Posted to users@tomcat.apache.org by "Steinberger, Richard" <Ri...@mantech-ist.com> on 2005/11/03 18:05:48 UTC
Client Certificate Authentication Failure
Hello All!
I am trying to setup client certificate authentication in 5.5.12 on
windows.
I am getting the following error page....
HTTP Status 401 - Cannot authenticate with the provided credentials
________________________________________
type Status report
message Cannot authenticate with the provided credentials
description This request requires HTTP authentication (Cannot
authenticate with the provided credentials).
________________________________________
Apache Tomcat/5.5.12
With the following dumped to the log.....
INFO: isSecure=true
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: ---------------------------------------------------------------
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: authType=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: contentLength=-1
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: contentType=text/html;charset=utf-8
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Pragma=No-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Cache-Control=no-cache
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: header=Expires=Wed, 31 Dec 1969 19:00:00 EST
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: message=Cannot authenticate with the provided credentials
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: remoteUser=null
Nov 3, 2005 11:27:29 AM org.apache.catalina.valves.RequestDumperValve invoke
INFO: status=401
The log entry...
"authType=null"
confuses me.
The log entry...
"header=Expires=Wed, 31 Dec 1969 19:00:00 EST"
...makes it look like the server is not getting the user cert, so is
failing to authenticate because of an apparently expired certificate,
based on a (default?) date in the past.
I have tried this with two certificates, with two different signers, all
with valid dates, and still get the same result.
Here is the connector...
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="C:\\CACerts\\prod\\.keystore"
keystoreType="JKS" keystorePass="changeit"
truststoreFile="C:\\CACerts\\prod\\.truststore"
truststoreType="JKS" truststorePass="changeit" />
By switching the <login-config> to FORM I can login just fine over
https.
Also, turning off clientAuth, works fine.
My feeling is that the certificates are OK, but that I am missing a
config setting.
I am doing this testing on my local machine, with a fresh, default
install.
Any input would be appreciated.
Rick
Re: Client Certificate Authentication Failure
Posted by Bill Barker <wb...@wilshire.com>.
Tomcat is getting the cert fine (otherwise you'd get a different response
message). The problem is that it can't find a user to go with the
certificate.
This means that you've got a problem with your Realm configuration.
Unfortunately, out of the Realms that ship with Tomcat, only MemoryRealm and
UserDatabaseRealm support client-cert auth. With these, you need to specify
the string representation of the cert's Subject as the user's name.
If you need another method of matching certs to users, then you'll probably
need to create your own custom Realm to do it.
"Steinberger, Richard" <Ri...@mantech-ist.com> wrote in
message
news:C96DF7BDC732904A97D0714E82964A4610FA67@ISTMAIL.ist.mantechnss.com...
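The reply above says the realm must contain a user whose name is "the string representation of the cert's Subject", and the usual mistake is to type that string in the wrong format (OpenSSL's "/C=US/O=.../CN=..." or the RFC 2253 form without spaces), so the MemoryRealm lookup misses even though the certificate itself was accepted by the connector. The program below is an added example written for this page, not code from the thread or from Tomcat: it prints the Subject string in the form Tomcat 5.5's RealmBase.authenticate(X509Certificate[]) passes to getPrincipal(), namely certs[0].getSubjectDN().getName() (check your own Tomcat's RealmBase if you run a different version), alongside the RFC 2253 form that will not match, and emits the matching tomcat-users.xml line. The DN "CN=Rick Steinberger, OU=IST, O=ManTech, C=US", the class name, the role "tomcat" and the optional file argument are all assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Principal;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

/**
 * Shows the exact username a MemoryRealm / UserDatabaseRealm needs for
 * CLIENT-CERT authentication and the tomcat-users.xml line that provides it.
 *
 * Usage: java SubjectToRealmUser [path/to/client-cert.pem-or-der]
 * With no argument a constructed sample DN is used, so it runs offline.
 */
public class SubjectToRealmUser {

    // Constructed sample DN for the offline run; not a certificate from the thread.
    static final String SAMPLE_DN = "CN=Rick Steinberger, OU=IST, O=ManTech, C=US";

    /** The string Tomcat 5.5's RealmBase hands to getPrincipal() for a client cert. */
    static String realmUserName(X509Certificate cert) {
        Principal subject = cert.getSubjectDN();   // sun.security.x509.X500Name
        return subject.getName();                  // its toString(): "CN=..., OU=..., O=..., C=US"
    }

    /** The RFC 2253 form (no spaces, different escaping); NOT what the realm looks up. */
    static String rfc2253Name(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }

    /** Builds the tomcat-users.xml entry; the password is unused for CLIENT-CERT. */
    static String tomcatUsersLine(String subject, String roles) {
        String escaped = subject.replace("&", "&amp;").replace("\"", "&quot;");
        return "<user username=\"" + escaped + "\" password=\"\" roles=\"" + roles + "\"/>";
    }

    public static void main(String[] args) throws Exception {
        String realmName;
        String rfc2253;
        if (args.length > 0) {
            try (InputStream in = new FileInputStream(args[0])) {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                realmName = realmUserName(cert);
                rfc2253 = rfc2253Name(cert);
            }
        } else {
            // Same Java formatting rules applied to the sample DN:
            // X500Principal.toString() is the X500Name toString() the realm lookup uses.
            X500Principal p = new X500Principal(SAMPLE_DN);
            realmName = p.toString();
            rfc2253 = p.getName();
        }
        System.out.println("RFC 2253 form (will not match the realm): " + rfc2253);
        System.out.println("Realm username (use this exactly):        " + realmName);
        System.out.println(tomcatUsersLine(realmName, "tomcat"));
    }
}
```

On a real certificate the same string appears on the "Owner:" line of `keytool -printcert -file client.crt`, which is a quick way to check what you typed into tomcat-users.xml against what the JVM will actually produce; note that the connector has already validated the chain against the truststore by the time the realm is consulted, so a mismatch here yields exactly the 401 seen in the original post rather than a TLS handshake failure.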