Hi Edward.

On Friday, 31.05.2013, 13:24 -0500, Edward Siewick wrote:
> ________________________________________
> From: Felix Schumacher [felix.schumac...@internetallee.de]
> Sent: Friday, May 31, 2013 1:18 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
>
> On Friday, 31.05.2013, 10:17 -0500, Edward Siewick wrote:
>>> Hi.
>>>
>>> I'm trying to get a baseline configuration working, following the
>>> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm
>>> apparently off in the weeds having missed something, though. So I'd really
>>> appreciate a sanity check of my configuration, and the testcase I'm
>>> attempting. I've got something messed up, and I'm looking for guidance on
>>> what to check.
>>>
> <snip>
>>> Well-founded guidance, clues, and even good guesses are all welcome.
>>
>> I would look if IE is sending an authorization header.
>
> Felix,
>
> Thanks. tcpdump shows an authz header, though it seems to be associated with
> the client's first call to the server. Let me know if I should be expecting
> some other packets in the exchange. It goes on for a few packets; the
> beginning of the Authorization: header from the client is below.
>
> Edward
>
> openid-wdw.openidmdev.com.50784 > openid-linux.openidmdev.com.webcache:
> Flags [.], seq 1:1461, ack 1, win 16425, length 1460
> E...i.@...5>
> .!`
> .!a.`....._K...P.@).
> ..GET /manager/status HTTP/1.1^M
> Accept: application/x-ms-application, image/jpeg, application/xaml+xml,
> image/gif, image/pjpeg, application/x-ms-xbap, */*^M
> Accept-Language: en-US^M
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
> Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
> 3.0.30729; .NET4.0C; .NET4.0E)^M
> Accept-Encoding: gzip, deflate^M
> Host: openid-linux.openidmdev.com:8080^M
> Connection: Keep-Alive^M
> Cookie: JSESSIONID=58B85BF870EA8328FC7A76D70C39EAF5^M
> Authorization: Negotiate
> YIIGpwYGKwYBBQUCoIIGmzCCBpegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBmEEggZdYIIGWQYJKoZIhvcSAQICAQBuggZIMIIGRKADAgEFoQMCAQ6iBwMFACAAAACjggTKYYIExjCCBMKgAwIBBaEQGw5PUEVOSURNREVWLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG29wZW5pZC1saW51eC5vcGVuaWRtZGV2LmNvbaOCBHcwggRzoAMCARehAwIBBqKCBGUEggRhtG1hWlctx9Ey75vGdQsRwKC5hNhuDW+qC4Kr2Dov2b/9TT94u8NZ30rqi4nJOKgK9VfcEsqgCwuLgnG0AdLmhXhaBYVk/p8xcJpXTeyUd3OOBVE1Z8BHD6fNlJ/c01o5r4iYV

The header looks good. What does a klist say on the client? Is
HTTP/openid-linux.openidmdev....@openidmdev.com listed?
Can you add -Dsun.security.krb5.debug=true to your CATALINA_OPTS? On my
installation it prints the following lines when I login with principal
user00...@example.com on the server www.example.com

>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 67; type: 23
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 59; type: 3
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 83; type: 18
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 67; type: 17
Config name: /home/felix/Developer/apache-tomcat-7.0.40/conf/krb5.ini
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> KdcAccessibility: reset
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
default etypes for default_tkt_enctypes: 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=153
>>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=153
>>> KrbKdcReq send: #bytes read=187
>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null
	 PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null
	 PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null
>>> KdcAccessibility: remove localhost:60088
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Fri May 31 21:17:52 CEST 2013 1370027872000
	 suSec is 0
	 error code is 25
	 error Message is Additional pre-authentication required
	 realm is EXAMPLE.COM
	 sname is krbtgt/EXAMPLE.COM
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null
	 PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null
	 PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null
KRBError received: Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17.
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=240
>>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=240
>>> KrbKdcReq send: #bytes read=537
>>> KdcAccessibility: remove localhost:60088
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/www.example.com
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
Found KeyTab
Found KerberosKey for HTTP/www.example....@example.com
Found KerberosKey for HTTP/www.example....@example.com
Found KerberosKey for HTTP/www.example....@example.com
Found KerberosKey for HTTP/www.example....@example.com
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
replay cache for user00...@example.com is null.
object 0: 1370027872357/357663
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

My Kerberos server is listening on localhost and port 60088 (and is actually
apacheds 2.0.0M12).

Greetings
Felix

> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
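Felix can call the captured header "good" from its first bytes, because a Kerberos-bearing SPNEGO token starts with the GSS-API application tag, the SPNEGO OID and a mechTypes list that names Kerberos first. As an added example (not code from this thread, from Tomcat or from the JDK), the following Python decoder reads that mechTypes list out of a Negotiate header, so a packet capture tells you whether the browser offered Kerberos or fell back to NTLM; the sample input is the truncated header prefix quoted above, and the raw-NTLM header is a constructed sample.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
              "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Truncated prefix of the Authorization header captured in the thread above.
THREAD_HEADER = ("Negotiate YIIGpwYGKwYBBQUCoIIGmzCCBpegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgEC"
                 "AgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBmEEggZd")
# Constructed sample: what a client sends when it falls back to a raw NTLM token.
RAW_NTLM_HEADER = "Negotiate TlRMTVNTUAABAAAA"

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OID contents into dotted notation."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val)); val = 0
    return ".".join(parts)

def negotiate_mechs(header):
    """Mechanisms the client offered, most preferred first, from a (possibly
    truncated, e.g. captured by tcpdump) 'Negotiate <base64>' header value."""
    b64 = header.split(None, 1)[1].strip() if header.lower().startswith("negotiate") else header.strip()
    buf = base64.b64decode(b64[:len(b64) - len(b64) % 4])   # drop a partial final group
    if buf.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP (raw token, no SPNEGO wrapper)"]
    tag, pos, _ = _tlv(buf, 0)                # [APPLICATION 0] InitialContextToken
    mech_tag, start, end = _tlv(buf, pos)     # thisMech OID
    if tag != 0x60 or mech_tag != 0x06 or _oid(buf[start:end]) != SPNEGO_OID:
        raise ValueError("not a SPNEGO initial context token")
    _, pos, _ = _tlv(buf, end)                # [0] negTokenInit
    _, pos, _ = _tlv(buf, pos)                # SEQUENCE
    _, pos, _ = _tlv(buf, pos)                # [0] mechTypes (first field of negTokenInit)
    _, pos, end = _tlv(buf, pos)              # SEQUENCE OF MechType
    mechs = []
    while pos < end:
        _, start, pos = _tlv(buf, pos)
        mechs.append(MECH_NAMES.get(_oid(buf[start:pos]), _oid(buf[start:pos])))
    return mechs
```

If the first entry is NTLMSSP, or the raw-NTLM case is reported, the browser never obtained a service ticket for the HTTP/ SPN and the klist check above is the place to look.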