It's possible, I guess, although I would not expect that.

The test is :-

Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM

Firefox is not configured to use a proxy; it's all in VMware Workstation 10 
using the Vmnet01 virtual network.

Firefox has three 401 responses with headers "Authorization" and 
"WWW-Authenticate" :-

1 :- Response WWW-Authenticate: "Negotiate"

2 :- Request Authorization: "Negotiate 
YIIGUgYGKwYBBQUCoIIGRjCCBkKgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBgwEggYIYIIGBAYJKoZIhvcSAQICAQBuggXzMIIF76ADAgEFoQMCAQ6iBwMFACAAAACjggR6YYIEdjCCBHKgAwIBBaEQGw5LRVJCVEVTVC5MT0NBTKIqMCigAwIBAqEhMB8bBEhUVFAbF3dpbi10YzAxLmtlcmJ0ZXN0LmxvY2Fso4IEKzCCBCegAwIBF6EDAgEDooIEGQSCBBVToJwn2tPBboTTk5BBzJktj/GIuSekyM94atYd2nmQZr+LRVHUS1CD27iufu9aGtRLNT2YStbH3VgBpxcB0mEdOGcqfwif2htDkbFbSr6bmvZLz7PDMZv0mpUw2jcLnuVYpJjcw0fygonPpLYNTKnwrJJQA7eYMqY5DWI2ntF5RACw0qHJrXY2yFBQ3GOo8+1PHz9WcuxmTdUsLgx9QbFvEjTdksor5xvsInRNWOdjwgObnnhzGEF2RbAyD3HYanU4pdK9QL7HIEL5AI61czl2RfgVzDIGokBlW3k6R7jEp6jUBOwBjTnJC8gZthlAfTIqRlyZOntbFeHboeNY6YYtFukdewgBSuFKRTPd7wv4cvSBrF+FsvwIM0wiy2Kkp6fvyh3O/fHRXSR5AaJvnbIj+XtIUX86K5TGG0GmA9hnLjt4sacfxxz05aqlpQ1ttPBt67MEMECQiZZB4Ck1BsMpLSf22tCSVUwZEZF0MdtKiQTe7U0GDOEcm5oZfhpn8ecDkEosinyk10jGFK1cyr23TcwIlLH6yC0YaksB19EAADSF9dQKbftRUVcTjUgOdGcf7eEcUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkcoKk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMGgBdtzg76+whlvjOkG0J4MjUbFy1iLvfOkIWXgHRChGeMCrphv64NmfgHQmOiYPdqtTgYlAvyW9riL1kci7Xz+D1XwfxJpdimsakfyRqpjIEkgU+QEN+aL8/1X8lRTu8uTepXVReBlSx2Am+DFgesBlkjWuYmIuj84mUH0Lcc7yHytOyfO5OJ4mI5O5YNkl167xMcI9akaH7LtS+c1OnfHwtlJsatLnOyLYwYP9KWpkh0i2d4DNV0EYs3B68UbsY3f4+bZcHW9SQ/PthGjzk5FTdOKh5dD0BLf1ADl+Rp5hegl0iGS6cVpZFnu8n3wPd2eenwQn0EDvyx3nuMyeETqqXEuLjTbqbMpzIxSxFl5s/1Nwaf4Up0a8wcEDNj3acnHicis8ELEORo+wtJnd0wyMIpfC+tFRsewhEHDttjWnqxkHbfpbOnChZkLOL04YoflhHK3ZrsBXk0Yu0udKIZBoJ7Pf5qiOdE36lEjAkWLB/2wVD+zvxfIKd7r9FSxAfYz0UsVYVyBX0RtF5GCpTPqLAk9ImL4xxpkijpUUwjlM9WylH8jafaHGwfmpUM9pIIBWjCCAVagAwIBF6KCAU0EggFJv04NvH3OA0+sXGdCWanthHZBM9DIq0AknWszbwm9z+7da/DThLEAnnozvO84tK/DD7fC/AnSWKXnqchILMdjPnZA5Bg3yjS4Y1rJFawc9fDNUmTCn4ILjjl6SSETMbJSFjzarv4wEfy5VU16DNBzWUxEJNH8PvsXTTfdzcwdsYnFwHGZbrcNxaJUtp3xpyoG/1EAgNk9i1UtewL1bHVkmmuJXUXXetL7v4RzMuVD5q68q8nWDB1toKgcEjHEgEHWjODwSD/zoYwZrn1nCtnR
m8aN9xKr097iK5K8ZUJKxWr4SlmAI6tZSyaVJGWJSzRvb47SZ9TVfk6Xft+vV+pVjxXdNAKIqHqA4tUfPCKgWff6iGmQI4fnJG5yYyyNFXOajz0qMYpfnbNLjc+nhsxjOUvZKOT4xTvhuOTCmdtabMybTVx4uNJEQ/4="

Response WWW-Authenticate: Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

3 :- Request Authorization: "Negotiate 
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"

Response WWW-Authenticate: "Negotiate"

I'm not sure how long they should be, but they all end with "=", so I expect 
they are not truncated?

----------------------------------------
> Subject: RE: SPNEGO test configuration with Manager webapp
> From: felix.schumac...@internetallee.de
> Date: Wed, 25 Mar 2015 17:31:51 +0100
> To: users@tomcat.apache.org
>
>
>
> On 25 March 2015 17:25:25 CET, David Marsh <dmars...@outlook.com> wrote:
>>This is how the keytab was created :-
>>
>>ktpass -ptype KRB5_NT_PRINCIPAL /out c:\tomcat.keytab /mapuser
>>tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@kerbtest.local
>>/pass tc01pass
>>
>>The password is the correct password for the user tc01 associated with
>>the SPN HTTP/win-tc01.kerbtest.local@kerbtest.local
>>
>>I managed to turn on some more logging around JAAS, see the error
>>:- java.security.PrivilegedActionException: GSSException: Defective
>>token detected
> Do you talk directly to Tomcat, or is there any kind of proxy in between?
> Could the header be truncated?
>
> Felix
>>
>>25-Mar-2015 15:46:22.131 INFO [main]
>>org.apache.catalina.core.StandardService.startInternal Starting
>>service Catalina
>>25-Mar-2015 15:46:22.133 INFO [main]
>>org.apache.catalina.core.StandardEngine.startInternal Starting
>>Servlet Engine: Apache Tomcat/8.0.20
>>25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deploying web application directory C:\Program Files\Apache
>>Software Foundation\Tomcat 8.0\
>>webapps\docs
>>25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deployment of web application directory C:\Program
>>Files\Apache Software Foundation\Tomcat
>>8.0\webapps\docs has finished in 380 ms
>>25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deploying web application directory C:\Program Files\Apache
>>Software Foundation\Tomcat 8.0\
>>webapps\manager
>>25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1]
>>org.apache.catalina.authenticator.Authenticato
>>rBase.startInternal No SingleSignOn Valve is present
>>25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deployment of web application directory C:\Program
>>Files\Apache Software Foundation\Tomcat
>>8.0\webapps\manager has finished in 93 ms
>>25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deploying web application directory C:\Program Files\Apache
>>Software Foundation\Tomcat 8.0\
>>webapps\ROOT
>>25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1]
>>org.apache.catalina.startup.HostConfig.deployD
>>irectory Deployment of web application directory C:\Program
>>Files\Apache Software Foundation\Tomcat
>>8.0\webapps\ROOT has finished in 59 ms
>>25-Mar-2015 15:46:22.797 INFO [main]
>>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>er ["http-nio-80"]
>>25-Mar-2015 15:46:22.806 INFO [main]
>>org.apache.coyote.AbstractProtocol.start Starting ProtocolHandl
>>er ["ajp-nio-8009"]
>>25-Mar-2015 15:46:22.808 INFO [main]
>>org.apache.catalina.startup.Catalina.start Server startup in 72
>>1 ms
>>25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Security checking request GET /manager/html
>>25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling hasUserDataPermission()
>>25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1]
>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>rmission User data constraint has no restrictions
>>25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling authenticate()
>>25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.SpnegoAuthentic
>>ator.authenticate No authorization header sent by client
>>25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Failed authenticate() test
>>25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Security checking request GET /manager/html
>>25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling hasUserDataPermission()
>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>rmission User data constraint has no restrictions
>>25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling authenticate()
>>Debug is true storeKey true useTicketCache false useKeyTab true
>>doNotPrompt true ticketCache is nul
>>l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config
>>is false principal is HTTP/wi
>>n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass
>>is false storePass is false
>>clearPass is false
>>>>> KeyTabInputStream, readName(): kerbtest.local
>>>>> KeyTabInputStream, readName(): HTTP
>>>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>>>> KeyTab: load() entry length: 78; type: 23
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Java config name: C:\Program Files\Apache Software Foundation\Tomcat
>>8.0\conf\krb5.ini
>>Loaded from Java config
>>Added key: 23version: 3
>>>>> KdcAccessibility: reset
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>number of retries =3, #bytes=
>>164
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>timeout=30000,Attempt =1, #bytes=164
>>>>> KrbKdcReq send: #bytes read=185
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>KRBError:
>>sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
>>suSec is 701709
>>error code is 25
>>error Message is Additional pre-authentication required
>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>eData provided.
>>msgType is 30
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>default etypes for default_tkt_enctypes: 23 18 17.
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>number of retries =3, #bytes=
>>247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>timeout=30000,Attempt =1, #bytes=247
>>>>> KrbKdcReq send: #bytes read=100
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>number of retries =3, #bytes=
>>247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>timeout=30000,Attempt =1, #bytes=247
>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>> KrbKdcReq send: #bytes read=1475
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Will use keytab
>>Commit Succeeded
>>
>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>>sun.security.jgss.spnego.SpNegoCredElement)
>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>>sun.security.jgss.krb5.Krb5AcceptCredential)
>>Found KeyTab C:\keytab\tomcat.keytab for
>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found KeyTab C:\keytab\tomcat.keytab for
>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>krbtgt/KERBTEST.LOCAL@KERBTEST
>>.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
>>[Krb5LoginModule]: Entering logout
>>[Krb5LoginModule]: logged out Subject
>>25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Failed authenticate() test
>>25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Security checking request GET /manager/html
>>25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Status interface]'
>>against GET /html --> false
>>25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[JMX Proxy
>>interface]' against GET /html --> fal
>>se
>>25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[Text Manager
>>interface (for scripts)]' against
>>GET /html --> false
>>25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.findSecurityC
>>onstraints Checking constraint 'SecurityConstraint[HTML Manager
>>interface (for humans)]' against G
>>ET /html --> true
>>25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling hasUserDataPermission()
>>25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3]
>>org.apache.catalina.realm.RealmBase.hasUserDataPe
>>rmission User data constraint has no restrictions
>>25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Calling authenticate()
>>Debug is true storeKey true useTicketCache false useKeyTab true
>>doNotPrompt true ticketCache is nul
>>l isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config
>>is false principal is HTTP/wi
>>n-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass
>>is false storePass is false
>>clearPass is false
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>number of retries =3, #bytes=
>>164
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>timeout=30000,Attempt =1, #bytes=164
>>>>> KrbKdcReq send: #bytes read=185
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>>>KRBError:
>>sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
>>suSec is 935731
>>error code is 25
>>error Message is Additional pre-authentication required
>>sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
>>eData provided.
>>msgType is 30
>>>>>Pre-Authentication Data:
>>PA-DATA type = 11
>>PA-ETYPE-INFO etype = 23, salt =
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 19
>>PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 2
>>PA-ENC-TIMESTAMP
>>>>>Pre-Authentication Data:
>>PA-DATA type = 16
>>
>>>>>Pre-Authentication Data:
>>PA-DATA type = 15
>>
>>KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>default etypes for default_tkt_enctypes: 23 18 17.
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>default etypes for default_tkt_enctypes: 23 18 17.
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsReq creating message
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,
>>number of retries =3, #bytes=
>>247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88,
>>timeout=30000,Attempt =1, #bytes=247
>>>>> KrbKdcReq send: #bytes read=100
>>>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,
>>number of retries =3, #bytes=
>>247
>>>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88,
>>timeout=30000,Attempt =1, #bytes=247
>>>>>DEBUG: TCPClient reading 1475 bytes
>>>>> KrbKdcReq send: #bytes read=1475
>>>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Added key: 23version: 3
>>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
>>principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Will use keytab
>>Commit Succeeded
>>
>>Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>>sun.security.jgss.spnego.SpNegoCredElement)
>>Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
>>sun.security.jgss.krb5.Krb5AcceptCredential)
>>Found KeyTab C:\keytab\tomcat.keytab for
>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found KeyTab C:\keytab\tomcat.keytab for
>>HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
>>Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to
>>krbtgt/KERBTEST.LOCAL@KERBTEST
>>.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
>>25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3]
>>org.apache.catalina.authenticator.SpnegoAuthentic
>>ator.authenticate Unable to login as the service principal
>>java.security.PrivilegedActionException: GSSException: Defective token
>>detected (Mechanism level: G
>>SSHeader did not find the right tag)
>>at java.security.AccessController.doPrivileged(Native Method)
>>at javax.security.auth.Subject.doAs(Subject.java:422)
>>at
>>org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
>>va:243)
>>at
>>org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
>>at
>>org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>>at
>>org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>>at
>>org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
>>
>>at
>>org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>>at
>>org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
>>at
>>org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:108
>>6)
>>at
>>org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
>>a:659)
>>at
>>org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProto
>>col.java:223)
>>at
>>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
>>at
>>org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
>>at
>>java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>at
>>java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>at
>>org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>>at java.lang.Thread.run(Thread.java:745)
>>Caused by: GSSException: Defective token detected (Mechanism level:
>>GSSHeader did not find the right
>>tag)
>>at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>>at
>>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
>>at
>>sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
>>at
>>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>>r.java:336)
>>at
>>org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticato
>>r.java:323)
>>... 18 more
>>
>>[Krb5LoginModule]: Entering logout
>>[Krb5LoginModule]: logged out Subject
>>25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3]
>>org.apache.catalina.authenticator.AuthenticatorBa
>>se.invoke Failed authenticate() test
>>
>>> Date: Wed, 25 Mar 2015 16:48:10 +0100
>>> From: felix.schumac...@internetallee.de
>>> To: users@tomcat.apache.org
>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>
>>> On 25.03.2015 16:09, David Marsh wrote:
>>>> Put keytab in c:\keytab\tomcat.keytab, ensured owner was
>>>> tc01@KERTEST.LOCAL, still same symptoms.
>>>>
>>>> Ran klist on client after firefox test and the three 401 responses :-
>>>>
>>>> C:\Users\test.KERBTEST.000>klist
>>>>
>>>> Current LogonId is 0:0x2fd7a
>>>>
>>>> Cached Tickets: (2)
>>>>
>>>> #0> Client: test @ KERBTEST.LOCAL
>>>> Server: krbtgt/KERBTEST.LOCAL @ KERBTEST.LOCAL
>>>> KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
>>>> Ticket Flags 0x40e10000 -> forwardable renewable initial
>>>> pre_authent nam
>>>> e_canonicalize
>>>> Start Time: 3/25/2015 14:46:43 (local)
>>>> End Time: 3/26/2015 0:46:43 (local)
>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>> Session Key Type: AES-256-CTS-HMAC-SHA1-96
>>>> Cache Flags: 0x1 -> PRIMARY
>>>> Kdc Called: 192.168.0.200
>>>>
>>>> #1> Client: test @ KERBTEST.LOCAL
>>>> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>>>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>>>> Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
>>>> name_canoni
>>>> calize
>>>> Start Time: 3/25/2015 14:51:21 (local)
>>>> End Time: 3/26/2015 0:46:43 (local)
>>>> Renew Time: 4/1/2015 14:46:43 (local)
>>>> Session Key Type: RSADSI RC4-HMAC(NT)
>>>> Cache Flags: 0
>>>> Kdc Called: 192.168.0.200
>>>>
>>>> Looks like I was granted a ticket for the SPN
>>>> HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL ?
>>>>
>>>> If I have ticket why do I get 401 ?
>>> Your client has got a service ticket for HTTP/win-tc01... This is used
>>> by firefox for authentication. Firefox transmits
>>> this service ticket to the server (as base64 encoded in the
>>> WWW-Authenticate header).
>>>
>>> Your server has to decrypt this ticket using its own ticket to get at
>>> the user information. This is where your problems arise.
>>> It looks like your server has trouble getting its own ticket.
>>>
>>> Are you sure that the password you used for keytab generation (on the
>>> server side) is correct? ktpass will probably accept
>>> any input as a password. Maybe you can check the keytab by using kinit
>>> (though I don't know if it exists for windows, or how
>>> the java one is used).
>>>
>>> Felix
>>>
>>>>
>>>> ----------------------------------------
>>>>> Date: Tue, 24 Mar 2015 22:46:15 +0000
>>>>> From: ma...@apache.org
>>>>> To: users@tomcat.apache.org
>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>
>>>>> On 24/03/2015 20:47, David Marsh wrote:
>>>>>> Hi Felix,
>>>>>> Thanks for your help!
>>>>>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in
>>>>>> startup.bat and also added the same definitions to the Java
>>>>>> parameters in Configure Tomcat tool. I definitely got more information
>>>>>> when using startup.bat, not sure the settings get picked up by the
>>>>>> windows service ?
>>>>>> I do not think authentication completes, certainly authorization does
>>>>>> not as I can't see the site and get 401 http status.
>>>>>> I have not configured a tomcat realm but I have put the test user in a
>>>>>> manager-gui group in Active Directory.
>>>>>
>>>>> I've only given your config a quick scan, but the thing that jumps out
>>>>> at me is spaces in some of the paths. I'm not sure how well
>>>>> krb5.ini
>>>>> will handle those. It might be fine. It might not be.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>>> David
>>>>>>> Date: Tue, 24 Mar 2015 21:39:38 +0100
>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> On 24.03.2015 at 21:25, David Marsh wrote:
>>>>>>>> Everything is as described and still not working, except the
>>>>>>>> jaas.conf is :-
>>>>>>>>
>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>>
>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>> doNotPrompt=true
>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>> useKeyTab=true
>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>> storeKey=true;
>>>>>>>> };
>>>>>>>>
>>>>>>>> In other words the principal is the tomcat server as it should be.
>>>>>>>>
>>>>>>>>> Date: Tue, 24 Mar 2015 21:17:59 +0100
>>>>>>>>> From: felix.schumac...@internetallee.de
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> On 24.03.2015 at 21:05, David Marsh wrote:
>>>>>>>>>> Sorry, that's :-
>>>>>>>>>>
>>>>>>>>>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>> under jaas.conf, it is set to the tomcat server DNS.
>>>>>>>>> Is it working with this configuration, or just to point out, that
>>>>>>>>> you
>>>>>>>>> copied the wrong jaas.conf for the mail?
>>>>>>>>>
>>>>>>>>> Felix
>>>>>>>>>> ----------------------------------------
>>>>>>>>>>> From: dmars...@outlook.com
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: SPNEGO test configuration with Manager webapp
>>>>>>>>>>> Date: Tue, 24 Mar 2015 20:02:04 +0000
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to get SPNEGO authentication working with Tomcat 8.
>>>>>>>>>>>
>>>>>>>>>>> I've created three Windows VMs :-
>>>>>>>>>>>
>>>>>>>>>>> Tomcat Server - Windows 8.1 32 bit VM
>>>>>>>>>>> Test Client - Windows 8.1 32 bit VM
>>>>>>>>>>> Domain Controller - Windows Server 2012 R2 64 bit VM
>>>>>>>>>>>
>>>>>>>>>>> The Tomcat Server and the Test Client are joined to the same
>>>>>>>>>>> domain kerbtest.local, they are logged in with domain logins.
>>>>>>>>>>>
>>>>>>>>>>> The firewall is disabled on the Tomcat Server VM.
>>>>>>>>>>>
>>>>>>>>>>> I've followed the guidelines on the Apache Tomcat website.
>>>>>>>>>>>
>>>>>>>>>>> jaas.conf
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.initiate {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> com.sun.security.jgss.krb5.accept {
>>>>>>>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>>>>>>>> doNotPrompt=true
>>>>>>>>>>> principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
>>>>>>>>>>> useKeyTab=true
>>>>>>>>>>> keyTab="C:/Program Files/Apache Software Foundation/Tomcat
>>>>>>>>>>> 8.0/conf/tomcat.keytab"
>>>>>>>>>>> storeKey=true;
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> krb5.ini
>>>>>>>>>>>
>>>>>>>>>>> [libdefaults]
>>>>>>>>>>> default_realm = KERBTEST.LOCAL
>>>>>>>>>>> default_keytab_name = FILE:C:\Program Files\Apache Software
>>>>>>>>>>> Foundation\Tomcat 8.0\conf\tomcat.keytab
>>>>>>>>>>> default_tkt_enctypes =
>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>> default_tgs_enctypes =
>>>>>>>>>>> rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
>>>>>>>>>>> forwardable=true
>>>>>>>>>>>
>>>>>>>>>>> [realms]
>>>>>>>>>>> KERBTEST.LOCAL = {
>>>>>>>>>>> kdc = win-dc01.kerbtest.local:88
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> I want to use the tomcat manager app to test SPNEGO with Active
>>>>>>>>>>> Directory.
>>>>>>>>>>>
>>>>>>>>>>> I have tried to keep the setup as basic and vanilla to the
>>>>>>>>>>> instructions as possible.
>>>>>>>>>>>
>>>>>>>>>>> Users were created as instructed.
>>>>>>>>>>>
>>>>>>>>>>> Spn was created as instructed
>>>>>>>>>>> setspn -A HTTP/win-tc01.kerbtest.local tc01
>>>>>>>>>>>
>>>>>>>>>>> keytab was created as instructed
>>>>>>>>>>> ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ
>>>>>>>>>>> HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
>>>>>>>>>>>
>>>>>>>>>>> I have tried to test with firefox, chrome and IE, after ensuring
>>>>>>>>>>> http://win-tc01.kerbtest.local is a trusted site in IE. In
>>>>>>>>>>> firefox I added http://win-tc01.kerbtest.local to
>>>>>>>>>>> network.negotiate-auth.delegation-uris and
>>>>>>>>>>> network.negotiate-auth.trusted-uris.
>>>>>>>>>>>
>>>>>>>>>>> Tomcat is running as a Windows service under the
>>>>>>>>>>> tc01@kerbtest.local account.
>>>>>>>>>>>
>>>>>>>>>>> Visiting URL from the Test Client VM :-
>>>>>>>>>>> http://win-tc01.kerbtest.local in firefox results in 401 three
>>>>>>>>>>> times.
>>>>>>>>>>>
>>>>>>>>>>> Looking at the Network tab in developer tools in firefox shows
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
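
The truncation question at the top of this message can be checked from the token bytes themselves: a Negotiate token is DER-encoded, so its first bytes declare both its total length and its mechanism. The sketch below is an added example, not code from the thread or from Tomcat; `inspect_negotiate`, `neg_state` and `read_der_header` are hypothetical helper names, `PAGE_RESPONSE` and `PAGE_REQUEST_PREFIX` are copied from the headers quoted at the top of this message, and the NTLM sample is constructed.

```python
import base64
import binascii

SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete",
              2: "reject", 3: "request-mic"}    # RFC 4178 negState values


def read_der_header(buf):
    """Return (tag, content_length, header_length) of the TLV at buf[0]."""
    if len(buf) < 2:
        raise ValueError("too short for a DER tag and length")
    first = buf[1]
    if first < 0x80:                       # short form: length in one byte
        return buf[0], first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or cut-off DER length")
    return buf[0], int.from_bytes(buf[2:2 + n], "big"), 2 + n


def neg_state(body):
    """negState of a NegTokenResp body, or None when the field is absent."""
    try:
        tag, _, hdr = read_der_header(body)
    except ValueError:
        return None
    inner = body[hdr:]
    # [0] EXPLICIT ENUMERATED of one byte: a0 03 0a 01 <state>
    if tag == 0x30 and len(inner) >= 5 and inner[:4] == b"\xa0\x03\x0a\x01":
        return NEG_STATES.get(inner[4])
    return None


def inspect_negotiate(header_value):
    """Classify the token carried by an Authorization/WWW-Authenticate value."""
    parts = header_value.strip().strip('"').split(None, 1)
    info = {"scheme": parts[0] if parts else "", "kind": "no-token",
            "declared": None, "actual": 0, "complete": None, "neg_state": None}
    # Mail clients and log viewers wrap long headers, so drop all whitespace.
    b64 = "".join(parts[1].split()) if len(parts) > 1 else ""
    if not b64:
        return info                        # bare challenge, e.g. "Negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        info.update(kind="bad-base64", complete=False)
        return info
    info["actual"] = len(raw)
    if raw.startswith(b"NTLMSSP\x00"):     # raw NTLM, no GSS-API framing
        info["kind"] = "ntlm"
        return info
    try:
        tag, length, hdr = read_der_header(raw)
    except ValueError:
        info.update(kind="unknown", complete=False)
        return info
    # The outer DER length says how many bytes the sender meant to transmit.
    info["declared"] = hdr + length
    info["complete"] = info["declared"] == len(raw)
    body = raw[hdr:]
    if tag == 0x60:                        # GSS-API initial context token
        if body.startswith(b"\x06\x06" + SPNEGO_OID):
            info["kind"] = "spnego-init"
        elif body.startswith(b"\x06\x09" + KRB5_OID):
            info["kind"] = "krb5-raw"
        else:
            info["kind"] = "gss-other"
    elif tag == 0xA1:                      # SPNEGO NegTokenResp
        info["kind"] = "spnego-resp"
        info["neg_state"] = neg_state(body)
    else:
        info["kind"] = "unknown"
    return info


# Copied from the page: the server's reply to request 2.
PAGE_RESPONSE = "Negotiate oRQwEqADCgEBoQsGCSqGSIb3EgECAg=="
# First 16 base64 characters of request 2 on the page (a deliberate prefix).
PAGE_REQUEST_PREFIX = "Negotiate YIIGUgYGKwYBBQUC"
# Constructed sample: the leading bytes of a raw NTLM message.
CONSTRUCTED_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for name, value in [("page response", PAGE_RESPONSE),
                        ("page request prefix", PAGE_REQUEST_PREFIX),
                        ("constructed NTLM", CONSTRUCTED_NTLM)]:
        print(name, inspect_negotiate(value))
```

Fed the full value of request 2, an intact header reports `declared` equal to `actual` at 1622 bytes; any other `actual` means bytes were lost or added on the way.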
                                          