From André Warnier ...@ice-sa.com>
Subject Re: Tomcat7 and SPNEGO configuration questions
Date Fri, 31 May 2013 16:56:27 GMT
Edward Siewick wrote:
> Hi.
> 
> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html.
> I'm apparently off in the weeds having missed something, though. So I'd really appreciate
> a sanity check of my configuration, and the testcase I'm attempting. I've got something messed
> up, and I'm looking for guidance on what to check.
> 
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
> 
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.
> 
> The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's what I've got.
> 
> setspn -A HTTP/openid-linux.openidmdev.com tomcat7
> ktpass -princ HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM -mapuser tomcat7@OPENIDMDEV.COM -crypto AES256-SHA1 -pass "mySecret,78." -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab
> 
> /etc/krb5.conf:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = OPENIDMDEV.COM
>  default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
>  default_tkt_enctypes = aes256-cts-hmac-sha1-96
>  default_tgs_enctypes = aes256-cts-hmac-sha1-96
>  forwardable = true
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
> 
> [realms]
> OPENIDMDEV.COM = {
>     kdc = openiddc.openidmdev.com:88
>     admin_server = openiddc.openidmdev.com
> }
> [domain_realm]
> openidmdev.com  = OPENIDMDEV.COM
> .openidmdev.com = OPENIDMDEV.COM
> 
> The krb5.conf generally works. Using my domain username and password:
> 
> kinit -V esiewick
> Using default cache: /tmp/krb5cc_0
> Using principal: esiewick@OPENIDMDEV.COM
> Password for esiewick@OPENIDMDEV.COM:
> Authenticated to Kerberos v5
> 
> The keytab contains one key:
> 
> klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
> Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    0 HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM (aes256-cts-hmac-sha1-96)
> 
> The krb5 config is generally happy with the contents of the keytab:
> 
> kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
> Authenticated to Kerberos v5
> 
> So I'm confident the MSA and the keytab are OK.
> 
> The Tomcat7 configurations are localized, based on the descriptions in the windows-auth-howto.html.
> For the Java options, the init script uses:
> 
> JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
>   -Djava.security.krb5.conf=/etc/krb5.conf \
>   -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
>   -Djavax.security.auth.useSubjectCredsOnly=false \
>   -Xms1536m \
>   -Xmx1536m \
>   -XX:NewSize=256m \
>   -XX:MaxNewSize=256m \
>   -XX:PermSize=256m \
>   -XX:MaxPermSize=256m \
>   -XX:+DisableExplicitGC"
> 
> /usr/share/tomcat7c/conf/jaas.conf is:
> 
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
>     useKeyTab=true
>     keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>     storeKey=true
>     debug=true;
> };
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
>     useKeyTab=true
>     keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>     storeKey=true
>     debug=true;
> };
> 
> In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
> 
> <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
> 
> For a testcase, I'm using the Tomcat7 "manager" webapp.
> In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
> I've simply adjusted:
> 
> <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>
>   </login-config>
> to:
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>
>   </login-config>
> 
> For /usr/share/tomcat7c/conf/tomcat-users.xml:
> 
> <tomcat-users>
> <role rolename="tomcat"/>
> <role rolename="manager"/>
> <role rolename="manager-gui"/>
> <user username="esiewick@OPENIDMDEV.COM" password="" roles="tomcat,manager,manager-gui"/>
> </tomcat-users>
> 
> In actually trying to use this configuration,
> http://openid-linux.openidmdev.com:8080/manager/status
> gives HTTP 500 and logs:
> 
> Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 
> Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM not available in /usr/share/tomcat7c/confx/tomcat7.keytab
>                 [Krb5LoginModule] authentication failed
> 
> Unable to obtain password from user
> 
> May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
>         at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at javax.security.auth.login.LoginContext.invoke(Unknown Source)
>         at javax.security.auth.login.LoginContext.access$000(Unknown Source)
>         at javax.security.auth.login.LoginContext$4.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
>         at javax.security.auth.login.LoginContext.login(Unknown Source)
>         at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
>         at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>         at java.lang.Thread.run(Unknown Source)
>                 [Krb5LoginModule]: Entering logout
>                 [Krb5LoginModule]: logged out Subject
> 
> I trust that the configuration at least is reading the jaas.conf, since the first line
> of logging reflects its settings. However, I'm not convinced Krb5LoginModule is actually reading
> /usr/share/tomcat7c/conf/tomcat7.keytab; I can change:
> keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
> to:
> keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
> and get the same log "Key for the principal...not available" result (+ "-junk" of course).
> 
> Well-founded guidance, clues, and even good guesses are all welcome.
> 

Answering in the spirit of your last phrase above (because I really know nothing about the
Tomcat SPNEGO Valve, and very little about Kerberos):

The error message:

javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)

would tend to indicate that something is trying to prompt the user for a password.
That should not really happen, in a Windows SSO mechanism, unless the Windows Domain
Controller (to which the SPNEGO Valve is ultimately talking) is configured to accept HTTP
Basic authentication as a fall-back for a Windows Integrated Authentication that doesn't work.

One reason for which WIA could possibly not work, would be if your Windows workstation
does not consider the Tomcat server to which it is connecting, as at least a "trusted"
server. In such a case, the *browser* will even refuse to start a WIA dialog with the server.
So, first thing: are you sure that the workstation and the Tomcat server, from a Windows
authentication point of view, are part of the same Windows Domain?
(And if you are not sure, and you are allowed to do this, what happens if you go into the
IE settings, and add the tomcat hostname explicitly into the list of "trusted" servers?).
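Added check, not part of this thread: before looking at the browser or the domain controller, the "Key for the principal ... not available" line from Krb5LoginModule can be tested directly against the keytab bytes. The reader below parses the MIT keytab format (the file ktpass and klist produce) and reports whether the exact principal and enctype that jaas.conf and krb5.conf name are present; it is written for this page, not taken from Tomcat or MIT Kerberos, and the sample keytab is constructed inline with the post's principal and a dummy key.

```python
import struct

def _counted(buf, off):
    # keytab "counted octet string": uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format keytab (version bytes 05 02) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        # name_type(4) timestamp(4) vno8(1) enctype(2) keylen(2), then the key
        _nt, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen
        # a trailing 32-bit kvno, when present, overrides the 8-bit one
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype})
        off = end
    return entries

def keytab_check(data, principal, enctype=18):
    """Report whether Krb5LoginModule(useKeyTab=true) could find `principal`;
    enctype 18 is aes256-cts-hmac-sha1-96, as in the post's krb5.conf."""
    entries = parse_keytab(data)
    found = [e for e in entries if e["principal"] == principal]
    if not found:
        return "no key for %s; keytab holds %s" % (principal, sorted(e["principal"] for e in entries))
    if enctype not in {e["enctype"] for e in found}:
        return "principal present but enctypes are %s" % sorted(e["enctype"] for e in found)
    return "ok, kvno=%d" % found[0]["kvno"]

# Constructed sample keytab: the post's service principal, kvno 0, enctype 18, dummy 32-byte key.
_PRINC = b"\x00\x0eOPENIDMDEV.COM\x00\x04HTTP\x00\x1bopenid-linux.openidmdev.com"
_ENTRY = b"\x00\x02" + _PRINC + struct.pack(">IIBHH", 1, 0, 0, 18, 32) + b"\x00" * 32 + b"\x00\x00\x00\x00"
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_ENTRY)) + _ENTRY
```

On a real host, feed it the bytes of the file named in the jaas.conf keyTab attribute together with the principal string from the same stanza; a "no key for" result with a different realm case, hostname or enctype list points at the keytab or krb5.conf rather than at the Windows side.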


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

