JDK-8080122

SPNEGO GSS token processing broken in latest JDK


      FULL PRODUCT VERSION :
      java version "1.8.0_40"
      Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
      Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Version 6.3.9600]

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Tested on Tomcat 8 with Manager application SPNEGO auth; used 3 Windows VMs, one configured as primary domain controller.

      krb5.ini
      [libdefaults]
      default_realm = KERBTEST.LOCAL
      default_keytab_name = FILE:C:\keytab\tomcat.keytab
      default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
      default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
      forwardable = true

      [realms]
      KERBTEST.LOCAL = {
              kdc = win-dc01.kerbtest.local:88
      }

      [domain_realm]
      kerbtest.local = KERBTEST.LOCAL
      .kerbtest.local = KERBTEST.LOCAL

      jaas.conf

      com.sun.security.jgss.krb5.initiate {
          com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
          useKeyTab=true
          keyTab="C:/keytab/tomcat.keytab"
          storeKey=true
          debug=true;
      };

      com.sun.security.jgss.krb5.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
          useKeyTab=true
          keyTab="C:/keytab/tomcat.keytab"
          storeKey=true
          debug=true;
      };

      See :-
      https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

      A DESCRIPTION OF THE PROBLEM :
      SPNEGO Kerberos browser-based single sign-on no longer works on Windows in the latest JDK 8u40.

      Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
      25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
      java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:422)
      at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
      at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
      at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
      at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
      at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
      at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
      at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
      ... 18 more

      [Krb5LoginModule]: Entering logout
      [Krb5LoginModule]: logged out Subject
      25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

      REGRESSION. Last worked in version 8u31

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.8.0_31"
      Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
      Java HotSpot(TM) Client VM (build 25.31-b07, mixed mode)

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      See :-
      https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

      Also word doc attached.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Expecting user to be authenticated with app and token to be accepted.

      You get one 401 in Firefox followed by a 200 response and the Tomcat Manager page.

      No errors in Tomcat logs; you can see the Kerberos ticket decrypted if debug options are on.
      ACTUAL -
      User is not authenticated; you get three 401 responses in Firefox, and in the Tomcat log or command console you see

      Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
      25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
      java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:422)
      at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
      at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
      at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
      at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
      at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
      at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
      at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
      at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
      at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
      ... 18 more

      [Krb5LoginModule]: Entering logout
      [Krb5LoginModule]: logged out Subject
      25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      Used Tomcat 8 Servlet container and its supplied Manager web app.

      I'm trying to get SPNEGO authentication working with Tomcat 8.

      I've created three Windows VMs :-

      Tomcat Server - Windows 8.1 32 bit VM
      Test Client - Windows 8.1 32 bit VM
      Domain Controller - Windows Server 2012 R2 64 bit VM

      The Tomcat Server and the Test Client are joined to the same domain, kerbtest.local, and they are
      logged in with domain logins.

      The firewall is disabled on the Tomcat Server VM.

      I've followed the guidelines on the Apache Tomcat website.

      jaas.conf

      com.sun.security.jgss.krb5.initiate {
          com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
          useKeyTab=true
          keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
          storeKey=true;
      };

      com.sun.security.jgss.krb5.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          doNotPrompt=true
          principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
          useKeyTab=true
          keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
          storeKey=true;
      };

      krb5.ini

      [libdefaults]
      default_realm = KERBTEST.LOCAL
      default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
      default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
      default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
      forwardable=true

      [realms]
      KERBTEST.LOCAL = {
              kdc = win-dc01.kerbtest.local:88
      }

      I want to use the Tomcat Manager app to test SPNEGO with Active Directory.

      I have tried to keep the setup as basic and vanilla to the instructions as possible.

      Users were created as instructed.

      SPN was created as instructed
      setspn -A HTTP/win-tc01.kerbtest.local tc01

      Keytab was created as instructed
      ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass

      I have tried to test with Firefox, Chrome and IE, after ensuring http://win-tc01.kerbtest.local
      is a trusted site in IE. In Firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris
      and network.negotiate-auth.trusted-uris.

      Tomcat is running as a Windows service under the tc01@kerbtest.local account.

      Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in Firefox results
      in 401 three times.

      Looking at the Network tab in developer tools in Firefox shows a 401 response with a WWW-Authenticate:
      Negotiate response HTTP header.

      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      I have got this to work by going back to earlier JDKs.

      I tried many settings but never saw it work on JDK 8u40.

      This makes the latest JDK useless for those using SPNEGO as far as I can tell.
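The exception in this report is raised by sun.security.jgss.GSSHeader when the first byte of the token handed to acceptSecContext() is not 0x60, the ASN.1 [APPLICATION 0] tag of an RFC 2743 InitialContextToken. Before attributing the failure to the JDK, a practitioner would want to see what the browser actually put in the Authorization header. The class below is an added diagnostic, not code from the bug report, from Tomcat or from the JDK; the class name NegotiateTokenCheck, the method names and the sample headers built in main are constructed for illustration. It does not determine the cause of this particular report. It only separates a well-formed SPNEGO or raw Kerberos token from an NTLM message or other non-GSS payload, each of which GSSHeader rejects with this same message.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added diagnostic (not part of the bug report, Tomcat or the JDK): classify the
 * token carried in an "Authorization: Negotiate <base64>" request header before
 * it reaches GSSContext.acceptSecContext(). sun.security.jgss.GSSHeader reads the
 * first byte of the token and requires 0x60, the [APPLICATION 0] tag of an
 * RFC 2743 InitialContextToken; any other leading byte fails with
 * "GSSHeader did not find the right tag".
 */
public final class NegotiateTokenCheck {

    public enum Kind { SPNEGO, KERBEROS_V5, NTLM, OTHER_GSS_MECH, NOT_GSS }

    private static final int APPLICATION_0_TAG = 0x60;   // RFC 2743 section 3.1
    private static final int OID_TAG = 0x06;
    // DER-encoded OID contents (tag and length octets excluded)
    private static final byte[] SPNEGO_OID = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};   // 1.3.6.1.5.5.2
    private static final byte[] KRB5_OID =
            {0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02}; // 1.2.840.113554.1.2.2
    // Every NTLM message starts with this signature; Java GSS has no NTLM mechanism
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    private NegotiateTokenCheck() {}

    /** Classifies a raw (already base64-decoded) token. */
    public static Kind classify(byte[] token) {
        if (regionEquals(token, 0, NTLMSSP)) {
            return Kind.NTLM;
        }
        if (token.length < 2 || (token[0] & 0xff) != APPLICATION_0_TAG) {
            return Kind.NOT_GSS;                  // the case GSSHeader rejects
        }
        int pos = 1;
        int lengthByte = token[pos++] & 0xff;
        if (lengthByte >= 0x80) {                 // DER long form: 0x80 | number of length octets
            int octets = lengthByte & 0x7f;
            if (octets == 0 || octets > 4 || pos + octets > token.length) {
                return Kind.NOT_GSS;
            }
            pos += octets;                        // the length value itself is not needed here
        }
        // The mechanism OID follows: tag 0x06, short-form length, contents
        if (pos + 2 > token.length || (token[pos] & 0xff) != OID_TAG) {
            return Kind.NOT_GSS;
        }
        int oidLength = token[pos + 1] & 0xff;
        int oidStart = pos + 2;
        if (oidLength >= 0x80 || oidStart + oidLength > token.length) {
            return Kind.NOT_GSS;
        }
        if (oidLength == SPNEGO_OID.length && regionEquals(token, oidStart, SPNEGO_OID)) {
            return Kind.SPNEGO;
        }
        if (oidLength == KRB5_OID.length && regionEquals(token, oidStart, KRB5_OID)) {
            return Kind.KERBEROS_V5;
        }
        return Kind.OTHER_GSS_MECH;
    }

    /** Classifies the value of an Authorization header such as "Negotiate YIIB...". */
    public static Kind classifyAuthorization(String headerValue) {
        String scheme = "Negotiate ";
        if (headerValue == null
                || !headerValue.regionMatches(true, 0, scheme, 0, scheme.length())) {
            return Kind.NOT_GSS;
        }
        try {
            String b64 = headerValue.substring(scheme.length()).trim();
            return classify(Base64.getDecoder().decode(b64));
        } catch (IllegalArgumentException badBase64) {
            return Kind.NOT_GSS;
        }
    }

    private static boolean regionEquals(byte[] data, int offset, byte[] expected) {
        if (offset + expected.length > data.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (data[offset + i] != expected[i]) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal SPNEGO InitialContextToken header (the inner
        // NegTokenInit is omitted) and a bare NTLMSSP signature.
        byte[] spnegoHeader = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        String spnego = "Negotiate " + Base64.getEncoder().encodeToString(spnegoHeader);
        String ntlm = "Negotiate " + Base64.getEncoder().encodeToString(NTLMSSP);
        System.out.println("constructed SPNEGO sample: " + classifyAuthorization(spnego));
        System.out.println("constructed NTLM sample:   " + classifyAuthorization(ntlm));
        // Any captured "Negotiate ..." header values passed on the command line
        for (String arg : args) {
            System.out.println(arg.substring(0, Math.min(24, arg.length())) + "...: " + classifyAuthorization(arg));
        }
    }
}
```

Run it with the Authorization header values copied from the Firefox Network tab as arguments. A result of NTLM means the browser fell back from Kerberos (commonly because the site is not trusted for Negotiate, or no service ticket for the SPN could be obtained) and the JDK's GSS accept side will reject the token regardless of krb5.ini or jaas.conf settings; SPNEGO or KERBEROS_V5 means the token at least has the header GSSHeader expects, and the investigation moves to the mechanism token and the keytab.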

      Assignee: Weijun Wang (weijun)
      Reporter: Webbug Group (webbuggrp)
      Votes: 0
      Watchers: 3