tomcat-users mailing list archives

From tantaryu <>
Subject RE: Tomcat windows authentication domain login issue
Date Wed, 15 Oct 2014 01:48:16 GMT
Okay, now I tried with a email client. Let's see if it works.
I need some idea on what's wrong with my tomcat configuration for windows authentication.
I followed the Tomcat Windows authentication tutorial and used the "manager" web application
that comes with Tomcat to do a PoC. In my web.xml I changed <auth-method>BASIC</auth-method>
to <auth-method>SPNEGO</auth-method> and also changed the auth-constraint to the
following: <auth-constraint><role-name>*</role-name></auth-constraint>.

This is my krb5.ini:

    [libdefaults]
    default_realm = ACME
    default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable = true

    [realms]
    ACME = {
        kdc = AD-Server:88
    }

    [domain_realm]
    acme = ACME
    .acme = ACME
This is my jaas.conf:

    /* Editor's note: the entry names and the login-module class on the lines
       below were lost in the archive rendering; they are reconstructed from the
       Tomcat Windows authentication how-to the message says it followed. */
    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        principal="HTTP/Client2@ACME"
        useKeyTab=true
        keyTab="C:/tomcat/conf/tomcat.keytab"
        //useTicketCache=true
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        principal="HTTP/Client2@ACME"
        useKeyTab=true
        keyTab="C:/tomcat/conf/tomcat.keytab"
        //useTicketCache=true
        storeKey=true;
    };
The weird thing is that, regardless of what username and password I put in when I access the Tomcat
manager web app, the debug message shown is the same:

    Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    >>> KeyTabInputStream, readName(): acme
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): Client2
    >>> KeyTab: load() entry length: 52; type: 23
    Looking for keys for: HTTP/Client2@ACME
    Java config name: C:\tomcat\conf\krb5.ini
    Loaded from Java config
    Added key: 23version: 0
    >>> KdcAccessibility: reset
    Looking for keys for: HTTP/Client2@ACME
    Added key: 23version: 0
    default etypes for default_tkt_enctypes: 23 17.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
    >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124
    >>> KrbKdcReq send: #bytes read=538
    >>> KdcAccessibility: remove AD-Server:88
    Looking for keys for: HTTP/Client2@ACME
    Added key: 23version: 0
    >>> EType:
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
    principal is HTTP/Client2@ACME
    Will use keytab
    Commit
    Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
    Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
    KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
    Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
    Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
                    [Krb5LoginModule]: Entering logout
                    [Krb5LoginModule]: logged out Subject
I added this in my server.xml:

    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.JAASRealm"
             appName="JspKerberosDemo"
             allRolesMode="strictAuthOnly" />
    </Realm>
When I try to log in, it doesn't seem to recognize the valid credential. The app keeps asking
me to enter a valid credential. What do I need to change to make it work?
Date: Tue, 14 Oct 2014 18:03:07 -0700
Subject: RE: Tomcat windows authentication domain login issue

> From: tantaryu [mailto:[hidden email]]
> Subject: Re: Tomcat windows authentication domain login issue
> Let me know if you can read it still. I didn't check the "Message is in
> HTML Format" option.

It didn't help.  Don't use Nabble - post to the user's list directly from an e-mail client.

 - Chuck
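An added check, not code from this thread or from Tomcat: a small Python lint for a JAAS login configuration that confirms the entry names Tomcat's SpnegoAuthenticator (default login config name com.sun.security.jgss.krb5.accept) and JAASRealm (its appName) will look up actually exist, and that each module's principal realm and keytab options agree with krb5.ini's default_realm. The jaas.conf text is constructed after the one quoted above; the entry names and the Krb5LoginModule class are assumed from the Tomcat Windows authentication how-to.

```python
import re
# Constructed jaas.conf modelled on the one quoted above; entry names and the
# module class are those from the Tomcat Windows-auth how-to (assumed here).
JAAS_CONF = """
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true principal="HTTP/Client2@ACME" useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab" //useTicketCache=true
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true principal="HTTP/Client2@ACME" useKeyTab=true
    keyTab="C:/tomcat/conf/tomcat.keytab" storeKey=true;
};
"""
FLAGS = {"required", "requisite", "sufficient", "optional"}
ENTRY_RE = re.compile(r"([\w.$]+)\s*\{(.*?)\};", re.S)      # Name { ... };
MODULE_RE = re.compile(r"([\w.$]+)\s+(\w+)([^;]*);")         # Class flag opts;
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*"?([^"\s]*)"?')     # key=value / key="v"

def parse_jaas(text):
    """Regex parser for JAAS login-config syntax (simpler than the JDK tokenizer)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # strip /* */ comments
    text = re.sub(r"//[^\n]*", "", text)                # strip // comments
    return {name: [(cls, flag, dict(OPTION_RE.findall(opts)))
                   for cls, flag, opts in MODULE_RE.findall(body)]
            for name, body in ENTRY_RE.findall(text)}

def lint(entries, realm_app_name, default_realm):
    """Return findings; an empty list means the names and options line up."""
    findings = []
    # SpnegoAuthenticator looks up com.sun.security.jgss.krb5.accept unless its
    # loginConfigName attribute says otherwise; JAASRealm looks up its appName.
    for needed in ("com.sun.security.jgss.krb5.accept", realm_app_name):
        if needed not in entries:
            findings.append(f"no JAAS entry named '{needed}'")
    for name, mods in entries.items():
        if not mods:
            findings.append(f"{name}: no login module listed")
        for cls, flag, opt in mods:
            if flag not in FLAGS:
                findings.append(f"{name}: '{flag}' is not a JAAS control flag")
            principal = opt.get("principal", "")
            realm = principal.rsplit("@", 1)[1] if "@" in principal else ""
            if realm and realm != default_realm:
                findings.append(f"{name}: principal realm {realm} != {default_realm}")
            if opt.get("useKeyTab") == "true" and "keyTab" not in opt:
                findings.append(f"{name}: useKeyTab=true without a keyTab path")
    return findings
```

Running lint(parse_jaas(JAAS_CONF), "JspKerberosDemo", "ACME") reports only that no entry named JspKerberosDemo exists, which is the first thing to compare against the appName in server.xml.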
