tomcat-dev mailing list archives

Subject [Bug 57022] New: Tomcat Spnego authentication against Active Directory fails with Java 8
Date Fri, 26 Sep 2014 13:33:32 GMT

            Bug ID: 57022
           Summary: Tomcat Spnego authentication against Active Directory
                    fails with Java 8
           Product: Tomcat 7
           Version: 7.0.55
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina

Created attachment 32059
Tomcat JAAS configuration

Hello everyone,
   I'm successfully using Tomcat 7.0.55 configured with Spnego authentication
against Active Directory running Windows 2008 Server and Java 
After switching to Java 1.8.0_20, authentication does not work anymore; Tomcat
logs the following error message:

SEVERE: Exception performing authentication
javax.naming.AuthenticationException: GSSAPI [Root exception is GSS initiate failed [Caused by GSSException:
No valid credentials provided (
Mechanism level: Failed to find any Kerberos tgt)]]; remaining name
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(
        at com.sun.jndi.ldap.LdapClient.authenticate(
        at com.sun.jndi.ldap.LdapCtx.connect(
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(
        at com.sun.jndi.ldap.LdapCtx.doSearch(
        at com.sun.jndi.ldap.LdapCtx.searchAux(
        at com.sun.jndi.ldap.LdapCtx.c_search(
        at org.apache.catalina.realm.JNDIRealm.getUser(
        at org.apache.catalina.realm.JNDIRealm.getUser(
        at org.apache.catalina.realm.RealmBase.authenticate(

Tomcat is configured according to the "Windows Authentication How-To" document.
I'm attaching the krb5.ini, jaas.conf and server.xml that contains the
JNDIRealm definition.

I have investigated the problem and I believe it is related to the Kerberos
constraint delegation support added in Java 8, see:

It seems that by default, the GSS API in Java 8 will attempt constrained delegation
on the acceptor side, see the referenced changes and in particular the
getCredDelegState() method:

The result of this is that Tomcat's JNDIRealm now finds the delegated
credential delivered with the constrained delegation and switches to the GSSAPI
security mechanism for JNDI/LDAP (this was not the case on Java 7). However,
the Kerberos initiation during LDAP authentication does not find the Kerberos
TGT in the Subject. After digging further, I noticed that the Subject used
during the LDAP authentication is not set. Though the SpnegoAuthenticator
initializes a Subject instance using Kerberos login via JAAS and this contains
the obtained TGT, this Subject instance is not used for performing the LDAP
authentication. I saw the following comment in JNDIRealm.getPrincipal:

// Note: Subject already set in SPNEGO authenticator so no need for
Subject.doAs() here

So I decided to modify this and execute getPrincipal using Subject.doAs()
and the Subject instance available after the Kerberos login. This led to
successful authentication to LDAP and I was able to access the Spnego-secured
webapp again.

Please note that this setup is not using any file-system Kerberos credential
cache, so it requires that the Kerberos TGT is available in the Subject
instance associated with the current ACC.
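The following is an added example, not code from the bug report or from Tomcat's JNDIRealm, showing the pattern the reporter describes: the Subject produced by a JAAS Kerberos login (the one that carries the TGT) is made the current Subject with Subject.doAs(), and the JNDI/LDAP search with SECURITY_AUTHENTICATION=GSSAPI runs inside that action. The JDK's GSSAPI SASL client looks for Kerberos credentials in the Subject of the current AccessControlContext, so the same lookup run outside doAs() fails with "Failed to find any Kerberos tgt" when no file-system credential cache exists. The JAAS entry name, LDAP URL and base DN are placeholders and are not taken from the attached configuration.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class GssapiLdapLookup {

    // Placeholder values (assumptions, not from the report's attachments):
    // the JAAS login entry that performs the Kerberos login, the LDAP URL
    // of the domain controller, and the search base.
    private static final String JAAS_ENTRY = "TomcatKerberosLogin";
    private static final String LDAP_URL = "ldap://dc.example.invalid:389";
    private static final String BASE_DN = "DC=example,DC=invalid";

    /** Kerberos login via JAAS. The returned Subject holds the TGT as a private credential. */
    static Subject kerberosLogin() throws LoginException {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /**
     * LDAP search bound with SASL/GSSAPI. Run outside Subject.doAs() with no
     * credential cache, this is exactly the call that fails in the report.
     */
    static String lookupUserDn(String sAMAccountName) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            // Filter arguments are passed separately so the user name is escaped by JNDI.
            NamingEnumeration<SearchResult> results =
                ctx.search(BASE_DN, "(sAMAccountName={0})", new Object[] {sAMAccountName}, sc);
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            ctx.close();
        }
    }

    /** Runs the lookup with the Kerberos Subject as the current Subject, so the TGT is found. */
    static String lookupAsSubject(Subject subject, String user) throws Exception {
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<String>) () -> lookupUserDn(user));
        } catch (PrivilegedActionException e) {
            // Unwrap the NamingException thrown inside the privileged action.
            throw e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        Subject subject = kerberosLogin();
        System.out.println(lookupAsSubject(subject, args[0]));
    }
}
```

Run with the JAAS configuration supplied through -Djava.security.auth.login.config and a krb5 configuration for the realm; without a reachable KDC and directory the login and search will naturally fail. The point of the structure is that both the authenticator that performed the login and the realm that performs the LDAP lookup must share the same Subject, either by nesting the lookup in doAs() as here or by passing the Subject along explicitly.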
