On 14/05/2015 22:29, Mark Thomas wrote:
> On 14/05/2015 21:11, Mark Thomas wrote:
>> On 29/03/2015 23:13, André Warnier wrote:
>>> David Marsh wrote:
I've tested all the following public JDKs
jdk-7u45-windows-i586.exe
jdk-7u65-windows-i586.exe
jdk-7u75-windows-i586.exe
jdk-
On 14/05/2015 21:11, Mark Thomas wrote:
> On 29/03/2015 23:13, André Warnier wrote:
>> David Marsh wrote:
>>> I've tested all the following public JDKs
>>> jdk-7u45-windows-i586.exe
>>> jdk-7u65-windows-i586.exe
>>> jdk-7u75-windows-i586.exe
>>> jdk-8-windows-i586.exe
>>> jdk-8u5-windows-i586.exe
>
On 29/03/2015 23:13, André Warnier wrote:
> David Marsh wrote:
>> I've tested all the following public JDKs
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i
ker.run(ThreadPoolExecutor.java:617)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader
did not find
the right
tag)
at sun.security.jgss.GSSHeader
straints Checking constraint 'SecurityConstraint[JMX Proxy interface]'
against GET /images/tomca
t.gif --> false
28-Mar-2015 14:21:28.864 FINE [http-nio-80-exec-4]
org.apache.catalina.realm.RealmBase.findSecurityC
onstraints Checking constraint 'SecurityConstraint[HTML Manag
works ?
David
----
Subject: Re: SPNEGO test configuration with Manager webapp
From: felix.schumac...@internetallee.de
Date: Sun, 29 Mar 2015 10:13:29 +0200
To: users@tomcat.apache.org
Am 28. März 2015 17:46:50 MEZ, schrieb Mark Thomas :
On 28/03/2015 14:43, David Marsh wrote:
Ok so I w
-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
Seems a recent "fix" must broken it.
David
----
> Subject: Re: SPNEGO test configuration with Manager webapp
> From: felix.schumac...@internetallee.de
> Date: Sun, 29 Mar 2015
ult
* constrained delegation is supported.
My guess would be, that it would help (in this case) to reenable DES by adding
allow_weak_crypto=true in the krb5.conf.
Regards
Felix
>
>Mark
>
>
>>
>> David
>>
>> ------------
>>> Fro
From: dmars...@outlook.com
>> To: users@tomcat.apache.org
>> Subject: RE: SPNEGO test configuration with Manager webapp
>> Date: Fri, 27 Mar 2015 23:40:06 +
>>
>> By the way Tomcat 8 was running on JDK :-
>>
>> C:\Windows\system32>java -version
>>
David
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Fri, 27 Mar 2015 23:40:06 +
>
> By the way Tomcat 8 was running on JDK :-
>
> C:\Windows\system32>java -version
>
x27;s and the Negotiate.
> Date: Thu, 26 Mar 2015 12:11:34 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>>
>> Thank
y
dealing with NTLM matters. There are probably some hidden caches that get cleared only in
that way.
many thanks
David
Date: Thu, 26 Mar 2015 11:32:39 +0100
From: a...@ice-sa.com
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
David Marsh wrote:
ket in the Java session cache.
So problem seems to be either :-
1. Browser sends bad token
2. Token is good but Oracle JDK 8 GSS-API cannot handle it
many thanks
David
> Date: Thu, 26 Mar 2015 11:32:39 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test
x-based).
And there are very few people (and web pages) which span both worlds with their various
combinations.
David
Date: Thu, 26 Mar 2015 09:00:22 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
On 26/03/2015 00:36, David Marsh wro
Hi Mark,
Thanks that would be great !
Do you have a good mechanism to test and ensure kerberos token is passed to
tomcat and not NTLM token ?
David
> Date: Thu, 26 Mar 2015 09:00:22 +
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration
On 26/03/2015 00:36, David Marsh wrote:
> Still getting :-
> java.security.PrivilegedActionException: GSSException: Defective token
> detected (Mechanism level: G
> SSHeader did not find the right tag)
>
> Folks here mention lack of NegoEx support or bugs in GSS-APi ?
>
> http://sourceforge.net
rberos and Windows
Kerberos, depend on the versions of both Java and Windows Server..
Man, this thing is really a nightmare, isn't it ?
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Does Tomcat 8 work with NegoEx ?
Is Windows 8.1 and Windows Server 2012 RC2 supported ?
many thanks
David
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Thu, 26 Mar 2015 00:18:11 +
>
> With
ead=1653>>> KdcAccessibility: remove win-dc01.kerbtest.local:88Looking for
keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCALAdded key: 17version:
15Added key: 18version: 15Added key: 23version: 15Found unsupported keytype (3)
for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCALFound unsupported
)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.(Unknown Source)
... 5 more
> From: dmars...@outlook.co
bAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match e
utlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +
Its possible I guess, although I would not expect that.
The test is :-
Client Test Windows 8.1 VM with Firefox -> Tomcat Server Windows 8.1 VM
Firefox is not con
--
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +
Its possible I guess, although I would not expect that.
The test is :-
Client Test Windows 8.1 VM with Firefox -> Tomcat Server Wind
ES-CBC-CRC" to the ktpass call (as in
https://community.oracle.com/thread/1527560).
Felix
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +000
h Java and Windows Server..
Man, this thing is really a nightmare, isn't it ?
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: RE: SPNEGO test configuration with Manager webapp
Date: Wed, 25 Mar 2015 16:50:47 +
Its possible I
init.java:113)
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: RE: SPNEGO test configuration with Manager webapp
> Date: Wed, 25 Mar 2015 16:50:47 +
>
> Its possible I guess, although I would not expect that.
>
> The test
T5DR452ffxipG4yvXMCebDCnetitAbeIPXFJv1hdaJuMCO2E="
Reponse WWW-Authenticate: "Negotiate"
I'm not sure how long they should be, but they all end "=" so expect not
truncated ?
------------
> Subject: RE: SPNEGO test configuration with Man
ity.AccessController.doPrivileged(Native Method)
>at javax.security.auth.Subject.doAs(Subject.java:422)
>at
>org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.ja
>va:243)
>at
>org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader
did not find the right
tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptS
ndows, or how
the java one is used).
Felix
Date: Tue, 24 Mar 2015 22:46:15 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks
te: Tue, 24 Mar 2015 22:46:15 +
From: ma...@apache.org
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
On 24/03/2015 20:47, David Marsh wrote:
Hi Felix,
Thanks fort your help!
I have enabled krb5 and gss debug.I altered CATALINA_OPTS in startup.bat and
; From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks fort your help!
>> I have enabled krb5 and gss debug.I altered CATALINA_OPTS in star
is not in evidence here for now.
Maybe the SPNs don't match, between the KDC and the Tomcat server ?
"ktlist" may be a good tool on both, to list what's there and compare.
David
Date: Tue, 24 Mar 2015 21:39:38 +0100
From: felix.schumac...@internetallee.de
To: users@
24 Mar 2015 21:39:38 +0100
>> From: felix.schumac...@internetallee.de
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> Am 24.03.2015 um 21:25 schrieb David Marsh:
>>> Everything is as described and s
ing with this configuration, or just to point out, that you
copied the wrong jaas.conf for the mail?
Felix
------------
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +
cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<>, sun.security.jgss.spnego.SpNegoC
redElement)
Search Subject for Kerberos V5 ACCEPT cred (<>, sun.security.jgss.krb5.Krb5
AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\T
; From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> Am 24.03.2015 um 21:25 schrieb David Marsh:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> >
om: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
Am 24.03.2015 um 21:05 schrieb David Marsh:
Sorry thats :-
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat serv
I copied old config file to mail yes.
> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> Am 24.03.2015 um 2
t server DNS.
> Is it working with this configuration, or just to point out, that you
> copied the wrong jaas.conf for the mail?
>
> Felix
>>
>> ------------
>>> From: dmars...@outlook.com
>>> To: users@tomcat.apache.
l?
Felix
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows V
Am 24.03.2015 um 21:02 schrieb David Marsh:
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM
The Tomcat Server and the
Sorry thats :-
> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: SPNEGO test configuration with Mana
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM
The Tomcat Server and the Test Client are joined to the same domain
k
On 24/03/2015 15:17, David Marsh wrote:
SPNEGO is fickle. Sometimes the smallest change can cause problems.
Set up a test environment as close to the How-To as possible. You should
definitely be using three separate machines (or VMs).
Get this working. If your test environment doesn't work, fi
I was using Internet explorer and had added the ip address of to domain
controller/ tomcat server to the trusted sites list in the Intranet zone.I was
not using https.I was using a Windows 8 client VM to talk to a Windows Server
2012 VM.
I have now tried Firefox with SPNEGO and can confirm with
David Marsh wrote:
Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf
com.sun.security.jgss.krb5.initiate {...};
com.sun.security.jgss.krb5.accept {com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=t
Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf
com.sun.security.jgss.krb5.initiate {...};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule requireddoNotPrompt=true
principal="HT
48 matches
Mail list logo
