Hello,
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've followed the guidelines on the website.
jaas.conf
com.sun.security.jgss.krb5.initiate {...};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
principal="HT
I was using Internet Explorer and had added the IP address of the domain
controller/ tomcat server to the trusted sites list in the Intranet zone. I was
not using https. I was using a Windows 8 client VM to talk to a Windows Server
2012 VM.
I have now tried Firefox with SPNEGO and can confirm with
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM
The Tomcat Server and the Test Client are joined to the same domain
k
Sorry that's :-
> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
> From: dmars...@outlook.com
> To: users@tomcat.apache.org
> Subject: SPNEGO test configuration with Manager webapp
> Date: Tue,
sers@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24.03.2015 at 21:05, David Marsh wrote:
>> Sorry that's :-
>>
>>> principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
>> under jaas.conf, it is set to the tomca
I copied old config file to mail yes.
> Date: Tue, 24 Mar 2015 21:17:59 +0100
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> Am 24.03.2015 um 2
> From: felix.schumac...@internetallee.de
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24.03.2015 at 21:25, David Marsh wrote:
> > Everything is as described and still not working, except the jaas.conf is :-
> >
> >
cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\T
> From: ma...@apache.org
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> On 24/03/2015 20:47, David Marsh wrote:
>> Hi Felix,
>> Thanks for your help!
>> I have enabled krb5 and gss debug. I altered CATALINA_OPTS in star
.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptS
ager webapp
> From: felix.schumac...@internetallee.de
> Date: Wed, 25 Mar 2015 17:31:51 +0100
> To: users@tomcat.apache.org
>
>
>
> On 25 March 2015 17:25:25 CET, David Marsh wrote:
>>This is how the keytab was created :-
>>
>>ktpass -ptype KRB5_NT_PRINCIPAL
> Subject: RE: SPNEGO test configuration with Manager webapp
>> From: felix.schumac...@internetallee.de
>> Date: Wed, 25 Mar 2015 17:31:51 +0100
>> To: users@tomcat.apache.org
>>
>>
>>
>> On 25 March 2015 17:25:25 CET, David Marsh wrote:
>>>This
cUdNcmYw/ftHsanMwZEat5lznurgVFDwa6rjxVoc+X/C6Dwl+ME/yEClpwn6bxxDyCssxUgYsiRfWJGCr6EEPdWB5omQUf1o9ArvEbgtyS4kkHGLa3X5FeXctRwi2Yj/uLYnEOZHfkco
>>>>>
>>>>>
>>> Kk31FvdhSr92Kry4926hlS9ao4nyGS7ZVnvr1n8r5V6+D6UbYhUQgBvEaERgc8T822kiij1N/szQePAze4YWWTA0djryRSB0qqMG
ion information was invalid
> sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
> eData provided.
> msgType is 30
>>>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
> PA-ETYPE-
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Found unsupported keytype (1) for
> > HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
> > Added key: 17version: 5
> > Added key: 18version: 5
> > Added k
tication Data:
>>> PA-DATA type = 19
>>> PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.local, s2kparams = null
>>> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>
>>>>>>Pre-Authentication Data:
with Manager webapp
>
> On 26/03/2015 00:36, David Marsh wrote:
> > Still getting :-
> > java.security.PrivilegedActionException: GSSException: Defective token
> > detected (Mechanism level: GSSHeader did not find the right tag)
> >
> > Folks
configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>> Thanks that would be great !
>> Do you have a good mechanism to test and ensure kerberos token is passed to
>> tomcat and not NTLM token ?
>
> I believe that I can answer that.
>
>
's and the Negotiate.
> Date: Thu, 26 Mar 2015 12:11:34 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> Hi Mark,
>>
>> Thank
>
>
>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>> From: a...@ice-sa.com
>> To: users@tomcat.apache.org
>> Subject: Re: SPNEGO test configuration with Manager webapp
>>
>> David Marsh wrote:
>>> Hi Mark,
>>>
10:13:29 +0200
> To: users@tomcat.apache.org
>
>
>
> On 28 March 2015 17:46:50 CET, Mark Thomas wrote:
>>On 28/03/2015 14:43, David Marsh wrote:
>>> Ok so I went back to basics and created three new VM's.
>>>
>>> Windows Server 2008 R2
>>> W
straints Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.864 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[HTML Manag
ker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader
So I have SPNEGO working and I want to use the JNDI realm for authorisation.
I have this configured :-
ldap://win-dc01.kerbtest.local:389";
userBase="ou=Users,dc=kerbtest,dc=local"
userSearch="(uid={0})"
userRoleName="memberOf"
roleBase="ou=Users,dc=
Ok so I fixed my Realm :-
ldap://win-dc01.kerbtest.local:389";
userBase="cn=Users,dc=kerbtest,dc=local"
userSearch="(cn={0})"
userRoleName="memberOf"
roleBase="cn=Users,dc=kerbtest,dc=local"
roleName="cn"
roleSearch="(uniqueMember=
No worries fixed it :-
ldap://win-dc01.kerbtest.local:389";
userBase="cn=Users,dc=kerbtest,dc=local"
userSearch="(cn={0})"
userRoleName="memberOf"
roleBase="cn=Users,dc=kerbtest,dc=local"
roleName="cn"
roleSearch="(member={0})"
8000 Is the HTTP port in development just in case you are using port 80
8433 Is similar for HTTPS
22 Is SSH port
Normally you define a free port in a user range say 9009, to be your debug port.
Then you use a suitable java debugger to connect to that port.
I've never used vagrant, but it sounds like
Kerberos requires NTP synchronisation to be in place and working.
Fix your clocks and the error should go away.
> From: ravindhar_ko...@persistent.com
> To: users@tomcat.apache.org
> Subject: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 10:01:39 +
>
> Hi
> I am working on windows a
>
> I have done NTP synchronization in AD
> still I am getting same error
> could you please help in this
>
> -Original Message-
> From: David Marsh [mailto:dmars...@outlook.com]
> Sent: Thursday, May 07, 2015 3:39 PM
> To: Tomcat Users List
> Subject: RE: Tom