James,

Regarding your question a), HTTP 401 is a tangle of both "not authenticated" and "not authorized". You're at least getting through authentication of the end user. At least that's my interpretation of Krb5Context logging of "KrbApReq: authenticate succeed." and logged values for mySeqNumber and peerSeqNumber. (In my case I'm not getting even this far.)
On your b), Felix's example for debugging a jmeter issue uses an LDAP call to check for group membership. This is configured within a <realm /> in server.xml, leveraging the "the user's delegated credentials via a request attribute so applications can make use of them" [presumably for more fine-grained authorization control]. Anyway, this seems to be an application level augmentation of SPNEGO vice a contradiction of the patch comment for the initial SPNEGO support in Tomcat-7.0.12. ("48685: Add initial support for SPNEGO/Kerberos authentication also referred to as integrated Windows authentication. This includes user authentication, authorisation via the directory using the user's delegated credentials and exposing the user's delegated credentials via a request attribute so applications can make use of them to impersonate the current user when accessing third-party systems that use a compatible authentication mechanism. Based on a patch provided by Michael Osipov. (markt).") There doesn't seem to be documentation that expands "authorisation via the directory using the user's delegated credentials" into a configuration option. As written the comment for 48685 says SPNEGO support doesn't stop at authentication; it [somehow] handles authorization, too.

On c), absent documentation, the details in https://issues.apache.org/bugzilla/show_bug.cgi?id=48685 might help explain the developers' sense of the intended working order, and provide some clues on the JAAS and SPNEGO configuration requirements. At least that's what I'm reading through.

On d), you might already know this, but "KDCRep: init() encoding tag is 126 req type is 11" translates to "exception: Asn1Exception - if an error occurs while decoding an ASN1 encoded data." The actual text is from sun.security.krb5.internal.KDCRep:

    /**
     * Initializes an KDCRep object.
     *
     * @param encoding a single DER-encoded value.
     * @param req_type reply message type.
     * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
     * @exception IOException if an I/O error occurs while reading encoded data.
     * @exception RealmException if an error occurs while constructing
     * a Realm object from DER-encoded data.
     * @exception KrbApErrException if the value read from the DER-encoded
     * data stream does not match the pre-defined value.
     *
     */
    protected void init(DerValue encoding, int req_type)
        throws Asn1Exception, RealmException, IOException,
            KrbApErrException {
        DerValue der, subDer;
        if ((encoding.getTag() & 0x1F) != req_type) {
            if (DEBUG) {
                System.out.println(">>> KDCRep: init() " +
                                   "encoding tag is " +
                                   encoding.getTag() +
                                   " req type is " + req_type);
            }
            throw new Asn1Exception(Krb5.ASN1_BAD_ID);
        }

This snippet is from openjdk; http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html. There's also Oracle's http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. It doesn't have the actual logging line, though.

Edward

________________________________________
From: james.henderson [james.hender...@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward. My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=166
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=152
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
     suSec is 764076
     error code is 25
     error Message is Additional pre-authentication required
     realm is DEV
     sname is krbtgt/DEV
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=249
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>> KrbKdcReq send: #bytes read=1384
>>> KrbKdcReq send: #bytes read=1384
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's key
Kerberos Principal HTTP/server.dev@DEVKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
[Krb5LoginModule] added Krb5Principal HTTP/server.dev@DEV to Subject
Commit Succeeded
Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello HTTP/1.1" 401 951

We have another page that uses spring SPNEGO and it works fine with exactly the same user. My security constraint/login config looks like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/hello</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my webapp. Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work. Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11 error.

Thanks,
James Henderson

--
View this message in context: http://tomcat.10.x6.nabble.com/Tomcat7-and-SPNEGO-configuration-questions-tp4999666p4999977.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
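As an added example (not code from either message, nor from OpenJDK), the Python below reproduces the tag test from the KDCRep.init() excerpt on two constructed Kerberos messages and pulls the error-code out of a KRB-ERROR, so the "encoding tag is 126 req type is 11" line can be read for what it is: a KRB-ERROR ([APPLICATION 30], first byte 0x7E = 126) arriving where an AS-REP ([APPLICATION 11], first byte 0x6B = 107) was expected, carrying error code 25, which the second AS-REQ in James's log then answers with PA-ENC-TIMESTAMP. The DER helpers, message-type table and sample messages are assumptions of this example, not part of the JDK.

```python
# Added example, not from the thread or OpenJDK: the KDCRep.init() tag check on constructed messages.
KRB_MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}
KRB_AS_REP, KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED = 11, 30, 25   # RFC 4120 s5.10 and s7.5.9
APP_CONSTRUCTED = 0x40 | 0x20          # DER class/form bits of the outer [APPLICATION n] tag

def der_tlv(tag, body):                # DER TLV; short-form length, or 0x81/0x82 long form
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body
def der_int(v):
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def ctx(n, body):                      # context-specific constructed tag [n]
    return der_tlv(0xA0 | n, body)

def read_tlv(buf, i=0):
    """Return (tag, value, index after the TLV) for the TLV starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                  # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def kdcrep_tag_check(message, req_type):
    """Same test as KDCRep.init(): (tag & 0x1F) != req_type -> debug line + Asn1Exception."""
    return message[0], (message[0] & 0x1F) == req_type

def krb_error_code(message):
    """error-code ([6] Int32) of a KRB-ERROR, or None when the message is not one."""
    tag, body, _ = read_tlv(message)
    if (tag & 0x1F) != KRB_ERROR:
        return None
    _, seq, _ = read_tlv(body)         # the SEQUENCE inside [APPLICATION 30]
    i = 0
    while i < len(seq):
        ctag, cval, i = read_tlv(seq, i)
        if (ctag & 0x1F) == 6:
            return int.from_bytes(read_tlv(cval)[1], "big", signed=True)
    return None

def explain(message, req_type):        # reproduce the JDK debug line and name the real type
    tag, ok = kdcrep_tag_check(message, req_type)
    name = KRB_MSG_TYPES.get(tag & 0x1F, "unknown")
    if ok:
        return f"tag {tag}: {name} as expected"
    code = krb_error_code(message)
    hint = " (client re-sends AS-REQ with PA-ENC-TIMESTAMP)" if code == KDC_ERR_PREAUTH_REQUIRED else ""
    return f"KDCRep: init() encoding tag is {tag} req type is {req_type}: {name}, error code {code}{hint}"

# Constructed samples: a minimal KRB-ERROR (real ones also carry stime, realm, sname, e-data) and a skeleton AS-REP.
SAMPLE_KRB_ERROR = der_tlv(APP_CONSTRUCTED | KRB_ERROR, der_tlv(0x30,
    ctx(0, der_int(5)) + ctx(1, der_int(KRB_ERROR)) + ctx(6, der_int(KDC_ERR_PREAUTH_REQUIRED))))
SAMPLE_AS_REP = der_tlv(APP_CONSTRUCTED | KRB_AS_REP, der_tlv(0x30, ctx(0, der_int(5)) + ctx(1, der_int(KRB_AS_REP))))
```

Calling explain(SAMPLE_KRB_ERROR, KRB_AS_REP) yields the exact debug line from the log followed by the decoded reason, while explain(SAMPLE_AS_REP, KRB_AS_REP) reports a normal AS-REP.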