tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: Tomcat7 and SPNEGO configuration questions
Date Sun, 02 Jun 2013 16:20:06 GMT
Hi Edward,

a few more questions:

  * What is your CATALINA_BASE and what CATALINA_HOME?
  * Have you verified, that your options (set by your JAVA_OPTS) are 
really used by your tomcat installation?

Greetings
  Felix

Am 31.05.2013 17:17, schrieb Edward Siewick:
> Hi.
>
> I'm trying to get a baseline configuration working, following the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html.
> I'm apparently off in the weeds having missed something, though. So I'd really appreciate
> a sanity check of my configuration, and the testcase I'm attempting.  I've got something messed
> up, and I'm looking for guidance on what to check.
>
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is
> set to true.
>
> The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's what
> I've got.
>
> setspn -A HTTP/openid-linux.openidmdev.com tomcat7
> ktpass -princ HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
>   -mapuser tomcat7@OPENIDMDEV.COM -crypto AES256-SHA1 -pass
>   "mySecret,78."  -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab
>
> /etc/krb5.conf:
>
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>   default_realm = OPENIDMDEV.COM
>   default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
>   default_tkt_enctypes = aes256-cts-hmac-sha1-96
>   default_tgs_enctypes = aes256-cts-hmac-sha1-96
>   forwardable = true
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>
> [realms]
> OPENIDMDEV.COM = {
>      kdc = openiddc.openidmdev.com:88
>      admin_server = openiddc.openidmdev.com
> }
> [domain_realm]
> openidmdev.com  = OPENIDMDEV.COM
> .openidmdev.com = OPENIDMDEV.COM
>
> The krb5.conf generally works. Using my domain username and password:
>
> kinit -V esiewick
> Using default cache: /tmp/krb5cc_0
> Using principal: esiewick@OPENIDMDEV.COM
> Password for esiewick@OPENIDMDEV.COM:
> Authenticated to Kerberos v5
>
> The keytab contains one key:
>
> klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
> Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    0 HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM (aes256-cts-hmac-sha1-96)
>
> The krb5 config is generally happy with the contents of the keytab:
>
> kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab  HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> Using default cache: /tmp/krb5cc_0
> Using principal: HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
> Authenticated to Kerberos v5
>
> So I'm confident the MSA and the keytab are OK.
>
> The Tomcat7 configurations are localized, based on the descriptions in the windows-auth-howto.html.
> For the Java options, the init script uses:
>
> JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
>    -Djava.security.krb5.conf=/etc/krb5.conf \
>    -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
>    -Djavax.security.auth.useSubjectCredsOnly=false \
>    -Xms1536m \
>    -Xmx1536m \
>    -XX:NewSize=256m \
>    -XX:MaxNewSize=256m \
>    -XX:PermSize=256m \
>    -XX:MaxPermSize=256m \
>    -XX:+DisableExplicitGC"
>
> /usr/share/tomcat7c/conf/jaas.conf is:
>
> com.sun.security.jgss.krb5.initiate {
>      com.sun.security.auth.module.Krb5LoginModule required
>      doNotPrompt=true
>      principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
>      useKeyTab=true
>      keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>      storeKey=true
>      debug=true;
> };
> com.sun.security.jgss.krb5.accept {
>      com.sun.security.auth.module.Krb5LoginModule required
>      doNotPrompt=true
>      principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
>      useKeyTab=true
>      keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>      storeKey=true
>      debug=true;
> };
>
> In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
>
> <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>
> For a testcase, I'm using the Tomcat7 "manager" webapp.
> In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
> I've simply adjusted:
>
> <login-config>
>      <auth-method>BASIC</auth-method>
>      <realm-name>Tomcat Manager Application</realm-name>
>    </login-config>
> to:
>    <login-config>
>      <auth-method>SPNEGO</auth-method>
>      <realm-name>Tomcat Manager Application</realm-name>
>    </login-config>
>
> For /usr/share/tomcat7c/conf/tomcat-users.xml:
>
> <tomcat-users>
> <role rolename="tomcat"/>
> <role rolename="manager"/>
> <role rolename="manager-gui"/>
> <user username="esiewick@OPENIDMDEV.COM" password=""
>       roles="tomcat,manager,manager-gui"/>
> </tomcat-users>
>
> In actually trying to use this configuration,
> http://openid-linux.openidmdev.com:8080/manager/status
> gives HTTP 500 and logs:
>
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache
> is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config
> is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>
> Key for the principal HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM
> not available in /usr/share/tomcat7c/confx/tomcat7.keytab
>                  [Krb5LoginModule] authentication failed
>
> Unable to obtain password from user
>
> May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
>          at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
>          at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
>          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>          at java.lang.reflect.Method.invoke(Unknown Source)
>          at javax.security.auth.login.LoginContext.invoke(Unknown Source)
>          at javax.security.auth.login.LoginContext.access$000(Unknown Source)
>          at javax.security.auth.login.LoginContext$4.run(Unknown Source)
>          at java.security.AccessController.doPrivileged(Native Method)
>          at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
>          at javax.security.auth.login.LoginContext.login(Unknown Source)
>          at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
>          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
>          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
>          at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
>          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>          at java.lang.Thread.run(Unknown Source)
>                  [Krb5LoginModule]: Entering logout
>                  [Krb5LoginModule]: logged out Subject
>
> I trust that the configuration at least is reading the jaas.conf, since the first line
> of logging reflects its settings. However, I'm not convinced Krb5LoginModule is actually reading
> /usr/share/tomcat7c/conf/tomcat7.keytab; I can change:
> keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
> to:
> keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
> and get the same log "Key for the principal...not available" result (+ "-junk" of course).
>
> Well-founded guidance, clues, and even good guesses are all welcome.
>
> Edward
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
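Added troubleshooting example, not code from the thread or from the Tomcat project: it parses the `accept` entry of the jaas.conf quoted above and the Krb5LoginModule debug line from the catalina log, and reports where the two disagree. The sample data is the post's own text; note that the log reports a keytab under `confx/` while jaas.conf names `conf/`, which is exactly the kind of mismatch Felix's question about CATALINA_BASE and JAVA_OPTS is probing.

```python
import os
import re

# Constructed sample, copied from the post's jaas.conf (accept entry only).
JAAS_CONF = '''
com.sun.security.jgss.krb5.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     doNotPrompt=true
     principal="HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM"
     useKeyTab=true
     keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
     storeKey=true
     debug=true;
};
'''

# Constructed sample: the Krb5LoginModule debug line from the post's catalina log.
DEBUG_LINE = ("Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true "
              "ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab "
              "refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM "
              "tryFirstPass is false useFirstPass is false storePass is false clearPass is false")

ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)   # JAAS syntax: name { ... };
OPT_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')    # key=value or key="value"
DEBUG_RE = re.compile(r"KeyTab is (\S+) .*?principal is (\S+)")

def parse_jaas(text):
    """Return {entry_name: {option: value}} for every login entry in a JAAS config."""
    return {name: dict(OPT_RE.findall(body)) for name, body in ENTRY_RE.findall(text)}

def parse_debug(line):
    """Extract the keytab path and principal that Krb5LoginModule reports it is using."""
    m = DEBUG_RE.search(line)
    return {"keyTab": m.group(1), "principal": m.group(2)} if m else None

def check_keytab_config(jaas_text, debug_line, entry="com.sun.security.jgss.krb5.accept"):
    """Compare the jaas.conf being edited with what the running JVM reports; return findings."""
    conf = parse_jaas(jaas_text).get(entry)
    live = parse_debug(debug_line)
    if conf is None or live is None:
        return ["could not parse jaas.conf entry or Krb5LoginModule debug line"]
    findings = []
    for key in ("keyTab", "principal"):
        if conf.get(key) != live[key]:
            findings.append("%s: jaas.conf says %r but the JVM loaded %r; check that "
                            "-Djava.security.auth.login.config points at the file you edit"
                            % (key, conf.get(key), live[key]))
    if not os.path.isfile(live["keyTab"]):  # the path the JVM uses, not the one in the file
        findings.append("keytab %s is not present on this host" % live["keyTab"])
    return findings
```

Run `check_keytab_config(JAAS_CONF, DEBUG_LINE)` against your own jaas.conf and the first `Debug is` line of catalina.out; a `keyTab:` finding means the JVM is not reading the JAAS file you think it is.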

