On 10/22/2014 4:40 AM, Philippe Wijdh wrote:
Hello,

We have spent a long time now, trying to set up Apache Tomcat with Windows 
Authentication.
We followed the instructions as per 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html but we cannot 
make it work properly; the logon dialog keeps appearing and trying to log on 
fails.
In addition to that, we tried suggestions like adding the registry key 
AllowTgtSessionKey and setting it to 0x01.
Seems like we are close but we are missing something (see Tomcat output below).
Does anyone have more complete documentation or any suggestions on how 
to make this work?


Kind regards,

Philippe Wijdh



Extra information on the setup:

Windows 2008 r2 sp1
Apache Tomcat 7.0.54
jdk1.7.0_60

Tomcat is running as a service using account HTTP/v3tcat4ad.assai.nl:8080 
(have created SPN with and without the port number, does not make a difference)

Test is done with user testu...@assai.nl in IE11 on 
different machines, with http://v3tcat4ad.assai.nl explicitly added to the Intranet 
sites.


Hi, Philippe-

I have not used the built-in Tomcat Windows authentication but have had success using Waffle in a similar configuration. You might try that if all else fails.

-Terence Bandoian





Tomcat Output:

KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
Java config name: C:\MyPrograms\Tomcat7\conf\krb5.conf
Loaded from Java config
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
KdcAccessibility: reset
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
             sTime is Wed Oct 22 09:53:56 CEST 2014 1413964436000
             suSec is 403143
             error code is 25
             error Message is Additional pre-authentication required
             realm is ASSAI.NL
             sname is krbtgt/ASSAI.NL
             eData provided.
             msgType is 30
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
             sTime is Wed Oct 22 09:54:12 CEST 2014 1413964452000
             suSec is 996893
             error code is 25
             error Message is Additional pre-authentication required
             realm is ASSAI.NL
             sname is krbtgt/ASSAI.NL
             eData provided.
             msgType is 30
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
             sTime is Wed Oct 22 09:54:56 CEST 2014 1413964496000
             suSec is 543768
             error code is 25
             error Message is Additional pre-authentication required
             realm is ASSAI.NL
             sname is krbtgt/ASSAI.NL
             eData provided.
             msgType is 30
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - 
Calling execute on job DEFAULT.reportsJob
09:55:00.008 [QuartzScheduler_Worker-1] DEBUG org.quartz.core.JobRunShell - 
Calling execute on job DEFAULT.reportsJob
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=152
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=152
KrbKdcReq send: #bytes read=173
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KdcAccessibility: remove v3dom1.assai.nl:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
             sTime is Wed Oct 22 09:55:15 CEST 2014 1413964515000
             suSec is 715643
             error code is 25
             error Message is Additional pre-authentication required
             realm is ASSAI.NL
             sname is krbtgt/ASSAI.NL
             eData provided.
             msgType is 30
Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 23, salt =

Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
Pre-Authentication Data:
             PA-DATA type = 16

Pre-Authentication Data:
             PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsReq creating message
KrbKdcReq send: kdc=v3dom1.assai.nl UDP:88, timeout=30000, number of retries 
=3, #bytes=235
KDCCommunication: kdc=v3dom1.assai.nl UDP:88, timeout=30000,Attempt =1, 
#bytes=235
KrbKdcReq send: #bytes read=1446
KdcAccessibility: remove v3dom1.assai.nl:88
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17.
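
A triage helper for a JDK Kerberos debug trace like the one above, added here as an example and not part of the original thread. The function name `summarize`, the shortened `SAMPLE` excerpt and the wording of the findings are assumptions; the findings are heuristics for reading the trace, not a diagnosis of this setup.

```python
import re

# Kerberos encryption type numbers that appear in the trace.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Excerpt of the trace above, shortened to a single AS exchange.
SAMPLE = """\
KeyTabInputStream, readName(): ASSAI.NL
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): v3tcat4ad.assai.nl:8080
KeyTab: load() entry length: 72; type: 23
default etypes for default_tkt_enctypes: 23 18 17.
KRBError:
             error code is 25
             error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
KrbAsRep cons in KrbAsReq.getReply HTTP/v3tcat4ad.assai.nl:8080
Found KerberosKey for HTTP/v3tcat4ad.assai.nl:8...@assai.nl
Entered Krb5Context.acceptSecContext with state=STATE_NEW
"""

def summarize(trace):
    """Extract the keytab principal, key types and AS-exchange outcome."""
    names = re.findall(r"KeyTabInputStream, readName\(\): (\S+)", trace)
    realm, service, host = (names + [None] * 3)[:3]  # first keytab entry only
    key_types = sorted({int(t) for t in re.findall(r"KeyTab: load\(\).*type: (\d+)", trace)})
    errors = [int(c) for c in re.findall(r"error code is (\d+)", trace)]
    as_reps = len(re.findall(r"KrbAsRep cons in KrbAsReq\.getReply", trace))
    accepts = len(re.findall(r"acceptSecContext with state=STATE_NEW", trace))
    findings = []
    if errors and set(errors) == {25} and as_reps:
        findings.append("error 25 is the normal pre-auth round trip; an AS-REP followed")
    if host and ":" in host:
        findings.append("keytab SPN carries a port; compare with the SPN clients request")
    if key_types == [23]:
        findings.append("keytab holds only rc4-hmac keys")
    if accepts:
        findings.append("acceptSecContext entered: a client token reached the acceptor")
    return {
        "principal": f"{service}/{host}@{realm}" if host else None,
        "keytab_etypes": [ETYPES.get(t, str(t)) for t in key_types],
        "krb_errors": errors,
        "as_replies": as_reps,
        "accept_attempts": accepts,
        "findings": findings,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```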


