From: Felix Schumacher
Date: Wed, 15 Oct 2014 09:55:46 +0200
To: users@tomcat.apache.org
Subject: Re: Tomcat windows authentication domain login issue
Message-ID: <543E2882.1090900@internetallee.de>

On 15.10.2014 at 03:48, tantaryu wrote:
> Okay, now I tried with an email client. Let's see if it works.
>
> I need some idea on what's wrong with my tomcat configuration for windows authentication. I followed the tomcat windows authentication tutorial and used the "manager" web application that comes with tomcat to do a poc. In my web.xml I changed BASIC to SPNEGO and also changed the auth-constraint to the following *.
>
> This is my krb5.ini
>
> [libdefaults]
> default_realm = ACME
> default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
>
> [realms]
> ACME = {
>     kdc = AD-Server:88
> }
>
> [domain_realm]
> acme= ACME
> .acme= ACME
>
> This is my jaas.conf
>
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     debug=true
>     doNotPrompt=true
>     principal="HTTP/Client2@ACME"
>     useKeyTab=true
>     keyTab="C:/tomcat/conf/tomcat.keytab"
>     //useTicketCache=true
>     storeKey=true;
> };
>
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     debug=true
>     doNotPrompt=true
>     principal="HTTP/Client2@ACME"
>     useKeyTab=true
>     keyTab="C:/tomcat/conf/tomcat.keytab"
>     //useTicketCache=true
>     storeKey=true;
> };
>
> The weird thing is regardless of what username and password I put in when I accessed the tomcat manager web-app the debug message shown is the same.
>
> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/tomcat/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/Client2@ACME tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> >>> KeyTabInputStream, readName(): acme
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): Client2
> >>> KeyTab: load() entry length: 52; type: 23
> Looking for keys for: HTTP/Client2@ACME
> Java config name: C:\tomcat\conf\krb5.ini
> Loaded from Java config
> Added key: 23version: 0
> >>> KdcAccessibility: reset
> Looking for keys for: HTTP/Client2@ACME
> Added key: 23version: 0
> default etypes for default_tkt_enctypes: 23 17.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=AD-Server UDP:88, timeout=30000, number of retries =3, #bytes=124
> >>> KDCCommunication: kdc=AD-Server UDP:88, timeout=30000,Attempt =1, #bytes=124

Could you try to add the missing newlines? It is really hard to read the text without them.

Regards
 Felix

> >>> KrbKdcReq send: #bytes read=538
> >>> KdcAccessibility: remove AD-Server:88
> Looking for keys for: HTTP/Client2@ACME
> Added key: 23version: 0
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/Client2
> principal is HTTP/Client2@ACME
> Will use keytab
> Commit Succeeded
>
> Search Subject for SPNEGO ACCEPT cred (<>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
> Found KeyTab C:\tomcat\conf\tomcat.keytab for HTTP/Client2@ACME
> Found ticket for HTTP/Client2@ACME to go to krbtgt/ACME@ACME expiring on Tue Oct 14 02:49:29 CST 2014
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
>
> I added this in my server.xml
>
> When I tried login, it doesn't seem to recognize the valid credential. The app keeps on asking me to enter a valid credential. What do I need to change to make it work?
>
> > Date: Tue, 14 Oct 2014 18:03:07 -0700
> > From: ml-node+s10n5023854h44@n6.nabble.com
> > To: ming.sa@outlook.com
> > Subject: RE: Tomcat windows authentication domain login issue
> >
> > > From: tantaryu [mailto:[hidden email]]
> > > Subject: Re: Tomcat windows authentication domain login issue
> > >
> > > Let me know if you can read it still. I didn't check the "Message is in HTML Format" option.
> >
> > It didn't help. Don't use Nabble - post to the user's list directly from an e-mail client.
> >
> >  - Chuck
>
> --
> View this message in context: http://tomcat.10.x6.nabble.com/Tomcat-windows-authentication-domain-login-issue-tp5023801p5023855.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
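The JDK trace quoted above reports `KeyTab: load() entry length: 52; type: 23` while loading `C:/tomcat/conf/tomcat.keytab`; enctype 23 is rc4-hmac. The following Python script is an added example, not code from the thread, from Tomcat or from the JDK: it parses a version-0x0502 MIT keytab (the format `KeyTabInputStream` reads), lists each entry's principal, kvno and enctype, and audits the file against the `principal` from the posted jaas.conf and the `default_tkt_enctypes` list from the posted krb5.ini, flagging deprecated enctypes and enctypes that are configured but have no key. The keytab bytes are constructed inline with placeholder keys, and the function names `parse_keytab`, `audit_keytab` and `build_entry` are this example's own. A constructed rc4-hmac entry for `HTTP/Client2@ACME` serialises to exactly 52 bytes, the length the trace shows.

```python
# Added example: inspect an MIT-format (0x0502) Kerberos keytab and audit it
# against the krb5.ini / jaas.conf values from the thread. Not Tomcat/JDK code.
import struct

# Enctype numbers as they appear in the JDK trace ("type: 23")
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# DES, 3DES and RC4 are deprecated for Kerberos (RFC 6649, RFC 8429)
WEAK_ENCTYPES = {1, 3, 16, 23}


def _counted(blob: bytes, off: int):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", blob, off)
    off += 2
    return blob[off:off + n], off + n


def parse_keytab(blob: bytes) -> list:
    """Return one dict per live entry of a version-0x0502 keytab."""
    if len(blob) < 2 or blob[0] != 0x05 or blob[1] != 0x02:
        raise ValueError("not a version 0x0502 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:               # negative size marks a deleted slot: skip it
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)   # realm is not counted in v2
        off += 2
        realm, off = _counted(blob, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(blob, off)
            comps.append(c.decode("utf-8"))
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", blob, off)
        off += 4
        key = blob[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:         # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", blob, off)
            vno = vno32 or vno8
        off = end
        entries.append({
            "size": size, "principal": "/".join(comps) + "@" + realm.decode("utf-8"),
            "name_type": name_type, "timestamp": timestamp, "kvno": vno,
            "enctype": enctype, "key_len": len(key),   # key bytes deliberately not exported
        })
    return entries


def audit_keytab(entries: list, principal: str, tkt_enctypes: str) -> list:
    """Check the keytab against the jaas.conf principal and the krb5.ini
    default_tkt_enctypes list; return a list of human-readable findings."""
    wanted = [e.strip() for e in tkt_enctypes.split(",") if e.strip()]
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        have = sorted({e["principal"] for e in entries})
        return [f"no entry for {principal}; keytab holds {have}"]
    findings, present = [], set()
    for e in mine:
        name = ENCTYPE_NAMES.get(e["enctype"], f"enctype-{e['enctype']}")
        present.add(name)
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{principal} kvno {e['kvno']}: {name} is deprecated")
    for name in wanted:
        if name not in present:
            findings.append(f"default_tkt_enctypes lists {name} but keytab has no such key")
    return findings


def build_entry(realm: str, comps: list, enctype: int, key: bytes,
                vno: int = 1, timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one v2 keytab entry (used only to construct sample input)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        b = s.encode("utf-8")
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab with placeholder keys (not real credentials):
# an rc4-hmac key and an aes128 key for the service principal from the thread.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("ACME", ["HTTP", "Client2"], 23, b"\x11" * 16)
                 + build_entry("ACME", ["HTTP", "Client2"], 17, b"\x22" * 16))
PRINCIPAL = "HTTP/Client2@ACME"                       # from the posted jaas.conf
DEFAULT_TKT_ENCTYPES = "rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96"

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e['principal']}  kvno={e['kvno']}  "
              f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}  ({e['size']} bytes)")
    for finding in audit_keytab(entries, PRINCIPAL, DEFAULT_TKT_ENCTYPES):
        print("finding:", finding)
```

To run it against a real file, replace `SAMPLE_KEYTAB` with `open(path, "rb").read()`; the script never prints key material, only principal, kvno, enctype and entry size, so its output is safe to paste into a list post. With the sample input it reports the rc4-hmac key as deprecated and notes that aes256-cts-hmac-sha1-96 is configured in `default_tkt_enctypes` but absent from the keytab.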