tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: Tomcat7 and SPNEGO configuration questions
Date Tue, 11 Jun 2013 18:07:08 GMT
On 10.06.2013 22:06, Edward Siewick wrote:
> I've tried an AES128 keytab and matching krb5.conf; this didn't get any further.
Could you try an arc4 one?

Felix
>
> Edward
>
>
> ________________________________________
> From: Edward Siewick [esiewick@ementum.com]
> Sent: Monday, June 10, 2013 3:31 PM
> To: Tomcat Users List
> Subject: RE: Tomcat7 and SPNEGO configuration questions
>
> Felix,
>
> Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt
an authentication of an end user. I *think* I've got the keytab and MSA aspect working. So
two possibilities seem worth digging at. First, there's likely a gap in my understanding of
the http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying
to use the most simple authentication / authorization example available in the default Tomcat7
kit, the manager-gui <auth-constraint> / <role-name> and an ordinary conf/tomcat-users.xml.
Regarding the web.xml, the HowTo only mentions that SPNEGO is to be used, vice BASIC. Other
than swapping the string BASIC for SPNEGO, though, I'm out of guesses on that point in the
instruction. Is there something more needed in the web.xml?
>
> Second, I'm restricting my configuration to only AES256 (aes256-cts-hmac-sha1-96) and
a keytab created only for AES256. Is the default pre-built Tomcat7 kit known to work with
that, by just adding Oracle's jce_policy-6.zip? I'm picking at this because, where my log
trace seems OK with the AD MSA's keytab, for a user authentication it jumps straight to a
logout:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>                    [Krb5LoginModule]: Entering logout
>                    [Krb5LoginModule]: logged out Subject
>
> It's at this point that your trace goes on to "Using builtin default etypes for permitted_enctypes,"
authenticates an end user, and seems to be waiting for further end users. It does pick up
both type 18 (AES256) and 17 (AES128), but only reports using the AES128:
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 17version: 1
> Added key: 18version: 1
> Added key: 3version: 1
> Added key: 23version: 1
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 18 17.
>>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> Using builtin default etypes for permitted_enctypes
> default etypes for permitted_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
> replay cache for user00001@EXAMPLE.COM is null.
> object 0: 1370027872357/357663
>>>> KrbApReq: authenticate succeed.
> Krb5Context setting peerSeqNumber to: 758340766
> Krb5Context setting mySeqNumber to: 758340766
>
> Edward
>
> P.S.: The example server.xml bit from your bugzilla test kit provides for role based
authorization. If I can get my very simple example to work, I'll try to use it. On that point,
the bit:
>
>       <Realm className="org.apache.catalina.realm.JNDIRealm"
>          connectionURL="ldap://localhost:10389"
>          userBase="ou=users,ou=security,dc=example,dc=com"
>          userSearch="(uid={0})"
>          roleBase="ou=groups,dc=example,dc=com"
>          roleName="cn"
>          roleSearch="(uniqueMember={0})"
>          useDelegatedCredential="false"
>       />
>
> or a similar tidy might be added to the HowTo, right after:
>
> "The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, by
default the JNDI Realm will use the user's delegated credentials to connect to the Active
Directory."
>
>
>
>
> ________________________________________
> From: Felix Schumacher [felix.schumacher@internetallee.de]
> Sent: Wednesday, June 05, 2013 4:12 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat7 and SPNEGO configuration questions
>
> On 03.06.2013 20:48, Edward Siewick wrote:
>> Felix & Friends,
>>
>> I've made a fair amount of progress, though I'm still not able to log in with a domain
credential. The domain account ID doesn't appear in the Tomcat7 logging at all, though
it is in tomcat-users.xml. So I might now only be confused as to the syntax of: server.xml
for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or tomcat-users.xml. I have
tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just
"esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each
of these.
> If I read your logs at the end of your mail correctly, I think you
> haven't gotten that far as to have authenticated an user. In my logs you
> could see an user00001 being authenticated. But I can't really tell you,
> why your user was not authenticated.
>
> At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have
> described how I setup a tomcat with apacheds as a kerberos server. You
> might want to try that setup.
>
> Regards
>    Felix
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> ---------------------------------------------------------------------
>



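The thread turns on whether the keytab Tomcat is given actually holds a key of the enctype the KDC used for the service ticket (Edward restricts his keytab to AES256 while Felix's trace shows an aes128 ticket being accepted). The following is an added example, not code from the thread or from the Tomcat project: it parses an MIT-format keytab, pulls the "Added key: N" and ">>> EType: ..." lines out of a -Dsun.security.krb5.debug=true trace, and reports which ticket enctypes the keytab cannot decrypt. The keytab bytes, the service principal HTTP/tomcat.example.com@EXAMPLE.COM, the kvno and the all-zero keys are constructed test data; the trace lines are the ones quoted above.

```python
import re
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) as they appear in keytabs,
# in krb5.conf and in the JDK's Kerberos debug trace.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# Class names that -Dsun.security.krb5.debug=true prints after '>>> EType:'.
JDK_ETYPE_CLASSES = {
    "DesCbcCrcEType": 1, "DesCbcMd5EType": 3, "Des3CbcHmacSha1KdEType": 16,
    "Aes128CtsHmacSha1EType": 17, "Aes256CtsHmacSha1EType": 18, "ArcFourHmacEType": 23,
}


def _octets(buf, pos):
    """Read an MIT keytab counted_octet_string: uint16 length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return bytes(buf[pos:pos + n]), pos + n


def parse_keytab(data):
    """Parse an MIT keytab (file version 0x0502) into a list of entries.

    Each entry is a dict with principal ('HTTP/host@REALM'), kvno, enctype
    and key. Entries with a negative size field are deleted slots and skipped.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted entry: skip over its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _octets(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _octets(data, pos)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno in newer keytabs
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": etype, "key": key})
    return entries


def build_keytab(principal, realm, kvno, keys):
    """Write a keytab in memory (constructed test data, not an AD export).

    keys maps enctype number -> raw key bytes; one keytab entry per enctype.
    """
    comps = principal.split("/")
    out = bytearray(b"\x05\x02")
    for etype, key in keys.items():
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 1370027872, kvno)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def trace_etypes(trace_lines):
    """From JDK Kerberos debug output collect the enctypes of the keys loaded
    from the keytab ('Added key: N') and of the ticket being accepted
    ('>>> EType: sun.security.krb5.internal.crypto.X')."""
    loaded, ticket = set(), set()
    for line in trace_lines:
        m = re.search(r"Added key: (\d+)version", line)
        if m:
            loaded.add(int(m.group(1)))
        m = re.search(r"EType: sun\.security\.krb5\.internal\.crypto\.(\w+)", line)
        if m and m.group(1) in JDK_ETYPE_CLASSES:
            ticket.add(JDK_ETYPE_CLASSES[m.group(1)])
    return loaded, ticket


def undecryptable_ticket_etypes(keytab_entries, service_principal, ticket_etypes):
    """Ticket enctypes for which the keytab holds no key under the service
    principal; non-empty means acceptSecContext cannot decrypt the AP-REQ."""
    have = {e["enctype"] for e in keytab_entries if e["principal"] == service_principal}
    return sorted(ticket_etypes - have)


# Constructed inputs: an AES256-only keytab as described in the thread, a
# keytab with all three AD enctypes, and the trace lines quoted above.
SPN, REALM = "HTTP/tomcat.example.com", "EXAMPLE.COM"
AES256_ONLY_KEYTAB = build_keytab(SPN, REALM, 1, {18: bytes(32)})
FULL_KEYTAB = build_keytab(SPN, REALM, 1, {17: bytes(16), 18: bytes(32), 23: bytes(16)})
TRACE = [
    "Added key: 17version: 1",
    "Added key: 18version: 1",
    ">>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType",
]
```

Run against a real keytab (`open(path, "rb").read()`) and the catalina.out trace, the function returns `[17]` when an aes128 ticket arrives but only an aes256-cts-hmac-sha1-96 key was exported, which is the situation in which the JDK accepts the keytab yet never gets as far as authenticating a user. Restricting `default_tkt_enctypes`/`default_tgs_enctypes`/`permitted_enctypes` in krb5.conf only constrains what the JVM asks for and will accept; the enctype of the service ticket is chosen by the KDC from the service account's supported types, so the keytab has to contain every enctype the KDC may pick.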
