tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Cédric Couralet <cedric.coura...@gmail.com>
Subject Re: Help needed with SpnegoAuthenticator authentication
Date Sat, 16 Nov 2013 08:09:49 GMT
2013/11/15 chris <chris@ottmountainbike.co.uk>:
> Any help with this would be very much appreciated.  We are trying to proof of
> concept this to return the remote user's domain login name to use it in a Web
> application.  Attempting to use a keytab method to hopefully negate any
> requirement for exposing the kerberos principal delegate in any server
> configuration files.
>
> We have a test configuration for SpnegoAuthenticator authentication using Apache
> Tomcat/7.0.47 in sandbox environment.  From a remote client workstation we are
> seeing an HTTP 500 error when testing and looking for some insight as to what is
> wrong or missing in our test environment.
>
> Environment:
>
> Apache Tomcat/7.0.47
> Java JDK/JRE 1.7.0_45
> Test Workstation:  Windows 7 x64 (domain joined)
> Test Server:  Windows Server 2008 R2
>
> When testing see Log dump --->
>
>   Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator
> authenticate
>
>   SEVERE: Unable to login as the service principal
>
>   javax.security.auth.login.LoginException: Unable to obtain password from user
>
>             at
> com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>             at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown
[..]
>
>
> SPN is delegated to the domain account with UPN:  svctomcatdv@mydom.int
>
> (Setspn –a http/tomcatsvr.mydom.int:8080 svctomcatdv)

No need for the port when defining a SPN.

>
> * Domain Controller DC1 is Server 2008 R2
> * Windows server hosting Tomcat is Server 2008 R2
> * PC is Windows 7 and configured to automatically login in Intranet zone
> identified by *.mydom.int
>
> Keytab generated using the ktpass.exe utility with command:
>
> ktpass /crypto AES256-SHA1 /princ svctomcatdv@mydom.int /pass * /kvno 0 /ptype
> KRB5_NT_SRV_INST /out "C:\temp\tc.keytab"
>

I have found that an error like this indicates a bad keytab.

I generate keytab with the /princ option set to the SPN of the user
(as indicated on tomcat documentation :
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Domain_Controller)

Could you try it this way?
ktpass /crypto AES256-SHA1 /princ  http/tomcatsvr.mydom.int@MYDOM.INT
/pass * /kvno 0  /out "C:\temp\tc.keytab"

Cédric

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message