On 10.06.2013 23:35, james.henderson wrote:
I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=166
KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
KrbKdcReq send: #bytes read=152
KrbKdcReq send: #bytes read=152
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
          suSec is 764076
          error code is 25
          error Message is Additional pre-authentication required
          realm is DEV
          sname is krbtgt/DEV
          eData provided.
          msgType is 30
Pre-Authentication Data:
          PA-DATA type = 11
          PA-ETYPE-INFO etype = 23
Pre-Authentication Data:
          PA-DATA type = 2
          PA-ENC-TIMESTAMP
Pre-Authentication Data:
          PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=249
KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
KrbKdcReq send: #bytes read=1384
KrbKdcReq send: #bytes read=1384
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
                 [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV to Subject
Commit Succeeded


Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
                 [Krb5LoginModule]: Entering logout
                 [Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello HTTP/1.1" 401 951

We have another page that uses spring SPNEGO and it works fine with exactly
the same user.

My security constraint/login config looks like this:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
             <url-pattern>/hello</url-pattern>
             <http-method>GET</http-method>
             <http-method>POST</http-method>
         </web-resource-collection>

         <auth-constraint>
             <role-name>*</role-name>
         </auth-constraint>

         <user-data-constraint>
             <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
     </security-constraint>

     <login-config>
         <auth-method>SPNEGO</auth-method>
     </login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)

You can enable more logging of the realm code by adding "org.apache.catalina.realm.level=FINE" to your conf/logging.properties file.

b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?

SPNego will only do authentication. Authorization is done via the configured realm. If your users and roles are stored in an LDAP directory (as I suspect they are), you can use the JNDIRealm to configure where tomcat will look for your users and their roles. For more info look at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.

If you are not happy with the examples, you can look at the configuration docs cunningly hidden at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

Regards,
 Felix
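
As an added illustration of the answer above (this is not Felix's or the Tomcat project's configuration, and the host name, DNs, service account and group OU are assumptions): a JNDIRealm in conf/server.xml that only resolves the user the SPNEGO authenticator has already authenticated and collects the groups that become the user's roles. The `{0}` in `userSearch` is the user name handed over by the authenticator; the `{0}` in `roleSearch` is the DN of the user entry found by `userSearch`.

```xml
<!-- Added example, not from the original thread. Host, DNs, service
     account and group OU are assumptions; adjust to your directory. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc.dev.example:389"
       authentication="simple"
       referrals="follow"
       <!-- read-only lookup account; it needs no rights beyond
            searching users and group membership -->
       connectionName="CN=tomcat-lookup,OU=Service Accounts,DC=dev,DC=example"
       connectionPassword="change-me"
       <!-- where the authenticated user's entry is looked up -->
       userBase="DC=dev,DC=example"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"
       <!-- group entries whose "member" attribute contains the user's DN;
            the group cn becomes a role name seen by web.xml -->
       roleBase="OU=Groups,DC=dev,DC=example"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
```

With `org.apache.catalina.realm.level=FINE` in conf/logging.properties, the realm logs whether the user search found an entry and which role entries matched; a user the realm cannot find ends in the same 401 seen above even though the Kerberos exchange succeeded. The role names returned here are what the `<role-name>` elements in web.xml are compared against. If the logged user name still carries the `@REALM` suffix and the search therefore misses, check the `stripRealmForGss` setting in the realm configuration docs linked above. Keep `connectionPassword` out of world-readable copies of server.xml.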
d) Understand why I get this: init() encoding tag is 126 req type is 11
error.

Thanks,

James Henderson
--
View this message in context: 
http://tomcat.10.x6.nabble.com/Tomcat7-and-SPNEGO-configuration-questions-tp4999666p4999977.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
