Posted to users@tomcat.apache.org by Chris Fors <ch...@hotmail.com> on 2013/03/01 11:46:53 UTC
RE: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
All systems are domain-joined to a mature IT Lab and the issue is with the Tomcat server configuration, as it should load the krb5.ini and/or jaas.conf and activity should be observable on the Web server, whether or not any error is generated. It is not clear to me what the design load process / order of the call stack should be in the SPNEGO Authentication design. This would help focus on where the issue is.

I ran Process Monitor during a Network Client PC TCP session to the Tomcat Web Server as well as during start of the Tomcat Web service. During either of these I don’t observe any calls to jaas.conf, or krb5.ini. What should initiate loading of these and at what point should they load?

Observation Notes:

Process Monitor for Tomcat7.exe when browsing to http://server/SPNEGOAuthTest.jsp shows in summary
TCP Accept: Server -> PC
TCP Receive: Server -> PC
CreateFile: .\Tomcat7.0\webapps\ROOT\SPNEGOAuthTest.jsp
QueryNetworkOpenInformationFile:
CloseFile:
CreateFile:...
CreateFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
CloseFile . \ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class
...
TCP Send: Server -> PC

In the SPNEGOAuthTest.jsp HTML response:
request.getRemoteUser() response shows value of “Nul”
request.getRemoteAddr() does show the IP address of the PC

Process Monitor during Tomcat Service start -
Calls are shown to
.\conf\server.xml
mbeans-descriptors.xml
.\conf\tomcat-users.xml
.\conf\context.xml
.\conf\web.xml
Again no calls to jaas.conf, or krb5.ini

> Date: Thu, 28 Feb 2013 06:42:35 -0800
> From: markt@apache.org
> To: users@tomcat.apache.org
> Subject: Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
>
> On 28/02/2013 02:18, Chris Fors wrote:
> > Trying to get Windows Authentication operational using the Tomcat Built-in method. Implemented the following but not observed any Windows / Kerberos authentication occurring:
> >
> > - Domain joined windows member server
> > - Domain service account
> > - Delegated SPN for HTTP protocol on the member server to the service account
> > - Generated keytab file for the service account and saved in $catalina.base\conf folder
> > - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
> > - Created krb5.ini and saved in $catalina.base\conf folder
> > - Created jaas.conf and saved in $catalina.base\conf folder
> >
> > After this still no observed effect on logon authentications – all still apparently anonymous.
>
> As expected from what you have described.
>
> If there are no security constraints on a resource, Tomcat isn't going
> to require authentication.
>
>
> > Anyone had success with this ?
>
> Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and
> 1 client) where this feature works.
>
> > Any ideas on what is missing? Is there a good way to debug the process?
>
> See above. I'd expect to see some changes to the webapp.
>
> Mark
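
Added example (not part of the original thread and not Tomcat's own code): Mark's reply says Tomcat will not require authentication for a resource that has no security constraint, so this Python check reads a web.xml and reports whether a request path is covered by a constraint that carries an auth-constraint, and which auth-method is configured. Both descriptors and the role name domain-users are constructed for illustration; HTTP-method restrictions are ignored and the "/" pattern is treated as match-all.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://java.sun.com/xml/ns/javaee"}  # Servlet 3.0 web.xml namespace

# Constructed sample: no security-constraint, so every request stays anonymous.
WEB_XML_OPEN = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
</web-app>"""

# Constructed sample: *.jsp protected, SPNEGO login. "domain-users" is a
# hypothetical role name; the Realm in use must actually grant it.
WEB_XML_SPNEGO = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>domain-users</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-role><role-name>domain-users</role-name></security-role>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern forms: match-all, prefix (/x/*), extension (*.ext), exact."""
    if pattern in ("/", "/*"):  # simplification: "/" treated as match-all
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern


def requires_auth(web_xml, path):
    """Return (protected, auth_method) for a request path under this descriptor."""
    root = ET.fromstring(web_xml)
    method = root.findtext("j:login-config/j:auth-method", namespaces=NS)
    for sc in root.findall("j:security-constraint", NS):
        if sc.find("j:auth-constraint", NS) is None:
            continue  # no auth-constraint: the constraint does not force a login
        patterns = sc.findall("j:web-resource-collection/j:url-pattern", NS)
        if any(pattern_matches(p.text.strip(), path) for p in patterns):
            return True, method
    return False, method


if __name__ == "__main__":
    for name, doc in (("open", WEB_XML_OPEN), ("spnego", WEB_XML_SPNEGO)):
        print(name, requires_auth(doc, "/SPNEGOAuthTest.jsp"))
```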