Posted to users@tomcat.apache.org by "Mead, Jen L" <Me...@con-way.com> on 2012/06/04 20:42:38 UTC

looking for help with getting tomcat 7 to authenticate against windows domain controller from aix 6.1 and 5.3

Hi,

I am brand new to tomcat 7 and am hoping to get realms set-up for users to use my CGI scripts using their windows password.  So far I have put a request into the windows group to create a user for this verification.  I followed the example in the tomcat manual as follows:

 *   Create a domain user that will be mapped to the service name used by the Tomcat server. In this how-to, this user is called tc01 and has a password of tc01pass.
 *   Map the service principal name (SPN) to the user account. SPNs take the form <service class>/<host>:<port>/<service name>. The SPN used in this how-to is HTTP/win-tc01.dev.local. To map the user to the SPN, run the following:

     setspn -A HTTP/win-tc01.dev.local tc01

 *   Generate the keytab file that the Tomcat server will use to authenticate itself to the domain controller. This file contains the Tomcat private key for the service provider account and should be protected accordingly. To generate the file, run the following command (all on a single line):

     ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL /princ HTTP/win-tc01.dev.local@DEV.LOCAL /pass tc01pass /kvno 0

 *   Create a domain user to be used on the client. In this how-to the domain user is test with a password of testpass.
I then went into the next section and started to do some configuration on the tomcat server, which right now is a prototype and is an AIX box running 5300-12-04-1119.

My question is: does the box need to be configured for Kerberos?  If so how does the Kerberos authentication work with tomcat?  The above code sent to the windows group creates a tomcat user, should there also be a Kerberos user?  How would they work together?  Or do they need to?  Should they be the same user?  The documentation does not address this situation in any way at all except to specify that Kerberos is required on the unix box, it doesn't address AIX specifically ever.

I work at a place where the admin team is half way around the world.  So each and every request and test is painstakingly long and obscure for the most part.  So any and all information I come armed with is the only way to fly.  Has anyone succeeded with this on unix or better yet AIX?  Any and all information is greatly appreciated.

Regards,
Jen in Oregon


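The four how-to steps quoted in the post above end with a keytab that the Windows team hands to the Unix host. Tomcat 7's SPNEGO authenticator then reads that file through the JDK's Kerberos implementation (the Krb5LoginModule entry in the jaas.conf the how-to describes), so the keytab is the server-side Kerberos credential: it holds the long-term key of the account the SPN was mapped to. Before wiring a delivered keytab into Tomcat, a practitioner would check what it actually contains. The script below is an added example, not code from this thread or from the Tomcat project: it parses the MIT keytab format that ktpass writes, lists the entries the way `klist -k -e` would, checks that the expected SPN is present in the expected realm, flags the deprecated single-DES and RC4 enctypes and a lower-case realm, and emits the acceptor stanza in the form the how-to's jaas.conf uses. The keytab bytes are constructed inline with a dummy key; the enctype, kvno, and the path /opt/tomcat/conf/tomcat.keytab used in the test are assumptions, and the stanza uses the Sun/Oracle class and entry names from the how-to, which an IBM JDK (the usual JVM on AIX) does not share, so check that JDK's JGSS documentation before reusing it there.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"   # MIT keytab format v2: every integer is big-endian
KRB5_NT_PRINCIPAL = 1          # name type recorded for ordinary principals
# IANA Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}     # single DES and RC4-HMAC are deprecated: flag them

def _take(fmt, buf, off):      # unpack fmt at buf[off]; return (values, new offset)
    return struct.unpack_from(fmt, buf, off), off + struct.calcsize(fmt)

def _counted(buf, off):        # 16-bit-length-prefixed byte string at buf[off]
    (n,), off = _take(">H", buf, off)
    return buf[off:off + n], off + n

def parse_keytab(data):
    """Return the live entries of an MIT 0x0502 keytab as a list of dicts."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab header %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,), off = _take(">i", data, off)
        if size < 0:                      # negative size marks a deleted slot
            off += -size
            continue
        e = data[off:off + size]
        (ncomp,), p = _take(">H", e, 0)
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(e, p)
            comps.append(comp.decode())
        (name_type, timestamp, vno8), p = _take(">IIB", e, p)
        (enctype,), p = _take(">H", e, p)
        key, p = _counted(e, p)
        kvno = vno8
        if p + 4 <= len(e):               # optional 32-bit kvno; nonzero wins
            kvno = struct.unpack_from(">I", e, p)[0] or vno8
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": enctype, "key": key})
        off += size
    return entries

def build_keytab(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise a one-entry keytab, enough to exercise the parser offline."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + counted(key) + struct.pack(">I", kvno)
    return KEYTAB_VERSION + struct.pack(">i", len(body)) + body

def check_keytab(entries, expected_principal, expected_realm):
    """Return a list of problems; an empty list means the keytab looks usable."""
    problems = []
    if not any(e["principal"] == expected_principal and e["realm"] == expected_realm
               for e in entries):
        problems.append("no entry for %s@%s: Tomcat could not decrypt service tickets"
                        % (expected_principal, expected_realm))
    for e in entries:
        who = "%s@%s" % (e["principal"], e["realm"])
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s uses weak enctype %s"
                            % (who, ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
        if e["realm"] != e["realm"].upper():
            problems.append("%s: realm is not upper-case (realms are case-sensitive)" % who)
    return problems

def jaas_accept_stanza(principal, realm, keytab_path):
    """Acceptor stanza in the form the Tomcat 7 how-to's jaas.conf uses (Sun/Oracle JDK names)."""
    return """com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="%s@%s"
    useKeyTab=true
    keyTab="%s"
    storeKey=true;
};
""" % (principal, realm, keytab_path)

# Constructed sample: the how-to's SPN with a dummy 16-byte RC4 key and an assumed kvno of 3.
SAMPLE_KEYTAB = build_keytab("HTTP/win-tc01.dev.local", "DEV.LOCAL",
                             kvno=3, enctype=23, key=bytes(range(16)))

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:                     # same columns as `klist -k -e`
        print("%4d %s@%s (%s)" % (e["kvno"], e["principal"], e["realm"],
                                 ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    for problem in check_keytab(entries, "HTTP/win-tc01.dev.local", "DEV.LOCAL"):
        print("WARNING:", problem)
```

Run against a real file with `parse_keytab(open("tomcat.keytab", "rb").read())`. The realm check matters because ktpass writes whatever realm case it is given, and a ticket for HTTP/host@DEV.LOCAL will not be decrypted with a key stored under dev.local; the enctype check matters because an RC4-only keytab forces the domain controller to issue RC4 service tickets for that account.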

RE: looking for help with getting tomcat 7 to authenticate against windows domain controller from aix 6.1 and 5.3

Posted by Martin Gainty <mg...@hotmail.com>.
correct
critical requirement from the client would be to supply user's password which is hashed by AS to secret-key which encrypts into generated TGS secret-key which is later encrypted into TGT with secret-key http://en.wikipedia.org/wiki/Kerberos_(protocol)#Client_Authentication

Martin..
______________________________________________ 
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only to exchange information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for their content.

 > From: Mead.Jen@con-way.com
> To: users@tomcat.apache.org
> Date: Mon, 4 Jun 2012 14:08:04 -0700
> Subject: RE: looking for help with getting tomcat 7 to authenticate aginst windows domain controller from aix 6.1 and 5.3
> 
> Now that I am looking further into this, I am almost convinced that I don't need Kerberos on the AIX webserver but only in the client (PC that is accessing the pages that are going to authenticate).  I don't get the feeling that many people are doing this (just using a keytab file with an AD account and tweaking the conf files on the UNIX box where tomcat is installed).  This is the only response so far. 
> Jen

RE: looking for help with getting tomcat 7 to authenticate against windows domain controller from aix 6.1 and 5.3

Posted by "Mead, Jen L" <Me...@con-way.com>.
Now that I am looking further into this, I am almost convinced that I don't need Kerberos on the AIX webserver but only in the client (PC that is accessing the pages that are going to authenticate).  I don't get the feeling that many people are doing this (just using a keytab file with an AD account and tweaking the conf files on the UNIX box where tomcat is installed).  This is the only response so far. 
Jen


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: looking for help with getting tomcat 7 to authenticate against windows domain controller from aix 6.1 and 5.3

Posted by Martin Gainty <mg...@hotmail.com>.
assuming you're auth'ing against ADS then your Servlet will have to load a ADS Authentication library and then extract auth creds to validate against ADS..
By the way ADS is native windows code so the only option to make ADS run on AIX is thru a Windows Emulator such as WINE http://www.winehq.org/download
And yes if your ADS library forces Kerberos Authentication thru TC NegotiateAuthenticator valve (such as waffle).. then the answer is yes you will need to accommodate Kerberos Authentication Tokens
http://code.dblock.org/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle
Keep in mind that the majority of ADS Libraries are written for native windows so turn your radar on for
1) 32bit vs 64bit ADS Deployments
2) Specific .NET Framework implementations (v1 or v2 or v3) for ADS
3) Threaded vs non-threaded singleton library dependencies for ADS (keep the other library off the path)

// somewhere in your code you have a javax.net.ssl.SSLSessionContext concrete class
// (here: sslSessionContext) .. then get the SSLSession with your JSessionID
javax.net.ssl.SSLSession ssl_session = sslSessionContext.getSession(jSessionId.getBytes());
// extract PeerPrincipal from your SSLSession
java.security.Principal principal = ssl_session.getPeerPrincipal();
// test Principal for Kerberos
String serverName = null;
if (principal instanceof javax.security.auth.kerberos.KerberosPrincipal) {
    serverName = sun.security.util.HostnameChecker.getServerName(
            (javax.security.auth.kerberos.KerberosPrincipal) principal);
}
http://www.docjar.com/html/api/sun/security/util/HostnameChecker.java.html

i would not deploy on AIX and deploy on a windows box..far easier to load ADS Server and ADS client code windows code to test on guys..any suggestions?
Martin 
______________________________________________ 
Do not alter or disrupt this message..Thank You


Re: looking for help with getting tomcat 7 to authenticate against windows domain controller from aix 6.1 and 5.3

Posted by André Warnier <aw...@ice-sa.com>.
Mead, Jen L wrote:
> Hi,
> 
> I am brand new to tomcat 7 and am hoping to get realms set-up for users to use my CGI scripts 

you are aware that to run CGI scripts, tomcat may not be the best choice?
What is the programming language of your CGI scripts?

> using their windows password.  So far I have put a request into the windows group to 
> create a user for this verification.

Well, if your workstations are running Windows in a Windows domain, then you should not 
need a special user for that, it should work with yours (or whomever is logged-in).  The 
point is to have the server authenticate the logged-in user automatically and 
transparently, no ?

> I followed the example in the tomcat manual as follows:

Which Tomcat manual?
If you are talking about this: 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
then it seems to me that this mechanism implies that your Tomcat server is a Windows host. 
Did you not mention AIX?

> 
>  *   Create a domain user that will be mapped to the service name used by the Tomcat server. In this how-to, this user is called tc01 and has a password of tc01pass.
>  *   Map the service principal name (SPN) to the user account. SPNs take the form <service class>/<host>:<port>/<service name>. The SPN used in this how-to is HTTP/win-tc01.dev.local. To map the user to the SPN, run the following:
> 

If you determine that you do need Tomcat for this, and you are not under Windows, then I 
suggest that you have a look at Jespa, at http://www.ioplex.com.
It is neither open-source nor free, but it works (on any Java platform) and it is 
really not expensive. (I have no commercial interest in it, I just use it.)



