Pardon my apparent dyslexia:

> This snippet is from openjdk;
> http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
> There's also Oracle's
> http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html.
> It doesn't have the actual logging line, though.
http://www.docjar.com/html/api/sun/security/krb5/internal/KDCRep.java.html does contain this.

________________________________________
From: james.henderson [james.hender...@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward. My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=166
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=152
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
         suSec is 764076
         error code is 25
         error Message is Additional pre-authentication required
         realm is DEV
         sname is krbtgt/DEV
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=249
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>> KrbKdcReq send: #bytes read=1384
>>> KrbKdcReq send: #bytes read=1384
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
[Krb5LoginModule] added Krb5Principal HTTP/server.dev@DEV to Subject
Commit Succeeded
Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello HTTP/1.1" 401 951

We have another page that uses spring SPNEGO and it works fine with exactly the same user.

My security constraint/login config looks like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
        <url-pattern>/hello</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my webapp. Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work. Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11 error.

Thanks,
James Henderson

--
View this message in context: http://tomcat.10.x6.nabble.com/Tomcat7-and-SPNEGO-configuration-questions-tp4999666p4999977.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
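As an added example (not part of this thread, and not JDK or Tomcat code): a small Python reader for the sun.security.krb5.debug trace quoted in James's message. It turns the raw numbers that trace prints (the ASN.1 identifier octet in "encoding tag is 126", the "req type", the KRB-ERROR code, PA-DATA types and enctype numbers) into their RFC 4120 names and summarizes the AS and AP exchange. The embedded sample trace is a handful of lines copied from the trace above; the function names, the event kinds and the diagnosis wording are the example's own.

```python
"""Reader for the Java Krb5 debug trace (-Dsun.security.krb5.debug=true).

Added example for the thread above; not JDK or Tomcat code.  Maps the numbers
the trace prints to RFC 4120 names and summarizes the exchange.
"""
import re

# Kerberos message types, RFC 4120 section 7.5.7
KRB_MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
                 14: "AP-REQ", 15: "AP-REP", 30: "KRB-ERROR"}
# Error codes, RFC 4120 section 7.5.9 (subset)
KRB_ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                   14: "KDC_ERR_ETYPE_NOSUPP", 18: "KDC_ERR_CLIENT_REVOKED",
                   24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
                   31: "KRB_AP_ERR_BAD_INTEGRITY", 34: "KRB_AP_ERR_REPEAT",
                   37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}
# Pre-authentication data types, RFC 4120 section 7.5.2 (subset)
PA_DATA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 15: "PA-PK-AS-REP_OLD",
                 16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}
# Encryption type numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}


def decode_asn1_tag(octet):
    """Split a one-byte BER identifier octet into (class, constructed, number).

    126 == 0x7E: class bits 01 (APPLICATION), constructed bit set, number 30,
    i.e. the outer [APPLICATION 30] tag of a KRB-ERROR message.
    """
    cls = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")[(octet >> 6) & 0x3]
    return cls, bool(octet & 0x20), octet & 0x1F


def explain_kdcrep_init(octet, req_type):
    """Return (what the KDC actually sent, what KDCRep.init() was asked to parse)."""
    cls, _, number = decode_asn1_tag(octet)
    got = KRB_MSG_TYPES.get(number, "unknown") if cls == "APPLICATION" else "not a Kerberos message"
    return got, KRB_MSG_TYPES.get(req_type, "unknown")


RE_INIT = re.compile(r"KDCRep: init\(\) encoding tag is (\d+) req type is (\d+)")
RE_ERR = re.compile(r"error code is (\d+)")
RE_PADATA = re.compile(r"PA-DATA type = (\d+)")
RE_ETYPES = re.compile(r"default etypes for (\w+): ([\d ]+)\.")
RE_KEYTAB = re.compile(r"Found key for (\S+)\((\d+)\)")


def summarize_trace(text):
    """Walk the trace and return (kind, description) events in trace order."""
    events = []
    for line in text.splitlines():
        if m := RE_INIT.search(line):
            got, expected = explain_kdcrep_init(int(m[1]), int(m[2]))
            events.append(("reply", f"expected {expected}, KDC sent {got}"))
        elif m := RE_ERR.search(line):
            code = int(m[1])
            events.append(("error", f"{code} {KRB_ERROR_CODES.get(code, 'unknown')}"))
        elif m := RE_PADATA.search(line):
            events.append(("padata", f"{m[1]} {PA_DATA_TYPES.get(int(m[1]), 'unknown')}"))
        elif m := RE_ETYPES.search(line):
            names = [ENCTYPES.get(int(n), f"etype {n}") for n in m[2].split()]
            events.append(("etypes", f"{m[1]}: {', '.join(names)}"))
        elif m := RE_KEYTAB.search(line):
            events.append(("keytab", f"{m[1]} {ENCTYPES.get(int(m[2]), m[2])}"))
        elif "PREAUTH FAILED/REQUIRED, re-send AS-REQ" in line:
            events.append(("retry", "AS-REQ re-sent with pre-authentication data"))
        elif "KrbAsRep cons in KrbAsReq.getReply" in line:
            events.append(("as-rep", "AS-REP received, TGT obtained"))
        elif "KrbApReq: authenticate succeed" in line:
            events.append(("ap-req", "client's AP-REQ accepted by the service"))
    return events


def diagnose(events):
    """Reduce the event list to the findings a reader of this trace wants."""
    kinds = [k for k, _ in events]
    findings = []
    if ("error", "25 KDC_ERR_PREAUTH_REQUIRED") in events and "as-rep" in kinds:
        findings.append("KRB-ERROR 25 on the first AS-REQ is the KDC's normal "
                        "pre-authentication challenge; the retry received an AS-REP.")
    if "ap-req" in kinds:
        findings.append("The service accepted the client's ticket, so an HTTP 401 after "
                        "this point comes from a later step (realm user lookup, role check).")
    return findings


# Sample input: lines copied from the trace quoted in the thread above.
SAMPLE_TRACE = """\
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> KrbKdcReq send: #bytes read=1384
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/server.dev
Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> KrbApReq: authenticate succeed.
"""

if __name__ == "__main__":
    events = summarize_trace(SAMPLE_TRACE)
    for kind, desc in events:
        print(f"{kind:7} {desc}")
    for finding in diagnose(events):
        print("=>", finding)
```

Run it on a full trace by replacing SAMPLE_TRACE with the contents of the debug log. The point it makes about question d) is that "encoding tag is 126 req type is 11" is the client noting that it asked for an AS-REP (type 11) and found a KRB-ERROR ([APPLICATION 30], identifier octet 0x7E) instead; with error code 25 that is the KDC asking for pre-authentication, which the very next AS-REQ supplies.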
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org