Posted to users@tomcat.apache.org by chris <ch...@ottmountainbike.co.uk> on 2013/11/15 12:11:51 UTC

Help needed with SpnegoAuthenticator authentication

Any help with this would be very much appreciated.  We are trying to proof-of-concept
this to return the remote user's domain login name to use it in a Web application.
We are attempting to use a keytab method to hopefully negate any requirement for
exposing the kerberos principal delegate in any server configuration files.

We have a test configuration for SpnegoAuthenticator authentication using Apache
Tomcat/7.0.47 in a sandbox environment.  From a remote client workstation we are
seeing an HTTP 500 error when testing and are looking for some insight as to what is
wrong or missing in our test environment.

Environment:

Apache Tomcat/7.0.47
Java JDK/JRE 1.7.0_45
Test Workstation:  Windows 7 x64 (domain joined)
Test Server:  Windows Server 2008 R2

When testing see Log dump --->

  Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate

  SEVERE: Unable to login as the service principal

  javax.security.auth.login.LoginException: Unable to obtain password from user
      at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
      at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.invoke(Unknown Source)
      at javax.security.auth.login.LoginContext.access$000(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at javax.security.auth.login.LoginContext$4.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
      at javax.security.auth.login.LoginContext.login(Unknown Source)
      at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:214)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:574)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
      at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)



SPN is delegated to the domain account with UPN:  svctomcatdv@mydom.int

(Setspn -a http/tomcatsvr.mydom.int:8080 svctomcatdv)

* Domain Controller DC1 is Server 2008 R2
* Windows server hosting Tomcat is Server 2008 R2
* PC is Windows 7 and configured to automatically login in Intranet zone
identified by *.mydom.int

Keytab generated using the ktpass.exe utility with command:

ktpass /crypto AES256-SHA1 /princ svctomcatdv@mydom.int /pass * /kvno 0 /ptype KRB5_NT_SRV_INST /out "C:\temp\tc.keytab"

Tomcat Java options set are:

-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 7.0
-Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 7.0
-Djava.endorsed.dirs=C:\Program Files\Apache Software Foundation\Tomcat 7.0\endorsed
-Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 7.0\temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\logging.properties
-Djava.security.krb5.conf=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\krb5.ini
-Djava.security.auth.login.config=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\jaas.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dsun.security.krb5.debug=true

Context.xml has the Spnego Valve declared ---

<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
       loginConfigName="com.sun.security.auth.module.Krb5LoginModule.accept"
       storeDelegatedCredential="true" />

Web.xml has security constraints, roles, and SPNEGO authentication methods ---

<security-constraint>
    <web-resource-collection>
        <web-resource-name>All JSP Files</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>role1</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>
        The role that is required to access the pages
    </description>
    <role-name>role1</role-name>
</security-role>

<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

Krb5.ini ---

[libdefaults]
    default_realm = MYDOM.INT
    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
    permitted_enctypes   = aes256-cts aes128-cts rc4-hmac
    default_keytab_name = "C:\temp\tomcat.keytab"
    forwardable = true

[realms]
    MYDOM.INT = {
        kdc = dc1.mydom.int
        default_domain = mydom.int
    }

[domain_realm]
    .mydom.int = MYDOM.INT
    mydom.int = MYDOM.INT

jaas.conf is as ---

com.sun.security.auth.module.Krb5LoginModule.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="svctomcatdv@mydom.int"
    useKeyTab=true
    keyTab="c:/temp/tomcat.keytab"
    storeKey=true;
};

com.sun.security.auth.module.Krb5LoginModule.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="svctomcatdv@mydom.int"
    useKeyTab=true
    keyTab="c:/temp/tomcat.keytab"
    storeKey=true;
};

--------------------------------------------------------------------------------------






Re: Help needed with SpnegoAuthenticator authentication

Posted by Cédric Couralet <ce...@gmail.com>.
2013/11/15 chris <ch...@ottmountainbike.co.uk>:
> Any help with this would be very much appreciated.  We are trying to proof of
> concept this to return the remote user's domain login name to use it in a Web
> application.  Attempting to use a keytab method to hopefully negate any
> requirement for exposing the kerberos principal delegate in any server
> configuration files.
>
> We have a test configuration for SpnegoAuthenticator authentication using Apache
> Tomcat/7.0.47 in sandbox environment.  From a remote client workstation we are
> seeing an HTTP 500 error when testing and looking for some insight as to what is
> wrong or missing in our test environment.
>
> Environment:
>
> Apache Tomcat/7.0.47
> Java JDK/JRE 1.7.0_45
> Test Workstation:  Windows 7 x64 (domain joined)
> Test Server:  Windows Server 2008 R2
>
> When testing see Log dump --->
>
>   Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator
> authenticate
>
>   SEVERE: Unable to login as the service principal
>
>   javax.security.auth.login.LoginException: Unable to obtain password from user
>
>             at
> com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>             at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown
[..]
>
>
> SPN is delegated to the domain account with UPN:  svctomcatdv@mydom.int
>
> (Setspn -a http/tomcatsvr.mydom.int:8080 svctomcatdv)

No need for the port when defining a SPN.

>
> * Domain Controller DC1 is Server 2008 R2
> * Windows server hosting Tomcat is Server 2008 R2
> * PC is Windows 7 and configured to automatically login in Intranet zone
> identified by *.mydom.int
>
> Keytab generated using the ktpass.exe utility with command:
>
> ktpass /crypto AES256-SHA1 /princ svctomcatdv@mydom.int /pass * /kvno 0 /ptype
> KRB5_NT_SRV_INST /out "C:\temp\tc.keytab"
>

I have found that an error like this indicates a bad keytab.

I generate keytab with the /princ option set to the SPN of the user
(as indicated on tomcat documentation :
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Domain_Controller)

Could you try it this way?
ktpass /crypto AES256-SHA1 /princ http/tomcatsvr.mydom.int@MYDOM.INT /pass * /kvno 0 /out "C:\temp\tc.keytab"

Cédric

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Help needed with SpnegoAuthenticator authentication

Posted by André Warnier <aw...@ice-sa.com>.
chris wrote:
...

> 
> When testing see Log dump --->
> 
>   Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator
> authenticate
> 
>   SEVERE: Unable to login as the service principal
> 
>   javax.security.auth.login.LoginException: Unable to obtain password from user
> 
>             at
> com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>             at
..
I am not a Kerberos specialist, but why would the above 2 lines be there?
The whole point of SSO, normally, is to not have to prompt the user for a login/password,
and to get the authentication directly from the logged-in workstation.
In a Windows-domain-style SSO, the fact of prompting the user usually already indicates
that something (some prior step) is not working as it should.

I would suggest using a protocol analyser (maybe just a browser plugin) to check what
really goes on there.
