Good morning. Are there any examples out there to retrofit spnego-r9.jar to use s4u2proxy? Any plans to do this? Regards.
1) 302 server redirects 2) spnego.authz.403 page 3) isEmpty() with isBlank() 4) Base64 @Deprecated 5) Fixed: getLocalAddr() causing NPE 6) Added IAM Gateways support
In case others are looking. As far as I can find, the released compiled jar does not support constrained delegation. I did find a patch that doesn't seem to have been implemented that supports constrained delegation and the S4U Kerberos extensions Microsoft did. I have manually implemented that along with a few fixes and it seems to work for me.
Does Spnego work with constrained delegation? I am using the R10 version with Tomcat 9.5 and when calling getDelegatedCredential() on an instance of DelegateServletRequest I always get a null when constrained delegation is configured on the service account in AD.
UPDATE: We got this working eventually, this was a CORS issue because our front end and back end had different URLs. We made changes to both sides, so for anyone who might run into this issue like I did, here's what we did: For BE side: We had to modify the @CrossOrigin annotation for the specific method. It ended up looking like this: @CrossOrigin(origins = {"${app.api.settings.cross-origin.allowed-origins}"}, maxAge = 3600, allowCredentials = "true") @GetMapping("/getSsoToken") public ResponseEntity<Object>...
Hello, I currently have the whole SSO setup working on my Spring 3 web service. The issue I'm running into is, it doesn't seem to work when accessing the URL through our front end service? For example, I'm supposed to call an API that goes through this SSO authentication when the user clicks a specific button on the page. If I try typing out the API directly onto the browser, it works as expected and I get my result. The logs also print out the expected log: net.sourceforge.spnego.SpnegoHttpFilter.doFilter...
Hi Kei, I'm glad everything is now working as expected. Yes, 14 years is a long time but I'm always happy to help. Thanks, -Darwin
Hey Darwin, Sorry for the late reply, after a lot of tinkering we finally managed to get it to work after all! The nail in the coffin was testing the SSO using a different account than the pre-authentication account. I had wrongly assumed that logging in to the workstation using the pre-auth credentials and trying the SSO out would "just work" since it was a valid AD account anyway. But our IT guy suggested that I try logging in to the workstation with a different AD account, and that one did work....
Hi Kei, > checking the AES128 or AES256 settings in the Active Directory Users and Computers program, > it gives me the KDC has no support for encryption type (14) error. > Leaving them unchecked gave me the Connection test successful message. Do you mind leaving AES128 and AES256 checkboxes un-checked for right now? > forwardable = true > defaultrealm = DOMAIN-NAME.LOCAL > defaulttktenctypes = aes128-cts aes256-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc > defaulttgsenctypes = aes128-cts...
Just found a difference when accessing the app from the computer name (servercomputername.domain-name.local) VS the DNS URL (webapp.website.com). When accessing with the DNS URL, it shows the custom Microsoft Edge login prompt, and is able to authenticate properly after providing credentials. However when I access the app with the computer name, it shows the default (?) Windows Security login prompt box. Once I provide the correct credentials, it returns Failure unspecified at GSS-API level (Mechanism...
Hello, I was able to set up a third machine (Windows 10) and separated the app from the KDC. Still no success. Btw, I stated the wrong OS for my first two machines, they are both Windows Server 2022 (I initially said 2012, sorry). Based on what I understand from SPNs, I've also updated the SPNs for the service account to ONLY be the URLs from which I can access the app. From my experience, the Apache Tomcat homepage ONLY shows up when I use the URLs "webapp.website.com" and "servercomputername.domain-name.local"....
Hello, would like to ask for some assistance in setting up SSO. Made it through the pre-flight checklist and it was working on the server as well as the client machine. However when setting up the Tomcat part, when accessing hello_spnego.jsp, it still shows the login prompt dialog box, which I understand means that the SSO part failed and it is asking for the credentials manually. I do have some differences with the provided guide, specifically with the encryption method. I couldn't figure out how...
Hi, I was able to make the jar work in Tomcat, however, I'm having issues when using SpringBoot 3. Kindly refer to attachments UPDATE: Sorry, this is my fault. I've overlooked something.
Hi, I was able to make the jar work in Tomcat, however, I'm having issues when using SpringBoot 3. Kindly refer to attachments
Hi, I was able to make the jar work in Tomcat, however, I'm having issues when using SpringBoot 3. Log file below:
Hey Darwin, I'll ask if I can have another VM set up and will let you know how it turns out. I am using Java 17 downloaded from here: https://www.oracle.com/ph/java/technologies/downloads/#jdk17-windows
Hi Kei, Thank you for taking a look at this library to see if it might be helpful for your project. I also thank you for providing all of this info right upfront. > Also I have the app and AD/KDC on the same machine (Windows Server 2012) I've never tried this config and I'm not 100% sure if it will work or not. Are you able to put the app on a 3rd machine instead? Also, do you mind specifying which JDK vendor and the JDK version you are using? Thanks, -Darwin
Hi Maarten, I have not tried it with that JDK. Are you aware of any API changes or available encryption algorithms that might make it troublesome? Thanks, -Darwin
Hello, would like to ask for some assistance in setting up SSO. Made it through the pre-flight checklist and it was working on the server as well as the client machine. However when setting up the Tomcat part, when accessing hello_spnego.jsp, it still shows the login prompt dialog box, which I understand means that the SSO part failed and it is asking for the credentials manually. I do have a difference with the provided guide, specifically with the encryption method. I couldn't figure out how to...
Hello, would like to ask for some assistance in setting up SSO. Made it through the pre-flight checklist and it was working on the server as well as the client machine. However when setting up the Tomcat part, when accessing hello_spnego.jsp, it still shows the login prompt, which I understand means that the SSO part failed and it is asking for the credentials manually. I do have a difference with the provided guide, specifically with the encryption method. I couldn't figure out how to get AES to...
UPDATE: it is finally working, instead of the username in web.xml, I need to add the Server principal name
anyone another idea? I switched back to RC4 and SSO is working as expected. So the configuration is fine. Client: USER @ SOME.DOMAIN Server: HTTP/iamd.some.domain @ domain KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize Start Time: 5/23/2023 13:52:13 (local) End Time: 5/24/2023 9:51:59 (local) Renew Time: 5/30/2023 13:51:59 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0 Kdc Called: AD...
anyone another idea?
same test with latest jar and tomcat 10+ java 11, same result
Hi Darwin, I redid the configuration as suggested but same issue. I see that the kerberos ticket is created as it should be (also on our ad server) any other suggestion?
Hi, Darwin: The information you provide is very helpful. Maybe you would like to include them in SPNEGO's document? For example, I don't have the luxury to modify AD account. I work for a big organization and it is not easy to persuade AD Admin team for this kind of task. (On an old Dell server, I did try to setup several virtual machines to mimic the setup. Unfortunately, that server doesn't have enough resource...) Hi, Maarten, I don't have a "debug file". These are the steps I execute to enable...
Hi Maarten, I'm sorry to hear that you are still stuck with your configuration. Perhaps, the best thing to do now is to start over with a hello world example. I don't really have any better suggestions or any more ideas of what the issue might be in your setup/environment. Looks like Ssu gave some good ideas and maybe continue to pursue those as well. Just to be sure, I went ahead and tried to re-create the problem again in our network. Here are the steps I took: 1) Created a new pre-auth account...
Dear, I have really no clue how to proceed, everything is configured as it should be and RC4 is working. Do you have any suggestion? Can I use your debug file? I have double checked our active directory logs, and the ticket is created in AES256. So this is working as it should be. Target username also double checked
Dear, I have really no clue how to proceed, everything is configured as it should be and RC4 is working. Do you have any suggestion? Can I use your debug file? thx
Maarten, I believe Java version is not a problem. You might have noticed that in my post, the root exception occurs at the same line as yours. This part of the code has been stable for a long, long time. I did debug down to file "AesDkCrypto.java" although I have to admit I didn't find where account name is used as salt for decoding. It was mentioned in some other website that AES uses account name as salt (after I accidentally found the "fix" for my setup). Hope you will find a solution quickly and...
new account, same error. Can It be related to my java version? eclipse adoptium jdk 11 SEVERE: Servlet.service() for servlet [Faces Servlet] in context with path [/identityiq] threw exception [GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)] with root cause java.security.GeneralSecurityException: Checksum failed at java.security.jgss/sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451) at java.security.jgss/sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)...
Hi Darwin, do you support Eclipse Adoptium jdk-11.0.16.101-hotspot, thx
FYI. Added two (2) new examples/guides on https://spnego.sourceforge.net/ The package names of the servlet-api are migrating from javax.servlet to jakarta.servlet. Spring Boot 2.x still uses the javax.servlet package name whereas Spring Boot 3.x now uses the jakarta.servlet package name. If you are on Spring Boot 2.x, you can continue to use the spnego-r9.jar file. However, if you want to use Spring Boot 3.x, you will have to use the spnego-jakarta-2.0.jar file. Both jar files can be downloaded here......
Hi Maxime, https://sourceforge.net/projects/spnego/files/ I tested the spnego-r9.jar with Java 11 and it worked. Tomcat 8 and Java 8 => worked Tomcat 9 and Java 11 => worked However, spnego-r9.jar did not work with Tomcat 10. Tomcat 10 and Java 11 => did not work So, I updated the SPNEGO source-code and created spnego-jakarta-2.0.jar. I tested spnego-jakarta-2.0.jar with Java 11 and it worked. Tomcat 10 and Java 11 => worked Btw, in the meantime, I also made a couple of minor changes. I attached...
I have requested a new account. As soon as I receive it, I will test. Keep you posted!
Wow Ssu... what a great find! Also, I am very glad to hear that you now have everything working as expected. Thanks, -Darwin
Yeah, the delegation setup is very delicate :( One small mismatch will break the whole thing and the messages are not helpful in most cases. Is there any way you could ask the system admin to create a brand new account and use it?
That's what I did Monday, but it didn't work. Which extra logging do you have enabled?
That's what I did Monday, but it didn't work.
Yes, I use the same account name. If you have permission, you can run the Powershell command "get-adaccount -identity MySpnegoAccountName -properties * " to find the exact account name.
Hello, sorry for my late reply (holiday). I tried your suggestion but it fails with the same error. Are you using the samaccountname?
Darwin and Maarten, After working with System Admin group, I resolved the checksum failure issue. The solution is actually super simple: in web.xml, the user name is CASE-SENSITIVE! Long version: when the SPNEGO account was created, I was given the account name with all lowercase characters. It works fine with RC4. And I continued to use that account name in testing AES256 and stuck with checksum failure error. In the debugging session, I saw the exact account name. After I change the account name...
Hello, it's working on RC4 on the same Tomcat and Java, only aes128 and aes256 are failing. I use spnego-9.jar. For me it has nothing to do with Java, I only want to upgrade the encryption level to aes128 or better aes256. HelloKDC.java is working, Hello_spnego.jsp is failing. I'm running Tomcat 9.70 and Java Eclipse Adoptium 11.0.12.1+1 Server version: Apache Tomcat/9.0.70 Server built: Dec 1 2022 14:05:47 UTC Server number: 9.0.70.0 OS Name: Windows Server 2019 OS Version: 10.0 Architecture:...
Darwin and Maarten, I will have a debug meeting with IT admin group early next week. I will keep you posted. So far, I am 99% sure that the checkbox labeled "This account supports Kerberos AES 256 bit encryption" is checked. Using the preflight test code, I can see the ticket is indeed AES256. Also, in PowerShell, command "get-adaccount -identity MySpnegoAccountName -properties * " does show the account has AES256 encryption. I will ask IT admin to show the Active Directory configuration window in...
Hi Maarten, Do you mind posting the same level of info as Ssu did above? Also, did you previously have this working? Meaning, was your app working normally and as expected before the Java upgrade to 361? Thanks, -Darwin
Hi Darwin, this option is checked. I have also tested it with a keytab in aes128 and we have the same issue.
Hi Ssu, Thank you for providing all of this info... it has been very helpful. I am wondering about one other piece of configuration... In Active Directory, if you look at/view your pre-auth account (spnego.preauth.username), can you please tell me if the AES 256 bit encryption is checked? In Active Directory, if you look at the properties of your pre-auth account, look under the tab labeled "Account". Under that tab, look for the section labeled "Account options:". Scroll through the checkbox options...
Hello, did you manage to solve it?
We have successfully used SPNEGO/Kerberos authentication for our Java web application with Active Directory. RC4-HMAC1 encryption was used. Now the system admins notified us that AES256 encryption will be used instead of RC4. Again, I follow https://spnego.sourceforge.net/index.html to setup a test box. Preflight went well. But accessing any file on the Tomcat, I get the famous "Checksum failed" exception. (System details: Using SPNEGO release R7 or R9; Tomcat 8.5.84; Java JDK 1.8.0_361; Web Server...
Applying this patch results in this Kerberos Error at the point when we use the credentials to make a service connection to the IBMi via JTOpen: KRBError: sTime is Thu Jun 16 20:34:38 BST 2022 1655408078000 suSec is 925556 error code is 13 error Message is KDC cannot accommodate requested option sname is krbsvr400/ibmi.mydomain@MYDOMAIN eData provided. msgType is 30 Unknown eData field of KRB-ERROR: 0000: 30 15 A1 03 02 01 03 A2 0E 04 0C 25 02 00 C0 00 0..........%.... 0010: 00 00 00 03 00 00 00...
By the by, here is my patch to r9 that seems to be working fine for this issue: Index: SpnegoHttpFilter.java =================================================================== --- SpnegoHttpFilter.java (revision 1638) +++ SpnegoHttpFilter.java (revision 1639) @@ -272,7 +272,7 @@ (HttpServletResponse) response); // skip authentication if resource is in the list of directories to exclude - if (exclude(httpRequest.getContextPath(), httpRequest.getServletPath())) { + if (exclude(httpRequest.getContextPath(),...
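Review bot: the condition changed at line 272 guards the branch that skips authentication, so the value that replaces httpRequest.getServletPath() as the second argument to exclude() decides which requests pass through unauthenticated. The replacement argument is cut off in the hunk as shown; the patch should document which path form exclude() now receives alongside httpRequest.getContextPath(), confirm that the exclude list is matched against a normalized path rather than a raw one, and include a test showing that a request outside the excluded directories still goes through authentication.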
Is there any plan to have a spnego jar compatible with java 11+ ? Current version spnego-r9.jar has dependencies on javax packages that were removed
Thanks Darwin. I will try Michel
Hi Michel, No worries. I believe I understand your question(s). Redhat: Yes Tomcat 9: Yes Load Balancer: Yes For load balancing, I have never tried with HAProxy... we use this product instead: https://www.f5.com/products/big-ip-services My suggestion is to take small steps and get a simple bare bones setup working first. Start with just Redhat/Tomcat and get those two working first before adding in a load balancer and/or Apache HTTPD. To get started, take a look at the SPNEGO library's documentation...
Hi Shaoyu, Yes, what you are looking to achieve is the primary use-case of most implementations and it is the reason why most people use this library. Please have a look at the spnego library's documentation... starting with this one: http://spnego.sourceforge.net/pre_flight.html Feel free to post to this thread if you encounter any hiccups. thanks, -darwin
Hi Saurabh, Unfortunately, it's not a configuration thing. As you know, if you are working with your own custom codebase, you can strip out the unwanted value yourself. However, if you are working with a 3rd party vendor codebase, and you don't have access to the source-code, that's a bit trickier. One solution to the scenario where you are using a 3rd party vendor and you don't have access to the source-code is to implement a custom ServletFilter and change the REMOTE_USER value. Meaning, in your...
Hi Bernhard, I did not try with Ubuntu but perhaps it might be fixed with the latest version of Tomcat...? Instead, I tried with Windows 2008 Server x64, JDK 11.0.14 x64, and Tomcat 9.0.58 x64. I did not have any issues and everything worked as expected. thanks, -darwin
Hello, Sorry for my very poor English. I tried to use spnego on this architecture: * redhat 8 * apache httpd 2.4 * tomcat 9 * haproxy 1.8 * There are 2 tomcat servers (ex server1:8080, server2:8080) * the httpd configuration includes load balancing with the 2 servers. I can't get spnego ok. Before investigating much more, I would like to know if this type of architecture is compatible with spnego, and if someone did it with success. Thanks for help Michel
We are developing a Java application and hope to get SPNEGO to work. Any feedback will be greatly appreciated. The following is our environment: 1. Windows Server 2016 2. Tomcat 8.5 (with Java 8) 3. Active Directory (for authentication) 4. Java application (Spring framework with a USERS table in the DB for authorization) 5. A service account to run the Tomcat service and execute SPNEGO negotiation Our goal is: 1. when a Windows user tries to access the web app, SPNEGO will take care of authentication...
StringIndexOutOfBoundsException in SpnegoProvider
NullPointerException in the method at net.sourceforge.spnego.SpnegoAuthenticator.isLocalhost(SpnegoAuthenticator.java:491)
Hi, I have configured a Java based web service to use Kerberos/SPNEGO. But each time when trying to access it from a browser on another computer, I receive the next error: org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [] threw exception [GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)] with root cause...
I ran into the same problem, and solved it essentially the same way. It seems like getRequestURI reflects the "logical" path more reliably and completely and lots of fancy servlets now have lots of internal dynamic path handling, and in such a way that servlet path is coming back empty. I believe this issue is duplicated by feature request #5, though this one is more complete and clearer. If it matters, my use case was a deployment of Oracle ORDS (on tomcat), where we want all of APEX to be protected...
One issue above is that NTLM was not setup properly. Adding this fixed that. AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false); HttpClientHandler httpClientHandler = new HttpClientHandler { UseDefaultCredentials = true, AllowAutoRedirect = true, }; var cred = CredentialCache.DefaultCredentials.GetCredential(uri, "Negotiate"); Now the issue is that NTLM is not supported by spnego.sourceforge.net. It shows NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported....
I want to http-get a webpage using this library from C# code. What I expected to work was to use HttpClient with DefaultCredentials. However it is failing in SpnegoHttpFilter as the authentication header is missing [“WWW-Authenticate”,”Negotiate”] and [“Authorization”,”Negotiate {token}”]. I can add those, but I don’t know how to find the token from DefaultCredentials. For background, I inherited code hosted on WebLogic that is using this library. I have access to that code and server. A web portal...
I want to call a service using this library from C# code. What I expected to work was to use HttpClient with DefaultCredentials. However it is failing in SpnegoHttpFilter as the header is missing [“WWW-Authenticate”,”Negotiate”] and [“Authorization”,”Negotiate {token}”]. I can add those, but I don’t know how to find the token from DefaultCredentials. For background, I inherited code hosted on WebLogic that is using this library. I have access to that code and server. A web portal is currently calling...
hello, I connect to a server with a user LDAP (spenego@FMP-FBZ.FGOV.BE). Then when my server makes a connection, I get another userPrincipal (sles12-tjava01.fedris.be@FMP-FBZ.FGOV.BE). How is it possible ? it is a LDAP configuration? SPN is the solution ?
hello, I connect to a server with a user LDAP (spenego@FMP-FBZ.FGOV.BE). Then when my server makes a connection, I get another userPrincipal (sles12-tjava01.fedris.be@FMP-FBZ.FGOV.BE). How is it possible ? it is a LDAP configuration?
Hello, I have implemented the same and it works fine using Tomcat, but our application is written using PL/SQL and they are using the username without the realm and the package is returning the principal name with realm. Example: REMOTE_USER = saurabh.garg@SAURABH.COM Can I get REMOTE_USER = saurabh.garg only, if there is any configuration missing? @darwinfelix can you please help. Thanks Saurabh
spnego.exclude.dirs does not work in some cases
Hi I am using spnego-r9 and tomcat 7 (which is fully supported on CentOS7) and purpose is to log which sites users are accessing. The problem is that access_log does not record windows domain username. SPNego logs are in catalina.out file but there is only authentication information which user has logged in at specific moment and no info about visited sites. Is it possible to log username and visited file to access_log or to SPNego log (catalina.out), how?
I had the same problem already described in http://tomcat.10.x6.nabble.com/SSO-fails-on-Tomcat-9-td5089051.html#a5089145 : When upgrading from Tomcat8.5.20 to Tomcat9.0.22 calling request.getRemoteUser() in a JSP (like the hello_spnego.jsp file as mentioned in http://spnego.sourceforge.net/spnego_tomcat.html) of the ROOT webapp with identically configured SPNEGO (using a SpnegoHttpFilter in the web.xml) did not return the Windows-User of the Browser sending the request transferring the Kerberos-Ticket...
Hi, I've successfully integrated SPNEGO into our solution filtering WebDAV requests for Office 2010. But we've got a problem with Office 2016. It is using a bearer token. And this token is not supported by SPNEGO. Please, have you got any hint what to do with it? Thnx. Jan
Fix for constrained delegation
Hi, Please disregard the follow-up question above. There is some difference in the server configuration, which means I currently have to specify the port. So I can reach the app at http://myuatserver:8080/MYAPP/. This gives me a new SPNEGO exception, which I am now investigating to see what differs between the working (Live) version and this non-working version. Thanks, Keith.