>ET /html --> true >>25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Calling hasUserDataPermission() >>25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] >>org.apache.catalina.realm.RealmBase.hasUserDataPe >>rmission User data constraint has no restrictions >>25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Calling authenticate() >>Debug is true storeKey true useTicketCache false useKeyTab true >>doNotPrompt true ticketCache is nul >>l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config >>is false principal is HTTP/wi >>n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass >>is false storePass is false >>clearPass is false >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>default etypes for default_tkt_enctypes: 23 18 17. >>>>> KrbAsReq creating message >>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>number of retries =3, #bytes= >>164 >>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>timeout=30000,Attempt =1, #bytes=164 >>>>> KrbKdcReq send: #bytes read=185 >>>>>Pre-Authentication Data: >>PA-DATA type = 11 >>PA-ETYPE-INFO etype = 23, salt = >> >>>>>Pre-Authentication Data: >>PA-DATA type = 19 >>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >> >>>>>Pre-Authentication Data: >>PA-DATA type = 2 >>PA-ENC-TIMESTAMP >>>>>Pre-Authentication Data: >>PA-DATA type = 16 >> >>>>>Pre-Authentication Data: >>PA-DATA type = 15 >> >>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>>>> KDCRep: init() encoding tag is 126 req type is 11 >>>>>KRBError: >>sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000 >>suSec is 935731 >>error code is 25 >>error Message is Additional pre-authentication required >>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL >>eData provided. >>msgType is 30 >>>>>Pre-Authentication Data: >>PA-DATA type = 11 >>PA-ETYPE-INFO etype = 23, salt = >> >>>>>Pre-Authentication Data: >>PA-DATA type = 19 >>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null >> >>>>>Pre-Authentication Data: >>PA-DATA type = 2 >>PA-ENC-TIMESTAMP >>>>>Pre-Authentication Data: >>PA-DATA type = 16 >> >>>>>Pre-Authentication Data: >>PA-DATA type = 15 >> >>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ >>default etypes for default_tkt_enctypes: 23 18 17. >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>default etypes for default_tkt_enctypes: 23 18 17. >>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>> KrbAsReq creating message >>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, >>number of retries =3, #bytes= >>247 >>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, >>timeout=30000,Attempt =1, #bytes=247 >>>>> KrbKdcReq send: #bytes read=100 >>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, >>number of retries =3, #bytes= >>247 >>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, >>timeout=30000,Attempt =1, #bytes=247 >>>>>DEBUG: TCPClient reading 1475 bytes >>>>> KrbKdcReq send: #bytes read=1475 >>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88 >>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Added key: 23version: 3 >>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local >>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Will use keytab >>Commit Succeeded >> >>Search Subject for SPNEGO ACCEPT cred (<<DEF>>, >>sun.security.jgss.spnego.SpNegoCredElement) >>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, >>sun.security.jgss.krb5.Krb5AcceptCredential) >>Found KeyTab C:\keytab\tomcat.keytab for >>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Found KeyTab C:\keytab\tomcat.keytab for >>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL >>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to >>krbtgt/KERBTEST.LOCAL@KERBTEST >>.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015 >>25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] >>org.apache.catalina.authenticator.SpnegoAuthentic >>ator.authenticate Unable to login as the service principal >>java.security.PrivilegedActionException: GSSException: Defective token >>detected (Mechanism level: G >>SSHeader did not find the right tag) >>at java.security.AccessController.doPrivileged(Native Method) >>at javax.security.auth.Subject.doAs(Subject.java:422) >>at >>org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja >>va:243) >>at >>org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576) >>at >>org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142) >>at >>org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) >>at >>org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610) >> >>at >>org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) >>at >>org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516) >>at >>org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108 >>6) >>at >>org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav >>a:659) >>at >>org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto >>col.java:223) >>at >>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558) >>at >>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515) >>at >>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >>at >>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >>at >>org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) >>at java.lang.Thread.run(Thread.java:745) >>Caused by: GSSException: Defective token detected (Mechanism level: >>GSSHeader did not find the right >>tag) >>at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97) >>at >>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306) >>at >>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) >>at >>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato >>r.java:336) >>at >>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato >>r.java:323) >>... 18 more >> >>[Krb5LoginModule]: Entering logout >>[Krb5LoginModule]: logged out Subject >>25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] >>org.apache.catalina.authenticator.AuthenticatorBa >>se.invoke Failed authenticate() test >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >>> Date: Wed, 25 Mar 2015 16:48:10 +0100 >>> From: felix.schumac...@internetallee.de >>> To: users@tomcat.apache.org >>> Subject: RE: SPNEGO test configuration with Manager webapp >>> >>> Am 25.03.2015 16:09, schrieb David Marsh: >>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was >>>> tc01@KERTEST.LOCAL, still same symptoms. >>>> >>>> Ran klist on client after firefox test and the three 401 responses. >>:- >>>> >>>> C:\Users\test.KERBTEST.000>klist >>>> >>>> Current LogonId is 0:0x2fd7a >>>> >>>> Cached Tickets: (2) >>>> >>>> #0> Client: test @ KERBTEST.LOCAL >>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL >>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 >>>> Ticket Flags 0x40e10000 -> forwardable renewable initial >>>> pre_authent nam >>>> e_canonicalize >>>> Start Time: 3/25/2015 14:46:43 (local) >>>> End Time: 3/26/2015 0:46:43 (local) >>>> Renew Time: 4/1/2015 14:46:43 (local) >>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96 >>>> Cache Flags: 0x1 -> PRIMARY >>>> Kdc Called: 192.168.0.200 >>>> >>>> #1> Client: test @ KERBTEST.LOCAL >>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL >>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) >>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent >>>> name_canoni >>>> calize >>>> Start Time: 3/25/2015 14:51:21 (local) >>>> End Time: 3/26/2015 0:46:43 (local) >>>> Renew Time: 4/1/2015 14:46:43 (local) >>>> Session Key Type: RSADSI RC4-HMAC(NT) >>>> Cache Flags: 0 >>>> Kdc Called: 192.168.0.200 >>>> >>>> Looks like I was granted a ticket for the SPN >>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ? >>>> >>>> If I have ticket why do I get 401 ? >>> Your client has got a service ticket for HTTP/win-tc01... This is >>used >>> by firefox for authentication. Firefox transmits >>> this service ticket to the server (as base64 encoded in the >>> WWW-Authenticate header). >>> >>> Your server has to decrypt this ticket using its own ticket to get at >>> the user information. This is where your problems arise. >>> It looks like your server has trouble to get its own ticket. >>> >>> Are you sure, that the password you used for keytab generation (on >>the >>> server side), is correct? ktpass will probably accept >>> any input as a password. Maybe you can check the keytab by using >>kinit >>> (though I don't know, if it exists for windows, or how >>> the java one is used). >>> >>> Felix >>> >>>> >>>> ---------------------------------------- >>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000 >>>>> From: ma...@apache.org >>>>> To: users@tomcat.apache.org >>>>> Subject: Re: SPNEGO test configuration with Manager webapp >>>>> >>>>> On 24/03/2015 20:47, David Marsh wrote: >>>>>> Hi Felix, >>>>>> Thanks fort your help! >>>>>> I have enabled krb5 and gss debug.I altered CATALINA_OPTS in >>>>>> startup.bat and also added the same definitions to the Java >>>>>> parameters in Configure Tomcat tool.I definitely got more >>information >>>>>> when using startup.bat, not sure the settings get picked up by the >>>>>> windows service ? >>>>>> I do not think authentication completes, certainly authorization >>does >>>>>> not as I cant see the site and get 401 http status. >>>>>> I have not configured a tomcat realm but I have put the test user >>a >>>>>> manager-gui group in Active Directory. >>>>> >>>>> I've only given your config a quick scan, but the thing that jumps >>out >>>>> at me is spaces in the some of the paths. I'm not sure how well >>>>> krb5.ini >>>>> will handle those. It might be fine. It might not be. >>>>> >>>>> Mark >>>>> >>>>> >>>>>> David >>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100 >>>>>>> From: felix.schumac...@internetallee.de >>>>>>> To: users@tomcat.apache.org >>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp >>>>>>> >>>>>>> Am 24.03.2015 um 21:25 schrieb David Marsh: >>>>>>>> Everything is as described and still not working, except the >>>>>>>> jaas.conf is :- >>>>>>>> >>>>>>>> com.sun.security.jgss.krb5.initiate { >>>>>>>> com.sun.security.auth.module.Krb5LoginModule required >>>>>>>> doNotPrompt=true >>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL" >>>>>>>> useKeyTab=true >>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat >>>>>>>> 8.0/conf/tomcat.keytab" >>>>>>>> storeKey=true; >>>>>>>> }; >>>>>>>> >>>>>>>> com.sun.security.jgss.krb5.accept { >>>>>>>> com.sun.security.auth.module.Krb5LoginModule required >>>>>>>> doNotPrompt=true >>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL" >>>>>>>> useKeyTab=true >>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat >>>>>>>> 8.0/conf/tomcat.keytab" >>>>>>>> storeKey=true; >>>>>>>> }; >>>>>>>> >>>>>>>> In other words the principal is the tomcat server as it should >>be. >>>>>>>> >>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100 >>>>>>>>> From: felix.schumac...@internetallee.de >>>>>>>>> To: users@tomcat.apache.org >>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp >>>>>>>>> >>>>>>>>> Am 24.03.2015 um 21:05 schrieb David Marsh: >>>>>>>>>> Sorry thats :- >>>>>>>>>> >>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL" >>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS. >>>>>>>>> Is it working with this configuration, or just to point out, >>that >>>>>>>>> you >>>>>>>>> copied the wrong jaas.conf for the mail? >>>>>>>>> >>>>>>>>> Felix >>>>>>>>>> ---------------------------------------- >>>>>>>>>>> From: dmars...@outlook.com >>>>>>>>>>> To: users@tomcat.apache.org >>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp >>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000 >>>>>>>>>>> >>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat >>8. >>>>>>>>>>> >>>>>>>>>>> I've created three Windows VMs :- >>>>>>>>>>> >>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM >>>>>>>>>>> Test Client - Windows 8.1 32 bit VM >>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM >>>>>>>>>>> >>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same >>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins. >>>>>>>>>>> >>>>>>>>>>> The firewall is disabled on the Tomcat Server VM. >>>>>>>>>>> >>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website. >>>>>>>>>>> >>>>>>>>>>> jaas.conf >>>>>>>>>>> >>>>>>>>>>> com.sun.security.jgss.krb5.initiate { >>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required >>>>>>>>>>> doNotPrompt=true >>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL" >>>>>>>>>>> useKeyTab=true >>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat >>>>>>>>>>> 8.0/conf/tomcat.keytab" >>>>>>>>>>> storeKey=true; >>>>>>>>>>> }; >>>>>>>>>>> >>>>>>>>>>> com.sun.security.jgss.krb5.accept { >>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required >>>>>>>>>>> doNotPrompt=true >>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL" >>>>>>>>>>> useKeyTab=true >>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat >>>>>>>>>>> 8.0/conf/tomcat.keytab" >>>>>>>>>>> storeKey=true; >>>>>>>>>>> }; >>>>>>>>>>> >>>>>>>>>>> krb5.ini >>>>>>>>>>> >>>>>>>>>>> [libdefaults] >>>>>>>>>>> default_realm = KERBTEST.LOCAL >>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software >>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab >>>>>>>>>>> default_tkt_enctypes = >>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 >>>>>>>>>>> default_tgs_enctypes = >>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 >>>>>>>>>>> forwardable=true >>>>>>>>>>> >>>>>>>>>>> [realms] >>>>>>>>>>> KERBTEST.LOCAL = { >>>>>>>>>>> kdc = win-dc01.kerbtest.local:88 >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with >>Active >>>>>>>>>>> Directory. >>>>>>>>>>> >>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the >>>>>>>>>>> instructions as possible. >>>>>>>>>>> >>>>>>>>>>> Users were created as instructed. >>>>>>>>>>> >>>>>>>>>>> Spn was created as instructed >>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01 >>>>>>>>>>> >>>>>>>>>>> keytab was created as instructed >>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL >>/princ >>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass >>/kvno >>>>>>>>>>> 0 >>>>>>>>>>> >>>>>>>>>>> I have tried to test with firefox, chrome and IE, after >>ensuring >>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In >>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to >>>>>>>>>>> network.negotiate-auth.delegation-uris and >>>>>>>>>>> network.negotiate-auth.trusted-uris. >>>>>>>>>>> >>>>>>>>>>> Tomcat is running as a Windows service under the >>>>>>>>>>> tc01@kerbtest.local account. >>>>>>>>>>> >>>>>>>>>>> Visiting URL from the Test Client VM :- >>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 >>three >>>>>>>>>>> times. >>>>>>>>>>> >>>>>>>>>>> Looking at the Network tab in developer tools in firefox >>shows > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org