
I am trying to configure WebSSO for Tomcat 10 with the built-in SPNEGO authenticator over Kerberos. When I access the application, an HTTP Basic Auth dialog pops up and a debug entry is written to catalina.out (see below).

My keytab file pt6.keytab contains a principal who is registered on my AD-Server (via ktpass.exe & setspn.exe).

I switched on debug-mode for Kerberos, but I cannot find the problem. It simply stops at some point with Entering logout. Do you have any idea, in which step the authentication stops and what could be the reason for that? Any help is appreciated!


NOTE: I am hosting it on my machine, which is joined to my company domain (xxxyyy.com). I have a virtual machine (DC) (xxx.com) which is running on the same machine.


CATALINA.OUT

15-Apr-2023 20:45:52.151 FINE [http-nio-8080-exec-1] org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate No authorization header sent by client
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Program Files/Apache Software Foundation/Tomcat 10.0/conf/pt6115.keytab refreshKrb5Config is false principal is HTTP/RANGESH-PT6.XXXYYY.COM@XXX.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/RANGESH-PT6.XXXYYY.COM@XXX.COM
Will use keytab
Commit Succeeded

15-Apr-2023 20:45:52.311 FINE [http-nio-8080-exec-2] org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate Unable to login as the service principal
        java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
                at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
                at java.base/javax.security.auth.Subject.doAs(Subject.java:533)
                at org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:226)
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:626)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:870)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1762)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:1589)
        Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
                at java.security.jgss/sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
                at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:325)
                at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
                at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:903)
                at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:557)
                at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
                at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
                at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:326)
                at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:313)
                at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
                ... 17 more
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

KRB5.INI

[libdefaults]
    default_realm = XXX.COM
    default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 10.0\conf\pt6.keytab
    
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

[realms]
    ZOHOR.COM = {
        kdc = win-971madet2qs.zohor.com
        admin_server = win-971madet2qs.zohor.com
    }

[domain_realm]
    .xxx.com = XXX.COM
    xxx.com = XXX.COM

JAAS.CONF

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/RANGESH-PT6.XXXYYY.COM@XXX.COM"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 10.0/conf/pt6.keytab"
    storeKey=true
    debug=true
    moduleBanner=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/RANGESH-PT6.XXXYYY.COM@XXX.COM"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 10.0/conf/pt6.keytab"
    storeKey=true
    debug=true
    moduleBanner=true;
};
  • I tried accessing the application using the host name instead of the IP address
  • Tried hosting Tomcat on another VM which is joined to the domain (xxx.com)
  • Tried placing the krb5.ini in C:/windows/..


I am getting the below Kerberos token while accessing it on my machine:

"Negotiate YIGABgYrBgEFBQKgdjB0oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG9xIBAgIGCisGAQQBgjcCAh6iQAQ+TlRMTVNTUAABAAAAl7II4ggACAA2AAAADgAOACgAAAAKAF1YAAAAD1JBTkdFU0gtUFQ2MTE1Wk9IT0NPUlA="

I am getting the below token while accessing it on machines (VMs) other than the Tomcat hosting machine:

"Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAGNFAAAADw=="

I want it to return a Kerberos token on all machines. How do I do that?
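To see what the two Authorization headers quoted above really carry, here is an added Python decoder (example code written for this page, not code from the question, from Tomcat or from the JDK) that parses just enough DER to recognise a GSS-API InitialContextToken, a SPNEGO NegTokenInit (its mechTypes list and optimistic mechToken) and an NTLMSSP message header. The two token strings embedded in it are the ones from the question. Running it shows that the first token is a SPNEGO NegTokenInit whose mechTypes list puts NTLMSSP first and whose mechToken is an NTLM NEGOTIATE_MESSAGE (type 1), and that the second is a bare NTLM message whose first byte is 'N' (0x4E) rather than the DER [APPLICATION 0] tag 0x60 that Java's GSSHeader requires, which is what "GSSHeader did not find the right tag" is complaining about. Neither token contains a Kerberos AP-REQ.

```python
"""Decode the two 'Authorization: Negotiate' values quoted in the question.

Added example for this page, not code from the question, Tomcat or the JDK.
Parses: GSS-API InitialContextToken -> SPNEGO NegTokenInit -> mechToken,
and the fixed header of an NTLMSSP message.
"""
import base64
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
MECH_NAMES = {
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.48018.1.2.2": "MS-KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}
NTLM_SIGNATURE = b"NTLMSSP\x00"

# The two header values copied from the question (same host / other host).
TOKEN_SAME_HOST = ("Negotiate YIGABgYrBgEFBQKgdjB0oDAwLgYKKwYBBAGCNwICCgYJKoZIgvcSAQICBgkqhkiG"
                   "9xIBAgIGCisGAQQBgjcCAh6iQAQ+TlRMTVNTUAABAAAAl7II4ggACAA2AAAADgAOACgAAAAK"
                   "AF1YAAAAD1JBTkdFU0gtUFQ2MTE1Wk9IT0NPUlA=")
TOKEN_OTHER_HOST = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAGNFAAAADw=="


def read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """DER OID contents -> dotted string (first arc 0/1, enough for GSS/NTLM OIDs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_ntlm(blob):
    """NTLMSSP header: message type; for NEGOTIATE (type 1) also flags and OEM names."""
    info = {"ntlm_type": struct.unpack_from("<I", blob, 8)[0]}
    if info["ntlm_type"] == 1:
        flags, d_len, _, d_off, w_len, _, w_off = struct.unpack_from("<IHHIHHI", blob, 12)
        info["flags"] = flags
        info["domain"] = blob[d_off:d_off + d_len].decode("ascii", "replace")
        info["workstation"] = blob[w_off:w_off + w_len].decode("ascii", "replace")
    return info


def classify_negotiate(header_value):
    """Say what an 'Authorization: Negotiate <b64>' value really carries."""
    token = base64.b64decode(header_value.split()[-1])
    result = {"gss_tag_ok": token[0] == 0x60, "mechs": [], "inner": None,
              "carries_kerberos": False}
    if token.startswith(NTLM_SIGNATURE):    # bare NTLM: no GSS/SPNEGO framing at all
        result.update(kind="raw NTLM", inner="NTLMSSP", **parse_ntlm(token))
        return result
    if not result["gss_tag_ok"]:
        result["kind"] = "unknown"
        return result
    _, body, _ = read_tlv(token)            # [APPLICATION 0] InitialContextToken
    _, oid_raw, pos = read_tlv(body)        # thisMech OID
    oid = decode_oid(oid_raw)
    if oid in KRB5_OIDS:                    # bare krb5 GSS token (no SPNEGO wrapper)
        result.update(kind="raw Kerberos", inner="Kerberos", carries_kerberos=True)
        return result
    if oid != SPNEGO_OID:
        result["kind"] = "unknown mech " + oid
        return result
    result["kind"] = "SPNEGO NegTokenInit"
    _, neg, _ = read_tlv(body, pos)         # [0] NegTokenInit
    _, seq, _ = read_tlv(neg)               # SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                     # mechTypes: SEQUENCE OF OID, in preference order
            _, oids, _ = read_tlv(val)
            p = 0
            while p < len(oids):
                _, o, p = read_tlv(oids, p)
                result["mechs"].append(MECH_NAMES.get(decode_oid(o), decode_oid(o)))
        elif tag == 0xA2:                   # mechToken: optimistic token for the first mech
            _, mech_token, _ = read_tlv(val)
            if mech_token.startswith(NTLM_SIGNATURE):
                result.update(inner="NTLMSSP", **parse_ntlm(mech_token))
            elif mech_token[:1] == b"\x60": # krb5 AP-REQ wrapped in its own GSS header
                _, inner_body, _ = read_tlv(mech_token)
                _, inner_oid, _ = read_tlv(inner_body)
                is_krb = decode_oid(inner_oid) in KRB5_OIDS
                result.update(inner="Kerberos" if is_krb else decode_oid(inner_oid),
                              carries_kerberos=is_krb)
    return result


if __name__ == "__main__":
    for name, hdr in (("same host", TOKEN_SAME_HOST), ("other host", TOKEN_OTHER_HOST)):
        print(name, classify_negotiate(hdr))
```

A browser that had obtained a service ticket would send a NegTokenInit whose mechTypes list starts with a Kerberos OID and whose mechToken begins with 0x60 and the krb5 OID, so `carries_kerberos` would be true. A type-1 NTLM token from a domain-joined client usually means the client could not build a usable SPN for the URL (an IP address in the address bar, or a host name with no matching HTTP/ SPN) and fell back to NTLM, which Tomcat's SPNEGO authenticator cannot accept.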

  • Does this answer your question? ["GSSException Defective token detected" - when trying to Authenticate to Tomcat running on Windows using Kerberos](https://stackoverflow.com/questions/47227276/gssexception-defective-token-detected-when-trying-to-authenticate-to-tomcat) – seenukarthi Apr 17 '23 at 04:45
  • The mistake I made was accessing my application using the IP address instead of the **host name**; in my case **rangesh-pt6** is my hostname. I tried accessing it with the **IP address**, which results in giving me an NTLM token instead of a Kerberos token. **lol, you're the only one who commented, bro. Anyway, thanks bro.** @seenukarthi – rangesh a Apr 20 '23 at 08:21
