Broken trace :-

25-Mar-2015 15:46:22.131 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
25-Mar-2015 15:46:22.133 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
25-Mar-2015 15:46:22.257 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs
25-Mar-2015 15:46:22.637 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 380 ms
25-Mar-2015 15:46:22.639 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager
25-Mar-2015 15:46:22.710 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
25-Mar-2015 15:46:22.733 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 93 ms
25-Mar-2015 15:46:22.734 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
25-Mar-2015 15:46:22.793 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 59 ms
25-Mar-2015 15:46:22.797 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
25-Mar-2015 15:46:22.806 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
25-Mar-2015 15:46:22.808 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 721 ms
25-Mar-2015 15:46:28.280 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.284 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.286 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.287 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.288 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.290 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.291 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.293 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.296 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.299 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:28.302 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
25-Mar-2015 15:46:28.304 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
25-Mar-2015 15:46:28.305 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:28.417 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:28.420 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.422 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.424 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.425 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.427 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:28.428 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:28.429 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:28.442 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:28.444 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:28.445 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): kerbtest.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Java config name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 3
>>> KdcAccessibility: reset
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt >>> =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Wed Mar 25 15:46:28 GMT 2015 1427298388000
     suSec is 701709
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt >>> =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt >>> =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:28 GMT 2015
        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:28.995 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
25-Mar-2015 15:46:29.010 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
25-Mar-2015 15:46:29.013 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.014 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.015 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.016 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.017 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
25-Mar-2015 15:46:29.018 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
25-Mar-2015 15:46:29.019 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
25-Mar-2015 15:46:29.021 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
25-Mar-2015 15:46:29.022 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
25-Mar-2015 15:46:29.023 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
25-Mar-2015 15:46:29.024 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt >>> =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Wed Mar 25 15:46:29 GMT 2015 1427298389000
     suSec is 935731
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt >>> =1, #bytes=247
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt >>> =1, #bytes=247
>>>DEBUG: TCPClient reading 1475 bytes
>>> KrbKdcReq send: #bytes read=1475
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\keytab\tomcat.keytab for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
 java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
        ... 18 more
        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

----------------------------------------
> Date: Mon, 30 Mar 2015 00:13:54 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent "fix" must have broken it.
>
> That is really great info. Thanks.
>
> By the way, would you still have the Tomcat Kerberos logs that fail, in comparison to one where it works ?
>
>
>>
>> David
>>
>> ----------------------------------------
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>> From: felix.schumac...@internetallee.de
>>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>>> To: users@tomcat.apache.org
>>>
>>>
>>>
>>> On 28 March 2015 at 17:46:50 CET, Mark Thomas <ma...@apache.org> wrote:
>>>> On 28/03/2015 14:43, David Marsh wrote:
>>>>> Ok so I went back to basics and created three new VM's.
>>>>>
>>>>> Windows Server 2008 R2
>>>>> Windows 7 Client
>>>>> Windows 7 Tomcat
>>>>>
>>>>> I still had same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>>> Thank you for doing all this testing. That is useful information to know.
>>>> The next step (for you, me or anyone who has the time and wants to help) is to test subsequent Java 7 releases and see at which version it stops working. I'd hope that a review of the relevant change log would identify the change that triggered the breakage and provide some clues on how to fix it.
>>>>
>>>> It would be worth testing the Java 8 releases the same way.
>>> I read it, that jdk 7 works and jdk 8 is problematic.
>>>
>>> There are a few Kerberos related changes in jdk 8 (http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).
>>>
>>> Interesting are the two changes:
>>>
>>> * DES is disabled by default
>>> * constrained delegation is supported.
>>>
>>> My guess would be, that it would help (in this case) to reenable DES by adding allow_weak_crypto=true in the krb5.conf.
>>>
>>> Regards
>>> Felix
>>>> Mark
>>>>
>>>>
>>>>> David
>>>>>
>>>>> ----------------------------------------
>>>>>> From: dmars...@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> Date: Fri, 27 Mar 2015 23:40:06 +0000
>>>>>>
>>>>>> By the way Tomcat 8 was running on JDK :-
>>>>>>
>>>>>> C:\Windows\system32>java -version
>>>>>> java version "1.8.0_40"
>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>>>
>>>>>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however it does not seem to work.
>>>>>>
>>>>>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>>>>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>>>>>> I get the same three 401's and the Negotiate.
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>>>> From: a...@ice-sa.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> David Marsh wrote:
>>>>>>>> Hi Mark,
>>>>>>>>
>>>>>>>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise.
>>>>>>>> I'm a Java / Windows programmer so I should be able to understand it, but I'm not a kerberos or Active Directory expert.
>>>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>>>> Enable Windows Integrated Authentication is on
>>>>>>>> Auto logon only in Intranet Zone is on
>>>>>>>>
>>>>>>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>>>
>>>>>>>> The windows client OS and tomcat server OS have the registry setting for allowtgtsessionkey set to 1 (enabled).
>>>>>>>> Java kinit test works and stores a ticket in the Java session cache.
>>>>>>>> So problem seems to be either :-
>>>>>>>>
>>>>>>>> 1. Browser sends bad token
>>>>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>>>>>
>>>>>>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the WWW, one other recommendation which seems to appear regularly (and Mark also mentioned that somewhere), is that each time you make a change somewhere, you should reboot the machine afterward, before re-testing. (Particularly on Windows machines).
>>>>>>> I know it's a PITA, but I have also found the same to be true sometimes when merely dealing with NTLM matters. There are probably some hidden caches that get cleared only in that way.
>>>>>>>
>>>>>>>
>>>>>>>> many thanks
>>>>>>>>
>>>>>>>> David
>>>>>>>>
>>>>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>>>>> From: a...@ice-sa.com
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> David Marsh wrote:
>>>>>>>>>> Hi Mark,
>>>>>>>>>> Thanks that would be great !
>>>>>>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>>>>>>> I believe that I can answer that.
>>>>>>>>>
>>>>>>>>> And the basic answer is no.
>>>>>>>>>
>>>>>>>>> First the basic principle, valid for this and many many other areas : the server cannot "impose" anything on the browser. The local user can always override anything received from the server, by a setting in the browser. And a hacker can of course do anything.
>>>>>>>>> All the server can do, is tell the browser what it will accept, and the browser can tell the server ditto.
>>>>>>>>> So, never assume the opposite, and you will save yourself a lot of fruitless searches and dead-ends.
>>>>>>>>>
>>>>>>>>> Now more specific :
>>>>>>>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401 response with "Negotiate" as the requested authentication method. Unless it does that, the browser will never even attempt to send a Kerberos "Authorization" back.
>>>>>>>>> 2) for the browser to consider returning a Kerberos Authorization header to the server, additional conditions depend on the browser.
>>>>>>>>> For IE :
>>>>>>>>> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether this is done locally by the user, or part of the standard IE settings company-wide, or imposed by some "network policy" at corporate level.
>>>>>>>>> b) the server to which the browser is talking, must be known to IE as either
>>>>>>>>> - part of the "Intranet"
>>>>>>>>> - or at least a "trusted" server
>>>>>>>>> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
>>>>>>>>> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to NTLM, always. And there is nothing you can do about that at the server level.
>>>>>>>>> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level, has the effect of disabling Kerberos, but not NTLM).
>>>>>>>>>
>>>>>>>>> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall back to Basic authentication, if its other settings allow that. That's when you see the browser popup login dialog; and in an SSO context, this is a sure sign that something isn't working as expected.
>>>>>>>>>
>>>>>>>>> Some authentication modules, at the server level, are able to adapt to what the browser sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
>>>>>>>>> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
>>>>>>>>> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works under both Windows and Linux.
>>>>>>>>>
>>>>>>>>> And finally, about your problems : it seems that you have fallen in a very specific kind of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using Windows Kerberos libraries and encryption method choices and hostname formats etc..), from a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying platform is), which is using Java Kerberos libraries and encryption method choices etc...
>>>>>>>>> And it seems that between this Java Kerberos part and the Windows Kerberos part, there are a number of areas of mutual incomprehension (such as which key encryption methods they each implement, or which ones are the "default" ones for each).
>>>>>>>>>
>>>>>>>>> And I am sure that the issue can be resolved. But it is probably a question of finding out which among the 25 or more settings one can alter on each side, overlap and either agree or contradict each other.
>>>>>>>>>
>>>>>>>>> One underlying issue is that, as well in corporations as on the WWW, the "Windows people" and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how to set this up, they will tell you "just do this and it works" (assuming that all the moving parts are Windows-based); and if you ask the "Linux people", they will tell you "just do this and it works" (assuming that all the moving parts are Linux-based).
>>>>>>>>> And there are very few people (and web pages) which span both worlds with their various combinations.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> David
>>>>>>>>>>
>>>>>>>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>>>>>>>> From: ma...@apache.org
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>>>>>>>> Still getting :-
>>>>>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>>>>>>
>>>>>>>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>>>>>>>
>>>>>>>>>>>> Is Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>>>>>>>> My test environment is Windows 2008 R2 server and Windows 7. It is certainly possible security has been tightened between those versions and 2012/R2 + 8 that means things don't work by default with Java.
>>>>>>>>>>> I'll see if I can find some time in the next few weeks to update my test environment and do some more testing.
>>>>>>>>>>>
>>>>>>>>>>> Mark
>>>>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
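The thread asks whether there is a way to tell, on the Tomcat side, that the browser sent a Kerberos token rather than an NTLM one, and the trace ends in "GSSHeader did not find the right tag". What follows is an added example, not code from the thread, from Tomcat or from the JDK: it decodes the base64 payload of an Authorization: Negotiate header and classifies it by its leading bytes. A GSS-API initial context token (RFC 2743 section 3.1) starts with DER tag 0x60, a DER length and the mechanism OID (SPNEGO 1.3.6.1.5.5.2 or Kerberos V5 1.2.840.113554.1.2.2); a raw NTLM message starts with the signature NTLMSSP followed by a NUL byte; a bare NegoEx message starts with NEGOEXTS. Java's sun.security.jgss.GSSHeader only accepts the 0x60 form, which is the check the exception in the trace names. The function names and the headers in SAMPLE_HEADERS are constructed for the demo; only the byte signatures and OID encodings are real.

```python
"""Classify the token in an HTTP "Authorization: Negotiate <base64>" header.

Added example (not from the thread, Tomcat or the JDK). Signatures used:
  * GSS-API InitialContextToken (RFC 2743 s3.1): DER tag 0x60, a DER length,
    then the mechanism OID: SPNEGO 1.3.6.1.5.5.2 or Kerberos V5 1.2.840.113554.1.2.2.
  * Raw NTLM message: leading bytes b"NTLMSSP\\0".
  * Bare NegoEx message: leading bytes b"NEGOEXTS" (in practice it usually
    travels inside SPNEGO, so a top-level hit here is unusual).
Java's sun.security.jgss.GSSHeader accepts only the 0x60 form; anything else is
rejected as "GSSHeader did not find the right tag".
"""
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")        # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # DER OID 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"
NEGOEX_SIG = b"NEGOEXTS"


def _der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(raw):
    """Return one of: spnego, krb5, gss-other, ntlm, negoex, unknown."""
    if raw.startswith(NTLM_SIG):
        return "ntlm"
    if raw.startswith(NEGOEX_SIG):
        return "negoex"
    if not raw or raw[0] != 0x60:
        return "unknown"          # the case GSSHeader rejects: no APPLICATION 0 tag
    try:
        _, pos = _der_length(raw, 1)
    except (ValueError, IndexError):
        return "unknown"
    if raw.startswith(SPNEGO_OID, pos):
        return "spnego"
    if raw.startswith(KRB5_OID, pos):
        return "krb5"
    return "gss-other"


def classify_authorization_header(value):
    """Classify a full Authorization header value as a browser sends it."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"             # scheme already says NTLM, no SPNEGO wrapper at all
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    if not b64.strip():
        return "empty"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return "bad-base64"
    return classify_token(raw)


def gss_wrap(oid, inner):
    """Build a GSS-API InitialContextToken header around inner (for the samples)."""
    body = oid + inner
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return b"\x60" + length + body


# Constructed sample headers; the bodies are placeholders, only the framing is real.
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(gss_wrap(SPNEGO_OID, b"\xa0\x00" * 100)).decode(),
    "krb5": "Negotiate " + base64.b64encode(gss_wrap(KRB5_OID, b"\x01\x00" + b"\x00" * 16)).decode(),
    "ntlm": "Negotiate " + base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00" + b"\x00" * 24).decode(),
    "negoex": "Negotiate " + base64.b64encode(NEGOEX_SIG + b"\x00" * 8).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:8s} -> {classify_authorization_header(header)}")
```

Logging the result of classify_authorization_header for each 401 round trip (a filter in front of the authenticator, or a quick script over a captured header) shows what the browser actually sent before the JDK version or the krb5 settings are blamed: an "ntlm" result means the client never attempted Kerberos, which matches the browser-side conditions described earlier in the thread, while an "spnego" result that still fails points at the Java side.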