Posted to users@tomcat.apache.org by Ravindhar Konka <ra...@persistent.com> on 2015/05/07 12:01:39 UTC

Tomcat windows 7 authentication

Hi
I am working on windows authentication with tomcat 7.
I have gone through the following doc.
windows-auth-howto Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>


apache-tomcat-7.0.61
windows server 2008 R2
java 1.8.0_25
active directory machine ( DOMAIN-ad)
tomcat instance machine (windows-sso-demo)
username (ss0admin@domain.com<ma...@domain.com>)
password (XXXXXX)

setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
ktpass /out c:\tomcat.keytab /mapuser ssoadmin@domain.COM /princ HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM /pass XXXXX /kvno 0

C:\apache-tomcat-7.0.61\conf\jass.conf

// JAAS login entries for the Java Kerberos (GSS) layer used by Tomcat's
// SpnegoAuthenticator. NOTE(review): "accept" is the entry used to validate the
// client's service ticket; "initiate" is used when this JVM itself has to obtain
// tickets (e.g. delegation) -- confirm against the Tomcat windows-auth-howto.
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    // Never fall back to an interactive password prompt: a missing or unreadable
    // keytab fails the login instead of blocking a server thread.
    doNotPrompt=true
    // Must be exactly the SPN registered with setspn/ktpass, realm in upper case.
    principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
    useKeyTab=true
    // The keytab holds the service account's long-term key and is equivalent to
    // that account's password: restrict read access to the user running Tomcat.
    keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
    // Keep the key in the Subject's private credentials after login.
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    // Same principal and keytab as the initiate entry above; the two must agree.
    principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
    useKeyTab=true
   keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
    storeKey=true;
};

C:\apache-tomcat-7.0.61\conf\krb5.ini

# Kerberos client defaults for the JVM running Tomcat (Krb5LoginModule reads this file).
[libdefaults]
default_realm = DOMAIN.COM
default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
# Preference order for ticket encryption types. rc4-hmac is listed first but is a
# legacy cipher; once the KDC and the service account have AES keys, remove it so
# that only the AES types can be negotiated.
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
# "Clock skew too great (37)" means this host and the KDC disagree on the time by
# more than the permitted skew (5 minutes by default). Fix time synchronisation on
# every machine involved rather than loosening the check; the skew limit is part
# of Kerberos' replay protection.

[realms]
# A single KDC with no failover entry. 88 is the standard Kerberos port.
DOMAIN.COM = {
        kdc = DOMAIN-ad:88
}

[domain_realm]
# NOTE(review): these entries map the dev.local DNS domain, while the hosts used
# above are DOMAIN-ad and WINDOWS-SSO-DEMO in realm DOMAIN.COM. Confirm which DNS
# suffix the Tomcat host actually resolves under; names not listed here fall back
# to default_realm.
dev.local= DOMAIN.COM
.dev.local= DOMAIN.COM

C:\apache-tomcat-7.0.61\conf\server.xml

<!-- LockOutRealm wraps the nested realms and locks an account after repeated
     failed logins, which limits online password guessing against them. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>

        <!-- Looks the Kerberos-authenticated user up in Active Directory and
             turns its group memberships into roles. Points to check:
             * connectionURL uses plain ldap:// on 389, so the bind credentials
               in connectionName/connectionPassword cross the network
               unencrypted; point it at ldaps:// on the domain controller.
             * alternateURL is identical to connectionURL, so it provides no
               failover.
             * connectionPassword is stored in clear text in server.xml;
               restrict read access to this file.
             * NOTE(review): "debug" is not a JNDIRealm attribute in Tomcat 7
               and is expected to be reported as an unknown property and
               ignored (check the startup log); realm logging is configured
               in logging.properties instead.
             * {0} in userSearch is the login name, {0} in roleSearch is the
               user's DN returned by that search.
             * NOTE(review): the SPNEGO principal arrives as user@REALM;
               confirm the realm suffix is stripped before the sAMAccountName
               lookup, otherwise the search finds nothing. -->
                                                <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
           connectionURL="ldap://DOMAIN-ad:389"
           alternateURL="ldap://DOMAIN-ad:389"
           connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
           connectionPassword="XXXX"
           referrals="follow"
           userBase="CN=Users, DC=DOMAIN, DC=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="CN=Users, DC=DOMAIN, DC=com"
           roleName="CN"
           roleSubtree="true"
           roleSearch="(member={0})" />



      </Realm>


C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl

<?xml version="1.0" encoding="UTF-8"?>
<Context>
   <!-- NOTE(review): with <auth-method>SPNEGO</auth-method> in web.xml Tomcat
        selects SpnegoAuthenticator on its own, so this explicit Valve is only
        needed when its attributes have to be customised; confirm one of the two
        is really required. -->
   <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
</Context>



C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">



  <!-- Every URL of this application (/*) requires an authenticated user. -->
                <security-constraint>
    <display-name>All users</display-name>
    <web-resource-collection>
      <web-resource-name>All requests</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- "*" means any role declared in a security-role element of this
           file. If the intent is "any authenticated user regardless of
           role", Tomcat 7 provides the realm attribute
           allRolesMode="authOnly" for that; confirm which is intended. -->
      <role-name>*</role-name>
    </auth-constraint>
    <!-- No user-data-constraint: the SPNEGO token in the Authorization
         header and the session cookie are sent in clear text unless the
         connector is HTTPS. Add
         <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
         once TLS is in place. -->
  </security-constraint>

  <!-- NOTE(review): a role literally named "*" is unusual; a real AD group
       name (what roleName="CN" in the JNDIRealm yields) is probably meant. -->
  <security-role>
    <description>All users</description>
    <role-name>*</role-name>
  </security-role>

  <!-- SPNEGO makes Tomcat negotiate Kerberos with the browser; there is no
       form or BASIC fallback configured here. -->
  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>


    <display-name>Hello, World Application</display-name>
    <description>
                This is a simple web application with a source code organization
                based on the recommendations of the Application Developer's Guide.
    </description>

    <servlet>
        <servlet-name>HelloServlet</servlet-name>
        <servlet-class>mypackage.Hello</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>HelloServlet</servlet-name>
        <url-pattern>/hello</url-pattern>
    </servlet-mapping>


</web-app>



My error is

SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Clock skew too great (37)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
b5LoginModule.java:804)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja
va:617)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
95)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
80)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(Sp
negoAuthenticator.java:192)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
torBase.java:577)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:423)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
11Processor.java:1079)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
AbstractProtocol.java:620)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin
t.java:318)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
read.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: KrbException: Clock skew too great (37)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
b5LoginModule.java:776)
        ... 26 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)

Ravindhar Konka | Software Engineering
ravindhar_konka@persistent.co.in<ma...@persistent.co.in>| Cell: +91-99633 74753 | Tel: +91-20-674 42058
Persistent Systems Ltd. | Partner in Innovation | www.persistent.com<http://www.persistent.com/>


DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.


Re: Tomcat windows 7 authentication

Posted by Mark Thomas <ma...@apache.org>.
On 07/05/2015 11:01, Ravindhar Konka wrote:
> Hi
> I am working on windows authentication with tomcat 7.
> I have gone through the following doc.

<snip/>

> My error is
> 
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Clock skew too great (37)

<snip/>

I couldn't find a question in your e-mail. I'm guessing you didn't just
send this to the users mailing list to keep us informed of your progress
and that you'd like some help with the error message.

Check that all the machines you are using are configured with the same
(ideally correct, preferably from an NTP server) time.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat windows 7 authentication

Posted by David Marsh <dm...@outlook.com>.
http://codermonkey65.blogspot.co.uk/2012/09/troubleshooting-kerberos.html
Look under NTP commands
w32tm /resync
net start w32time

> From: ravindhar_konka@persistent.com
> To: users@tomcat.apache.org
> Subject: RE: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 11:37:43 +0000
> 
> I have done NTP synchronization in AD
> still I am getting same error
> could you please help in this
> 
> -----Original Message-----
> From: David Marsh [mailto:dmarsh26@outlook.com] 
> Sent: Thursday, May 07, 2015 3:39 PM
> To: Tomcat Users List
> Subject: RE: Tomcat windows 7 authentication
> 
> Kerberos requires NTP synchronisation to be in place and working.
> Fix your clocks and the error should go away.
> 
> > From: ravindhar_konka@persistent.com
> > To: users@tomcat.apache.org
> > Subject: Tomcat windows 7 authentication
> > Date: Thu, 7 May 2015 10:01:39 +0000
> > 
> > Hi
> > I am working on windows authentication with tomcat 7.
> > I have gone through the following doc.
> > windows-auth-howto Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>
> > 
> > 
> > apache-tomcat-7.0.61
> > windows server 2008 R2
> > java 1.8.0_25
> > active directory machine ( DOMAIN-ad)
> > tomcat instance machine (windows-sso-demo)
> > username (ss0admin@domain.com<ma...@domain.com>)
> > password (XXXXXX)
> > 
> > setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
> > ktpass /out c:\tomcat.keytab /mapuser ssoadmin@domain.COM /princ HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM /pass XXXXX /kvno 0
> > 
> > C:\apache-tomcat-7.0.61\conf\jass.conf
> > 
> > com.sun.security.jgss.krb5.initiate {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     doNotPrompt=true
> >     principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
> >     useKeyTab=true
> >     keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> >     storeKey=true;
> > };
> > 
> > com.sun.security.jgss.krb5.accept {
> >     com.sun.security.auth.module.Krb5LoginModule required
> >     doNotPrompt=true
> >     principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
> >     useKeyTab=true
> >    keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
> >     storeKey=true;
> > };
> > 
> > C:\apache-tomcat-7.0.61\conf\krb5.ini
> > 
> > [libdefaults]
> > default_realm = DOMAIN.COM
> > default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
> > default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> > default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> > forwardable=true
> > 
> > [realms]
> > DOMAIN.COM = {
> >         kdc = DOMAIN-ad:88
> > }
> > 
> > [domain_realm]
> > dev.local= DOMAIN.COM
> > .dev.local= DOMAIN.COM
> > 
> > C:\apache-tomcat-7.0.61\conf\server.xml
> > 
> > <Realm className="org.apache.catalina.realm.LockOutRealm">
> >         <!-- This Realm uses the UserDatabase configured in the global JNDI
> >              resources under the key "UserDatabase".  Any edits
> >              that are performed against this UserDatabase are immediately
> >              available for use by the Realm.  -->
> >         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >                resourceName="UserDatabase"/>
> > 
> >                                                 <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
> >            connectionURL="ldap://DOMAIN-ad:389"
> >            alternateURL="ldap://DOMAIN-ad:389"
> >            connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
> >            connectionPassword="XXXX"
> >            referrals="follow"
> >            userBase="CN=Users, DC=DOMAIN, DC=com"
> >            userSearch="(sAMAccountName={0})"
> >            userSubtree="true"
> >            roleBase="CN=Users, DC=DOMAIN, DC=com"
> >            roleName="CN"
> >            roleSubtree="true"
> >            roleSearch="(member={0})" />
> > 
> > 
> > 
> >       </Realm>
> > 
> > 
> > C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl
> > 
> > <?xml version="1.0" encoding="UTF-8"?>
> > <Context>
> >    <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
> > </Context>
> > 
> > 
> > 
> > C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml
> > 
> > <?xml version="1.0" encoding="ISO-8859-1"?>
> > <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
> >     version="2.4">
> > 
> > 
> > 
> >                 <security-constraint>
> >     <display-name>All users</display-name>
> >     <web-resource-collection>
> >       <web-resource-name>All requests</web-resource-name>
> >       <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>*</role-name>
> >     </auth-constraint>
> >   </security-constraint>
> > 
> >   <security-role>
> >     <description>All users</description>
> >     <role-name>*</role-name>
> >   </security-role>
> > 
> >   <login-config>
> >     <auth-method>SPNEGO</auth-method>
> >   </login-config>
> > 
> > 
> >     <display-name>Hello, World Application</display-name>
> >     <description>
> >                 This is a simple web application with a source code organization
> >                 based on the recommendations of the Application Developer's Guide.
> >     </description>
> > 
> >     <servlet>
> >         <servlet-name>HelloServlet</servlet-name>
> >         <servlet-class>mypackage.Hello</servlet-class>
> >     </servlet>
> > 
> >     <servlet-mapping>
> >         <servlet-name>HelloServlet</servlet-name>
> >         <url-pattern>/hello</url-pattern>
> >     </servlet-mapping>
> > 
> > 
> > </web-app>
> > 
> > 
> > 
> > My error is
> > 
> > SEVERE: Unable to login as the service principal
> > javax.security.auth.login.LoginException: Clock skew too great (37)
> >         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> > b5LoginModule.java:804)
> >         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja
> > va:617)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> > java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> > sorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:483)
> >         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> >         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
> > 95)
> >         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> >         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> >         at java.security.AccessController.doPrivileged(Native Method)
> >         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
> > 80)
> >         at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> >         at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(Sp
> > negoAuthenticator.java:192)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
> > torBase.java:577)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
> > ava:170)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
> > ava:103)
> >         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
> > 950)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
> > ve.java:116)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
> > a:423)
> >         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
> > 11Processor.java:1079)
> >         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
> > AbstractProtocol.java:620)
> >         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin
> > t.java:318)
> >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> > java:1142)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
> > .java:617)
> >         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
> > read.java:61)
> >         at java.lang.Thread.run(Thread.java:745)
> > Caused by: KrbException: Clock skew too great (37)
> >         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
> >         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
> >         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
> >         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> > b5LoginModule.java:776)
> >         ... 26 more
> > Caused by: KrbException: Identifier doesn't match expected value (906)
> >         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> >         at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
> >         at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
> > 
> > Ravindhar Konka | Software Engineering
> > ravindhar_konka@persistent.co.in<ma...@persistent.co.in>| Cell: +91-99633 74753 | Tel: +91-20-674 42058
> > Persistent Systems Ltd. | Partner in Innovation | www.persistent.com<http://www.persistent.com/>
> > 
> > 
> > DISCLAIMER
> > ==========
> > This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.
> > 
>  		 	   		  
> 
> DISCLAIMER
> ==========
> This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
 		 	   		  

RE: Tomcat windows 7 authentication

Posted by Ravindhar Konka <ra...@persistent.com>.
I have done NTP synchronization in AD, but I am still getting the same error.
Could you please help with this?

-----Original Message-----
From: David Marsh [mailto:dmarsh26@outlook.com] 
Sent: Thursday, May 07, 2015 3:39 PM
To: Tomcat Users List
Subject: RE: Tomcat windows 7 authentication

Kerberos requires NTP synchronisation to be in place and working.
Fix your clocks and the error should go away.

> From: ravindhar_konka@persistent.com
> To: users@tomcat.apache.org
> Subject: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 10:01:39 +0000
> 
> Hi
> I am working on windows authentication with tomcat 7.
> I have gone through the following doc.
> windows-auth-howto Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>
> 
> 
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0admin@domain.com<ma...@domain.com>)
> password (XXXXXX)
> 
> setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
> ktpass /out c:\tomcat.keytab /mapuser ssoadmin@domain.COM /princ HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM /pass XXXXX /kvno 0
> 
> C:\apache-tomcat-7.0.61\conf\jass.conf
> 
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
>     useKeyTab=true
>     keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
>     storeKey=true;
> };
> 
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
>     useKeyTab=true
>    keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
>     storeKey=true;
> };
> 
> C:\apache-tomcat-7.0.61\conf\krb5.ini
> 
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
> 
> [realms]
> DOMAIN.COM = {
>         kdc = DOMAIN-ad:88
> }
> 
> [domain_realm]
> dev.local= DOMAIN.COM
> .dev.local= DOMAIN.COM
> 
> C:\apache-tomcat-7.0.61\conf\server.xml
> 
> <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <!-- This Realm uses the UserDatabase configured in the global JNDI
>              resources under the key "UserDatabase".  Any edits
>              that are performed against this UserDatabase are immediately
>              available for use by the Realm.  -->
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase"/>
> 
>                                                 <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
>            connectionURL="ldap://DOMAIN-ad:389"
>            alternateURL="ldap://DOMAIN-ad:389"
>            connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
>            connectionPassword="XXXX"
>            referrals="follow"
>            userBase="CN=Users, DC=DOMAIN, DC=com"
>            userSearch="(sAMAccountName={0})"
>            userSubtree="true"
>            roleBase="CN=Users, DC=DOMAIN, DC=com"
>            roleName="CN"
>            roleSubtree="true"
>            roleSearch="(member={0})" />
> 
> 
> 
>       </Realm>
> 
> 
> C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Context>
>    <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
> </Context>
> 
> 
> 
> C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml
> 
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>     version="2.4">
> 
> 
> 
>                 <security-constraint>
>     <display-name>All users</display-name>
>     <web-resource-collection>
>       <web-resource-name>All requests</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
> 
>   <security-role>
>     <description>All users</description>
>     <role-name>*</role-name>
>   </security-role>
> 
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>   </login-config>
> 
> 
>     <display-name>Hello, World Application</display-name>
>     <description>
>                 This is a simple web application with a source code organization
>                 based on the recommendations of the Application Developer's Guide.
>     </description>
> 
>     <servlet>
>         <servlet-name>HelloServlet</servlet-name>
>         <servlet-class>mypackage.Hello</servlet-class>
>     </servlet>
> 
>     <servlet-mapping>
>         <servlet-name>HelloServlet</servlet-name>
>         <url-pattern>/hello</url-pattern>
>     </servlet-mapping>
> 
> 
> </web-app>
> 
> 
> 
> My error is
> 
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Clock skew too great (37)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> b5LoginModule.java:804)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja
> va:617)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
> 95)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
> 80)
>         at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>         at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(Sp
> negoAuthenticator.java:192)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
> torBase.java:577)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
> ava:170)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
> ava:103)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
> 950)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
> ve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
> a:423)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
> 11Processor.java:1079)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
> AbstractProtocol.java:620)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin
> t.java:318)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
> .java:617)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
> read.java:61)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: KrbException: Clock skew too great (37)
>         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> b5LoginModule.java:776)
>         ... 26 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>         at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>         at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
> 
> Ravindhar Konka | Software Engineering
> ravindhar_konka@persistent.co.in<ma...@persistent.co.in>| Cell: +91-99633 74753 | Tel: +91-20-674 42058
> Persistent Systems Ltd. | Partner in Innovation | www.persistent.com<http://www.persistent.com/>
> 
> 
> DISCLAIMER
> ==========
> This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.
> 
 		 	   		  

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat windows 7 authentication

Posted by David Marsh <dm...@outlook.com>.
Kerberos requires NTP synchronisation to be in place and working.
Fix your clocks and the error should go away.

> From: ravindhar_konka@persistent.com
> To: users@tomcat.apache.org
> Subject: Tomcat windows 7 authentication
> Date: Thu, 7 May 2015 10:01:39 +0000
> 
> Hi
> I am working on windows authentication with tomcat 7.
> I have gone through the following doc.
> windows-auth-howto Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>
> 
> 
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0admin@domain.com<ma...@domain.com>)
> password (XXXXXX)
> 
> setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
> ktpass /out c:\tomcat.keytab /mapuser ssoadmin@domain.COM /princ HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM /pass XXXXX /kvno 0
> 
> C:\apache-tomcat-7.0.61\conf\jass.conf
> 
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
>     useKeyTab=true
>     keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
>     storeKey=true;
> };
> 
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
>     useKeyTab=true
>    keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
>     storeKey=true;
> };
> 
> C:\apache-tomcat-7.0.61\conf\krb5.ini
> 
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
> default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
> forwardable=true
> 
> [realms]
> DOMAIN.COM = {
>         kdc = DOMAIN-ad:88
> }
> 
> [domain_realm]
> dev.local= DOMAIN.COM
> .dev.local= DOMAIN.COM
> 
> C:\apache-tomcat-7.0.61\conf\server.xml
> 
> <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <!-- This Realm uses the UserDatabase configured in the global JNDI
>              resources under the key "UserDatabase".  Any edits
>              that are performed against this UserDatabase are immediately
>              available for use by the Realm.  -->
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase"/>
> 
>                                                 <Realm className="org.apache.catalina.realm.JNDIRealm"  debug="99"
>            connectionURL="ldap://DOMAIN-ad:389"
>            alternateURL="ldap://DOMAIN-ad:389"
>            connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
>            connectionPassword="XXXX"
>            referrals="follow"
>            userBase="CN=Users, DC=DOMAIN, DC=com"
>            userSearch="(sAMAccountName={0})"
>            userSubtree="true"
>            roleBase="CN=Users, DC=DOMAIN, DC=com"
>            roleName="CN"
>            roleSubtree="true"
>            roleSearch="(member={0})" />
> 
> 
> 
>       </Realm>
> 
> 
> C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Context>
>    <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
> </Context>
> 
> 
> 
> C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml
> 
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
>     version="2.4">
> 
> 
> 
>                 <security-constraint>
>     <display-name>All users</display-name>
>     <web-resource-collection>
>       <web-resource-name>All requests</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>*</role-name>
>     </auth-constraint>
>   </security-constraint>
> 
>   <security-role>
>     <description>All users</description>
>     <role-name>*</role-name>
>   </security-role>
> 
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>   </login-config>
> 
> 
>     <display-name>Hello, World Application</display-name>
>     <description>
>                 This is a simple web application with a source code organization
>                 based on the recommendations of the Application Developer's Guide.
>     </description>
> 
>     <servlet>
>         <servlet-name>HelloServlet</servlet-name>
>         <servlet-class>mypackage.Hello</servlet-class>
>     </servlet>
> 
>     <servlet-mapping>
>         <servlet-name>HelloServlet</servlet-name>
>         <url-pattern>/hello</url-pattern>
>     </servlet-mapping>
> 
> 
> </web-app>
> 
> 
> 
> My error is
> 
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Clock skew too great (37)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> b5LoginModule.java:804)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja
> va:617)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
> java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
> sorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:483)
>         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
> 95)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
> 80)
>         at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>         at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(Sp
> negoAuthenticator.java:192)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
> torBase.java:577)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
> ava:170)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
> ava:103)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
> 950)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
> ve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
> a:423)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
> 11Processor.java:1079)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
> AbstractProtocol.java:620)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin
> t.java:318)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
> .java:617)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
> read.java:61)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: KrbException: Clock skew too great (37)
>         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
> b5LoginModule.java:776)
>         ... 26 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>         at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>         at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
> 
> Ravindhar Konka | Software Engineering
> 
> 