We need to split between constrained and unconstrained delegation. Let's stay
with unconstrained, simplest one.
For that to happen you need:
* Enable it for the service account (acceptor side)
* Set the delegate flag (also there is a policy) on the security context
(initiator side)
Try again. Th
Thanks for the reply Michael,
I'm trying to achieve retrieving delegated credentials. I'm confused by the
debug output because I'm being told that authentication succeeded but no
indication of why I'm not receiving delegated credentials other than there
are none. I have looked over the delegation r
On 2024/05/02 19:20:59 Tom Delaney wrote:
> Hi All,
>
> Sorry for the duplicate requests. The first one was accidentally flagged
> for Google's new Confidential Mode which happened to be flagged.
> I have a red hat 9.2 server hosting a web application on a single instance
> of Apache Tomcat. This
Tom Delaney has sent you an email via Gmail confidential mode:
Re: SPNEGO GSSCaller {UNKNOWN} No Delegated Creds
<https://confidential-mail.google.com/msg/AJ05YhfeGMtaULvQONHydor3-HWpWsb1xJ3tZJ35SH0U8kxvJIPpKEc9wRaa7uacfDUwg1PbwWJJZqFQzDl26IiNtrsAyHw3t4XjnbAx4Qn6Lj7v
On 14/05/2015 22:29, Mark Thomas wrote:
> On 14/05/2015 21:11, Mark Thomas wrote:
>> On 29/03/2015 23:13, André Warnier wrote:
>>> David Marsh wrote:
I've tested all the following public JDKs
jdk-7u45-windows-i586.exe
jdk-7u65-windows-i586.exe
jdk-7u75-windows-i586.exe
jdk-
On 14/05/2015 21:11, Mark Thomas wrote:
> On 29/03/2015 23:13, André Warnier wrote:
>> David Marsh wrote:
>>> I've tested all the following public JDKs
>>> jdk-7u45-windows-i586.exe
>>> jdk-7u65-windows-i586.exe
>>> jdk-7u75-windows-i586.exe
>>> jdk-8-windows-i586.exe
>>> jdk-8u5-windows-i586.exe
>
On 29/03/2015 23:13, André Warnier wrote:
> David Marsh wrote:
>> I've tested all the following public JDKs
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i
ker.run(ThreadPoolExecutor.java:617)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader
did not find
the right
tag)
at sun.security.jgss.GSSHeader
straints Checking constraint 'SecurityConstraint[JMX Proxy interface]'
against GET /images/tomca
t.gif --> false
28-Mar-2015 14:21:28.864 FINE [http-nio-80-exec-4]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manag
works ?
David
--------
Subject: Re: SPNEGO test configuration with Manager webapp
From: felix.schumac...@internetallee.de
Date: Sun, 29 Mar 2015 10:13:29 +0200
To: users@tomcat.apache.org
Am 28. März 2015 17:46:50 MEZ, schrieb Mark Thomas :
On 28/03/2015 14:43, David Marsh wrote:
Ok so I w
-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
Seems a recent "fix" must have broken it.
David
--------
> Subject: Re: SPNEGO test configuration with Manager webapp
> From: felix.schumac...@internetallee.de
> Date: Sun, 29 Mar 2015
ult
* constrained delegation is supported.
My guess would be, that it would help (in this case) to reenable DES by adding
allow_weak_crypto=true in the krb5.conf.
Regards
Felix
>
>Mark
>
>
>>
>> David
>>
>>
>>> Fro
From: dmars...@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Fri, 27 Mar 2015 23:40:06 +
>>
>> By the way Tomcat 8 was running on JDK :-
>>
>> C:\Windows\system32>java -version
>>
David
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Fri, 27 Mar 2015 23:40:06 +
>
> By the way Tomcat 8 was running on JDK :-
>
> C:\Windows\system32>java -version
>
's and the Negotiate.
> Date: Thu, 26 Mar 2015 12:11:34 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>>
>> Thank
y
dealing with NTLM matters. There are probably some hidden caches that get cleared only in
that way.
many thanks
David
Date: Thu, 26 Mar 2015 11:32:39 +0100
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
ket in the Java session cache.
So problem seems to be either :-
1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it
many thanks
David
> Date: Thu, 26 Mar 2015 11:32:39 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test
x-based).
And there are very few people (and web pages) which span both worlds with their various
combinations.
David
Date: Thu, 26 Mar 2015 09:00:22 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
On 26/03/2015 00:36, David Marsh wro
Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure kerberos token is passed to
tomcat and not NTLM token ?
David
> Date: Thu, 26 Mar 2015 09:00:22 +
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration
On 26/03/2015 00:36, David Marsh wrote:
> Still getting :-
> java.security.PrivilegedActionException: GSSException: Defective token
> detected (Mechanism level: G
> SSHeader did not find the right tag)
>
> Folks here mention lack of NegoEx support or bugs in GSS-API ?
>
> http://sourceforge.net
rberos and Windows
Kerberos, depend on the versions of both Java and Windows Server..
Man, this thing is really a nightmare, isn't it ?
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Does Tomcat 8 work with NegoEx ?
Is Windows 8.1 and Windows Server 2012 RC2 supported ?
many thanks
David
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Thu, 26 Mar 2015 00:18:11 +
>
> With
ead=1653>>> KdcAccessibility: remove win-dc01.kerbtest.local:88Looking for
keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCALAdded key: 17version:
15Added key: 18version: 15Added key: 23version: 15Found unsupported keytype (3)
for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCALFound unsupported
)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.(Unknown Source)
... 5 more
> From: dmars...@outlook.co
bAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match e
utlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +
It's possible I guess, although I would not expect that.
The test is :-
Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
Firefox is not con
--
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +
It's possible I guess, although I would not expect that.
The test is :-
Client Test Windows 8.1 VM with Firefox -> Tomcat Server Wind
ES-CBC-CRC" to the ktpass call (as in
https://community.oracle.com/thread/1527560).
Felix
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +000
h Java and Windows Server..
Man, this thing is really a nightmare, isn't it ?
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +
It's possible I
init.java:113)
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 16:50:47 +
>
> It's possible I guess, although I would not expect that.
>
> The test
T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E="
Response WWW-Authenticate: "Negotiate"
I'm not sure how long they should be, but they all end "=" so expect not
truncated ?
> Subject: RE: SPNEGO test configuration with Man
ity.AccessController.doPrivileged(Native Method)
>at javax.security.auth.Subject.doAs(Subject.java:422)
>at
>org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
>va:243)
>at
>org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
> Server: HTTP/win-tc01.kerbtest.local @ KERBTEST.LOCAL
>> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
>> Ticket Flags 0x40a1 -> forwardable renewable pre_authent
>> name_canoni
>> calize
>> Start Time: 3/25/2015 14:51:21 (local)
>> End Time: 3/26/2
ndows, or how
the java one is used).
Felix
Date: Tue, 24 Mar 2015 22:46:15 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks
te: Tue, 24 Mar 2015 22:46:15 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks for your help!
I have enabled krb5 and gss debug. I altered CATALINA_OPTS in startup.bat and
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks for your help!
>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in star
is not in evidence here for now.
Maybe the SPNs don't match, between the KDC and the Tomcat server ?
"ktlist" may be a good tool on both, to list what's there and compare.
David
Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@
24 Mar 2015 21:39:38 +0100
>> From: felix.schumac...@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>> Everything is as described and s
btest.local@KERBTEST.LOCAL"
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat
8.0/conf/tomcat.keytab"
storeKey=true;
};
In other words the principal is the tomcat server as it should be.
Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schu
cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<>, sun.security.jgss.spnego.SpNegoC
redElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5
AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\T
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> Am 24.03.2015 um 21:25 schrieb David Marsh:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> >
om: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
Am 24.03.2015 um 21:05 schrieb David Marsh:
Sorry that's :-
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat serv
I copied old config file to mail yes.
> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> Am 24.03.2015 um 2
useKeyTab=true
keyTab="C:/Program Files/Apache Software Foundation/Tomcat
8.0/conf/tomcat.keytab"
storeKey=true;
};
In other words the principal is the tomcat server as it should be.
> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: u
Am 24.03.2015 um 21:05 schrieb David Marsh:
Sorry that's :-
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or just to point out, that you
copied the wrong jaas.conf for the mail?
Felix
Am 24.03.2015 um 21:02 schrieb David Marsh:
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM
The Tomcat Server and the
Sorry that's :-
> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: SPNEGO test configuration with Manager webapp
> Date: Tue,
On 24/03/2015 15:17, David Marsh wrote:
SPNEGO is fickle. Sometimes the smallest change can cause problems.
Set up a test environment as close to the How-To as possible. You should
definitely be using three separate machines (or VMs).
Get this working. If your test environment doesn't work, fi
I was using Internet Explorer and had added the IP address of to domain
controller/ tomcat server to the trusted sites list in the Intranet zone. I was
not using https. I was using a Windows 8 client VM to talk to a Windows Server
2012 VM.
I have now tried Firefox with SPNEGO and can confirm with
David Marsh wrote:
Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf
com.sun.security.jgss.krb5.initiate {...};
com.sun.security.jgss.krb5.accept {com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=t
Am 29.08.2014 um 15:44 schrieb Seshadri, Usha:
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, August 29, 2014 1:44 AM
To: Tomcat Users List
Subject: EXTERNAL: Re: Spnego authentication with Tomcat 7.0.55 on Linux 6.5
returns null from request.getremoteUser
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, August 29, 2014 1:44 AM
To: Tomcat Users List
Subject: EXTERNAL: Re: Spnego authentication with Tomcat 7.0.55 on Linux 6.5
returns null from request.getremoteUser
On 29/08/2014 03:51, Seshadri, Usha wrote:
>
On 29/08/2014 03:51, Seshadri, Usha wrote:
> Hi,
> I am trying to configure spnego out of the box on tomcat 7.0.55 on Linux 6.5,
> with directions given at
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. And I am
> trying to test the configuration with a sample hello_spnego.js
Darren Salomons wrote:
I have successfully setup SPNEGO auth Valve using the included
SpnegoAuthenticator with tomcat 7.0.26 and using an LDAP realm to
retrieve the roles.
This SPNEGO requires that the web.xml use the auth-method: SPNEGO.
Is there a way to fallback to BASIC or FORM authenticati
Caldarale, Charles R schrieb:
The krb5 extension to jCIFS might satisfy your needs:
http://jcifs.samba.org/
Thanks, haven't seen that before.
I discovered http://dev.taglab.com/sites/taglab-public/support/spnego.html
But I'd like to know if anybody's using such a tool.
Guido
---
> From: Guido Schoepp [mailto:[EMAIL PROTECTED]
> Subject: SPNEGO
>
> did anybody successfully bind a SPNEGO auth to a webapp?
The krb5 extension to jCIFS might satisfy your needs:
http://jcifs.samba.org/
- Chuck
56 matches