tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject RE: Tomcat windows authentication domain login issue
Date Wed, 15 Oct 2014 10:13:20 GMT


On 15 October 2014 11:05:59 CEST, tantaryu <ming.sa@outlook.com> wrote:
>Okay, this might sound funny. But how do I add newlines?

I don't know how to do it in your mail client. But generally I would try to configure it to
not use HTML (only).

You could try another mail client or provider. Maybe it has saner defaults.

Regards
Felix

>
>Date: Wed, 15 Oct 2014 01:37:42 -0700
>From: ml-node+s10n5023863h23@n6.nabble.com
>To: ming.sa@outlook.com
>Subject: Re: Tomcat windows authentication domain login issue
>
>
>
>	On 15.10.2014 at 10:22, tantaryu wrote:
>
>>> Let's hope it works this time.
>
>If this was your try to add newlines, then I think it failed.
>
>
>Felix
>
>>> I need some idea on what's wrong with my tomcat configuration for
>windows authentication. I followed the tomcat windows authentication
>tutorial and uses the "manager" web application comes with tomcat to do
>a poc. In my web.xml I change > <auth-method>BASIC</auth-method> > to>
><auth-method>SPNEGO</auth-method>> and also changes the auth-constraint
>to the following > <auth-constraint>>  <role-name>*</role-name>>
></auth-constraint>
>
>>> This is my krb5.ini > [libdefaults]> default_realm = ACME>
>default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab>
>default_tkt_enctypes =
>rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96>
>default_tgs_enctypes =
>rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96>
>forwardable=true> [realms]> ACME = {>        kdc = AD-Server:88>}>
>[domain_realm]> acme= ACME> .acme= ACME
>
>>> This is my jaas.conf > com.sun.security.jgss.krb5.initiate {>   
>com.sun.security.auth.module.Krb5LoginModule required>    debug=true>  
>doNotPrompt=true>    principal="HTTP/Client2@ACME">    useKeyTab=true> 
>keyTab="C:/tomcat/conf/tomcat.keytab">    //useTicketCache=true>   
>storeKey=true;> };> com.sun.security.jgss.krb5.accept {>   
>com.sun.security.auth.module.Krb5LoginModule required>    debug=true>  
>doNotPrompt=true>    principal="HTTP/Client2@ACME">    useKeyTab=true> 
>keyTab="C:/tomcat/conf/tomcat.keytab">    //useTicketCache=true>   
>storeKey=true;>};
>
>>> The weird thing is regardless of what username and password I put in
>when I accessed the tomcat manager web-app the debug message shown is
>the same.
>
>>> Debug is  true storeKey true useTicketCache false useKeyTab true
>doNotPrompt true ticketCache is null isInitiator true KeyTab is
>C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is
>HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass
>is false clearPass is false> >>> KeyTabInputStream, readName(): acme>
>>>> KeyTabInputStream, readName(): HTTP> >>> KeyTabInputStream,
>readName(): Client2> >>> KeyTab: load() entry length: 52; type: 23>
>Looking for keys for: HTTP/Client2@ACME> Java config name:
>C:\tomcat\conf\krb5.ini> Loaded from Java config> Added key: 23version:
>0> >>> KdcAccessibility: reset> Looking for keys for:
>HTTP/Client2@ACME> Added key: 23version: 0> default etypes for
>default_tkt_enctypes: 23 17.> >>> KrbAsReq creating message> >>>
>KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries
>=3, #> bytes=124> >>> KDCCommunication: kdc=AD-Server UDP:88,
>timeout=30000,Attempt =1, #bytes=124
>
>>>>>> KrbKdcReq send: #bytes read=538> >>> KdcAccessibility:
>remove
>AD-Server:88> Looking for keys for: HTTP/Client2@ACME> Added key:
>23version: 0> >>> EType:
>sun.security.krb5.internal.crypto.ArcFourHmacEType> >>> KrbAsRep cons
>in KrbAsReq.getReply HTTP/Client2> principal is HTTP/Client2@ACME> Will
>use keytab> Commit Succeeded
>
>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)> Search Subject for
>Kerberos V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)> Found KeyTab
>C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found KeyTab
>C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found ticket for
>HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14
>02:49:29 CST 2014>                [Krb5LoginModule]: Entering logout>  
>             [Krb5LoginModule]: logged out Subject
>
>>> I added this in my server.xml > <Realm
>className="org.apache.catalina.realm.LockOutRealm">>	<Realm
>className="org.apache.catalina.realm.JAASRealm"
>appName="JspKerberosDemo" allRolesMode="strictAuthOnly" />> </Realm>
>
>>> When I tried login, it doesn't seem to recognize the valid
>credential. The app keeps on asking me to enter a valid credential.
>What do I need to change to make it work?
>
>> Date: Wed, 15 Oct 2014 00:56:33 -0700
>
>> From: [hidden email]
>
>> To: [hidden email]
>
>> Subject: Re: Tomcat windows authentication domain login issue
>
>>
>
>>
>
>>
>
>> 	On 15.10.2014 at 03:48, tantaryu wrote:
>
>>
>
>>> Okay, now I tried with a email client. Let's see if it works.
>
>>> I need some idea on what's wrong with my tomcat configuration for
>windows authentication. I followed the tomcat windows authentication
>tutorial and uses the "manager" web application comes with tomcat to do
>a poc. In my web.xml I change <auth-method>BASIC</auth-method> to
><auth-method>SPNEGO</auth-method> and also changes the auth-constraint
>to the following <auth-constraint> 
><role-name>*</role-name></auth-constraint>.
>
>>> This is my krb5.ini [libdefaults]default_realm =
>ACMEdefault_keytab_name =
>FILE:C:\tomcat\conf\tomcat.keytabdefault_tkt_enctypes =
>rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96default_tgs_enctypes
>=
>rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96forwardable=true[realms]ACME
>= {        kdc = AD-Server:88}[domain_realm]acme= ACME.acme= ACME
>
>>> This is my jaas.conf com.sun.security.jgss.krb5.initiate {   
>com.sun.security.auth.module.Krb5LoginModule required    debug=true   
>doNotPrompt=true    principal="HTTP/Client2@ACME"    useKeyTab=true   
>keyTab="C:/tomcat/conf/tomcat.keytab"    //useTicketCache=true   
>storeKey=true;};com.sun.security.jgss.krb5.accept {   
>com.sun.security.auth.module.Krb5LoginModule required    debug=true   
>doNotPrompt=true    principal="HTTP/Client2@ACME"    useKeyTab=true   
>keyTab="C:/tomcat/conf/tomcat.keytab"    //useTicketCache=true   
>storeKey=true;};
>
>>> The weird thing is regardless of what username and password I put in
>when I accessed the tomcat manager web-app the debug message shown is
>the same. Debug is  true storeKey true useTicketCache false useKeyTab
>true doNotPrompt true ticketCache is null isInitiator true KeyTab is
>C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is
>HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass
>is false clearPass is false>>> KeyTabInputStream, readName(): acme>>>
>KeyTabInputStream, readName(): HTTP>>> KeyTabInputStream, readName():
>Client2>>> KeyTab: load() entry length: 52; type: 23Looking for keys
>for: HTTP/Client2@ACMEJava config name: C:\tomcat\conf\krb5.iniLoaded
>from Java configAdded key: 23version: 0>>> KdcAccessibility:
>resetLooking for keys for: HTTP/Client2@ACMEAdded key: 23version:
>0default etypes for default_tkt_enctypes: 23 17.>>> KrbAsReq creating
>message>>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number
>of retries =3, #bytes=124>>> KDCCommunication: kdc=AD-Server UDP:88,
>timeout=30000,Attempt =1, #bytes=124
>
>> Could you try to add the missing newlines? It is really hard to read the
>> text without them.
>>
>> Regards Felix
>
>>>>>> KrbKdcReq send: #bytes read=538>>> KdcAccessibility: remove
>AD-Server:88Looking for keys for: HTTP/Client2@ACMEAdded key:
>23version: 0>>> EType:
>sun.security.krb5.internal.crypto.ArcFourHmacEType>>> KrbAsRep cons in
>KrbAsReq.getReply HTTP/Client2principal is HTTP/Client2@ACMEWill use
>keytabCommit Succeeded
>
>>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
>sun.security.jgss.spnego.SpNegoCredElement)Search Subject for Kerberos
>V5 ACCEPT cred (<<DEF>>,
>sun.security.jgss.krb5.Krb5AcceptCredential)Found KeyTab
>C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACMEFound KeyTab
>C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACMEFound ticket for
>HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14
>02:49:29 CST 2014                [Krb5LoginModule]: Entering logout    
>           [Krb5LoginModule]: logged out Subject
>
>>> I added this in my server.xml <Realm
>className="org.apache.catalina.realm.LockOutRealm">	<Realm
>className="org.apache.catalina.realm.JAASRealm"
>appName="JspKerberosDemo" allRolesMode="strictAuthOnly" /> </Realm>
>
>>> When I tried login, it doesn't seem to recognize the valid
>credential. The app keeps on asking me to enter a valid credential.
>What do I need to change to make it work?
>
>>> Date: Tue, 14 Oct 2014 18:03:07 -0700
>
>>> From: [hidden email]
>
>>> To: [hidden email]
>
>>> Subject: RE: Tomcat windows authentication domain login issue
>
>>> 	> From: tantaryu [mailto:[hidden email]]
>
>>>> Subject: Re: Tomcat windows authentication domain login issue
>
>>>> Let me know if you can read it still. I didn't check the "Message is in
>>>> HTML Format" option.
>
>>> It didn't help.  Don't use Nabble - post to the user's list directly
>from an e-mail client.
>
>>>    - Chuck
>
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
>PROPRIETARY MATERIAL and is thus for use only by the intended
>recipient. If you received this in error, please contact the sender and
>delete the e-mail and its attachments from all computers.
>
>>>
>---------------------------------------------------------------------
>
>>> To unsubscribe, e-mail: [hidden email]
>
>>> For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

