Pardon my apparent dislexia:

> This snippet is from openjdk; 
> http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
> There's also Oracle's 
> http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. 
> It doesn't have the actual logging line, though.

http://www.docjar.com/html/api/sun/security/krb5/internal/KDCRep.java.html does 
contain this.

________________________________________
From: james.henderson [james.hender...@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=166
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=152
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
         suSec is 764076
         error code is 25
         error Message is Additional pre-authentication required
         realm is DEV
         sname is krbtgt/DEV
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=249
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>> KrbKdcReq send: #bytes read=1384
>>> KrbKdcReq send: #bytes read=1384
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
                [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
to Subject
Commit Succeeded


Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello
HTTP/1.1" 401 951

We have another page that uses spring SPNEGO and it works fine with exactly
the same user.

My security constraint/login config looks like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires
authentication</web-resource-name>
            <url-pattern>/hello</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>

        <user-data-constraint>

            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11
error.

Thanks,

James Henderson




--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat7-and-SPNEGO-configuration-questions-tp4999666p4999977.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to