We need to split between constrained and unconstrained delegation. Let's stay with unconstrained, the simplest one.

For that to happen you need:
* Enable it for the service account (acceptor side)
* Set the delegate flag (also there is a policy) on the security context (initiator side)

Try again. The best thing would be to do this with gss-client/gss-server which comes with MIT Kerberos, otherwise you have too many variables in the game. Alternatively, use https://github.com/pythongssapi/python-gssapi. It has a fantastic interface to MIT Kerberos or Heimdal to exactly evaluate your environment. I use it as well.

Michael

On 2024/05/03 13:42:39 Tom Delaney wrote:
> Thanks for the reply Michael,
>
> I'm trying to achieve retrieving delegated credentials. I'm confused by the
> debug output because I'm being told that authentication succeeded but no
> indication of why I'm not receiving delegated credentials other than there
> are none. I have looked over the delegation rules for the service account
> and SPN multiple times. When you mentioned "S4U is tried, but not
> configured for that account. Totally fine", what does that mean? Is there a
> specific place on Tomcat or Windows I need to look for this?
>
> What I'm expecting to see outputted: "Delegated Creds have pname=
> tdela...@subdomain.domain.com sname=krbtgt/SUBDOMAIN.DOMAIN.COM
> authtime=null starttime={date/timestamp} endtime={date/timestamp}"
>
> P.S.
> I see in my ktpass command I made a typo and meant to put SA_EX_VAISSO
> instead of "SA_EX_SSO".
>
> On Fri, May 3, 2024 at 8:26 AM Michael Osipov <micha...@apache.org> wrote:
>
> > On 2024/05/02 19:20:59 Tom Delaney wrote:
> > > Hi All,
> > >
> > > Sorry for the duplicate requests. The first one was accidentally flagged
> > > for Google's new Confidential Mode which happened to be flagged.
> > > I have a Red Hat 9.2 server hosting a web application on a single instance
> > > of Apache Tomcat. This instance is behind an Apache HTTP Server on version
> > > 2.4.57. The application is hosted on Tomcat 9.0.54.
> > >
> > > Domain: subdomain.domain.com
> > > Site: devexample.domain.com
> > >
> > > URL hit: https://example.subdomain.domain.com/webclient/exclient.jsp
> > > <https://devexample.domain.com/webclient_devex/exclient.jsp>
> > >
> > > *I keep getting this in the Tomcat Logs when accessing the application:*
> > > *>>> Constrained deleg from GSSCaller{UNKNOWN}*
> >
> > You should first try to describe what you are trying to achieve and not
> > what the debug output is. The debug message comes from:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L540
> > The message is obviously caused by this call:
> > https://github.com/openjdk/jdk8u-dev/blob/6b53212ef78ad50f9eede829c5ff87cadcdb434b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java#L254-L263
> >
> > S4U is tried, but not configured for that account. Totally fine.
> >
> > BTW: The filter you use isn't from us.
> >
> > M

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
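A minimal end-to-end check of the two requirements discussed in this thread (the delegate flag on the initiator's security context, and delegation being enabled for the service account) written in Java against the same JGSS API that produced the `Krb5Context` debug output above. It runs initiator and acceptor in one JVM and passes the tokens in memory, so the only moving parts left are the KDC and the two principals, much like the gss-client/gss-server approach. This is an added example, not code from the list thread, from Tomcat or from any filter mentioned here; the SPN, keytab path and JAAS entry contents are placeholders for your own environment, and it assumes a reachable KDC and a forwardable client TGT in the default credential cache.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Runs a Kerberos initiator and acceptor in the same JVM and reports whether
 * the acceptor ended up holding delegated credentials.
 *
 * Assumed environment (all names below are placeholders):
 *   - a client TGT in the default cache obtained as forwardable
 *     (kinit -f, or "forwardable = true" in krb5.conf)
 *   - a keytab for the service principal HTTP/service.example.com
 *   - a JAAS config selected with
 *       -Djava.security.auth.login.config=jaas.conf
 *       -Djavax.security.auth.useSubjectCredsOnly=false
 *     containing:
 *       com.sun.security.jgss.krb5.initiate {
 *           com.sun.security.auth.module.Krb5LoginModule required
 *           useTicketCache=true doNotPrompt=true;
 *       };
 *       com.sun.security.jgss.krb5.accept {
 *           com.sun.security.auth.module.Krb5LoginModule required
 *           useKeyTab=true keyTab="/etc/service.keytab" storeKey=true
 *           principal="HTTP/service.example.com";
 *       };
 */
public class DelegationCheck {

    private static final Oid KRB5 = oid("1.2.840.113554.1.2.2");
    // Placeholder SPN in host-based form; replace with the real service account SPN.
    private static final String SERVICE = "HTTP@service.example.com";

    public static void main(String[] args) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();

        // Initiator side: delegation has to be requested on the context.
        // Without this flag the TGT is never forwarded, regardless of how the
        // service account is configured in AD.
        GSSName target = mgr.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext init = mgr.createContext(target, KRB5, null, GSSContext.DEFAULT_LIFETIME);
        init.requestMutualAuth(true);
        init.requestCredDeleg(true);
        // The "policy" variant only delegates when the KDC marked the service
        // ticket OK-AS-DELEGATE (JDK-specific extension):
        //   ((com.sun.security.jgss.ExtendedGSSContext) init).requestDelegPolicy(true);

        // Acceptor side: credentials come from the keytab via the JAAS "accept" entry.
        GSSCredential serverCred = mgr.createCredential(null,
                GSSCredential.INDEFINITE_LIFETIME, KRB5, GSSCredential.ACCEPT_ONLY);
        GSSContext accept = mgr.createContext(serverCred);

        // Token exchange: the same AP-REQ / AP-REP round trip that normally
        // travels inside HTTP Negotiate headers.
        byte[] token = new byte[0];
        while (!init.isEstablished()) {
            token = init.initSecContext(token, 0, token.length);
            if (token == null || token.length == 0) {
                break; // initiator has nothing further to send
            }
            token = accept.acceptSecContext(token, 0, token.length);
            if (token == null) {
                token = new byte[0]; // acceptor finished without a reply token
            }
        }

        System.out.println("Authenticated " + accept.getSrcName() + " to " + accept.getTargName());
        // The initiator's view tells you whether forwarding actually happened on
        // the client/KDC side; the acceptor's view is what a servlet would consume.
        System.out.println("Initiator delegated: " + init.getCredDelegState());
        if (accept.getCredDelegState()) {
            GSSCredential delegated = accept.getDelegCred();
            System.out.println("Delegated creds for " + delegated.getName()
                    + ", " + delegated.getRemainingLifetime() + "s remaining");
        } else {
            System.out.println("No delegated credentials received");
        }

        init.dispose();
        accept.dispose();
        serverCred.dispose();
    }

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Reading the two flags together narrows the fault down: if the initiator itself reports `false` for `getCredDelegState()` after the context is established, nothing was ever forwarded and the cause is on the client or KDC side (non-forwardable TGT, or the account not being trusted for delegation); if the initiator reports `true` but the acceptor has no delegated credential, the problem is in the acceptor's credential or keytab setup. Authentication succeeding, as in the Tomcat log above, says nothing about either flag.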