
Error: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Help
Vikas A
2014-11-17
  • Vikas A

    Vikas A - 2014-11-17

    Tomcat 8.0.15 on RHEL.

    I followed your instructions and used my own AD credentials and got the HelloKDC.java test working with Connection Test Successful. But when I put the same credentials in the Tomcat config and tried the Hello_SPNEGO.jsp, I got the HTTP 500 error (Failure unspecified at GSS-API level (Mechanism level: Checksum failed)). In fact, even the http://server:port Tomcat home page doesn't come up. I thought since the filter settings in web.xml have <url-pattern>*.jsp</url-pattern>, only JSP URLs would be affected. Why does it affect the Tomcat homepage/default webapp?

    Questions:

    1. Any idea why the error? Is this because I did NOT do the SPN step yet? Is this a pre-requisite for the filter to work in Tomcat?
    2. What if the password for the account used in the SPN changes? What kind of errors would this generate? How would this be fixed, remove and re-add all the SPNs? Or would it automatically correct itself when the new password is put in the Tomcat web.xml?
     
  • Darwin Felix

    Darwin Felix - 2014-11-17

    > Is this because I did NOT do the SPN step yet?

    Unfortunately, the only way this library will work is if you follow the instructions to the letter.

    http://spnego.sourceforge.net/pre_flight.html
    http://spnego.sourceforge.net/spnego_tomcat.html

    If any steps are skipped, this library will fail.

    Meaning, perhaps this library may not be appropriate for your project/environment.

    If you would like to see if we can get it to work in your environment, please go ahead and follow the guides to the letter.

    Please do NOT skip any steps.

    Also, please use the default install of the OS, Server, Tomcat, Workstation, Browser, etc.
    If things are still not working as expected, please post to this Forum.

    Finally, if possible, please include the following information:

    • Your Active Directory domain name
    • Pre-authentication account username
    • The FQDN of the machine hosting Tomcat
    • A list of All of the DNS entries/aliases that point to your Tomcat/JBoss machine
    • The FQDN of your default Windows XP/7 Workstation with default IE settings
    • The complete URL you are typing in IE when performing your test

    • The output from running the setspn.exe command

    • The contents of your krb5.conf file
    • The contents of your login.conf file
    • The spnego section of your web.xml file

    I am sorry to hear that this library did not work in your environment.

    Thank you for giving this library a try.

     
  • Vikas A

    Vikas A - 2014-11-17

    Understood. I will add the SPN and try again.

    Could you look at my question #2 above? All domain accounts need to have their passwords periodically changed in our environment. What steps would be needed to accommodate this? The guide doesn't really go into that.

     
