Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/09/18 01:40:48 UTC
svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Author: markt
Date: Wed Sep 17 23:40:48 2014
New Revision: 1625854
URL: http://svn.apache.org/r1625854
Log:
After double-checking SPN to domain user is a one to one mapping
Modified:
tomcat/trunk/webapps/docs/windows-auth-howto.xml
Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
+++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17 23:40:48 2014
@@ -64,9 +64,7 @@ debug logs in this case.</li>
intranet.</li>
<li>The SPN does not have to start with HTTP but the SPN must be the same in all
the files it is used.</li>
-<li>If you want multiple SPNs mapped to the same domain user then each SPN must
-use a unique prefix such as <code>HTTP01/...</code>, <code>HTTP02/...</code>,
-etc.</li>
+<li>No more than one SPN may be mapped to a domain user.</li>
</ul>
<p>The areas where further testing is required include:</p>
<ul>
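Review bot: the replacement line states the one-SPN-per-domain-user limit but gives the reader no course of action for a deployment that needs several SPNs (several hostnames); add a sentence saying that each additional SPN therefore needs its own domain user and keytab entry. The unchanged context line just above, "the SPN must be the same in all the files it is used", also reads awkwardly; "in all the files in which it is used" would be clearer.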
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Posted by Mark Thomas <ma...@apache.org>.
On 22/09/2014 20:48, Mark Thomas wrote:
> On 22/09/2014 20:44, Felix Schumacher wrote:
<snip/>
>> I am still wondering how it should work with anything other than HTTP/... since the client is requesting a ticket for HTTP/... before it is getting any information about the spn from the server and the server should be able to decrypt the service ticket with an appropriate spn ticket only.
>
> Is it though? I wonder. If I get a few minutes, I'll fire the VMs back
> up and start up Wireshark to see exactly what is going on.
>
>> Starting the server with any ticket will work of course. The fun starts, when requests arrive.
>>
>> But if it works for you, I will not say anything more on this.
>
> ACK.
Interesting...
The more I dig into this, the more I wish I hadn't. Trying to figure out
what is actually going on based on observed behaviour is non-trivial to
say the least.
It appears that the domain user has to have the "correct" SPN set. i.e.
"HTTP/fqdn". The SPN used in the keytab file and the jaas.conf have to
agree with each other but they do not have to be the same as the SPN
associated with the domain user. There are obvious advantages (for
figuring out what on earth is going on) if they are the same. I don't
think I am even going to document this possibility.
The reason this appeared to be working before was that I had multiple
SPNs set on the domain user and didn't realise.
As I have the VMs up and running I'll answer a few more of the questions
on the Windows auth page and then update it.
Mark
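As an added illustration of the behaviour Mark and Felix describe above (a simplified model, not Tomcat, JDK or Apache DS code), the following Python mirrors the three checks in play: the browser asks the KDC for HTTP/<host> (RFC 4559 section 4.1), the jaas.conf principal must have a keytab entry, and the ticket must decrypt with that keytab key. It assumes that every SPN registered on an account shares that account's single long-term key; account names and key values are constructed.

```python
# Added illustration of the SPN checks discussed in this thread. It is a
# simplified model, not Tomcat, JDK or Apache DS code. Assumption: every SPN
# registered on an account shares that account's single long-term key.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    key: str                              # stands in for the long-term key
    spns: set = field(default_factory=set)


def service_ticket(accounts, spn):
    """KDC side: find the account owning spn and seal a ticket with its key."""
    owners = [a for a in accounts if spn in a.spns]
    if not owners:
        raise LookupError(f"KDC: no account has SPN {spn}")
    if len(owners) > 1:
        raise LookupError(f"KDC: SPN {spn} registered on several accounts")
    # A real ticket is encrypted with the owner's key; here we just record it.
    return {"spn": spn, "sealed_with": owners[0].key}


def client_spn(hostname):
    """RFC 4559 section 4.1: the browser asks for HTTP/<host it connects to>."""
    return f"HTTP/{hostname}"


def make_keytab(account, spn):
    """ktpass-style export: one entry carrying the account's key under spn."""
    return {spn: account.key}


def server_can_authenticate(accounts, hostname, jaas_principal, keytab):
    """Start-up check (jaas.conf vs keytab), then the per-request check."""
    if jaas_principal not in keytab:
        return False, "jaas.conf principal has no keytab entry"
    try:
        ticket = service_ticket(accounts, client_spn(hostname))
    except LookupError as err:
        return False, str(err)
    if ticket["sealed_with"] != keytab[jaas_principal]:
        return False, "ticket not decryptable with the keytab key"
    return True, "authenticated"


def scenario_ad_renamed_spn():
    # Mark's AD test (constructed names): the domain user holds HTTP/fqdn while
    # keytab and jaas.conf say XYZ/fqdn, but both were exported from that user.
    svc = Account("tomcat-svc", "key-A", {"HTTP/win-tc01.dev.local"})
    keytab = make_keytab(svc, "XYZ/win-tc01.dev.local")
    return server_can_authenticate([svc], "win-tc01.dev.local",
                                   "XYZ/win-tc01.dev.local", keytab)


def scenario_separate_principal():
    # Felix's Apache DS test: XYZ/www.example.com is a separate principal with
    # its own key, so the HTTP/ ticket the client obtains cannot be decrypted.
    http = Account("http-svc", "key-H", {"HTTP/www.example.com"})
    xyz = Account("xyz-svc", "key-X", {"XYZ/www.example.com"})
    keytab = make_keytab(xyz, "XYZ/www.example.com")
    return server_can_authenticate([http, xyz], "www.example.com",
                                   "XYZ/www.example.com", keytab)
```

The two scenarios return a (success, reason) pair, so the reason string shows which of the three checks rejected the request.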
Re: svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Posted by Mark Thomas <ma...@apache.org>.
On 22/09/2014 20:44, Felix Schumacher wrote:
>
>
> On 22. September 2014 21:12:39 MESZ, Mark Thomas <ma...@apache.org> wrote:
>> On 22/09/2014 18:07, Felix Schumacher wrote:
>>> Am 21.09.2014 um 20:41 schrieb Mark Thomas:
>>>> On 21/09/2014 14:05, Felix Schumacher wrote:
>>>>> Hi Mark,
>>>>>
>>>>> Am 18.09.2014 um 01:40 schrieb markt@apache.org:
>>>>>> Author: markt
>>>>>> Date: Wed Sep 17 23:40:48 2014
>>>>>> New Revision: 1625854
>>>>>>
>>>>>> URL: http://svn.apache.org/r1625854
>>>>>> Log:
>>>>>> After double-checking SPN to domain user is a one to one mapping
>>>>>>
>>>>>> Modified:
>>>>>> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>>>
>>>>>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>>> URL:
>>>>>>
>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>>>>>
>>>>>>
>>>>>>
>> ==============================================================================
>>>>>>
>>>>>>
>>>>>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>>>>>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17
>>>>>> 23:40:48 2014
>>>>>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>>>>>> intranet.</li>
>>>>>> <li>The SPN does not have to start with HTTP but the SPN must
>> be the
>>>>>> same in all
>>>>>> the files it is used.</li>
>>>>> I thought that the browser will always prepend HTTP/ to the
>>>>> hostname to which it connects. That is what I read from the last
>>>>> paragraph in 4.1 of RFC 4559.
>>>>>
>>>>> Can you tell me where you got the information, that it could be
>>>>> anything?
>>>> I tested it.
>>> How did you test it?
>>
>> By following the instructions at:
>> http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
>>
>> but replacing "HTTP/win-tc01.dev.local" first with
>> "HTTPA/win-tc01.dev.local" and then with "XYZ/win-tc01.dev.local"
>>
>> It worked in all cases.
> Which client did you use?
Internet Explorer.
>>> It didn't work for me.
>>
>> Given my tests are using Windows AD and your test wasn't that isn't a
>> huge surprise.
>
> It should work the same.
In an ideal world, yes. But this is Microsoft software...
>>> I set up my kerberos server (apacheds running on
>>> kerberos.example.com:60088) and inserted an object with a SPN
>>> XYZ/www.example.com.
>>> Then I created a keytab with only one entry, namely
>> XYZ/www.example.com.
>>> After that I edited jaas.conf and krb5.ini (both in
>> $CATALINA_BASE/conf)
>>> to use XYZ/www.example.com instead of HTTP/www.example.com and
>> changed
>>> the keytab entries to the new keytab.
>>> Now I started jmeter to do a request to a secured page and...it
>> didn't
>>> authenticate.
>>>
>>> Before I tested the setup with HTTP/www.example.com and it did work.
>>> After the failed test, I changed the entries back to
>>> HTTP/www.example.com and the original keytab and it worked again.
>>
>> I'd double check you got all those changes right but I am not entirely
>> surprised.
>>
>> If you confirm your results that this doesn't work with apache DS then
>> I'll update the docs with some suitable words.
>
> I am still wondering how it should work with anything other than HTTP/... since the client is requesting a ticket for HTTP/... before it is getting any information about the spn from the server and the server should be able to decrypt the service ticket with an appropriate spn ticket only.
Is it though? I wonder. If I get a few minutes, I'll fire the VMs back
up and start up Wireshark to see exactly what is going on.
> Starting the server with any ticket will work of course. The fun starts, when requests arrive.
>
> But if it works for you, I will not say anything more on this.
ACK.
Mark
Re: svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Posted by Felix Schumacher <fe...@internetallee.de>.
On 22. September 2014 21:12:39 MESZ, Mark Thomas <ma...@apache.org> wrote:
>On 22/09/2014 18:07, Felix Schumacher wrote:
>> Am 21.09.2014 um 20:41 schrieb Mark Thomas:
>>> On 21/09/2014 14:05, Felix Schumacher wrote:
>>>> Hi Mark,
>>>>
>>>> Am 18.09.2014 um 01:40 schrieb markt@apache.org:
>>>>> Author: markt
>>>>> Date: Wed Sep 17 23:40:48 2014
>>>>> New Revision: 1625854
>>>>>
>>>>> URL: http://svn.apache.org/r1625854
>>>>> Log:
>>>>> After double-checking SPN to domain user is a one to one mapping
>>>>>
>>>>> Modified:
>>>>> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>>
>>>>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>> URL:
>>>>>
>http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>>>>
>>>>>
>>>>>
>==============================================================================
>>>>>
>>>>>
>>>>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>>>>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17
>>>>> 23:40:48 2014
>>>>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>>>>> intranet.</li>
>>>>> <li>The SPN does not have to start with HTTP but the SPN must
>be the
>>>>> same in all
>>>>> the files it is used.</li>
>>>> I thought that the browser will always prepend HTTP/ to the
>>>> hostname to which it connects. That is what I read from the last
>>>> paragraph in 4.1 of RFC 4559.
>>>>
>>>> Can you tell me where you got the information, that it could be
>>>> anything?
>>> I tested it.
>> How did you test it?
>
>By following the instructions at:
>http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
>
>but replacing "HTTP/win-tc01.dev.local" first with
>"HTTPA/win-tc01.dev.local" and then with "XYZ/win-tc01.dev.local"
>
>It worked in all cases.
Which client did you use?
>
>> It didn't work for me.
>
>Given my tests are using Windows AD and your test wasn't that isn't a
>huge surprise.
It should work the same.
>
>> I set up my kerberos server (apacheds running on
>> kerberos.example.com:60088) and inserted an object with a SPN
>> XYZ/www.example.com.
>> Then I created a keytab with only one entry, namely
>XYZ/www.example.com.
>> After that I edited jaas.conf and krb5.ini (both in
>$CATALINA_BASE/conf)
>> to use XYZ/www.example.com instead of HTTP/www.example.com and
>changed
>> the keytab entries to the new keytab.
>> Now I started jmeter to do a request to a secured page and...it
>didn't
>> authenticate.
>>
>> Before I tested the setup with HTTP/www.example.com and it did work.
>> After the failed test, I changed the entries back to
>> HTTP/www.example.com and the original keytab and it worked again.
>
>I'd double check you got all those changes right but I am not entirely
>surprised.
>
>If you confirm your results that this doesn't work with apache DS then
>I'll update the docs with some suitable words.
I am still wondering how it should work with anything other than HTTP/... since the client is requesting a ticket for HTTP/... before it is getting any information about the spn from the server and the server should be able to decrypt the service ticket with an appropriate spn ticket only.
Starting the server with any ticket will work of course. The fun starts, when requests arrive.
But if it works for you, I will not say anything more on this.
Felix
>
>Mark
Re: svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Posted by Mark Thomas <ma...@apache.org>.
On 22/09/2014 18:07, Felix Schumacher wrote:
> Am 21.09.2014 um 20:41 schrieb Mark Thomas:
>> On 21/09/2014 14:05, Felix Schumacher wrote:
>>> Hi Mark,
>>>
>>> Am 18.09.2014 um 01:40 schrieb markt@apache.org:
>>>> Author: markt
>>>> Date: Wed Sep 17 23:40:48 2014
>>>> New Revision: 1625854
>>>>
>>>> URL: http://svn.apache.org/r1625854
>>>> Log:
>>>> After double-checking SPN to domain user is a one to one mapping
>>>>
>>>> Modified:
>>>> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>>
>>>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>>
>>>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>>>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17
>>>> 23:40:48 2014
>>>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>>>> intranet.</li>
>>>> <li>The SPN does not have to start with HTTP but the SPN must be the
>>>> same in all
>>>> the files it is used.</li>
>>> I thought that the browser will always prepend HTTP/ to the hostname
>>> to which it connects. That is what I read from the last paragraph in
>>> 4.1 of RFC 4559.
>>>
>>> Can you tell me where you got the information, that it could be
>>> anything?
>> I tested it.
> How did you test it?
By following the instructions at:
http://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Built-in_Tomcat_support
but replacing "HTTP/win-tc01.dev.local" first with
"HTTPA/win-tc01.dev.local" and then with "XYZ/win-tc01.dev.local"
It worked in all cases.
> It didn't work for me.
Given my tests are using Windows AD and your test wasn't that isn't a
huge surprise.
> I set up my kerberos server (apacheds running on
> kerberos.example.com:60088) and inserted an object with a SPN
> XYZ/www.example.com.
> Then I created a keytab with only one entry, namely XYZ/www.example.com.
> After that I edited jaas.conf and krb5.ini (both in $CATALINA_BASE/conf)
> to use XYZ/www.example.com instead of HTTP/www.example.com and changed
> the keytab entries to the new keytab.
> Now I started jmeter to do a request to a secured page and...it didn't
> authenticate.
>
> Before I tested the setup with HTTP/www.example.com and it did work.
> After the failed test, I changed the entries back to
> HTTP/www.example.com and the original keytab and it worked again.
I'd double check you got all those changes right but I am not entirely
surprised.
If you confirm your results that this doesn't work with apache DS then
I'll update the docs with some suitable words.
Mark
Re: svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Posted by Felix Schumacher <fe...@internetallee.de>.
Am 21.09.2014 um 20:41 schrieb Mark Thomas:
> On 21/09/2014 14:05, Felix Schumacher wrote:
>> Hi Mark,
>>
>> Am 18.09.2014 um 01:40 schrieb markt@apache.org:
>>> Author: markt
>>> Date: Wed Sep 17 23:40:48 2014
>>> New Revision: 1625854
>>>
>>> URL: http://svn.apache.org/r1625854
>>> Log:
>>> After double-checking SPN to domain user is a one to one mapping
>>>
>>> Modified:
>>> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>>
>>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>> URL:
>>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>>
>>> ==============================================================================
>>>
>>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17
>>> 23:40:48 2014
>>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>>> intranet.</li>
>>> <li>The SPN does not have to start with HTTP but the SPN must be the
>>> same in all
>>> the files it is used.</li>
>> I thought that the browser will always prepend HTTP/ to the hostname
>> to which it connects. That is what I read from the last paragraph in
>> 4.1 of RFC 4559.
>>
>> Can you tell me where you got the information, that it could be anything?
> I tested it.
How did you test it?
It didn't work for me.
I set up my kerberos server (apacheds running on
kerberos.example.com:60088) and inserted an object with a SPN
XYZ/www.example.com.
Then I created a keytab with only one entry, namely XYZ/www.example.com.
After that I edited jaas.conf and krb5.ini (both in $CATALINA_BASE/conf)
to use XYZ/www.example.com instead of HTTP/www.example.com and changed
the keytab entries to the new keytab.
Now I started jmeter to do a request to a secured page and...it didn't
authenticate.
Before I tested the setup with HTTP/www.example.com and it did work.
After the failed test, I changed the entries back to
HTTP/www.example.com and the original keytab and it worked again.
Regards
Felix
>
> Mark
Re: svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Posted by Mark Thomas <ma...@apache.org>.
On 21/09/2014 14:05, Felix Schumacher wrote:
> Hi Mark,
>
> Am 18.09.2014 um 01:40 schrieb markt@apache.org:
>> Author: markt
>> Date: Wed Sep 17 23:40:48 2014
>> New Revision: 1625854
>>
>> URL: http://svn.apache.org/r1625854
>> Log:
>> After double-checking SPN to domain user is a one to one mapping
>>
>> Modified:
>> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>>
>> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
>>
>> ==============================================================================
>>
>> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
>> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17
>> 23:40:48 2014
>> @@ -64,9 +64,7 @@ debug logs in this case.</li>
>> intranet.</li>
>> <li>The SPN does not have to start with HTTP but the SPN must be the
>> same in all
>> the files it is used.</li>
> I thought that the browser will always prepend HTTP/ to the hostname
> to which it connects. That is what I read from the last paragraph in
> 4.1 of RFC 4559.
>
> Can you tell me where you got the information, that it could be anything?
I tested it.
Mark
Re: svn commit: r1625854 - /tomcat/trunk/webapps/docs/windows-auth-howto.xml
Posted by Felix Schumacher <fe...@internetallee.de>.
Hi Mark,
Am 18.09.2014 um 01:40 schrieb markt@apache.org:
> Author: markt
> Date: Wed Sep 17 23:40:48 2014
> New Revision: 1625854
>
> URL: http://svn.apache.org/r1625854
> Log:
> After double-checking SPN to domain user is a one to one mapping
>
> Modified:
> tomcat/trunk/webapps/docs/windows-auth-howto.xml
>
> Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
> URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1625854&r1=1625853&r2=1625854&view=diff
> ==============================================================================
> --- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
> +++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Wed Sep 17 23:40:48 2014
> @@ -64,9 +64,7 @@ debug logs in this case.</li>
> intranet.</li>
> <li>The SPN does not have to start with HTTP but the SPN must be the same in all
> the files it is used.</li>
I thought that the browser will always prepend HTTP/ to the hostname
to which it connects. That is what I read from the last paragraph in
4.1 of RFC 4559.
Can you tell me where you got the information, that it could be anything?
Regards
Felix
> -<li>If you want multiple SPNs mapped to the same domain user then each SPN must
> -use a unique prefix such as <code>HTTP01/...</code>, <code>HTTP02/...</code>,
> -etc.</li>
> +<li>No more than one SPN may be mapped to a domain user.</li>
> </ul>
> <p>The areas where further testing is required include:</p>
> <ul>