Working trace :-

28-Mar-2015 14:20:27.865 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/8.0.20
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 15 2015 18:10:42 UTC
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         8.0.20.0
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Windows 7
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            6.1
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          x86
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             C:\Program Files (x86)\Java\jdk1.7.0_45\jre
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.7.0_45-b18
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.881 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\conf\logging.properties
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.security.krb5.debug=true
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.security.jgss.debug=true
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\endorsed
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\temp
28-Mar-2015 14:20:27.944 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files (x86)\Java\jdk1.7.0_45\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Program Files (x86)\Java\jdk1.7.0_45\bin;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;.
28-Mar-2015 14:20:31.657 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-80"]
28-Mar-2015 14:20:32.515 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Mar-2015 14:20:32.578 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
28-Mar-2015 14:20:32.578 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Mar-2015 14:20:32.578 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 12345 ms
28-Mar-2015 14:20:33.217 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
28-Mar-2015 14:20:33.217 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.20
28-Mar-2015 14:20:34.388 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\docs
28-Mar-2015 14:20:37.929 INFO [localhost-startStop-1] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [187] milliseconds.
28-Mar-2015 14:20:38.304 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\docs has finished in 3,916 ms
28-Mar-2015 14:20:38.335 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\manager
28-Mar-2015 14:20:38.585 FINE [localhost-startStop-1] org.apache.catalina.authenticator.AuthenticatorBase.startInternal No SingleSignOn Valve is present
28-Mar-2015 14:20:38.772 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\manager has finished in 437 ms
28-Mar-2015 14:20:38.788 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\ROOT
28-Mar-2015 14:20:39.006 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\webapps\ROOT has finished in 218 ms
28-Mar-2015 14:20:39.037 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-80"]
28-Mar-2015 14:20:39.084 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
28-Mar-2015 14:20:39.115 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 6524 ms
28-Mar-2015 14:21:03.119 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
28-Mar-2015 14:21:23.809 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:23.809 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:23.824 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:23.840 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:23.855 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:23.871 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:23.887 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:23.887 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:23.918 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
28-Mar-2015 14:21:23.918 FINE [http-nio-80-exec-1] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
28-Mar-2015 14:21:23.933 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
28-Mar-2015 14:21:23.933 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate No authorization header sent by client
28-Mar-2015 14:21:23.949 FINE [http-nio-80-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed authenticate() test
28-Mar-2015 14:21:24.433 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/html
28-Mar-2015 14:21:24.448 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:24.464 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:24.479 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:24.479 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:24.495 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /html --> true
28-Mar-2015 14:21:24.511 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /html --> false
28-Mar-2015 14:21:24.526 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /html --> false
28-Mar-2015 14:21:24.542 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /html --> false
28-Mar-2015 14:21:24.557 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling hasUserDataPermission()
28-Mar-2015 14:21:24.557 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data constraint has no restrictions
28-Mar-2015 14:21:24.573 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling authenticate()
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/keytab/tomcat.keytab refreshKrb5Config is false principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): KERBTEST.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
>>> KeyTab: load() entry length: 78; type: 23
Java config name: C:\Program Files (x86)\Apache Software Foundation\Tomcat 8.0\conf\krb5.ini
Loaded from Java config
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
>>> KdcAccessibility: reset
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
default etypes for default_tkt_enctypes: 23 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=164
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=164
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Sat Mar 28 14:21:25 GMT 2015 1427552485000
         suSec is 49553
         error code is 25
         error Message is Additional pre-authentication required
         realm is KERBTEST.LOCAL
         sname is krbtgt/KERBTEST.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 17.
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=247
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=247
>>> KrbKdcReq send: #bytes read=1455
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Will use keytab
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab
Found KerberosKey for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
replay cache for test@KERBTEST.LOCAL is null.
object 0: 1427552484000/49
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>Delegated Creds have pname=test@KERBTEST.LOCAL sname=krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL authtime=null starttime=20150328135023Z endtime=20150328235013ZrenewTill=20150404135013Z
Krb5Context setting peerSeqNumber to: 2034472035
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 566818784
28-Mar-2015 14:21:26.305 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Sun Mar 29 00:21:25 GMT 2015
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Sun Mar 29 00:21:25 GMT 2015
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=1464
>>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=1464
>>> KrbKdcReq send: #bytes read=107
>>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=1464
>>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=1464
>>>DEBUG: TCPClient reading 1488 bytes
>>> KrbKdcReq send: #bytes read=1488
>>> KdcAccessibility: remove win-dc01.kerbtest.local:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 739542637
Created InitSecContextToken:

Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting peerSeqNumber to: 2077264086
28-Mar-2015 14:21:27.303 SEVERE [http-nio-80-exec-2] org.apache.catalina.realm.JNDIRealm.getPrincipal Exception performing authentication
 javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
        'DC=kerbtest,DC=local'
 ]; remaining name 'ou=Users,dc=kerbtest,dc=local'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3112)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1849)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1473)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1309)
        at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1237)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:2079)
        at org.apache.catalina.realm.JNDIRealm.getPrincipal(JNDIRealm.java:1995)
        at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:578)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:325)
        at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:249)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:357)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AuthenticateAction.run(SpnegoAuthenticator.java:342)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:256)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:744)

28-Mar-2015 14:21:27.569 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.JNDIRealm"
28-Mar-2015 14:21:27.584 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.UserDatabaseRealm"
28-Mar-2015 14:21:27.600 FINE [http-nio-80-exec-2] org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user "test@KERBTEST.LOCAL" with realm "org.apache.catalina.realm.UserDatabaseRealm"
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
28-Mar-2015 14:21:27.631 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'test' with type 'SPNEGO'
28-Mar-2015 14:21:27.631 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.register Session ID changed on authentication from [728B9064A83E6C33C4B32AEE2ADDFCDD] to [762404EFFCBD391541903E2692D05B92]
28-Mar-2015 14:21:27.647 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling accessControl()
28-Mar-2015 14:21:27.662 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles GenericPrincipal[test(manager-gui,)]
28-Mar-2015 14:21:27.678 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasRole Username test has role manager-gui
28-Mar-2015 14:21:27.678 FINE [http-nio-80-exec-2] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found:  manager-gui
28-Mar-2015 14:21:27.694 FINE [http-nio-80-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Successfully passed all security constraints
28-Mar-2015 14:21:28.364 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/images/asf-logo.gif
28-Mar-2015 14:21:28.380 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type SPNEGO for principal GenericPrincipal[test(manager-gui,)]
28-Mar-2015 14:21:28.380 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.396 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.411 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.427 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.442 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.458 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.474 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.489 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.505 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.520 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.536 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.552 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.567 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.583 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.598 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.614 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/asf-logo.gif --> false
28-Mar-2015 14:21:28.630 FINE [http-nio-80-exec-3] org.apache.catalina.realm.RealmBase.findSecurityConstraints   No applicable constraint located
28-Mar-2015 14:21:28.645 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Not subject to any constraint
28-Mar-2015 14:21:28.364 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /manager/images/tomcat.gif
28-Mar-2015 14:21:28.676 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type SPNEGO for principal GenericPrincipal[test(manager-gui,)]
28-Mar-2015 14:21:28.676 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.692 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.708 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.723 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.739 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.754 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.770 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.786 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.801 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.817 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.832 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.848 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.864 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[HTML Manager interface (for humans)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.879 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Status interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.895 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[Text Manager interface (for scripts)]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.910 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[JMX Proxy interface]' against GET /images/tomcat.gif --> false
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] org.apache.catalina.realm.RealmBase.findSecurityConstraints   No applicable constraint located
28-Mar-2015 14:21:28.926 FINE [http-nio-80-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.invoke  Not subject to any constraint


----------------------------------------
> Date: Mon, 30 Mar 2015 00:13:54 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: SPNEGO test configuration with Manager webapp
>
> David Marsh wrote:
>> I've tested all the following public JDKs
>>
>> jdk-7u45-windows-i586.exe
>> jdk-7u65-windows-i586.exe
>> jdk-7u75-windows-i586.exe
>> jdk-8-windows-i586.exe
>> jdk-8u5-windows-i586.exe
>> jdk-8u11-windows-i586.exe
>> jdk-8u20-windows-i586.exe
>> jdk-8u25-windows-i586.exe
>> jdk-8u31-windows-i586.exe
>> jdk-8u40-windows-i586.exe <-- Only this one fails SPNEGO / Bad GSS Token
>>
>> Seems a recent "fix" must have broken it.
>
> That is really great info. Thanks.
>
> By the way, would you still have the Tomcat Kerberos logs that fail, in 
> comparison to one
> where it works ?
>
>
>>
>> David
>>
>> ----------------------------------------
>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>> From: felix.schumac...@internetallee.de
>>> Date: Sun, 29 Mar 2015 10:13:29 +0200
>>> To: users@tomcat.apache.org
>>>
>>>
>>>
>>> On 28 March 2015 17:46:50 CET, Mark Thomas <ma...@apache.org> wrote:
>>>> On 28/03/2015 14:43, David Marsh wrote:
>>>>> Ok so I went back to basics and created three new VM's.
>>>>>
>>>>> Windows Server 2008 R2
>>>>> Windows 7 Client
>>>>> Windows 7 Tomcat
>>>>>
>>>>> I still had same issues, until I changed the Java on the tomcat server to JDK 7 u45.
>>>>> It appears there are breaking changes to JAAS/GSS in newer JDKs ?
>>>> Thank you for doing all this testing. That is useful information to
>>>> know. The next step (for you, me or anyone who has the time and wants to
>>>> help) is to test subsequent Java 7 releases and see at which version it
>>>> stops working. I'd hope that a review of the relevant change log would
>>>> identify the change that triggered the breakage and provide some clues
>>>> on how to fix it.
>>>>
>>>> It would be worth testing the Java 8 releases the same way.
>>> I read it, that jdk 7 works and jdk 8 is problematic.
>>>
>>> There are a few Kerberos related changes in jdk 8 (
>>> http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html).
>>>
>>> Interesting are the two changes:
>>>
>>> * DES is disabled by default
>>> * constrained delegation is supported.
>>>
>>> My guess would be, that it would help (in this case) to reenable DES by 
>>> adding allow_weak_crypto=true in the krb5.conf.
>>>
>>> Regards
>>> Felix
>>>> Mark
>>>>
>>>>
>>>>> David
>>>>>
>>>>> ----------------------------------------
>>>>>> From: dmars...@outlook.com
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: RE: SPNEGO test configuration with Manager webapp
>>>>>> Date: Fri, 27 Mar 2015 23:40:06 +0000
>>>>>>
>>>>>> By the way Tomcat 8 was running on JDK :-
>>>>>>
>>>>>> C:\Windows\system32>java -version
>>>>>> java version "1.8.0_40"
>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
>>>>>> Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)
>>>>>>
>>>>>> Version update 40 should include some JRE fixes around GSS and SPNEGO, including ignoring parts of NegoEx, however
>>>>>> it does not seem to work.
>>>>>>
>>>>>> I've also created a Windows 7 client with same config just different DNS of win-pc02.kerbtest.local
>>>>>> It has the same issue going from firefox to http://win-tc01.kerbtest.local/manager/html
>>>>>> I get the same three 401's and the Negotiate.
>>>>>>
>>>>>> ----------------------------------------
>>>>>>> Date: Thu, 26 Mar 2015 12:11:34 +0100
>>>>>>> From: a...@ice-sa.com
>>>>>>> To: users@tomcat.apache.org
>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>
>>>>>>> David Marsh wrote:
>>>>>>>> Hi Mark,
>>>>>>>>
>>>>>>>> Thanks for that, yes I've got 30 years windows experience, I can use Linux at a push but it's not really my area of expertise.
>>>>>>>> I'm a Java / Windows programmer so I should be able to understand it, but not kerberos or Active Directory expert.
>>>>>>>> I have used Waffle in the past with success and used JAAS/GSS-API in Java thick clients.
>>>>>>>> I made the IE settings you outlined but it seems to still prompt.
>>>>>>>> IE has win-tc01.kerbtest.local as a trusted site.
>>>>>>>> Enable Windows Integrated Authentication is on
>>>>>>>> Auto logon only in Intranet Zone is on
>>>>>>>>
>>>>>>>> I've been using Firefox to test and that does send 401 and negotiate, but causes the GSS token error mentioned.
>>>>>>>> Active directory and krb5.ini are using eType 23 which is rc4-hmac
>>>>>>>>
>>>>>>>> The windows client OS and tomcat server OS has registry setting for allowtgtsessionkey set to 1 (enabled).
>>>>>>>> Java kinit test works and stores a ticket in the Java session cache.
>>>>>>>> So problem seems to be either :-
>>>>>>>>
>>>>>>>> 1. Browser sends bad token
>>>>>>>> 2. Token is good but Oracle JDK 8 GSS-API cannot handle it
>>>>>>>>
>>>>>>> Another shot almost in the dark : while browsing hundreds of Kerberos-related pages on the
>>>>>>> WWW, one other recommendation which seems to appear regularly (and Mark also mentioned
>>>>>>> that somewhere), is that each time you make a change somewhere, you should reboot the
>>>>>>> machine afterward, before re-testing. (Particularly on Windows machines).
>>>>>>> I know it's a PITA, but I have also found the same to be true sometimes when merely
>>>>>>> dealing with NTLM matters. There are probably some hidden caches that get cleared only in
>>>>>>> that way.
>>>>>>>
>>>>>>>
>>>>>>>> many thanks
>>>>>>>>
>>>>>>>> David
>>>>>>>>
>>>>>>>>> Date: Thu, 26 Mar 2015 11:32:39 +0100
>>>>>>>>> From: a...@ice-sa.com
>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>
>>>>>>>>> David Marsh wrote:
>>>>>>>>>> Hi Mark,
>>>>>>>>>> Thanks that would be great !
>>>>>>>>>> Do you have a good mechanism to test and ensure kerberos token is passed to tomcat and not NTLM token ?
>>>>>>>>> I believe that I can answer that.
>>>>>>>>>
>>>>>>>>> And the basic answer is no.
>>>>>>>>>
>>>>>>>>> First the basic principle, valid for this and many many other areas : the server cannot
>>>>>>>>> "impose" anything on the browser. The local user can always override anything received
>>>>>>>>> from the server, by a setting in the browser. And a hacker can of course do anything.
>>>>>>>>> All the server can do, is tell the browser what it will accept, and the browser can tell
>>>>>>>>> the server ditto.
>>>>>>>>> So, never assume the opposite, and you will save yourself a lot of fruitless searches and
>>>>>>>>> dead-ends.
>>>>>>>>>
>>>>>>>>> Now more specific :
>>>>>>>>> 1) For Kerberos to be used at all at the browser level, the server must send a 401
>>>>>>>>> response with "Negotiate" as the requested authentication method. Unless it does that,
>>>>>>>>> the browser will never even attempt to send a Kerberos "Authorization" back.
>>>>>>>>> 2) for the browser to consider returning a Kerberos Authorization header to the server,
>>>>>>>>> additional conditions depend on the browser.
>>>>>>>>> For IE :
>>>>>>>>> a) the "enable Windows Integrated Authentication" setting must be on (checked), whether
>>>>>>>>> this is done locally by the user, or part of the standard IE settings company-wide, or
>>>>>>>>> imposed by some "network policy" at corporate level.
>>>>>>>>> b) the server to which the browser is talking, must be known to IE as either
>>>>>>>>> - part of the "Intranet"
>>>>>>>>> - or at least a "trusted" server
>>>>>>>>> That is defined in IE's "security zones" (which again can be local, or corporation-wide).
>>>>>>>>> If condition (a) is not met, when the server sends a 401 "Negotiate", IE will fall back to
>>>>>>>>> NTLM, always. And there is nothing you can do about that at the server level.
>>>>>>>>> (Funnily enough, disabling the "enable Windows Integrated Authentication" at the IE level,
>>>>>>>>> has the effect of disabling Kerberos, but not NTLM).
>>>>>>>>>
>>>>>>>>> If condition (b) is not met, IE will try neither Kerberos nor NTLM, and it /might/ fall
>>>>>>>>> back to Basic authentication, if its other settings allow that. That's when you see the
>>>>>>>>> browser popup login dialog; and in an SSO context, this is a sure sign that something
>>>>>>>>> isn't working as expected.
>>>>>>>>>
>>>>>>>>> Some authentication modules, at the server level, are able to adapt to what the browser
>>>>>>>>> sends, others not. I believe that Waffle can accept either browser NTLM or Kerberos
>>>>>>>>> authentication. Waffle works only on a Windows Tomcat server, not on a Linux Tomcat server.
>>>>>>>>> I do not know about the SPNEGO thing in Tomcat (from the name, it should).
>>>>>>>>> The Jespa module from www.ioplex.com does not handle Kerberos, just NTLM, but it works
>>>>>>>>> under both Windows and Linux.
>>>>>>>>>
>>>>>>>>> And finally, about your problems : it seems that you have fallen in a very specific kind
>>>>>>>>> of hell, because you are trying to talk to a Windows-based Kerberos KDC (which is using
>>>>>>>>> Windows Kerberos libraries and encryption method choices and hostname formats etc..), from
>>>>>>>>> a Java JVM-based "client" (in this case the Tomcat server, whatever its underlying
>>>>>>>>> platform is), which is using Java Kerberos libraries and encryption method choices etc...
>>>>>>>>> And it seems that between this Java Kerberos part and the Windows Kerberos part, there
>>>>>>>>> are a number of areas of mutual incomprehension (such as which key encryption methods they
>>>>>>>>> each implement, or which ones are the "default" ones for each).
>>>>>>>>>
>>>>>>>>> And I am sure that the issue can be resolved. But it is probably a question of finding
>>>>>>>>> out which among the 25 or more settings one can alter on each side, overlap and either
>>>>>>>>> agree or contradict each other.
>>>>>>>>>
>>>>>>>>> One underlying issue is that, as well in corporations as on the WWW, the "Windows people"
>>>>>>>>> and the "Linux people" tend to be 2 separate groups. If you ask the "Windows people" how
>>>>>>>>> to set this up, they will tell you "just do this and it works" (assuming that all the
>>>>>>>>> moving parts are Windows-based); and if you ask the "Linux people", they will tell you
>>>>>>>>> "just do this and it works" (assuming that all the moving parts are Linux-based).
>>>>>>>>> And there are very few people (and web pages) which span both worlds with their various
>>>>>>>>> combinations.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> David
>>>>>>>>>>
>>>>>>>>>>> Date: Thu, 26 Mar 2015 09:00:22 +0000
>>>>>>>>>>> From: ma...@apache.org
>>>>>>>>>>> To: users@tomcat.apache.org
>>>>>>>>>>> Subject: Re: SPNEGO test configuration with Manager webapp
>>>>>>>>>>>
>>>>>>>>>>> On 26/03/2015 00:36, David Marsh wrote:
>>>>>>>>>>>> Still getting :-
>>>>>>>>>>>> java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
>>>>>>>>>>>>
>>>>>>>>>>>> Folks here mention lack of NegoEx support or bugs in GSS-APi ?
>>>>>>>>>>>>
>>>>>>>>>>>> http://sourceforge.net/p/spnego/discussion/1003769/thread/990913cc/?page=1
>>>>>>>>>>>> Does Tomcat 8 work with NegoEx ?
>>>>>>>>>>>>
>>>>>>>>>>>> Is Windows 8.1 and Windows Server 2012 RC2 supported ?
>>>>>>>>>>> My test environment is Windows 2008 R2 server and Windows 7. It is
>>>>>>>>>>> certainly possible security has been tightened between those versions
>>>>>>>>>>> and 2012/R2 + 8 that means things don't work by default with Java.
>>>>>>>>>>> I'll see if I can find some time in the next few weeks to update my test
>>>>>>>>>>> environment and do some more testing.
>>>>>>>>>>>
>>>>>>>>>>> Mark
>>>>>>>>>>>
>>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
                                          
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
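
Added example, not part of the original thread and not Tomcat or JDK code: the thread asks how to tell whether a Kerberos or an NTLM token reaches Tomcat, and the Python below answers that from the bytes of an `Authorization: Negotiate` value by reading the 0x60 / length / OID framing that is also visible at the start of the Krb5Context.wrap token in the trace. The function names are my own, and the NTLM and SPNEGO samples are constructed minimal tokens, not captured traffic.

```python
import base64

# Registered mechanism OIDs that can appear in a Negotiate token.
MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}

def _tlv(buf, pos, tag, strict=True):
    """Read one DER TLV with the expected tag; return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if strict and pos + length > len(buf):
        raise ValueError("value runs past end of token")
    return pos, pos + length

def _oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    x = min(arcs[0] // 40, 2)              # first octet packs the first two arcs
    return ".".join(str(a) for a in [x, arcs[0] - 40 * x] + arcs[1:])

def gss_mech(raw):
    """RFC 2743 section 3.1 framing: 0x60, DER length, mechanism OID. Returns (oid, next_offset)."""
    pos, _ = _tlv(raw, 0, 0x60, strict=False)   # body may be cut short when copied from a log
    start, end = _tlv(raw, pos, 0x06)
    return _oid(raw[start:end]), end

def spnego_mech_types(raw, pos):
    """OIDs offered in a NegTokenInit: [0] { SEQUENCE { [0] { SEQUENCE OF OID ... } } }."""
    for tag in (0xA0, 0x30, 0xA0):
        pos, _ = _tlv(raw, pos, tag)
    pos, end = _tlv(raw, pos, 0x30)
    oids = []
    while pos < end:
        start, pos = _tlv(raw, pos, 0x06)
        oids.append(_oid(raw[start:pos]))
    return oids

def classify_negotiate(value):
    """Classify the base64 token from an 'Authorization: Negotiate <token>' header."""
    raw = base64.b64decode(value, validate=True)
    if raw.startswith(b"NTLMSSP\x00"):          # NTLM message with no GSS framing at all
        return {"kind": "raw NTLM", "offers": ["NTLMSSP"]}
    oid, pos = gss_mech(raw)
    name = MECHS.get(oid, oid)
    if name != "SPNEGO":
        return {"kind": name, "offers": [name]}
    return {"kind": "SPNEGO", "offers": [MECHS.get(o, o) for o in spnego_mech_types(raw, pos)]}

# First 13 bytes of the "Krb5Context.wrap: token=[...]" dump in the trace.
TRACE_PREFIX = bytes.fromhex("60 50 06 09 2a 86 48 86 f7 12 01 02 02")
# Constructed samples, not captured traffic.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode()
SPNEGO_INIT = base64.b64encode(bytes.fromhex(
    "60 27 06 06 2b 06 01 05 05 02 a0 1d 30 1b a0 19 30 17 "
    "06 09 2a 86 48 86 f7 12 01 02 02 "
    "06 0a 2b 06 01 04 01 82 37 02 02 0a")).decode()

if __name__ == "__main__":
    print(gss_mech(TRACE_PREFIX)[0])
    for sample in (NTLM_TYPE1, SPNEGO_INIT):
        print(classify_negotiate(sample))
```

Feed it the base64 value copied from the browser's request (for example from a proxy or the browser's network tab); a result of "raw NTLM", or a SPNEGO token whose offers list lacks Kerberos, points at the client side rather than at Tomcat.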
