Posted to users@tomcat.apache.org by Edward Siewick <es...@ementum.com> on 2013/05/31 17:17:11 UTC

Tomcat7 and SPNEGO configuration questions

Hi.

I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.

Environment is:
Tomcat-7.0.33
Redhat RHEL 6.3
Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux

AD is on a Win2008R2 server.
Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.

The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's what I've got.

setspn -A HTTP/openid-linux.openidmdev.com tomcat7
ktpass -princ HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM -mapuser tomcat7@OPENIDMDEV.COM -crypto AES256-SHA1 -pass "mySecret,78."  -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = OPENIDMDEV.COM
 default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
 default_tkt_enctypes = aes256-cts-hmac-sha1-96
 default_tgs_enctypes = aes256-cts-hmac-sha1-96
 forwardable = true
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d

[realms]
OPENIDMDEV.COM = {
    kdc = openiddc.openidmdev.com:88
    admin_server = openiddc.openidmdev.com
}
[domain_realm]
openidmdev.com  = OPENIDMDEV.COM
.openidmdev.com = OPENIDMDEV.COM

The krb5.conf generally works. Using my domain username and password:

kinit -V esiewick
Using default cache: /tmp/krb5cc_0
Using principal: esiewick@OPENIDMDEV.COM
Password for esiewick@OPENIDMDEV.COM:
Authenticated to Kerberos v5

The keytab contains one key:

klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   0 HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM (aes256-cts-hmac-sha1-96)

The krb5 config is generally happy with the contents of the keytab:

kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
Authenticated to Kerberos v5

So I'm confident the MSA and the keytab are OK.

The Tomcat7 configurations are localized, based on the descriptions in the windows-auth-howto.html.
For the Java options, the init script uses:

JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
  -Djava.security.krb5.conf=/etc/krb5.conf \
  -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
  -Djavax.security.auth.useSubjectCredsOnly=false \
  -Xms1536m \
  -Xmx1536m \
  -XX:NewSize=256m \
  -XX:MaxNewSize=256m \
  -XX:PermSize=256m \
  -XX:MaxPermSize=256m \
  -XX:+DisableExplicitGC"

/usr/share/tomcat7c/conf/jaas.conf is:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
    useKeyTab=true
    keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
    storeKey=true
    debug=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
    useKeyTab=true
    keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
    storeKey=true
    debug=true;
};

In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

For a testcase, I'm using the Tomcat7 "manager" webapp.
In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
I've simply adjusted:

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
</login-config>
to:
<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
</login-config>

For /usr/share/tomcat7c/conf/tomcat-users.xml:

<tomcat-users>
<role rolename="tomcat"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<user username="esiewick@OPENIDMDEV.COM" password="" roles="tomcat,manager,manager-gui"/>
</tomcat-users>

In actually trying to use this configuration,
http://openid-linux.openidmdev.com:8080/manager/status
gives HTTP 500 and logs:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM not available in /usr/share/tomcat7c/confx/tomcat7.keytab
                [Krb5LoginModule] authentication failed

Unable to obtain password from user

May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

I trust that the configuration at least is reading the jaas.conf, since the first line of logging reflects its settings. However, I'm not convinced Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab; I can change:
keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
to:
keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
and get the same log "Key for the principal...not available" result (+ "-junk" of course).

Well-founded guidance, clues, and even good guesses are all welcome.

Edward
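
A standalone check of the JAAS side, added here as an example and not taken from the thread or from the Tomcat project: it runs the same com.sun.security.jgss.krb5.accept login that SpnegoAuthenticator performs, but from a plain JVM started with the -D options above, so a failure can be separated from Tomcat itself. It also tests two things the kinit runs above cannot: whether the keytab is readable by the OS user the JVM runs as, and whether the JVM's JCE policy permits 256-bit AES at all, since this keytab holds only an aes256-cts-hmac-sha1-96 key. The class name and argument layout are assumptions of mine; the entry name and paths are the ones from this post.

```java
import java.io.File;
import javax.crypto.Cipher;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added diagnostic (hypothetical class, not part of the thread or of Tomcat): perform the
 * JAAS login that Tomcat's SpnegoAuthenticator performs, but outside Tomcat. Run it as the
 * same OS user as Tomcat, with the same -D options as the init script:
 *
 *   java -Djava.security.krb5.conf=/etc/krb5.conf \
 *        -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
 *        -Dsun.security.krb5.debug=true \
 *        JaasAcceptCheck com.sun.security.jgss.krb5.accept /usr/share/tomcat7c/conf/tomcat7.keytab
 */
public final class JaasAcceptCheck {

    // Kerberos encryption type number of aes256-cts-hmac-sha1-96 (RFC 3962), the only
    // key type in the keytab shown in this thread.
    private static final int AES256_CTS_HMAC_SHA1_96 = 18;

    /** True when the keytab named in jaas.conf exists and is readable by this process. */
    static boolean keytabReadable(String path) {
        File f = new File(path);
        return f.isFile() && f.canRead();
    }

    /** True when the JCE policy lets this JVM use 256-bit AES keys. */
    static boolean aes256Usable() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        String entry = args.length > 0 ? args[0] : "com.sun.security.jgss.krb5.accept";
        String keytab = args.length > 1 ? args[1] : null;

        // Check 1: file access. The "Key for the principal ... not available" message does
        // not tell you whether the file could not be opened or merely lacks the key, so
        // test readability separately, as the Tomcat service account.
        if (keytab != null) {
            System.out.println("keytab " + keytab
                    + (keytabReadable(keytab) ? " is readable" : " is NOT readable by this user"));
        }

        // Check 2: key strength. A JRE whose JCE policy caps AES at 128 bits cannot use an
        // etype 18 key, and Krb5LoginModule then treats the principal's key as unavailable.
        System.out.println("256-bit AES usable by this JVM: " + aes256Usable());

        // Check 3: the login itself, under the JAAS entry name Tomcat uses. With
        // doNotPrompt=true no CallbackHandler is needed.
        LoginContext lc = new LoginContext(entry);
        try {
            lc.login();
        } catch (LoginException e) {
            System.out.println("JAAS login for entry '" + entry + "' FAILED: " + e.getMessage());
            System.exit(1);
        }
        Subject subject = lc.getSubject();
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("principal: " + p.getName());
        }
        // Report key type and version only: KerberosKey.toString() dumps the key bytes in
        // hex, which must not end up in a log or a mailing-list post. (Newer JDKs store a
        // KeyTab object instead of KerberosKey entries, in which case nothing is listed.)
        for (KerberosKey k : subject.getPrivateCredentials(KerberosKey.class)) {
            System.out.println("key: etype=" + k.getKeyType() + " kvno=" + k.getVersionNumber()
                    + (k.getKeyType() == AES256_CTS_HMAC_SHA1_96 ? " (aes256-cts-hmac-sha1-96)" : ""));
        }
        lc.logout();
        System.out.println("JAAS login for entry '" + entry + "' succeeded");
    }
}
```

If this fails with the same "Unable to obtain password from user", the problem is in the keytab, the principal name or the JVM's crypto support rather than in the Tomcat configuration; if it succeeds, look at the Tomcat side instead (the user Tomcat runs as, and whether the JAVA_OPTS actually reach the JVM).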


RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
>>
>> Well-founded guidance, clues, and even good guesses are all welcome.
>>
>
> Answering in the spirit of your last phrase above (because I really know nothing about the
> Tomcat SPNEGO Valve, and very little about Kerberos) :
> 
> The error message :
> 
> javax.security.auth.login.LoginException: Unable to obtain password from user
> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
> 
> would tend to indicate that something is trying to prompt the user for a password.
> That should not really happen, in a Windows SSO mechanism, unless the Windows Domain
> Controller (to which the SPNEGO Valve is ultimately talking) is configured to accept HTTP
> Basic authentication as a fall-back for a Windows Integrated Authentication that doesn't work.
> 
> One reason for which WIA could possibly not work, would be if your Windows workstation
> does not consider the Tomcat server to which it is connecting, as at least a "trusted"
> server.  In such a case, the *browser* will even refuse to start a WIA dialog with the server.
> So, first thing : are you sure that the workstation and the Tomcat server, from a Windows
> authentication point of view, are part of the same Windows Domain ?
> (And if you are not sure, and you are allowed to do this, what happens if you go into the
> IE settings, and add the tomcat hostname explicitly into the list of "trusted" servers ?).

André, 

Thanks for the good guess. The server, DC and workstation are all virtual hosts in an isolated lab context. So tinkering around with configurations isn't a problem. I've added the http:// and https:// for the FQDN and IP address of the server on the list. This didn't change anything in the result. 

Thanks,

Edward
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat7 and SPNEGO configuration questions

Posted by André Warnier <aw...@ice-sa.com>.
Edward Siewick wrote:
> [...]
> 
> Well-founded guidance, clues, and even good guesses are all welcome.
> 

Answering in the spirit of your last phrase above (because I really know nothing about the 
Tomcat SPNEGO Valve, and very little about Kerberos) :

The error message :

javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)

would tend to indicate that something is trying to prompt the user for a password.
That should not really happen, in a Windows SSO mechanism, unless the Windows Domain 
Controller (to which the SPNEGO Valve is ultimately talking) is configured to accept HTTP 
Basic authentication as a fall-back for a Windows Integrated Authentication that doesn't work.

One reason for which WIA could possibly not work, would be if your Windows workstation 
does not consider the Tomcat server to which it is connecting, as at least a "trusted" 
server.  In such a case, the *browser* will even refuse to start a WIA dialog with the server.
So, first thing : are you sure that the workstation and the Tomcat server, from a Windows 
authentication point of view, are part of the same Windows Domain ?
(And if you are not sure, and you are allowed to do this, what happens if you go into the 
IE settings, and add the tomcat hostname explicitly into the list of "trusted" servers ?).




RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
Pardon my apparent dyslexia:

> This snippet is from openjdk; http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
> There's also Oracle's http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. It doesn't have the actual logging line, though.

http://www.docjar.com/html/api/sun/security/krb5/internal/KDCRep.java.html does contain this.

________________________________________
From: james.henderson [james.henderson@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=166
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=152
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
         suSec is 764076
         error code is 25
         error Message is Additional pre-authentication required
         realm is DEV
         sname is krbtgt/DEV
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=249
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>> KrbKdcReq send: #bytes read=1384
>>> KrbKdcReq send: #bytes read=1384
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
                [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
to Subject
Commit Succeeded


Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello HTTP/1.1" 401 951

We have another page that uses spring SPNEGO and it works fine with exactly
the same user.

My security constraint/login config looks like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/hello</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>

        <user-data-constraint>

            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11 error.

Thanks,

James Henderson






RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
James,

Regarding your question a), HTTP 401 is a tangle of both "not authenticated" and "not authorized".  You're at least getting through authentication of the end user. At least that's my interpretation of Krb5Context logging of "KrbApReq: authenticate succeed." and logged values for mySeqNumber and peerSeqNumber. (In my case I'm not getting even this far.)

On your b), Felix's example for debugging a jmeter issue uses an LDAP call to check for group membership. This is configured within a <realm /> in server.xml, leveraging "the user's delegated credentials via a request attribute so applications can make use of them" [presumably for more fine-grained authorization control]. Anyway, this seems to be an application level augmentation of SPNEGO vice a contradiction of the patch comment for the initial SPNEGO support in Tomcat-7.0.12.  ("48685: Add initial support for SPNEGO/Kerberos authentication also referred to as integrated Windows authentication. This includes user authentication, authorisation via the directory using the user's delegated credentials and exposing the user's delegated credentials via a request attribute so applications can make use of them to impersonate the current user when accessing third-party systems that use a compatible authentication mechanism. Based on a patch provided by Michael Osipov. (markt).") There doesn't seem to be documentation that expands "authorisation via the directory using the user's delegated credentials" into a configuration option. As written the comment for 48685 says SPNEGO support doesn't stop at authentication; it [somehow] handles authorization, too.

On c), absent documentation, the details in 
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685
might help explain the developers' sense of the intended working order, provide some clues on the JAAS and SPNEGO configuration requirements. At least that's what I'm reading through.

On d), you might already know this, but "KDCRep: init() encoding tag is 126 req type is 11" translates to "exception: Asn1Exception - if an error occurs while decoding an ASN1 encoded data." The actual text is from sun.security.krb5.internal.KDCRep:

    /**
     * Initializes an KDCRep object.
     *
     * @param encoding a single DER-encoded value.
     * @param req_type reply message type.
     * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
     * @exception IOException if an I/O error occurs while reading encoded data.
     * @exception RealmException if an error occurs while constructing
     * a Realm object from DER-encoded data.
     * @exception KrbApErrException if the value read from the DER-encoded
     * data stream does not match the pre-defined value.
     *
     */
    protected void init(DerValue encoding, int req_type)
            throws Asn1Exception, RealmException, IOException,
            KrbApErrException {
        DerValue der, subDer;
        if ((encoding.getTag() & 0x1F) != req_type) {
            if (DEBUG) {
                System.out.println(">>> KDCRep: init() " +
                        "encoding tag is " +
                        encoding.getTag() +
                        " req type is " + req_type);
            }
            throw new Asn1Exception(Krb5.ASN1_BAD_ID);
        }

This snippet is from openjdk; http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
There's also Oracle's http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. It doesn't have the actual logging line, though.

Edward
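
On James's point d), here is an added example (mine, not from the thread or from the JDK) that applies the same "& 0x1F" mask as the KDCRep.init() snippet above to the value 126 (0x7E): the low five bits give tag number 30, which in RFC 4120 is the [APPLICATION 30] KRB-ERROR message, while req type 11 is the AS-REP the client was waiting for. The class name is an assumption; the tag numbers are the ones defined in RFC 4120.

```java
/**
 * Added example (hypothetical class, not from the thread): decode the outer ASN.1 identifier
 * octet that the JDK prints as "encoding tag is 126", the way KDCRep.init() reads it.
 */
public final class KrbOuterTag {

    /** Kerberos message types, RFC 4120 section 5.10: the [APPLICATION n] tag number of each. */
    static String messageTypeName(int tagNumber) {
        switch (tagNumber) {
            case 10: return "AS-REQ";
            case 11: return "AS-REP";
            case 12: return "TGS-REQ";
            case 13: return "TGS-REP";
            case 14: return "AP-REQ";
            case 15: return "AP-REP";
            case 20: return "KRB-SAFE";
            case 21: return "KRB-PRIV";
            case 22: return "KRB-CRED";
            case 30: return "KRB-ERROR";
            default: return "unknown";
        }
    }

    /** Low five bits of the identifier octet: the tag number (the mask used in KDCRep.init()). */
    static int tagNumber(int identifierOctet) {
        return identifierOctet & 0x1F;
    }

    /** Bits 8 and 7 give the tag class; every Kerberos message is APPLICATION class (binary 01). */
    static boolean isApplicationClass(int identifierOctet) {
        return (identifierOctet & 0xC0) == 0x40;
    }

    /** Bit 6 set means a constructed encoding; every Kerberos message is a SEQUENCE, so it is set. */
    static boolean isConstructed(int identifierOctet) {
        return (identifierOctet & 0x20) != 0;
    }

    /** The identifier octet a reply of the given type starts with, e.g. 0x6B (107) for AS-REP. */
    static int expectedIdentifier(int reqType) {
        return 0x60 | reqType;
    }

    static String describe(int identifierOctet) {
        int n = tagNumber(identifierOctet);
        return String.format("identifier 0x%02X (%d): %s, %s, tag number %d = %s",
                identifierOctet, identifierOctet,
                isApplicationClass(identifierOctet) ? "APPLICATION" : "non-APPLICATION",
                isConstructed(identifierOctet) ? "constructed" : "primitive",
                n, messageTypeName(n));
    }

    public static void main(String[] args) {
        // The values from James's log: the client expected an AS-REP (req type 11) and the
        // first octet of the KDC's reply was 126.
        System.out.println("received: " + describe(126));
        System.out.println("expected: " + describe(expectedIdentifier(11)));
        System.out.println("tag mismatch, so KDCRep.init() throws ASN1_BAD_ID: "
                + (tagNumber(126) != 11));
    }
}
```

The lines that follow in James's log are the JDK handling exactly that KRB-ERROR: error code 25 is KDC_ERR_PREAUTH_REQUIRED, and "AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ" is the retry with PA-ENC-TIMESTAMP that then reaches "Commit Succeeded", so this debug line records a normal first round trip with the KDC rather than a fault.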

the same user.

My security constraint/login config looks like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires
authentication</web-resource-name>
            <url-pattern>/hello</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>

        <user-data-constraint>

            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11
error.

Thanks,

James Henderson




--
View this message in context: http://tomcat.10.x6.nabble.com/Tomcat7-and-SPNEGO-configuration-questions-tp4999666p4999977.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
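The "encoding tag is 126 req type is 11" line that Edward traced to KDCRep.init() above, and that James asks about in (d), is easier to read once the tag octet is decoded: 126 & 0x1F is 30, the ASN.1 APPLICATION tag of KRB-ERROR, so the KDC answered the AS-REQ with a KRB-ERROR (here code 25, pre-authentication required) instead of the AS-REP the client expected, after which the client re-sent the AS-REQ with PA-ENC-TIMESTAMP. The following is an added example, not code from the thread or the JDK: it decodes that tag and triages a Krb5 debug trace; the helper names are my own and SAMPLE_TRACE is cut down from James's post.

```python
"""Added example (not from the thread): decode the DER tag in the KDCRep.init()
debug line and triage a -Dsun.security.krb5.debug=true trace.
Helper names are the author's own; SAMPLE_TRACE is trimmed from James's post."""
import re
from typing import Optional

# RFC 4120 ASN.1 [APPLICATION n] tag numbers of top-level Kerberos messages.
KRB_MSG_TYPES = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
    22: "KRB-CRED", 30: "KRB-ERROR",
}
# RFC 4120 section 7.5.9 error codes commonly seen during an AS exchange.
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED", 37: "KRB_AP_ERR_SKEW",
}
# Encryption type numbers as they appear in "keyType=" and "etype =" lines.
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
LEGACY_ETYPES = {1, 3, 23}  # single DES and RC4-HMAC are deprecated for Kerberos


def decode_der_tag(tag: int) -> dict:
    """Split one DER identifier octet into class / constructed / number.
    KDCRep.init() compares only (tag & 0x1F) with the expected message type."""
    cls = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")[(tag >> 6) & 3]
    number = tag & 0x1F
    return {"class": cls, "constructed": bool(tag & 0x20), "number": number,
            "message": KRB_MSG_TYPES.get(number, "unknown")}


_KDCREP_RE = re.compile(r"KDCRep: init\(\) encoding tag is (\d+) req type is (\d+)")
_ERRCODE_RE = re.compile(r"error code is (\d+)")
_KEYTYPE_RE = re.compile(r"EncryptionKey: keyType=(\d+)")


def explain_kdcrep_line(line: str) -> Optional[str]:
    """Translate the 'encoding tag is 126 req type is 11' line into English."""
    m = _KDCREP_RE.search(line)
    if not m:
        return None
    got = decode_der_tag(int(m.group(1)))["message"]
    want = KRB_MSG_TYPES.get(int(m.group(2)), "unknown")
    return f"expected {want}, KDC answered with {got}"


def triage_as_exchange(trace: str) -> dict:
    """Walk a debug trace and report whether the KRB-ERROR was the normal
    pre-authentication round trip or a real failure, and which key was used."""
    s = {"mismatch": None, "error_code": None, "error_name": None,
         "preauth_retry": False, "as_rep_received": False,
         "server_key_etype": None, "legacy_etype": False,
         "accept_succeeded": False, "verdict": ""}
    for line in trace.splitlines():
        if s["mismatch"] is None:
            s["mismatch"] = explain_kdcrep_line(line)
        m = _ERRCODE_RE.search(line)
        if m and s["error_code"] is None:
            s["error_code"] = int(m.group(1))
            s["error_name"] = KRB_ERROR_CODES.get(s["error_code"], "unknown")
        if "PREAUTH FAILED/REQUIRED, re-send AS-REQ" in line:
            s["preauth_retry"] = True
        if "KrbAsRep cons in KrbAsReq.getReply" in line:
            s["as_rep_received"] = True
        m = _KEYTYPE_RE.search(line)
        if m and s["server_key_etype"] is None:
            et = int(m.group(1))
            s["server_key_etype"] = ETYPES.get(et, f"etype {et}")
            s["legacy_etype"] = et in LEGACY_ETYPES  # worth flagging on a hardening pass
        if "KrbApReq: authenticate succeed" in line:
            s["accept_succeeded"] = True
    if s["error_code"] == 25 and s["preauth_retry"] and s["as_rep_received"]:
        s["verdict"] = ("benign: error 25 is the KDC asking for pre-authentication; "
                        "the re-sent AS-REQ got an AS-REP")
    elif s["error_code"] is not None:
        s["verdict"] = f"AS exchange failed: {s['error_name']}"
    else:
        s["verdict"] = "no KRB-ERROR in trace"
    return s


# Constructed sample: only the relevant lines of James's trace.
SAMPLE_TRACE = """\
default etypes for default_tkt_enctypes: 23 18 17.
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
         PA-ETYPE-INFO etype = 23
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
>>> KrbApReq: authenticate succeed.
"""

if __name__ == "__main__":
    print(triage_as_exchange(SAMPLE_TRACE)["verdict"])
```

In James's trace the verdict is benign: the error is the KDC's normal pre-authentication challenge, and the server key it then obtains is etype 23 (rc4-hmac), which the helper marks as a legacy cipher.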


Re: Tomcat7 and SPNEGO configuration questions

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 10.06.2013 23:35, schrieb james.henderson:
> I am in a similar situation to Edward.
>
> My authentication says something like:
>
> principal's key obtained from the keytab
> Acquire TGT using AS Exchange
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>>> #bytes=166
>>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>>> KrbKdcReq send: #bytes read=152
>>>> KrbKdcReq send: #bytes read=152
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
>           suSec is 764076
>           error code is 25
>           error Message is Additional pre-authentication required
>           realm is DEV
>           sname is krbtgt/DEV
>           eData provided.
>           msgType is 30
>>>> Pre-Authentication Data:
>           PA-DATA type = 11
>           PA-ETYPE-INFO etype = 23
>>>> Pre-Authentication Data:
>           PA-DATA type = 2
>           PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>           PA-DATA type = 15
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>> KrbAsReq salt is DEVserver.dev
> Pre-Authenticaton: find key for etype = 23
> AS-REQ: Add PA_ENC_TIMESTAMP now
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>>> #bytes=249
>>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>>> KrbKdcReq send: #bytes read=1384
>>>> KrbKdcReq send: #bytes read=1384
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
> principal is HTTP/guedlvwcfv001.dev@DEV
> EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
> Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
> EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
>                  [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
> to Subject
> Commit Succeeded
>
>
> Found key for HTTP/server.dev@DEV(23)
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Using builtin default etypes for permitted_enctypes
> default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> Config reset default kdc DEV
> object 0: 1370899284091/91026
> object 0: 1370899284091/91026
> replay cache found.
>>>> KrbApReq: authenticate succeed.
> Krb5Context setting peerSeqNumber to: 1400102526
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Krb5Context setting mySeqNumber to: 909711492
>                  [Krb5LoginModule]: Entering logout
>                  [Krb5LoginModule]: logged out Subject
>
> But the page always returns 401 if I try to use it:
>
> 10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello
> HTTP/1.1" 401 951
>
> We have another page that uses spring SPNEGO and it works fine with exactly
> the same user.
>
> My security constraint/login config looks like this:
>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>Wildcard means whole app requires
> authentication</web-resource-name>
>              <url-pattern>/hello</url-pattern>
>              <http-method>GET</http-method>
>              <http-method>POST</http-method>
>          </web-resource-collection>
>
>          <auth-constraint>
>              <role-name>*</role-name>
>          </auth-constraint>
>
>          <user-data-constraint>
>              
>              <transport-guarantee>NONE</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint>
>
>      <login-config>
>          <auth-method>SPNEGO</auth-method>
>      </login-config>
>
> I would like some idea how to:
>
> a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
You can enable more logging of the realm code by adding 
"org.apache.catalina.realm.level=FINE" to your conf/logging.properties file.
> b) Understand how the windows users/roles are going to map to any used in my
> webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
SPNego will only do authentication. Authorization is done via the 
configured realm. If your users and roles are stored in an LDAP 
directory (as I suspect they are), you can use the JNDIRealm to configure 
where tomcat will look for your users and their roles. For more info 
look at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
> c) get more documentation on how these things are actually supposed to work.
> Most of the information I find is examples, not proper documentation.
If you are not happy with the examples, you can look at the 
configuration docs cunningly hidden 
at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

Regards,
  Felix
> d) Understand why I get this: init() encoding tag is 126 req type is 11
> error.
>
> Thanks,
>
> James Henderson
>
>
>
>




RE: Tomcat7 and SPNEGO configuration questions

Posted by "james.henderson" <ja...@rbc.com>.
I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=166
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=152
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
         suSec is 764076
         error code is 25
         error Message is Additional pre-authentication required
         realm is DEV
         sname is krbtgt/DEV
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=249
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>> KrbKdcReq send: #bytes read=1384
>>> KrbKdcReq send: #bytes read=1384
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
                [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
to Subject
Commit Succeeded


Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello
HTTP/1.1" 401 951

We have another page that uses spring SPNEGO and it works fine with exactly
the same user.

My security constraint/login config looks like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires
authentication</web-resource-name>
            <url-pattern>/hello</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>

        <user-data-constraint>
            
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work. 
Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11
error.

Thanks,

James Henderson






Re: Tomcat7 and SPNEGO configuration questions

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 10.06.2013 22:06, schrieb Edward Siewick:
> I've tried an AES128 keytab and matching krb5.conf; this didn't get any further.
Could you try an arc4 one?

Felix
>
> Edward
>
>
> ________________________________________
> From: Edward Siewick [esiewick@ementum.com]
> Sent: Monday, June 10, 2013 3:31 PM
> To: Tomcat Users List
> Subject: RE: Tomcat7 and SPNEGO configuration questions
>
> Felix,
>
> Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two possibilities seem worth digging at. First, there's likely a gap in my understanding of the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to use the most simple authentication / authorization example available in the default Tomcat7 kit, the manager-gui <auth-constraint> / <role-name> and an ordinary conf/tomcat-users.xml. Regarding  the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the instruction. Is there something more needed in the web.xml?
>
> Second, I'm restricting my configuration to only AES256 (aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default pre-built Tomcat7 kit known to work with that, by just adding Oracle's jce_policy-6.zip? I'm picking at this because, where my log trace seems OK with the AD MSA's keytab, for a user authentication it jumps straight to a logout:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>                    [Krb5LoginModule]: Entering logout
>                    [Krb5LoginModule]: logged out Subject
>
> It's at this point that your trace goes on to "Using builtin default etypes for permitted_enctypes," authenticates an end user, and seems to be waiting for further end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using the AES128:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 17version: 1
> Added key: 18version: 1
> Added key: 3version: 1
> Added key: 23version: 1
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 18 17.
>>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> Using builtin default etypes for permitted_enctypes
> default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> replay cache for user00001@EXAMPLE.COM is null.
> object 0: 1370027872357/357663
>>>> KrbApReq: authenticate succeed.
> Krb5Context setting peerSeqNumber to: 758340766
> Krb5Context setting mySeqNumber to: 758340766
>
> Edward
>
> P.S.: The example server.xml bit from your bugzilla test kit provides for role based authorization. If I can get my very simple example to work, I'll try to use it. On that point, the bit:
>
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://localhost:10389"
>          userBase="ou=users,ou=security,dc=example,dc=com"
>          userSearch="(uid={0})"
>          roleBase="ou=groups,dc=example,dc=com"
>          roleName="cn"
>          roleSearch="(uniqueMember={0})"
>          useDelegatedCredential="false"
>       />
>
> or a similar tidy might be added to the HowTo, right after:
>
> "The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by default the JNDI Realm will use the user's delegated credentials to connect to the Active Directory."
>
>
>
>
> ________________________________________
> From: Felix Schumacher [felix.schumacher@internetallee.de]
> Sent: Wednesday, June 05, 2013 4:12 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
>
> Am 03.06.2013 20:48, schrieb Edward Siewick:
>> Felix & Friends,
>>
>> I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.
> If I read your logs at the end of your mail correctly, I think you
> haven't gotten that far as to have authenticated a user. In my logs you
> could see a user00001 being authenticated. But I can't really tell you,
> why your user was not authenticated.
>
> At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have
> described how I set up a tomcat with apacheds as a kerberos server. You
> might want to try that setup.
>
> Regards
>    Felix
>




RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
I've tried an AES128 keytab and matching krb5.conf; this didn't get any further. 

Edward


________________________________________
From: Edward Siewick [esiewick@ementum.com]
Sent: Monday, June 10, 2013 3:31 PM
To: Tomcat Users List
Subject: RE: Tomcat7 and SPNEGO configuration questions

Felix,

Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two possibilities seem worth digging at. First, there's likely a gap in my understanding of the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to use the most simple authentication / authorization example available in the default Tomcat7 kit, the manager-gui <auth-constraint> / <role-name> and an ordinary conf/tomcat-users.xml. Regarding  the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the instruction. Is there something more needed in the web.xml?

Second, I'm restricting my configuration to only AES256 (aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default pre-built Tomcat7 kit known to work with that, by just adding Oracle's jce_policy-6.zip? I'm picking at this because, where my log trace seems OK with the AD MSA's keytab, for a user authentication it jumps straight to a logout:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
                  [Krb5LoginModule]: Entering logout
                  [Krb5LoginModule]: logged out Subject

It's at this point that your trace goes on to "Using builtin default etypes for permitted_enctypes," authenticates an end user, and seems to be waiting for further end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using the AES128:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
replay cache for user00001@EXAMPLE.COM is null.
object 0: 1370027872357/357663
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

Edward

P.S.: The example server.xml bit from your bugzilla test kit provides for role based authorization. If I can get my very simple example to work, I'll try to use it. On that point, the bit:

     <Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://localhost:10389"
        userBase="ou=users,ou=security,dc=example,dc=com"
        userSearch="(uid={0})"
        roleBase="ou=groups,dc=example,dc=com"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
        useDelegatedCredential="false"
     />

or a similar tidy might be added to the HowTo, right after:

"The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by default the JNDI Realm will use the user's delegated credentials to connect to the Active Directory."




________________________________________
From: Felix Schumacher [felix.schumacher@internetallee.de]
Sent: Wednesday, June 05, 2013 4:12 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Am 03.06.2013 20:48, schrieb Edward Siewick:
> Felix & Friends,
>
> I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.

If I read your logs at the end of your mail correctly, I think you
haven't gotten that far as to have authenticated a user. In my logs you
could see a user00001 being authenticated. But I can't really tell you,
why your user was not authenticated.

At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have
described how I set up a tomcat with apacheds as a kerberos server. You
might want to try that setup.

Regards
  Felix
>


Re: Tomcat7 and SPNEGO configuration questions

Posted by Felix Schumacher <fe...@internetallee.de>.
Hi Edward,

Am 10.06.2013 21:31, schrieb Edward Siewick:
> Felix,
>
> Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two possibilities seem worth digging at. First, there's likely a gap in my understanding of the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to use the most simple authentication / authorization example available in the default Tomcat7 kit, the manager-gui <auth-constraint> / <role-name> and an ordinary conf/tomcat-users.xml. Regarding  the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the instruction. Is there something more needed in the web.xml?
No, there is nothing else needed in web.xml. Authentication will be done 
by using SPNego and authorization by whatever realm you have configured 
for the context.
>
> Second, I'm restricting my configuration to only AES256 (aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default pre-built Tomcat7 kit known to work with that, by just adding Oracle's jce_policy-6.zip?
In my example I used tomcat 7.0.40 with openjdk 7u21 without any 
modifications. My server keytab held an aes256-cts-hmac-sha1-96 encoded 
key. So tomcat has no problems per se with that encoding-combination.
> I'm picking at this because, where my log trace seems OK with the AD MSA's keytab, for a user authentication it jumps straight to a logout:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>                    [Krb5LoginModule]: Entering logout
>                    [Krb5LoginModule]: logged out Subject
>
> It's at this point that your trace goes on to "Using builtin default etypes for permitted_enctypes," authenticates an end user, and seems to be waiting for further end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using the AES128:
My old trace was produced with an aes128 encrypted key, so that may 
explain that. I had to enable aes256 explicitly for apacheds, which I 
hadn't bothered with at first.

With aes256 the trace looks like this:

...>>> KrbAsRep cons in KrbAsReq.getReply HTTP/www.example.com
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Found KeyTab
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 18version: 1
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
replay cache for user0001@EXAMPLE.COM is null.
object 0: 1370973475196/196436
 >>> KrbApReq: authenticate succeed.
 >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 >>>Delegated Creds have pname=user0001@EXAMPLE.COM 
sname=krbtgt/EXAMPLE.COM@EXAMPLE.COM authtime=20130611175709Z 
starttime=20130611175755Z endtime=20130612175704ZrenewTill=null
...


>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 17version: 1
> Added key: 18version: 1
> Added key: 3version: 1
> Added key: 23version: 1
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 18 17.
>>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> Using builtin default etypes for permitted_enctypes
> default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> replay cache for user00001@EXAMPLE.COM is null.
> object 0: 1370027872357/357663
>>>> KrbApReq: authenticate succeed.
> Krb5Context setting peerSeqNumber to: 758340766
> Krb5Context setting mySeqNumber to: 758340766
>
> Edward
>
> P.S.: The example server.xml bit from your bugzilla test kit provides for role based authorization. If I can get my very simple example to work, I'll try to use it. On that point, the bit:
>
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://localhost:10389"
>          userBase="ou=users,ou=security,dc=example,dc=com"
>          userSearch="(uid={0})"
>          roleBase="ou=groups,dc=example,dc=com"
>          roleName="cn"
>          roleSearch="(uniqueMember={0})"
>          useDelegatedCredential="false"
>       />
>
> or a similar tidy might be added to the HowTo, right after:
>
> "The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by default the JNDI Realm will use the user's delegated credentials to connect to the Active Directory."
That would be a bad example, since I explicitly disabled the delegation 
of the credentials in my case :)

Regards,
  Felix
>
>
>
>
> ________________________________________
> From: Felix Schumacher [felix.schumacher@internetallee.de]
> Sent: Wednesday, June 05, 2013 4:12 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
>
> Am 03.06.2013 20:48, schrieb Edward Siewick:
>> Felix & Friends,
>>
>> I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.
> If I read your logs at the end of your mail correctly, I think you
> haven't gotten that far as to have authenticated a user. In my logs you
> could see a user00001 being authenticated. But I can't really tell you,
> why your user was not authenticated.
>
> At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have
> described how I set up a tomcat with apacheds as a kerberos server. You
> might want to try that setup.
>
> Regards
>    Felix
>




RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
Felix,

Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two possibilities seem worth digging at. First, there's likely a gap in my understanding of the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to use the most simple authentication / authorization example available in the default Tomcat7 kit, the manager-gui <auth-constraint> / <role-name> and an ordinary conf/tomcat-users.xml. Regarding the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the instruction. Is there something more needed in the web.xml?

Second, I'm restricting my configuration to only AES256 (aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default pre-built Tomcat7 kit known to work with that, by just adding Oracle's jce_policy-6.zip? I'm picking at this because, where my log trace seems OK with the AD MSA's keytab, for a user authentication it jumps straight to a logout:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
                  [Krb5LoginModule]: Entering logout
                  [Krb5LoginModule]: logged out Subject

It's at this point that your trace goes on to "Using builtin default etypes for permitted_enctypes," authenticates an end user, and seems to be waiting for further end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using the AES128:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
replay cache for user00001@EXAMPLE.COM is null.
object 0: 1370027872357/357663
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

Edward

P.S.: The example server.xml bit from your bugzilla test kit provides for role based authorization. If I can get my very simple example to work, I'll try to use it. On that point, the bit:

     <Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://localhost:10389"
        userBase="ou=users,ou=security,dc=example,dc=com"
        userSearch="(uid={0})"
        roleBase="ou=groups,dc=example,dc=com"
        roleName="cn"
        roleSearch="(uniqueMember={0})"
        useDelegatedCredential="false"
     />

or a similar tidy might be added to the HowTo, right after:

"The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by default the JNDI Realm will use the user's delegated credentials to connect to the Active Directory."




________________________________________
From: Felix Schumacher [felix.schumacher@internetallee.de]
Sent: Wednesday, June 05, 2013 4:12 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Am 03.06.2013 20:48, schrieb Edward Siewick:
> Felix & Friends,
>
> I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.

If I read your logs at the end of your mail correctly, I think you
haven't gotten that far as to have authenticated a user. In my logs you
could see a user00001 being authenticated. But I can't really tell you
why your user was not authenticated.

At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have
described how I set up a tomcat with apacheds as a kerberos server. You
might want to try that setup.

Regards
  Felix
>
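The numbers in the traces quoted in this post come straight from the keytab file layout: "KeyTab: load() entry length: 98; type: 18" in Edward's trace, and the "Added key: 17version: 1 / 18 / 3 / 23" lines in Felix's, where the keytab carries several enctypes and Tomcat orders them by default_tkt_enctypes. As an added example, not code from the thread or from Tomcat, here is a Python parser for the MIT 0x0502 keytab format that lists each entry's principal, enctype and kvno, and flags the entries a Java 6 JRE with the default limited jurisdiction policy cannot use (of the enctypes seen in the thread, only AES-256, etype 18, has a key longer than 128 bits). The sample keytab is constructed inside the script with a dummy key; the enctype table and expected key lengths are assumptions taken from the Kerberos registry rather than from the thread.

```python
"""Parse an MIT-format (version 0x0502) keytab and flag entries a Java 6 JRE
with the limited JCE jurisdiction policy cannot use. Added example; the sample
keytab below is constructed, not the tomcat7.keytab from the thread."""
import struct

# Kerberos encryption type numbers (IANA Kerberos registry; assumption, not from the thread).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
EXPECTED_KEY_LEN = {1: 8, 3: 8, 16: 24, 17: 16, 18: 32, 23: 16}
# The limited policy files cap symmetric keys at 128 bits, so only AES-256 (18) trips it.
NEEDS_UNLIMITED_JCE = {18}


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per keytab entry (principal, etype, kvno, key length, size)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # int32 entry size
        off += 4
        if size < 0:                                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # components, realm not counted
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:                               # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({
            "size": size,
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "etype": etype, "kvno": vno, "key_len": len(key),
        })
    return entries


def audit_keytab(data):
    """Per entry: (principal, etype name, kvno, list of problems found)."""
    report = []
    for e in parse_keytab(data):
        problems = []
        if e["etype"] in NEEDS_UNLIMITED_JCE:
            problems.append("needs unlimited JCE policy")
        if EXPECTED_KEY_LEN.get(e["etype"]) not in (None, e["key_len"]):
            problems.append("key length %d unexpected" % e["key_len"])
        report.append((e["principal"], ETYPE_NAMES.get(e["etype"], str(e["etype"])),
                       e["kvno"], problems))
    return report


def build_keytab(entries):
    """Serialise (realm, components, etype, kvno, key, timestamp) tuples.
    Used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for realm, comps, etype, vno, key, ts in entries:
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, ts, vno)          # name_type KRB5_NT_PRINCIPAL = 1
        body += struct.pack(">H", etype) + struct.pack(">H", len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: the thread's principal with dummy AES-256 and AES-128 keys.
SAMPLE_KEYTAB = build_keytab([
    ("OPENIDMDEV.COM", ["HTTP", "openid-linux.openidmdev.com"], 18, 0, bytes(range(32)), 1370000000),
    ("OPENIDMDEV.COM", ["HTTP", "openid-linux.openidmdev.com"], 17, 0, bytes(range(16)), 1370000000),
])

if __name__ == "__main__":
    for principal, etype, kvno, problems in audit_keytab(SAMPLE_KEYTAB):
        print(principal, etype, "kvno", kvno, "; ".join(problems) or "ok")
```

With the thread's principal and a 32-byte AES-256 key the serialised entry is exactly 98 bytes, which is the "entry length: 98" the JRE reported, and an entry written by ktpass with -kvno 0 shows up here as kvno 0, matching "Added key: 18version: 0". Pointing the parser at a real file is a matter of `audit_keytab(open(path, "rb").read())`.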


Re: Tomcat7 and SPNEGO configuration questions

Posted by Felix Schumacher <fe...@internetallee.de>.
Am 03.06.2013 20:48, schrieb Edward Siewick:
> Felix & Friends,
>
> I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.
If I read your logs at the end of your mail correctly, I think you 
haven't gotten that far as to have authenticated a user. In my logs you 
could see a user00001 being authenticated. But I can't really tell you 
why your user was not authenticated.

At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have 
described how I set up a tomcat with apacheds as a kerberos server. You 
might want to try that setup.

Regards
  Felix
>
> On the progress, here's some detail for the listserv archive.
>
> A first issue was how I was trying to get the CATALINA_OPTS set, so I should start with a "Thank you" for nudging me on the CATALINA_OPTS bit. I had tried to add CATALINA_OPTS to the init.d script, which apparently was getting overwritten later in the Tomcat7 startup sequence. To correct, I simply added "-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true" to the bin/setenv.sh, vice the init.d script. After this, debug=true appeared properly in the resulting process, below.
>
> ps ajx | grep tomc
> 27474 29541 29541 27446 pts/3    29541 S+       0   0:00 tail -f /var/log/tomcat7/catalina.out
>      1 29585 29571 27391 pts/0    29626 Sl       0   0:36 /usr/java/jre1.6.0_39/bin/java
>   -Djava.util.logging.config.file=/usr/share/tomcat7c/conf/logging.properties
>   -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>   -Xmx512m -XX:MaxPermSize=256m -XX:PermSize=256m
>   -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true
>   -Djava.endorsed.dirs=/usr/share/tomcat7c/endorsed
>   -classpath /usr/share/tomcat7c/bin/bootstrap.jar:/usr/share/tomcat7c/bin/tomcat-juli.jar
>   -Dcatalina.base=/usr/share/tomcat7c -Dcatalina.home=/usr/share/tomcat7c
>   -Djava.io.tmpdir=/usr/share/tomcat7c/temp org.apache.catalina.startup.Bootstrap start
>
> This changed the error logging, adding a clue that smelled like a crypto module limitation:
>
> Found unsupported keytype (18) for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
>
> The trace was:
>
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>>> KeyTab: load() entry length: 98; type: 18
> Found unsupported keytype (18) for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM not available in /usr/share/tomcat7c/conf/tomcat7.keytab
>                  [Krb5LoginModule] authentication failed
> Unable to obtain password from user
>
> In http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
> I found:
>
> "NOTE: The JCE framework within JDK includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applications. Such restrictions are specified in "jurisdiction policy files". The jurisdiction policy files bundled in Java SE limits the maximum key length. Hence, in order to use AES256 encryption type, you will need to install the JCE crypto policy with the unlimited version to allow AES with 256-bit key."
>
> So, the second issue pertained to cryptography limitations set in /usr/java/jre1.6.0_39/lib/security/. The tomcat7.keytab was created only with "aes256-cts-hmac-sha1-96" and the /etc/krb5.conf has a likewise limited suite. The fix was to download Oracle's jce_policy-6.zip, unzip it, and copy the "unlimited" versions of local_policy.jar and US_export_policy.jar into /usr/java/jre1.6.0_39/lib/security/.
>
> After the jce_policy-6.zip *.jar files were in place, I got:
>
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>>> KeyTabInputStream, readName(): HTTP
>>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>>> KeyTab: load() entry length: 98; type: 18
> Added key: 18version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 18.
> 0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
> 0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
>
> principal's key obtained from the keytab
> Acquire TGT using AS Exchange
>>>> KdcAccessibility: reset
> default etypes for default_tkt_enctypes: 18.
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>>> KrbKdcReq send: #bytes read=210
>>>> KrbKdcReq send: #bytes read=210
>>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
>           suSec is 37310
>           error code is 25
>           error Message is Additional pre-authentication required
>           realm is OPENIDMDEV.COM
>           sname is krbtgt/OPENIDMDEV.COM
>           eData provided.
>           msgType is 30
>>>> Pre-Authentication Data:
>           PA-DATA type = 19
>           PA-ETYPE-INFO2 etype = 18
>           PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>           PA-ETYPE-INFO2 s2kparams = null
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
> Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>> KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
> default etypes for default_tkt_enctypes: 18.
> Pre-Authenticaton: find key for etype = 18
> AS-REQ: Add PA_ENC_TIMESTAMP now
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>>> KrbKdcReq send: #bytes read=100
>>>> KrbKdcReq send: #bytes read=100
>>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
>           suSec is 209191
>           error code is 52
>           error Message is Response too big for UDP, retry with TCP
>           realm is OPENIDMDEV.COM
>           sname is krbtgt/OPENIDMDEV.COM
>           msgType is 30
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>> DEBUG: TCPClient reading 1611 bytes
>>>> KrbKdcReq send: #bytes read=1611
>>>> KrbKdcReq send: #bytes read=1611
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
> principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
> Added server's keyKerberos Principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: keyType=18 keyBytes (hex dump)=
> 0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
>
>                  [Krb5LoginModule] added Krb5Principal  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM to Subject
> Commit Succeeded
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>                  [Krb5LoginModule]: Entering logout
>                  [Krb5LoginModule]: logged out Subject
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> KeyTab instance already exists
> Added key: 18version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 18.
> 0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
> 0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
>
> principal's key obtained from the keytab
> Acquire TGT using AS Exchange
> default etypes for default_tkt_enctypes: 18.
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>>> KrbKdcReq send: #bytes read=210
>>>> KrbKdcReq send: #bytes read=210
>>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
>           suSec is 608182
>           error code is 25
>           error Message is Additional pre-authentication required
>           realm is OPENIDMDEV.COM
>           sname is krbtgt/OPENIDMDEV.COM
>           eData provided.
>           msgType is 30
>>>> Pre-Authentication Data:
>           PA-DATA type = 19
>           PA-ETYPE-INFO2 etype = 18
>           PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>           PA-ETYPE-INFO2 s2kparams = null
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
> Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>> KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
> default etypes for default_tkt_enctypes: 18.
> Pre-Authenticaton: find key for etype = 18
> AS-REQ: Add PA_ENC_TIMESTAMP now
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>>> KrbKdcReq send: #bytes read=100
>>>> KrbKdcReq send: #bytes read=100
>>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
>           suSec is 614041
>           error code is 52
>           error Message is Response too big for UDP, retry with TCP
>           realm is OPENIDMDEV.COM
>           sname is krbtgt/OPENIDMDEV.COM
>           msgType is 30
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>> DEBUG: TCPClient reading 1611 bytes
>>>> KrbKdcReq send: #bytes read=1611
>>>> KrbKdcReq send: #bytes read=1611
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
> principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
> Added server's keyKerberos Principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: keyType=18 keyBytes (hex dump)=
> 0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
>
>                  [Krb5LoginModule] added Krb5Principal  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM to Subject
> Commit Succeeded
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>                  [Krb5LoginModule]: Entering logout
>                  [Krb5LoginModule]: logged out Subject
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> KeyTab instance already exists
> Added key: 18version: 0
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 18.
> 0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
> 0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
>
> principal's key obtained from the keytab
> Acquire TGT using AS Exchange
> default etypes for default_tkt_enctypes: 18.
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>>> KrbKdcReq send: #bytes read=210
>>>> KrbKdcReq send: #bytes read=210
>>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
>           suSec is 589895
>           error code is 25
>           error Message is Additional pre-authentication required
>           realm is OPENIDMDEV.COM
>           sname is krbtgt/OPENIDMDEV.COM
>           eData provided.
>           msgType is 30
>>>> Pre-Authentication Data:
>           PA-DATA type = 19
>           PA-ETYPE-INFO2 etype = 18
>           PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>           PA-ETYPE-INFO2 s2kparams = null
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
> Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>> KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
> default etypes for default_tkt_enctypes: 18.
> Pre-Authenticaton: find key for etype = 18
> AS-REQ: Add PA_ENC_TIMESTAMP now
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>>> KrbKdcReq send: #bytes read=100
>>>> KrbKdcReq send: #bytes read=100
>>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
>           suSec is 595755
>           error code is 52
>           error Message is Response too big for UDP, retry with TCP
>           realm is OPENIDMDEV.COM
>           sname is krbtgt/OPENIDMDEV.COM
>           msgType is 30
>>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>> DEBUG: TCPClient reading 1611 bytes
>>>> KrbKdcReq send: #bytes read=1611
>>>> KrbKdcReq send: #bytes read=1611
>>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
> principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
> Added server's keyKerberos Principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: keyType=18 keyBytes (hex dump)=
> 0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
> 0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
>
>                  [Krb5LoginModule] added Krb5Principal  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM to Subject
> Commit Succeeded
> Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
> Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
> Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>                  [Krb5LoginModule]: Entering logout
>                  [Krb5LoginModule]: logged out Subject
>
>
> --
>
> ________________________________________
> From: Felix Schumacher [felix.schumacher@internetallee.de]
> Sent: Sunday, June 02, 2013 12:20 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
>
> Hi Edward,
>
> a few more questions:
>
>    * What is your CATALINA_BASE and what CATALINA_HOME?
>    * Have you verified that your options (set by your JAVA_OPTS) are
> really used by your tomcat installation?
>
> Greetings
>    Felix
>
> Am 31.05.2013 17:17, schrieb Edward Siewick:
>> Hi.
>>
>> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.
>>
>> Environment is:
>> Tomcat-7.0.33
>> Redhat RHEL 6.3
>> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
>>
>> AD is on a Win2008R2 server.
>> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.
>>
>


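Edward's quoted diagnosis above, the "Found unsupported keytype (18)" line together with the Oracle note on jurisdiction policy files, can be checked on a JRE before Tomcat is started at all. As an added example, not code from the thread or from Tomcat, this Python script reads the .policy file carried inside lib/security/local_policy.jar and reports the largest AES key the policy grants, so a keytab that only holds AES-256 can be matched against the JVM that will load it. The two policy texts built inline are constructed stand-ins modelled on Oracle's limited and unlimited files (a wildcard 128-bit CryptoPermission versus CryptoAllPermission); the rule that algorithm-specific grants are consulted before the wildcard is my reading of JCE and is an assumption, as is the check_jre path helper.

```python
"""Report whether a JRE's JCE jurisdiction policy allows AES-256 (Kerberos
etype 18). Added example; the policy texts below are constructed stand-ins
for the contents of Oracle's limited and unlimited local_policy.jar."""
import io
import os
import re
import zipfile

# Constructed: the AES-relevant rules of the limited policy shipped with Java 6.
LIMITED_POLICY = """grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;
};
"""
# Constructed: the unlimited policy installed from jce_policy-6.zip.
UNLIMITED_POLICY = """grant {
    permission javax.crypto.CryptoAllPermission;
};
"""

_PERM = re.compile(
    r'permission\s+javax\.crypto\.CryptoPermission\s+(?:"([^"]+)"|\*)\s*,\s*(\*|\d+)')


def max_key_bits(policy_text, algorithm):
    """Largest key size in bits the policy grants for `algorithm`;
    None means unrestricted, 0 means nothing is granted."""
    if "javax.crypto.CryptoAllPermission" in policy_text:
        return None
    specific, wildcard = [], []
    for m in _PERM.finditer(policy_text):
        alg, size = m.group(1), m.group(2)
        bits = None if size == "*" else int(size)
        if alg is None:
            wildcard.append(bits)
        elif alg.lower() == algorithm.lower():
            specific.append(bits)
    # Assumption about JCE's lookup order: grants naming the algorithm win,
    # and the "*" grants apply only when the algorithm has none of its own.
    grants = specific or wildcard
    if not grants:
        return 0
    return None if None in grants else max(grants)


def policy_text_from_jar(jar_bytes):
    """Extract the .policy file carried inside a jurisdiction policy jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = [n for n in z.namelist() if n.endswith(".policy")]
        if not names:
            raise ValueError("no .policy file found in jar")
        return z.read(names[0]).decode()


def check_jar(jar_bytes, algorithm="AES", needed_bits=256):
    """Return (granted_bits, ok); ok is True when the jar permits `needed_bits`."""
    limit = max_key_bits(policy_text_from_jar(jar_bytes), algorithm)
    return limit, (limit is None or limit >= needed_bits)


def check_jre(jre_home, jar_name="local_policy.jar"):
    """Run check_jar against an installed JRE, e.g. /usr/java/jre1.6.0_39 (assumed layout)."""
    path = os.path.join(jre_home, "lib", "security", jar_name)
    with open(path, "rb") as f:
        return check_jar(f.read())


def build_policy_jar(policy_text):
    """Pack a policy text into an in-memory jar; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("default_local.policy", policy_text)
    return buf.getvalue()


if __name__ == "__main__":
    for label, text in (("limited", LIMITED_POLICY), ("unlimited", UNLIMITED_POLICY)):
        bits, ok = check_jar(build_policy_jar(text))
        print("%s policy: AES limit %s -> etype 18 %s" % (
            label, "none" if bits is None else bits, "usable" if ok else "blocked"))
```

The effective limit is the intersection of local_policy.jar and US_export_policy.jar, so a complete check runs `check_jre` for both jar names and takes the smaller result; a limited answer from either explains the "unsupported keytype (18)" line without touching the keytab or krb5.conf at all.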


RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
Felix & Friends,

I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or; tomcat-users.xml. I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.

On the progress, here's some detail for the listserv archive.

A first issue was how I was trying to get the CATALINA_OPTS set, so I should start with a "Thank you" for nudging me on the CATALINA_OPTS bit. I had tried to add CATALINA_OPTS to the init.d script, which apparently was getting overwritten later in the Tomcat7 startup sequence. To correct, I simply added "-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true" to the bin/setenv.sh, vice the init.d script. After this, debug=true appeared properly in the resulting process, below.

ps ajx | grep tomc
27474 29541 29541 27446 pts/3    29541 S+       0   0:00 tail -f /var/log/tomcat7/catalina.out
    1 29585 29571 27391 pts/0    29626 Sl       0   0:36 /usr/java/jre1.6.0_39/bin/java
 -Djava.util.logging.config.file=/usr/share/tomcat7c/conf/logging.properties
 -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
 -Xmx512m -XX:MaxPermSize=256m -XX:PermSize=256m
 -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true
 -Djava.endorsed.dirs=/usr/share/tomcat7c/endorsed
 -classpath /usr/share/tomcat7c/bin/bootstrap.jar:/usr/share/tomcat7c/bin/tomcat-juli.jar
 -Dcatalina.base=/usr/share/tomcat7c -Dcatalina.home=/usr/share/tomcat7c
 -Djava.io.tmpdir=/usr/share/tomcat7c/temp org.apache.catalina.startup.Bootstrap start

This changed the error logging, adding a clue that smelled like a crypto module limitation:

Found unsupported keytype (18) for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM

The trace was:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>> KeyTab: load() entry length: 98; type: 18
Found unsupported keytype (18) for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM not available in /usr/share/tomcat7c/conf/tomcat7.keytab
                [Krb5LoginModule] authentication failed
Unable to obtain password from user

In http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
I found:

"NOTE: The JCE framework within JDK includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applications. Such restrictions are specified in "jurisdiction policy files". The jurisdiction policy files bundled in Java SE limits the maximum key length. Hence, in order to use AES256 encryption type, you will need to install the JCE crypto policy with the unlimited version to allow AES with 256-bit key."

So, the second issue pertained to cryptography limitations set in /usr/java/jre1.6.0_39/lib/security/. The tomcat7.keytab was created only with "aes256-cts-hmac-sha1-96" and the /etc/krb5.conf has a likewise limited suite. The fix was to download Oracle's jce_policy-6.zip, unzip it, and copy the "unlimited" versions of local_policy.jar and US_export_policy.jar into /usr/java/jre1.6.0_39/lib/security/.

After the jce_policy-6.zip *.jar files were in place, I got:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>> KeyTab: load() entry length: 98; type: 18
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

principal's key obtained from the keytab
Acquire TGT using AS Exchange
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
         suSec is 37310
         error code is 25
         error Message is Additional pre-authentication required
         realm is OPENIDMDEV.COM
         sname is krbtgt/OPENIDMDEV.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18
         PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
         PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
         suSec is 209191
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is OPENIDMDEV.COM
         sname is krbtgt/OPENIDMDEV.COM
         msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
Added server's keyKerberos Principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

                [Krb5LoginModule] added Krb5Principal  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
         suSec is 608182
         error code is 25
         error Message is Additional pre-authentication required
         realm is OPENIDMDEV.COM
         sname is krbtgt/OPENIDMDEV.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18
         PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
         PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
         suSec is 614041
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is OPENIDMDEV.COM
         sname is krbtgt/OPENIDMDEV.COM
         msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
Added server's keyKerberos Principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

                [Krb5LoginModule] added Krb5Principal  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
         suSec is 589895
         error code is 25
         error Message is Additional pre-authentication required
         realm is OPENIDMDEV.COM
         sname is krbtgt/OPENIDMDEV.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18
         PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
         PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
         suSec is 595755
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is OPENIDMDEV.COM
         sname is krbtgt/OPENIDMDEV.COM
         msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
Added server's keyKerberos Principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

                [Krb5LoginModule] added Krb5Principal  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject


--

________________________________________
From: Felix Schumacher [felix.schumacher@internetallee.de]
Sent: Sunday, June 02, 2013 12:20 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Hi Edward,

a few more questions:

  * What is your CATALINA_BASE and what CATALINA_HOME?
  * Have you verified that your options (set by your JAVA_OPTS) are
really used by your Tomcat installation?

Greetings
  Felix

Am 31.05.2013 17:17, schrieb Edward Siewick:
> Hi.
>
> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.
>
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
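The acceptor log above shows the key the JDK pulled from the keytab (keyType=18, kvno=0) and the salt the KDC sent back in PA-ETYPE-INFO2 (OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com). What follows is an added example, not code from the thread, from Tomcat or from the JDK: a small Python reader for the MIT keytab file format (version 0x0502, the layout ktpass writes and klist -e -k reads) that refuses to continue when the file is missing, lists every entry's principal, enctype and kvno, picks the entry an acceptor would use for a given principal and enctype, and derives the RFC 4120 default salt (realm followed by the name components) from a principal. The sample keytab is constructed inside the block with a dummy key; the principal, realm and enctype are the thread's, nothing else in it comes from the thread, and load_keytab(path) does the same for a real file.

```python
import os
import struct

# Constructed sample input: the thread's service principal with a dummy 32-byte AES-256
# key at kvno 0, the shape of keytab the thread's ktpass command produces. The key bytes
# are made up here and are not the key printed in the Java debug output.
SAMPLE_PRINCIPAL = "HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
SAMPLE_KEY = bytes(range(32))

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(data):
    """MIT keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialise one keytab entry in the 0x0502 layout, including the trailing 32-bit kvno."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())  # v2 count excludes realm
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def write_keytab(entries):
    """Prepend the 0x0502 magic to serialised entries."""
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    """Parse keytab bytes into dicts with principal, enctype, kvno, key and timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab (header %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                            # negative size marks a deleted slot
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        strings = []
        for _ in range(ncomp + 1):              # realm first, then the name components
            (ln,) = struct.unpack(">H", data[pos:pos + 2])
            strings.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _name_type, timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        # Optional 32-bit kvno; when present and non-zero it overrides the 8-bit field.
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "enctype": enctype, "kvno": vno32 or vno8,
                        "key": key, "timestamp": timestamp})
        pos = end
    return entries

def load_keytab(path):
    """Read a keytab from disk, failing loudly instead of quietly finding no key."""
    if not os.path.isfile(path):
        raise FileNotFoundError("keytab %s does not exist" % path)
    with open(path, "rb") as fh:
        return parse_keytab(fh.read())

def find_key(entries, principal, enctype):
    """Entry an acceptor would use for this principal and enctype (highest kvno), or None."""
    matches = [e for e in entries if e["principal"] == principal and e["enctype"] == enctype]
    return max(matches, key=lambda e: e["kvno"]) if matches else None

def default_salt(principal):
    """RFC 4120 default string-to-key salt: the realm followed by the name components."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))

def describe(entries):
    """One line per entry, in the spirit of `klist -e -k`."""
    return "\n".join("kvno %d %s (%s)" % (e["kvno"], e["principal"],
                                          ENCTYPE_NAMES.get(e["enctype"], e["enctype"]))
                     for e in entries)

if __name__ == "__main__":
    sample = write_keytab([build_entry(SAMPLE_PRINCIPAL, 0, 18, SAMPLE_KEY)])
    print(describe(parse_keytab(sample)))
    print("salt:", default_salt(SAMPLE_PRINCIPAL))
```

Pointing load_keytab at the path from jaas.conf is the check the JDK does not make for you: a wrong path raises FileNotFoundError immediately, and a readable file that lacks an entry for the principal and enctype makes find_key return None, which is the condition behind a "Key for the principal ... not available" login failure.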


Re: Tomcat7 and SPNEGO configuration questions

Posted by Felix Schumacher <fe...@internetallee.de>.
Hi Edward,

a few more questions:

  * What is your CATALINA_BASE and what CATALINA_HOME?
  * Have you verified that your options (set by your JAVA_OPTS) are
really used by your Tomcat installation?

Greetings
  Felix

Am 31.05.2013 17:17, schrieb Edward Siewick:
> Hi.
>
> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.
>
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.
>
> The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's what I've got.
>
> setspn -A HTTP/openid-linux.openidmdev.com tomcat7
> ktpass -princ HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM -mapuser tomcat7@OPENIDMDEV.COM -crypto AES256-SHA1 -pass "mySecret,78."  -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab
>
> /etc/krb5.conf:
>
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   default_realm = OPENIDMDEV.COM
>   default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
>   default_tkt_enctypes = aes256-cts-hmac-sha1-96
>   default_tgs_enctypes = aes256-cts-hmac-sha1-96
>   forwardable = true
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>
> [realms]
> OPENIDMDEV.COM = {
>      kdc = openiddc.openidmdev.com:88
>      admin_server = openiddc.openidmdev.com
> }
> [domain_realm]
> openidmdev.com  = OPENIDMDEV.COM
> .openidmdev.com = OPENIDMDEV.COM
>
> The krb5.conf generally works. Using my domain username and password:
>
> kinit -V esiewick
> Using default cache: /tmp/krb5cc_0
> Using principal: esiewick@OPENIDMDEV.COM
> Password for esiewick@OPENIDMDEV.COM:
> Authenticated to Kerberos v5
>
> The keytab contains one key:
>
> klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
> Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     0 HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM (aes256-cts-hmac-sha1-96)
>
> The krb5 config is generally happy with the contents of the keytab:
>
> kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
> Authenticated to Kerberos v5
>
> So I'm confident the MSA and the keytab are OK.
>
> The Tomcat7 configurations are localized, based on the descriptions in the windows-auth-howto.html.
> For the Java options, the init script uses:
>
> JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
>    -Djava.security.krb5.conf=/etc/krb5.conf \
>    -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
>    -Djavax.security.auth.useSubjectCredsOnly=false \
>    -Xms1536m \
>    -Xmx1536m \
>    -XX:NewSize=256m \
>    -XX:MaxNewSize=256m \
>    -XX:PermSize=256m \
>    -XX:MaxPermSize=256m \
>    -XX:+DisableExplicitGC"
>
> /usr/share/tomcat7c/conf/jaas.conf is:
>
> com.sun.security.jgss.krb5.initiate {
>      com.sun.security.auth.module.Krb5LoginModule required
>      doNotPrompt=true
>      principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
>      useKeyTab=true
>      keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>      storeKey=true
>      debug=true;
> };
> com.sun.security.jgss.krb5.accept {
>      com.sun.security.auth.module.Krb5LoginModule required
>      doNotPrompt=true
>      principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
>      useKeyTab=true
>      keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>      storeKey=true
>      debug=true;
> };
>
> In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
>
> <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>
> For a testcase, I'm using the Tomcat7 "manager" webapp.
> In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
> I've simply adjusted:
>
> <login-config>
>      <auth-method>BASIC</auth-method>
>      <realm-name>Tomcat Manager Application</realm-name>
>    </login-config>
> to:
>    <login-config>
>      <auth-method>SPNEGO</auth-method>
>      <realm-name>Tomcat Manager Application</realm-name>
>    </login-config>
>
> For /usr/share/tomcat7c/conf/tomcat-users.xml:
>
> <tomcat-users>
> <role rolename="tomcat"/>
> <role rolename="manager"/>
> <role rolename="manager-gui"/>
> <user username="esiewick@OPENIDMDEV.COM" password="" roles="tomcat,manager,manager-gui"/>
> </tomcat-users>
>
> In actually trying to use this configuration,
> http://openid-linux.openidmdev.com:8080/manager/status
> gives HTTP 500 and logs:
>
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>
> Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM not available in /usr/share/tomcat7c/confx/tomcat7.keytab
>                  [Krb5LoginModule] authentication failed
>
> Unable to obtain password from user
>
> May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
>          at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>          at java.lang.reflect.Method.invoke(Unknown Source)
>          at javax.security.auth.login.LoginContext.invoke(Unknown Source)
>          at javax.security.auth.login.LoginContext.access$000(Unknown Source)
>          at javax.security.auth.login.LoginContext$4.run(Unknown Source)
>          at java.security.AccessController.doPrivileged(Native Method)
>          at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
>          at javax.security.auth.login.LoginContext.login(Unknown Source)
>          at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
>          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
>          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
>          at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
>          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>          at java.lang.Thread.run(Unknown Source)
>                  [Krb5LoginModule]: Entering logout
>                  [Krb5LoginModule]: logged out Subject
>
> I trust that the configuration at least is reading the jaas.conf, since the first line of logging reflects its settings. However, I'm not convinced Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab; I can change:
> keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
> to:
> keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
> and get the same log "Key for the principal...not available" result (+ "-junk" of course).
>
> Well-founded guidance, clues, and even good guesses are all welcome.
>
> Edward
>
>




RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
________________________________________
From: Felix Schumacher [felix.schumacher@internetallee.de]
Sent: Friday, May 31, 2013 3:22 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Hi Edward.

Am Freitag, den 31.05.2013, 13:24 -0500 schrieb Edward Siewick:
> ________________________________________
> From: Felix Schumacher [felix.schumacher@internetallee.de]
> Sent: Friday, May 31, 2013 1:18 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
>
> Am Freitag, den 31.05.2013, 10:17 -0500 schrieb Edward Siewick:
> >> Hi.
> >>
> >> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.
> >>
> <snip>
> >> Well-founded guidance, clues, and even good guesses are all welcome.
>
> > I would look, if IE is sending an authorization header.
>
> Felix,
>
> Thanks. tcpdump shows an authz header, though it seems to be associated with the client's first call to the server. Let me know if I should be expecting some other packets in the exchange.  It goes on for a few packets; the beginning of the Authorization: header from the client is below.
>
> Edward
>
>     openid-wdw.openidmdev.com.50784 > openid-linux.openidmdev.com.webcache: Flags [.], seq 1:1461, ack 1, win 16425, length 1460
> E...i.@...5>
> .!`
> .!a.`....._K...P.@). ..GET /manager/status HTTP/1.1^M
> Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*^M
> Accept-Language: en-US^M
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)^M
> Accept-Encoding: gzip, deflate^M
> Host: openid-linux.openidmdev.com:8080^M
> Connection: Keep-Alive^M
> Cookie: JSESSIONID=58B85BF870EA8328FC7A76D70C39EAF5^M
> Authorization: Negotiate YIIGpwYGKwYBBQUCoIIGmzCCBpegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBmEEggZdYIIGWQYJKoZIhvcSAQICAQBuggZIMIIGRKADAgEFoQMCAQ6iBwMFACAAAACjggTKYYIExjCCBMKgAwIBBaEQGw5PUEVOSURNREVWLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG29wZW5pZC1saW51eC5vcGVuaWRtZGV2LmNvbaOCBHcwggRzoAMCARehAwIBBqKCBGUEggRhtG1hWlctx9Ey75vGdQsRwKC5hNhuDW+qC4Kr2Dov2b/9TT94u8NZ30rqi4nJOKgK9VfcEsqgCwuLgnG0AdLmhXhaBYVk/p8xcJpXTeyUd3OOBVE1Z8BHD6fNlJ/c01o5r4iYV
The header looks good. What does a klist say on the client? Is
HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM listed?

Can you add -Dsun.security.krb5.debug=true to your CATALINA_OPTS?

On my installation it prints the following lines when I log in with
principal user00001@EXAMPLE.COM on the server www.example.com

>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 67; type: 23
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 59; type: 3
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 83; type: 18
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 67; type: 17
Config name: /home/felix/Developer/apache-tomcat-7.0.40/conf/krb5.ini
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> KdcAccessibility: reset
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
default etypes for default_tkt_enctypes: 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=153
>>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=153
>>> KrbKdcReq send: #bytes read=187
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null

>>> KdcAccessibility: remove localhost:60088
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Fri May 31 21:17:52 CEST 2013 1370027872000
         suSec is 0
         error code is 25
         error Message is Additional pre-authentication required
         realm is EXAMPLE.COM
         sname is krbtgt/EXAMPLE.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null

KRBError received: Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17.
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=240
>>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=240
>>> KrbKdcReq send: #bytes read=537
>>> KdcAccessibility: remove localhost:60088
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/www.example.com
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
Found KeyTab
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
replay cache for user00001@EXAMPLE.COM is null.
object 0: 1370027872357/357663
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

My kerberos server is listening on localhost and port 60088 (and is
actually apacheds 2.0.0M12)

Greetings
 Felix
> ---------------------------------------------------------------------

Felix,

Thanks. I've added the "-Dsun.security.krb5.debug=true" to CATALINA_OPTS in the init script. This didn't change anything in the logging. I also exported it via the shell. Again, no change in the logging. 

I have a Windows 2007 workstation in the lab configured for development, though. So to try to better isolate the problem, e.g., exclude the Tomcat7 bits, I wrote a simple JAAS test framework based on a quick mash-up of
http://www.avajava.com/tutorials/lessons/how-do-i-create-a-login-module.html 
and
http://download.java.net/jdk8/docs/technotes/guides/security/jgss/single-signon.html

The logging is nearly the same as appears in catalina.out. So I'm fairly certain I've got the right classes in play for emulating what Tomcat is doing. The first thing I've noticed is that nobody's checking whether the keytab file actually exists. So, regardless of whether I use a valid or bogus path to the keytab, the logging is the same. 

TestCallbackHandler: constructor called
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Dev/krb5-servlet/src/main/java/krb5servlet/tomcat7.keytab.BOGUS refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
null credentials from Ticket Cache
Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM not available in C:/Dev/krb5-servlet/src/main/java/krb5servlet/tomcat7.keytab.BOGUS
[Krb5LoginModule] authentication failed 
Unable to obtain password from user
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at krb5servlet.JaasAuthenticationTest.main(JaasAuthenticationTest.java:44)

I forgot to note in the original posting that the JVM on the server is
java version "1.6.0_39"
Java(TM) SE Runtime Environment (build 1.6.0_39-b04)
Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode)

Also, thanks for mentioning that ApacheDS can be used as a KDC. I'll be out of the lab for the weekend; I don't run any MS stuff at home. But I can try a bit more testing against an ApacheDS-based KDC.

Edward
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
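
Added example, not code from this thread, from Tomcat or from the JDK: a reader for the keytab format that Krb5LoginModule's keyTab= option points at, written in Python so it runs without a KDC. It refuses a path that does not exist (the check Edward's test shows the login module does not make, since a real and a bogus path produce the same log line), parses entries the way the JDK's KeyTabInputStream reads them, and looks a key up the way an acceptor needs it: principal plus enctype, optionally kvno. The sample keytab it builds is constructed to match the four-entry layout in the debug output Felix posted in this thread (types 23, 3, 18, 17); its keys are zero bytes, not real keys.

```python
"""Reader and writer for MIT-format keytab files (magic 0x05 0x02): the format behind
Krb5LoginModule's keyTab= option, 'klist -k', and the KeyTabInputStream lines that
-Dsun.security.krb5.debug=true prints. Standard library only."""
import os
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    """uint16 length-prefixed byte string (the realm and each name component)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per entry: principal, name_type, kvno, enctype, key, entry_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot; skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, keylen = struct.unpack_from(">HH", data, p + 9)
        p += 13
        key, p = data[p:p + keylen], p + keylen
        kvno = vno8
        if p + 4 <= end:                  # optional 32-bit vno appended by newer tools
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append({"principal": "%s@%s" % ("/".join(comps), realm.decode()),
                        "name_type": name_type, "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key": key, "entry_len": size})
        pos = end
    return entries


def build_keytab(principal, keys):
    """Serialise an in-memory keytab for `principal`; keys = [(kvno, enctype, key_bytes)].
    For constructing test data only: real keys come from ktpass or kadmin."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for kvno, enctype, key in keys:
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xff)   # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def load_keytab(path):
    """Read a keytab from disk, refusing a missing path up front instead of letting it
    surface later as 'Key for the principal ... not available in <path>'."""
    if not os.path.isfile(path):
        raise FileNotFoundError("keytab %s does not exist or is not a regular file" % path)
    with open(path, "rb") as fh:
        return parse_keytab(fh.read())


def find_key(entries, principal, enctype, kvno=None):
    """The entry an acceptor needs: same principal and enctype (and kvno, when given)."""
    for entry in entries:
        if entry["principal"] == principal and entry["enctype"] == enctype \
                and (kvno is None or entry["kvno"] == kvno):
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample with the layout of the four-entry keytab in Felix's debug
    # output (types 23, 3, 18, 17); the keys are zero bytes, not real keys.
    sample = build_keytab("HTTP/www.example.com@EXAMPLE.COM",
                          [(1, 23, bytes(16)), (1, 3, bytes(8)), (1, 18, bytes(32)), (1, 17, bytes(16))])
    for e in parse_keytab(sample):
        print("%-34s kvno=%d type=%2d %-24s entry length: %d"
              % (e["principal"], e["kvno"], e["enctype"], e["enctype_name"], e["entry_len"]))
```

For the sample it prints entry lengths 67, 59, 83 and 67, the same numbers as in Felix's "KeyTab: load() entry length" lines: 51 bytes of principal and metadata for that principal plus the raw key (16 bytes for rc4-hmac and aes128-cts, 8 for des-cbc-md5, 32 for aes256-cts). Running load_keytab() on the path from jaas.conf and find_key() with the enctype the client's ticket arrives in tells you whether "Key for the principal ... not available" means the file, the principal or the enctype is missing. One caveat for this particular setup: on Java 6 an aes256-cts key is only usable once the JCE unlimited-strength policy files are installed; without them the login module skips that key as an unsupported enctype, so klist -e -k shows a key the JDK cannot use.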


Re: Tomcat7 and SPNEGO configuration questions

Posted by Felix Schumacher <fe...@internetallee.de>.
Hi Edward.

Am Freitag, den 31.05.2013, 13:24 -0500 schrieb Edward Siewick:
> ________________________________________
> From: Felix Schumacher [felix.schumacher@internetallee.de]
> Sent: Friday, May 31, 2013 1:18 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
> 
> Am Freitag, den 31.05.2013, 10:17 -0500 schrieb Edward Siewick:
> >> Hi.
> >>
> >> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.
> >>
> <snip>
> >> Well-founded guidance, clues, and even good guesses are all welcome.
> 
> > I would look at whether IE is sending an authorization header.
> 
> Felix,
> 
> Thanks. tcpdump shows an authz header, though it seems to be associated with the client's first call to the server. Let me know if I should be expecting some other packets in the exchange.  It goes on for a few packets; the beginning of the Authorization: header from the client is below. 
> 
> Edward
> 
>     openid-wdw.openidmdev.com.50784 > openid-linux.openidmdev.com.webcache: Flags [.], seq 1:1461, ack 1, win 16425, length 1460
> E...i.@...5>
> .!`
> .!a.`....._K...P.@). ..GET /manager/status HTTP/1.1^M
> Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*^M
> Accept-Language: en-US^M
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)^M
> Accept-Encoding: gzip, deflate^M
> Host: openid-linux.openidmdev.com:8080^M
> Connection: Keep-Alive^M
> Cookie: JSESSIONID=58B85BF870EA8328FC7A76D70C39EAF5^M
> Authorization: Negotiate YIIGpwYGKwYBBQUCoIIGmzCCBpegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBmEEggZdYIIGWQYJKoZIhvcSAQICAQBuggZIMIIGRKADAgEFoQMCAQ6iBwMFACAAAACjggTKYYIExjCCBMKgAwIBBaEQGw5PUEVOSURNREVWLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG29wZW5pZC1saW51eC5vcGVuaWRtZGV2LmNvbaOCBHcwggRzoAMCARehAwIBBqKCBGUEggRhtG1hWlctx9Ey75vGdQsRwKC5hNhuDW+qC4Kr2Dov2b/9TT94u8NZ30rqi4nJOKgK9VfcEsqgCwuLgnG0AdLmhXhaBYVk/p8xcJpXTeyUd3OOBVE1Z8BHD6fNlJ/c01o5r4iYV
The header looks good. What does a klist say on the client? Is
HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM listed?

Can you add -Dsun.security.krb5.debug=true to your CATALINA_OPTS?

On my installation it prints the following lines when I log in with
principal user00001@EXAMPLE.COM on the server www.example.com

>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 67; type: 23
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 59; type: 3
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 83; type: 18
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): www.example.com
>>> KeyTab: load() entry length: 67; type: 17
Config name: /home/felix/Developer/apache-tomcat-7.0.40/conf/krb5.ini
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> KdcAccessibility: reset
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
default etypes for default_tkt_enctypes: 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=153
>>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=153
>>> KrbKdcReq send: #bytes read=187
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null

>>> KdcAccessibility: remove localhost:60088
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Fri May 31 21:17:52 CEST 2013 1370027872000
         suSec is 0
         error code is 25
         error Message is Additional pre-authentication required
         realm is EXAMPLE.COM
         sname is krbtgt/EXAMPLE.COM
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null
         PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null

KRBError received: Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17.
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=240
>>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=240
>>> KrbKdcReq send: #bytes read=537
>>> KdcAccessibility: remove localhost:60088
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/www.example.com
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
Found KeyTab
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Found KerberosKey for HTTP/www.example.com@EXAMPLE.COM
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
replay cache for user00001@EXAMPLE.COM is null.
object 0: 1370027872357/357663
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

My Kerberos server is listening on localhost, port 60088 (and is
actually ApacheDS 2.0.0M12)

Greetings
 Felix
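
Felix's reading that the header looks good can be taken one step further. Added example, not code from this thread, from Tomcat or from the JDK: a decoder that walks the SPNEGO NegTokenInit, the Kerberos AP-REQ inside it and the Ticket inside that, and reports the service principal, the realm, and the etype and kvno of the ticket's enc-part, which is exactly what the acceptor's keytab key has to match. It is run on the first 312 characters of the token from the tcpdump capture quoted above (enough to reach the enc-part header; the capture is cut off after that) and compared with the single keytab entry that klist -e -k listed in the original post. The (principal, kvno, etype) entry list and check_keytab() are this example's own representation, not a JDK or MIT krb5 API.

```python
# Decode the Kerberos AP-REQ inside an 'Authorization: Negotiate' header and check it
# against the keys a keytab offers. Standard library only.
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")                     # 1.3.6.1.5.5.2
KRB5_OIDS = {bytes.fromhex("2a864886f712010202"): "KRB5",      # 1.2.840.113554.1.2.2
             bytes.fromhex("2a864882f712010202"): "MS KRB5"}   # 1.2.840.48018.1.2.2
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# First 312 characters of the token in the tcpdump capture quoted in this thread (the
# capture stops inside the encrypted part; every field decoded here comes before it).
CAPTURED_HEADER = ("Negotiate YIIGpwYGKwYBBQUCoIIGmzCCBpegMDAuBgkqhkiC9xIBAgIGCSqG"
                   "SIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBmEEggZd"
                   "YIIGWQYJKoZIhvcSAQICAQBuggZIMIIGRKADAgEFoQMCAQ6iBwMF"
                   "ACAAAACjggTKYYIExjCCBMKgAwIBBaEQGw5PUEVOSURNREVWLkNP"
                   "TaIuMCygAwIBAqElMCMbBEhUVFAbG29wZW5pZC1saW51eC5vcGVu"
                   "aWRtZGV2LmNvbaOCBHcwggRzoAMCARehAwIBBqKCBGUEggRhtG1h")
# (principal, kvno, etype) as 'klist -e -k' listed the keytab in the original post.
KEYTAB_ENTRIES = [("HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM", 0, 18)]


def tlv(buf, pos):
    """DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7f
    return tag, pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def enter(buf, pos, want):
    """Check the tag of the element at pos; return its value span."""
    tag, s, e = tlv(buf, pos)
    if tag != want:
        raise ValueError("offset %d: expected tag 0x%02x, got 0x%02x" % (pos, want, tag))
    return s, e


def elements(buf, s, e):
    """Elements of a constructed value; stops at the end of the buffer, so a token that
    tcpdump cut short still parses as far as the data goes."""
    e = min(e, len(buf))
    while s < e:
        tag, vs, ve = tlv(buf, s)
        yield tag, vs, ve
        s = ve


def fields(buf, s, e):
    """Map the [n] context tags of a SEQUENCE body to their value spans."""
    return {tag & 0x1f: (vs, ve) for tag, vs, ve in elements(buf, s, e)}


def der_int(buf, pos):
    s, e = enter(buf, pos, 0x02)
    return int.from_bytes(buf[s:e], "big", signed=True)


def parse_negotiate(header):
    """Return what the client's AP-REQ asks the server to decrypt."""
    b64 = header.split()[-1]
    buf = base64.b64decode(b64[:len(b64) // 4 * 4])      # drop a trailing partial quantum
    s, _ = enter(buf, 0, 0x60)                           # GSS-API InitialContextToken
    tag, os_, oe = tlv(buf, s)
    if tag != 0x06 or buf[os_:oe] != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    s, _ = enter(buf, oe, 0xa0)                          # [0] NegTokenInit
    init = fields(buf, *enter(buf, s, 0x30))
    s, _ = enter(buf, init[2][0], 0x04)                  # [2] mechToken OCTET STRING
    s, _ = enter(buf, s, 0x60)                           # inner Kerberos InitialContextToken
    tag, os_, oe = tlv(buf, s)
    mech = KRB5_OIDS.get(buf[os_:oe])
    if mech is None or buf[oe:oe + 2] != b"\x01\x00":    # TOK_ID 01 00 = KRB_AP_REQ
        raise ValueError("mechToken is not a Kerberos AP-REQ")
    s, _ = enter(buf, oe + 2, 0x6e)                      # [APPLICATION 14] AP-REQ
    ap = fields(buf, *enter(buf, s, 0x30))
    s, _ = enter(buf, ap[3][0], 0x61)                    # [3] ticket: [APPLICATION 1] Ticket
    tkt = fields(buf, *enter(buf, s, 0x30))
    rs, re_ = enter(buf, tkt[1][0], 0x1b)                # [1] realm, GeneralString
    sn = fields(buf, *enter(buf, tkt[2][0], 0x30))       # [2] sname: name-type, name-string
    parts = [buf[vs:ve].decode() for _, vs, ve in elements(buf, *enter(buf, sn[1][0], 0x30))]
    enc = fields(buf, *enter(buf, tkt[3][0], 0x30))      # [3] enc-part: etype, kvno, cipher
    return {"inner_mech": mech, "realm": buf[rs:re_].decode(), "sname": "/".join(parts),
            "name_type": der_int(buf, sn[0][0]), "etype": der_int(buf, enc[0][0]),
            "kvno": der_int(buf, enc[1][0]) if 1 in enc else None}


def check_keytab(ticket, entries):
    """Why an acceptor holding `entries` ((principal, kvno, etype) each) could not decrypt
    this ticket; an empty list means it can. kvno is compared strictly here."""
    want = "%s@%s" % (ticket["sname"], ticket["realm"])
    mine = [e for e in entries if e[0] == want]
    same = [e for e in mine if e[2] == ticket["etype"]]
    if not mine:
        return ["keytab has no key for %s" % want]
    if not same:
        return ["ticket is encrypted with %s but the keytab has only %s" % (
            ETYPE_NAMES.get(ticket["etype"], ticket["etype"]),
            ", ".join(sorted(ETYPE_NAMES.get(e[2], str(e[2])) for e in mine)))]
    if ticket["kvno"] not in [e[1] for e in same]:       # 'ktpass -kvno 0' writes kvno 0
        return ["ticket has kvno %s, keytab has kvno %s" % (ticket["kvno"], [e[1] for e in same])]
    return []


if __name__ == "__main__":
    t = parse_negotiate(CAPTURED_HEADER)
    print(t, check_keytab(t, KEYTAB_ENTRIES), sep="\n")
```

On the captured token the decoder reports sname HTTP/openid-linux.openidmdev.com, realm OPENIDMDEV.COM, the standard KRB5 mechanism on the AP-REQ, and an enc-part with etype 23 (rc4-hmac) and kvno 6. The keytab listed in the original post holds one aes256-cts-hmac-sha1-96 key with kvno 0, so check_keytab() reports that no key of the ticket's enctype is available. ktpass -crypto only chooses what is written to the keytab file; the enctype of the ticket the domain controller issues follows what is enabled on the tomcat7 account (the AES options in the account's properties, stored in msDS-SupportedEncryptionTypes), which for a plain user account means RC4 unless AES has been switched on, and the account's real kvno is the one the ticket carries, not the 0 that ktpass -kvno 0 wrote. That mismatch is separate from the login failure in the Tomcat log, which happens in LoginContext.login() before any ticket is examined, but it also has to be fixed before the acceptor can decrypt what IE sends.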


RE: Tomcat7 and SPNEGO configuration questions

Posted by Edward Siewick <es...@ementum.com>.
________________________________________
From: Felix Schumacher [felix.schumacher@internetallee.de]
Sent: Friday, May 31, 2013 1:18 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Am Freitag, den 31.05.2013, 10:17 -0500 schrieb Edward Siewick:
>> Hi.
>>
>> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.
>>
<snip>
>> Well-founded guidance, clues, and even good guesses are all welcome.

> I would look at whether IE is sending an authorization header.

Felix,

Thanks. tcpdump shows an authz header, though it seems to be associated with the client's first call to the server. Let me know if I should be expecting some other packets in the exchange.  It goes on for a few packets; the beginning of the Authorization: header from the client is below. 

Edward

    openid-wdw.openidmdev.com.50784 > openid-linux.openidmdev.com.webcache: Flags [.], seq 1:1461, ack 1, win 16425, length 1460
E...i.@...5>
.!`
.!a.`....._K...P.@). ..GET /manager/status HTTP/1.1^M
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*^M
Accept-Language: en-US^M
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)^M
Accept-Encoding: gzip, deflate^M
Host: openid-linux.openidmdev.com:8080^M
Connection: Keep-Alive^M
Cookie: JSESSIONID=58B85BF870EA8328FC7A76D70C39EAF5^M
Authorization: Negotiate YIIGpwYGKwYBBQUCoIIGmzCCBpegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBmEEggZdYIIGWQYJKoZIhvcSAQICAQBuggZIMIIGRKADAgEFoQMCAQ6iBwMFACAAAACjggTKYYIExjCCBMKgAwIBBaEQGw5PUEVOSURNREVWLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG29wZW5pZC1saW51eC5vcGVuaWRtZGV2LmNvbaOCBHcwggRzoAMCARehAwIBBqKCBGUEggRhtG1hWlctx9Ey75vGdQsRwKC5hNhuDW+qC4Kr2Dov2b/9TT94u8NZ30rqi4nJOKgK9VfcEsqgCwuLgnG0AdLmhXhaBYVk/p8xcJpXTeyUd3OOBVE1Z8BHD6fNlJ/c01o5r4iYV


Re: Tomcat7 and SPNEGO configuration questions

Posted by Felix Schumacher <fe...@internetallee.de>.
Am Freitag, den 31.05.2013, 10:17 -0500 schrieb Edward Siewick:
> Hi.
> 
> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds having missed something, though. So I'd really appreciate a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed up, and I'm looking for guidance on what to check.
> 
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
> 
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.
> 
> The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's what I've got.
> 
> setspn -A HTTP/openid-linux.openidmdev.com tomcat7
> ktpass -princ HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM> -mapuser tomcat7@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM> -crypto AES256-SHA1 -pass "mySecret,78."  -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab
I hope the mailto: links are not part of your principals.

> 
> /etc/krb5.conf:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = OPENIDMDEV.COM
>  default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
>  default_tkt_enctypes = aes256-cts-hmac-sha1-96
>  default_tgs_enctypes = aes256-cts-hmac-sha1-96
>  forwardable = true
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
> 
> [realms]
> OPENIDMDEV.COM = {
>     kdc = openiddc.openidmdev.com:88
>     admin_server = openiddc.openidmdev.com
> }
> [domain_realm]
> openidmdev.com  = OPENIDMDEV.COM
> .openidmdev.com = OPENIDMDEV.COM
> 
> The krb5.conf generally works. Using my domain username and password:
> 
> kinit -V esiewick
> Using default cache: /tmp/krb5cc_0
> Using principal: esiewick@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM>
> Password for esiewick@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM>:
> Authenticated to Kerberos v5
> 
> The keytab contains one key:
> 
> klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
> Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    0 HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM> (aes256-cts-hmac-sha1-96)
> 
> The krb5 config is generally happy with the contents of the keytab:
> 
> kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM>
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM>
> Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
> Authenticated to Kerberos v5
> 
> So I'm confident the MSA and the keytab are OK.
> 
> The Tomcat7 configurations are localized, based on the descriptions in the windows-auth-howto.html.
> For the Java options, the init script uses:
> 
> JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
>   -Djava.security.krb5.conf=/etc/krb5.conf \
>   -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
>   -Djavax.security.auth.useSubjectCredsOnly=false \
>   -Xms1536m \
>   -Xmx1536m \
>   -XX:NewSize=256m \
>   -XX:MaxNewSize=256m \
>   -XX:PermSize=256m \
>   -XX:MaxPermSize=256m \
>   -XX:+DisableExplicitGC"
Better would be CATALINA_OPTS instead of JAVA_OPTS, since those values
are only needed for startup.

> 
> /usr/share/tomcat7c/conf/jaas.conf is:
> 
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM>"
>     useKeyTab=true
>     keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>     storeKey=true
>     debug=true;
> };
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM>"
>     useKeyTab=true
>     keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>     storeKey=true
>     debug=true;
> };
> 
> In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
> 
> <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
That valve is not needed for SPNEGO. You can leave it commented.

> 
> For a testcase, I'm using the Tomcat7 "manager" webapp.
> In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
> I've simply adjusted:
> 
> <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>
>   </login-config>
> to:
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>
>   </login-config>
> 
> For /usr/share/tomcat7c/conf/tomcat-users.xml:
> 
> <tomcat-users>
> <role rolename="tomcat"/>
> <role rolename="manager"/>
> <role rolename="manager-gui"/>
> <user username="esiewick@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM>" password="" roles="tomcat,manager,manager-gui"/>
> </tomcat-users>
> 
> In actually trying to use this configuration,
> http://openid-linux.openidmdev.com:8080/manager/status
> gives HTTP 500 and logs:
> 
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 
> Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM<ma...@OPENIDMDEV.COM> not available in /usr/share/tomcat7c/confx/tomcat7.keytab
>                 [Krb5LoginModule] authentication failed
> 
> Unable to obtain password from user
> 
> May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at javax.security.auth.login.LoginContext.invoke(Unknown Source)
>         at javax.security.auth.login.LoginContext.access$000(Unknown Source)
>         at javax.security.auth.login.LoginContext$4.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
>         at javax.security.auth.login.LoginContext.login(Unknown Source)
>         at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
>         at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>         at java.lang.Thread.run(Unknown Source)
>                 [Krb5LoginModule]: Entering logout
>                 [Krb5LoginModule]: logged out Subject
> 
> I trust that the configuration at least is reading the jaas.conf, since the first line of logging reflects its settings. However, I'm not convinced Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab; I can change:
> keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
> to:
> keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
> and get the same log "Key for the principal...not available" result (+ "-junk" of course).
> 
> Well-founded guidance, clues, and even good guesses are all welcome.

I would look at whether IE is sending an authorization header.

Greetings
 Felix

> 
> Edward
> 


