tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From tantaryu <ming...@outlook.com>
Subject RE: Tomcat windows authentication domain login issue
Date Wed, 15 Oct 2014 09:05:59 GMT
Okay, this might sounds funny. But how do I add a newlines?

Date: Wed, 15 Oct 2014 01:37:42 -0700
From: ml-node+s10n5023863h23@n6.nabble.com
To: ming.sa@outlook.com
Subject: Re: Tomcat windows authentication domain login issue



	Am 15.10.2014 um 10:22 schrieb tantaryu:

>> Let's hope it works this time.

If this was your try to add newlines, than I think it failed.


Felix

>> I need some idea on what's wrong with my tomcat configuration for windows authentication.
I followed the tomcat windows authentication tutorial and uses the "manager" web application
comes with tomcat to do a poc. In my web.xml I change > <auth-method>BASIC</auth-method>
> to> <auth-method>SPNEGO</auth-method>> and also changes the auth-constraint
to the following > <auth-constraint>>  <role-name>*</role-name>>
</auth-constraint>

>> This is my krb5.ini > [libdefaults]> default_realm = ACME> default_keytab_name
= FILE:C:\tomcat\conf\tomcat.keytab> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96>
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96> forwardable=true>
[realms]> ACME = {>        kdc = AD-Server:88>}> [domain_realm]> acme= ACME>
.acme= ACME

>> This is my jaas.conf > com.sun.security.jgss.krb5.initiate {>    com.sun.security.auth.module.Krb5LoginModule
required>    debug=true>    doNotPrompt=true>    principal="HTTP/Client2@ACME">
   useKeyTab=true>    keyTab="C:/tomcat/conf/tomcat.keytab">    //useTicketCache=true>
   storeKey=true;> };> com.sun.security.jgss.krb5.accept {>    com.sun.security.auth.module.Krb5LoginModule
required>    debug=true>    doNotPrompt=true>    principal="HTTP/Client2@ACME">
   useKeyTab=true>    keyTab="C:/tomcat/conf/tomcat.keytab">    //useTicketCache=true>
   storeKey=true;>};

>> The weird thing is regardless of what username and password I put in when I accessed
the tomcat manager web-app the debug message shown is the same.

>> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true
ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config
is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass
is false clearPass is false> >>> KeyTabInputStream, readName(): acme> >>>
KeyTabInputStream, readName(): HTTP> >>> KeyTabInputStream, readName(): Client2>
>>> KeyTab: load() entry length: 52; type: 23> Looking for keys for: HTTP/Client2@ACME>
Java config name: C:\tomcat\conf\krb5.ini> Loaded from Java config> Added key: 23version:
0> >>> KdcAccessibility: reset> Looking for keys for: HTTP/Client2@ACME>
Added key: 23version: 0> default etypes for default_tkt_enctypes: 23 17.> >>>
KrbAsReq creating message> >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000,
number of retries =3, #> bytes=124> >>> KDCCommunication: kdc=AD-Server UDP:88,
timeout=30000,Attempt =1, #bytes=124

>>>>> KrbKdcReq send: #bytes read=538> >>> KdcAccessibility: remove
AD-Server:88> Looking for keys for: HTTP/Client2@ACME> Added key: 23version: 0> >>>
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType> >>> KrbAsRep cons in
KrbAsReq.getReply HTTP/Client2> principal is HTTP/Client2@ACME> Will use keytab>
Commit Succeeded

>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)>
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)>
Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME> Found KeyTab C:\tomcat\conf\tomcat.keytab
for HTTP/Client2@ACME> Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring
on Tue Oct 14 02:49:29 CST 2014>                [Krb5LoginModule]: Entering logout>
               [Krb5LoginModule]: logged out Subject

>> I added this in my server.xml > <Realm className="org.apache.catalina.realm.LockOutRealm">>
<Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly"
/>> </Realm>

>> When I tried login, it doesn't seem to recognize the valid credential. The app keeps
on asking me to enter a valid credential. What do I need to change to make it work?

> Date: Wed, 15 Oct 2014 00:56:33 -0700

> From: [hidden email]

> To: [hidden email]

> Subject: Re: Tomcat windows authentication domain login issue

>

>

>

> 	Am 15.10.2014 um 03:48 schrieb tantaryu:

>

>> Okay, now I tried with a email client. Let's see if it works.

>> I need some idea on what's wrong with my tomcat configuration for windows authentication.
I followed the tomcat windows authentication tutorial and uses the "manager" web application
comes with tomcat to do a poc. In my web.xml I change <auth-method>BASIC</auth-method>
to <auth-method>SPNEGO</auth-method> and also changes the auth-constraint to the
following <auth-constraint>  <role-name>*</role-name></auth-constraint>.

>> This is my krb5.ini [libdefaults]default_realm = ACMEdefault_keytab_name = FILE:C:\tomcat\conf\tomcat.keytabdefault_tkt_enctypes
= rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96forwardable=true[realms]ACME
= {        kdc = AD-Server:88}[domain_realm]acme= ACME.acme= ACME

>> This is my jaas.conf com.sun.security.jgss.krb5.initiate {    com.sun.security.auth.module.Krb5LoginModule
required    debug=true    doNotPrompt=true    principal="HTTP/Client2@ACME"    useKeyTab=true
   keyTab="C:/tomcat/conf/tomcat.keytab"    //useTicketCache=true    storeKey=true;};com.sun.security.jgss.krb5.accept
{    com.sun.security.auth.module.Krb5LoginModule required    debug=true    doNotPrompt=true
   principal="HTTP/Client2@ACME"    useKeyTab=true    keyTab="C:/tomcat/conf/tomcat.keytab"
   //useTicketCache=true    storeKey=true;};

>> The weird thing is regardless of what username and password I put in when I accessed
the tomcat manager web-app the debug message shown is the same. Debug is  true storeKey true
useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true
KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME
tryFirstPass is false useFirstPass is false storePass is false clearPass is false>>>
KeyTabInputStream, readName(): acme>>> KeyTabInputStream, readName(): HTTP>>>
KeyTabInputStream, readName(): Client2>>> KeyTab: load() entry length: 52; type:
23Looking for keys for: HTTP/Client2@ACMEJava config name: C:\tomcat\conf\krb5.iniLoaded from
Java configAdded key: 23version: 0>>> KdcAccessibility: resetLooking for keys for:
HTTP/Client2@ACMEAdded key: 23version: 0default etypes for default_tkt_enctypes: 23 17.>>>
KrbAsReq creating message>>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000,
number of retries =3, #bytes=124>>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt
=1, #bytes=124

> Could you try to add the missing newlines? It is really hard to read the

>

> text without them.

>

>

> Regards Felix

>

>

>>>>> KrbKdcReq send: #bytes read=538>>> KdcAccessibility: remove
AD-Server:88Looking for keys for: HTTP/Client2@ACMEAdded key: 23version: 0>>> EType:
sun.security.krb5.internal.crypto.ArcFourHmacEType>>> KrbAsRep cons in KrbAsReq.getReply
HTTP/Client2principal is HTTP/Client2@ACMEWill use keytabCommit Succeeded

>> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)Search
Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)Found
KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACMEFound KeyTab C:\tomcat\conf\tomcat.keytab
for HTTP/Client2@ACMEFound ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring
on Tue Oct 14 02:49:29 CST 2014                [Krb5LoginModule]: Entering logout        
       [Krb5LoginModule]: logged out Subject

>> I added this in my server.xml <Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.JAASRealm" appName="JspKerberosDemo" allRolesMode="strictAuthOnly"
/> </Realm>

>> When I tried login, it doesn't seem to recognize the valid credential. The app keeps
on asking me to enter a valid credential. What do I need to change to make it work?

>> Date: Tue, 14 Oct 2014 18:03:07 -0700

>> From: [hidden email]

>> To: [hidden email]

>> Subject: RE: Tomcat windows authentication domain login issue

>> 	> From: tantaryu [mailto:[hidden email]]

>>> Subject: Re: Tomcat windows authentication domain login issue

>>> Let me know if you can read it still. I didn't checked the "Message is in

>>> HTML Format"  option.

>> It didn't help.  Don't use Nabble - post to the user's list directly from an e-mail
client.

>>    - Chuck

>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL
and is thus for use only by the intended recipient. If you received this in error, please
contact the sender and delete the e-mail and its attachments from all computers.

>> ---------------------------------------------------------------------

>> To unsubscribe, e-mail: [hidden email]

>> For additional commands, e-mail: [hidden email]

>> 	

>> 	

>> 	

>> 	

>> 	

>> 	

>> 	

>> 		If you reply to this email, your message will be added to the discussion below:

>> 		http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023854.html
>> 	

>> 	

>> 		

>> 		To unsubscribe from Tomcat windows authentication domain login issue, click here.

>> 		NAML

>> 	 		 	   		

>> --

>> View this message in context: http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023855.html
>> Sent from the Tomcat - User mailing list archive at Nabble.com.

>

>

> ---------------------------------------------------------------------

>

> To unsubscribe, e-mail: [hidden email]

>

> For additional commands, e-mail: [hidden email]

>

>

>

>

> 	

> 	

> 	

> 	

>

> 	

>

> 	

> 	

> 		If you reply to this email, your message will be added to the discussion below:

> 		http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023861.html
> 	

> 	

> 		

> 		To unsubscribe from Tomcat windows authentication domain login issue, click here.

>

> 		NAML

> 	 		 	   		

>

>

>

> --

> View this message in context: http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023862.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.



---------------------------------------------------------------------

To unsubscribe, e-mail: [hidden email]

For additional commands, e-mail: [hidden email]




	
	
	
	

	

	
	
		If you reply to this email, your message will be added to the discussion below:
		http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023863.html
	
	
		
		To unsubscribe from Tomcat windows authentication domain login issue, click here.

		NAML
	 		 	   		  



--
View this message in context: http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023866.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message