tomcat-users mailing list archives

From Chris Fors <chri...@hotmail.com>
Subject RE: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
Date Fri, 01 Mar 2013 10:46:53 GMT


All systems are domain-joined to a mature IT Lab and the issue is with the Tomcat server
configuration, as it should load the krb5.ini and/or jaas.conf and activity should be observable
on the Web server - whether or not any error is generated.  It is not clear to me what the
design load process / order of the call stack should be in the SPNEGO Authentication design.
This would help focus on where the issue is. I ran Process Monitor during a Network Client PC
TCP session to the Tomcat Web Server as well as during start of the Tomcat Web service.

During either of these I don’t observe any calls to jaas.conf or krb5.ini.

What should initiate loading of these and at what point should they load?



Observation Notes:

Process Monitor for Tomcat7.exe when browsing to http://server/SPNEGOAuthTest.jsp shows in summary

TCP Accept: Server -> PC

TCP Receive: Server -> PC

CreateFile:  .\Tomcat7.0\webapps\ROOT\SPNEGOAuthTest.jsp

QueryNetworkOpenInformationFile:

CloseFile:

CreateFile:...

CreateFile: .\ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class

CloseFile . \ \_\org\apache\jsp\SPNEGOAuthTest_jsp.class

...

TCP Send:  Server -> PC

In the SPNEGOAuthTest.jsp HTML response:

  request.getRemoteUser() response shows value of “Nul”

  request.getRemoteAddr() does show the IP address of the PC



Process Monitor during Tomcat Service start -

Calls are shown to

   .\conf\server.xml

   mbeans-descriptors.xml

   .\conf\tomcat-users.xml

   .\conf\context.xml

   .\conf\web.xml

Again no calls to jaas.conf or krb5.ini


> Date: Thu, 28 Feb 2013 06:42:35 -0800
> From: markt@apache.org
> To: users@tomcat.apache.org
> Subject: Re: Windows Authentication on Tomcat 7.0.37 and JRE 7u13 / 64-bit
> 
> On 28/02/2013 02:18, Chris Fors wrote:
> > Trying to get Windows Authentication operational using the Tomcat Built-in method.
> > Implemented the following but not observed any Windows / Kerberos authentication occurring:
> >
> > - Domain joined windows member server
> > - Domain service account
> > - Delegated SPN for HTTP protocol on the member server to the service account
> > - Generated keytab file for the service account and saved in $catalina.base\conf folder
> > - Created Valve in context.xml of className org.apache.catalina.authenticator.SpnegoAuthenticator
> > - Created krb5.ini and saved in $catalina.base\conf folder
> > - Created jaas.conf and saved in $catalina.base\conf folder
> >
> > After this still no observed effect on logon authentications – all still apparently anonymous.
> 
> As expected from what you have described.
> 
> If there are no security constraints on a resource, Tomcat isn't going 
> to require authentication.
> 
> 
> >   Anyone had success with this ?
> 
> Yes. I have a set of test VMs (1 domain controller, 1 Tomcat server and 
> 1 client) where this feature works.
> 
> > Any ideas on what is missing? Is there a good way to debug the process?
> 
> See above. I'd expect to see some changes to the webapp.
> 
> Mark
> 
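
Mark's point above, that Tomcat only asks for authentication on resources covered by a security constraint, shown as an added example that is not part of the original thread: a Python check that reads a web.xml and reports whether a given request path would require authentication. Both web.xml samples and the role name `domain-users` are constructed for illustration; `SPNEGO` is the auth-method value used with Tomcat's built-in authenticator.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.xml with no <security-constraint>, the situation
# Mark's reply describes (every request is served anonymously).
UNPROTECTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>"""

# Constructed sample: the same app with a constraint and SPNEGO login-config.
# The role name "domain-users" is a placeholder, not taken from the thread.
PROTECTED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>domain-users</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
  <security-role><role-name>domain-users</role-name></security-role>
</web-app>"""

def local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml):
    """Return (auth_method, url patterns that carry an auth-constraint)."""
    root = ET.fromstring(web_xml)
    method, patterns = None, []
    for el in root.iter():
        if local(el.tag) == "auth-method":
            method = (el.text or "").strip()
        elif local(el.tag) == "security-constraint":
            kids = {local(c.tag) for c in el.iter()}
            if "auth-constraint" in kids:
                patterns += [p.text.strip() for p in el.iter()
                             if local(p.tag) == "url-pattern" and p.text]
    return method, patterns

def requires_auth(path, patterns):
    """Servlet-style match: exact, '/prefix/*' and '*.ext' patterns."""
    for p in patterns:
        prefix = p.endswith("/*") and (path + "/").startswith(p[:-1])
        if p == path or prefix or (p.startswith("*.") and path.endswith(p[1:])):
            return True
    return False
```

With the unprotected sample, `requires_auth("/SPNEGOAuthTest.jsp", ...)` is false, so no authenticator runs for that request; per-HTTP-method constraints are not modelled here.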
 		 	   		  