Posted to users@tomcat.apache.org by "Steinberger, Richard" <Ri...@mantech-ist.com> on 2005/11/03 18:05:48 UTC

Client Certificate Authentication Failure

 

Hello All!

I am trying to set up client certificate authentication in 5.5.12 on
Windows.

I am getting the following error page...

HTTP Status 401 - Cannot authenticate with the provided credentials

________________________________________

type Status report

message Cannot authenticate with the provided credentials

description This request requires HTTP authentication (Cannot
authenticate with the provided credentials).

________________________________________

Apache Tomcat/5.5.12

With the following dumped to the log...

INFO:           isSecure=true
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:           authType=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:      contentLength=-1
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:        contentType=text/html;charset=utf-8
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Pragma=No-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Cache-Control=no-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             header=Expires=Wed, 31 Dec 1969 19:00:00 EST
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:            message=Cannot authenticate with the provided credentials
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:         remoteUser=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO:             status=401

The log entry...

"authType=null"

...confuses me.

The log entry...

"header=Expires=Wed, 31 Dec 1969 19:00:00 EST"

...makes it look like the server is not getting the user cert, so is
failing to authenticate because of an apparently expired certificate,
based on a (default?) date in the past.

I have tried this with two certificates, with two different signers, all
with valid dates, and still get the same result.

Here is the connector...

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="C:\\CACerts\\prod\\.keystore"
               keystoreType="JKS" keystorePass="changeit"
               truststoreFile="C:\\CACerts\\prod\\.truststore"
               truststoreType="JKS" truststorePass="changeit" />

By switching the <login-config> to FORM I can log in just fine over
https.

Also, turning off clientAuth works fine.

My feeling is that the certificates are OK, but that I am missing a
config setting.

I am doing this testing on my local machine, with a fresh, default
install.

Any input would be appreciated.

Rick

 

 

 


Re: Client Certificate Authentication Failure

Posted by Bill Barker <wb...@wilshire.com>.
Tomcat is getting the cert fine (otherwise you'd get a different response 
message).  The problem is that it can't find a user to go with the 
certificate.

This means that you've got a problem with your Realm configuration. 
Unfortunately, out of the Realms that ship with Tomcat, only MemoryRealm and 
UserDatabaseRealm support client-cert auth.  With these, you need to specify 
the string representation of the cert's Subject as the user's name.

If you need another method of matching certs to users, then you'll probably 
need to create your own custom Realm to do it.

"Steinberger, Richard" <Ri...@mantech-ist.com> wrote in 
message 
news:C96DF7BDC732904A97D0714E82964A4610FA67@ISTMAIL.ist.mantechnss.com...


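As an added illustration of the Realm matching Bill describes (constructed here, not part of the thread): on a default 5.5 install the Realm in server.xml is the UserDatabaseRealm backed by conf/tomcat-users.xml, so the user entry has to carry the client certificate's Subject DN as its username, and the web application's web.xml has to request CLIENT-CERT. The DN below is a made-up example; the real string is the "Owner:" line that "keytool -printcert -file client.cer" prints for the certificate, copied with the same ", " separators and field order.

```xml
<!-- conf/tomcat-users.xml: the username is the certificate's Subject DN,
     spelled exactly as Java renders it. The DN here is a constructed example;
     the password attribute is not consulted for CLIENT-CERT authentication. -->
<tomcat-users>
  <role rolename="certuser"/>
  <user username="CN=Rick Steinberger, OU=IST, O=ManTech, C=US"
        password="" roles="certuser"/>
</tomcat-users>

<!-- WEB-INF/web.xml: protect the application, require TLS, and select
     CLIENT-CERT instead of FORM so the Realm is asked to map the cert. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```

The Expires=Wed, 31 Dec 1969 19:00:00 EST header in the dump is the error page's own no-cache header (the Unix epoch rendered in US Eastern time), not a statement about the certificate's validity, and authType=null only records that no principal was established for the request.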