Fatal编程技术网
  • java/
  • Java 使用Kerberos SPNEGO配置Tomcat SSO

Java 使用Kerberos SPNEGO配置Tomcat SSO

java tomcat single-sign-on

Java 使用Kerberos SPNEGO配置Tomcat SSO,java,tomcat,single-sign-on,kerberos,spnego,Java,Tomcat,Single Sign On,Kerberos,Spnego,我正在尝试使用Kerberos在Tomcat 9(带有SDK 8)中配置SSO。我的环境都在Windows Server 2016虚拟机中: - server2016.forestgump.internal 192.168.44.130-Active Directory windowstomcat.forestgump.internal 192.168.44.135-Tomcat v9,SDK 8 WIN-MN3G5OM9U4Q.forestgump.internal 192.168.44.1

我正在尝试使用Kerberos在Tomcat 9(带有SDK 8)中配置SSO。我的环境都在Windows Server 2016虚拟机中: -

  • server2016.forestgump.internal 192.168.44.130-Active Directory
  • windowstomcat.forestgump.internal 192.168.44.135-Tomcat v9,SDK 8
  • WIN-MN3G5OM9U4Q.forestgump.internal 192.168.44.140-仅客户端
我读了很多教程(都有点不同),但我仍然无法获得我的网页,401一直在等着我

广告中的域名是“FORESTGUMP.INTERNAL”(是的……在拼写forest时没有错误,只有一个“R”,只是凌晨2点时虚构的名字)。我在这个域中创建了2个用户

  • tomcat(技术用户,用于登录windowstomcat.forestgump.internal tomcat服务器)。此用户具有一些附加配置:Password never expires=true,user cannot change Password=true,他的帐户支持Kerberos AES128,此帐户支持Kerberos AES256,信任此用户委派给任何服务(仅限Kerberos)
  • mario(登录到客户端计算机中的域的用户)
我将SPN映射到tomcat用户:

setspn -l forestgump.internal\tomcat
        Registered ServicePrincipalNames for CN=tomcat,CN=Users,DC=forestgump,DC=internal:
        HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
        HTTP/windowstomcat@FORESTGUMP.INTERNAL
        HTTP/windowstomcat
        HTTP/windowstomcat.forestgump.internal
然后我生成了一个keytab文件:

ktpass /out c:\tomcat.keytab /mapuser TOMCAT@FORESTGUMP.INTERNAL /princ HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL /pass Passw0rd! /kvno 0 -crypto ALL -ptype KRB5_NT_PRINCIPAL
并将这个tomcat.keytab复制到tomcat服务器上。/tomcat-9/conf,并在c.\tomcat-9\lib中添加了spnego-r9.jar

在tomcat服务器中,我创建了文件。/tomcat-9/conf/krb5.ini

    [libdefaults]
default_realm = FORESTGUMP.INTERNAL
default_keytab_name = "C:\opt\tomcat-9\conf\tomcat.keytab"
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
forestgump.internal = {
        kdc = server2016.forestgump.internal:88
}

[domain_realm]
forestgump.internal= FORESTGUMP.INTERNAL
.forestgump.internal= FORESTGUMP.INTERNAL
我创建了文件。/tomcat-9/conf/jass.conf

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
到目前为止,我找到的所有教程都非常一致。从现在起,far west和我对tomcat和java开发的缺乏知识对我没有帮助。 我更改了默认的tomcat-9/conf/server.xml,为AD LDAP添加了一个域

      <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />

      <Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://server2016.forestgump.internal:389" authentication="simple" referrals="follow" connectionName="CN=tomcat,CN=Users,DC=forestgump,DC=internal" connectionPassword="Passw0rd!" userSearch="(sAMAccountName={0})" userBase="CN=Users,DC=forestgump,DC=internal" userSubtree="true" roleSearch="(member={0})" roleName="cn" roleSubtree="true" roleBase="cn=Builtin,DC=forestgump,DC=internal" />
      </Realm>
用户帐户(tomcat和mario)支持Kerberos 128/256位加密

无法确定配置错误

问题似乎是您的
jaas.conf
中的分号:

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
删除
storeKey=true
后的分号。因此,
debug=true
被解释为它自己的条目,它不是——它只是一个属性。

太棒了,谢谢,那个分号改变了一切,我现在可以看到一些事情正在发生。不幸的是,我得到了403分,但至少我还有一些例外。我更新了我的原始注释,但有一个例外。IMHO,403应该表示身份验证成功-否则,您将收到401或500。但是,角色配置可能与LDAP用户/组不匹配。删除
auth约束
以查看身份验证本身是否有效(您的
index.jsp
应返回远程用户/主体)。然后,重新检查角色配置。再次感谢。我做了测试,没有
auth约束
页面已加载,但没有返回任何信息:Hello World!身份验证类型:null远程用户:null主体:null名称:NO PRINCIPALI已将my web xml中的“CN=Users,DC=forestgump,DC=internal”从“CN=Users,DC=forestgump,DC=internal”更改为“Users”,并且有效!非常感谢你的帮助。 
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
    version="4.0"
    metadata-complete="true">

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Web Resource - Allow GET method</web-resource-name>

            <url-pattern>/*</url-pattern>

            <http-method>GET</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>CN=Users,DC=forestgump,DC=internal</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>CN=Users,DC=forestgump,DC=internal</role-name>
    </security-role>

    <login-config>
        <auth-method>SPNEGO</auth-method>
        <realm-name>FORESTGUMP.INTERNAL</realm-name>
    </login-config>
</web-app>

<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/spnego">
<!-- valve will be explicitly created when SPNEGO is used,
 this is to declare additional attributes -->
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" 
  alwaysUseSession="true" cache="true"  />
</Context>

08-May-2020 14:51:46.294 SEVERE [http-nio-8080-exec-4] org.apache.catalina.core.StandardHostValve.invoke Exception Processing /TomcatHelloWorld/
    java.lang.SecurityException: java.io.IOException: Configuration Error:
    Line 8: expected [controlFlag]
        at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
        at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
        at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
        at javax.security.auth.login.LoginContext$1.run(LoginContext.java:245)
        at javax.security.auth.login.LoginContext$1.run(LoginContext.java:243)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:348)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:196)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:631)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: java.io.IOException: Configuration Error:
    Line 8: expected [controlFlag]
        at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
        at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
        at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:454)
        at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
        at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
        at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
        at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
        ... 31 more

11-May-2020 14:38:55.976 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [897] milliseconds
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is c:/opt/tomcat-9/conf/tomcat.keytab refreshKrb5Config is false principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 1
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 85; type: 3
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 23
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 109; type: 18
>>> KeyTabInputStream, readName(): FORESTGUMP.INTERNAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): windowstomcat.forestgump.internal
>>> KeyTab: load() entry length: 93; type: 17
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Java config name: C:\opt\tomcat-9\conf\krb5.ini
Loaded from Java config
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KdcAccessibility: reset
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=190
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=190
>>> KrbKdcReq send: #bytes read=238
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon May 11 14:39:04 NZST 2020 1589164744000
         suSec is 480933
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = FORESTGUMP.INTERNALHTTPwindowstomcat.forestgump.internal, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. UDP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. UDP:88, timeout=30000,Attempt =1, #bytes=279
>>> KrbKdcReq send: #bytes read=110
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=279
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=279
>>>DEBUG: TCPClient reading 1694 bytes
>>> KrbKdcReq send: #bytes read=1694
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/windowstomcat.forestgump.internal
principal is HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Will use keytab
Commit Succeeded

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found KeyTab c:\opt\tomcat-9\conf\tomcat.keytab for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 8..
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
Found unsupported keytype (1) for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1589164744/000073/52EB3DFA8A4B8EADDCE4B0019A0968EE/Administrator@FORESTGUMP.INTERNAL to Administrator@FORESTGUMP.INTERNAL|HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL
>>> KrbApReq: authenticate succeed.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>Delegated Creds have pname=Administrator@FORESTGUMP.INTERNAL sname=krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL authtime=null starttime=20200511023904Z endtime=20200511123904ZrenewTill=20200518023904Z
Krb5Context setting peerSeqNumber to: 1464367068
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 206741889
...
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL to go to krbtgt/FORESTGUMP.INTERNAL@FORESTGUMP.INTERNAL expiring on Tue May 12 00:39:04 NZST 2020
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> CksumType: sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server2016.forestgump.internal. TCP:88, timeout=30000, number of retries =3, #bytes=1622
>>> KDCCommunication: kdc=server2016.forestgump.internal. TCP:88, timeout=30000,Attempt =1, #bytes=1622
>>>DEBUG: TCPClient reading 1598 bytes
>>> KrbKdcReq send: #bytes read=1598
>>> KdcAccessibility: remove server2016.forestgump.internal.:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 905416011
Created InitSecContextToken:
0000: 01 00 6E 82 05 DF 30 82   05 DB A0 03 02 01 05 A1  ..n...0.........
.....
05D0: BE 28 08 00 6F FC 45 DC   0D 90 93 E9 60 46 CC 81  .(..o.E.....`F..
05E0: 51 D8 99 06 16                                     Q....

Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting peerSeqNumber to: 1474518462
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

ksetup /setenctypeattr FQDN>forestgump.internal RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/windowstomcat.forestgump.internal@FORESTGUMP.INTERNAL"
keyTab="c:/opt/tomcat-9/conf/tomcat.keytab"
useKeyTab=true
storeKey=true;
debug=true;
};