tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ravindhar Konka <ravindhar_ko...@persistent.com>
Subject Tomcat windows 7 authentication
Date Thu, 07 May 2015 10:01:39 GMT
Hi
I am working on windows authentication with tomcat 7.
I have gone through the following doc.
windows-auth-howto Tomcat_instance_(Windows_server)<http://shodhganga.inflibnet.ac.in:8080/docs/windows-auth-howto.html#Tomcat_instance_(Windows_server)>


apache-tomcat-7.0.61
windows server 2008 R2
java 1.8.0_25
active directory machine ( DOMAIN-ad)
tomcat instance machine (windows-sso-demo)
username (ss0admin@domain.com<mailto:ss0admin@domain.com>)
password (XXXXXX)

setspn -A HTTP/WINDOWS-SSO-DEMO ssoadmin
ktpass /out c:\tomcat.keytab /mapuser ssoadmin@domain.COM /princ HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM
/pass XXXXX /kvno 0

C:\apache-tomcat-7.0.61\conf\jass.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
    useKeyTab=true
    keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/WINDOWS-SSO-DEMO@DOMAIN.COM"
    useKeyTab=true
   keyTab="C:/apache-tomcat-7.0.61/conf/tomcat.keytab"
    storeKey=true;
};

C:\apache-tomcat-7.0.61\conf\krb5.ini

[libdefaults]
default_realm = DOMAIN.COM
default_keytab_name = FILE:C:\apache-tomcat-7.0.61\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
DOMAIN.COM = {
        kdc = DOMAIN-ad:88
}

[domain_realm]
dev.local= DOMAIN.COM
.dev.local= DOMAIN.COM

C:\apache-tomcat-7.0.61\conf\server.xml

<Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>

                                                <Realm className="org.apache.catalina.realm.JNDIRealm"
 debug="99"
           connectionURL="ldap://DOMAIN-ad:389"
           alternateURL="ldap://DOMAIN-ad:389"
           connectionName="CN=ssoadmin,CN=Users,DC=DOMAIN,DC=com"
           connectionPassword="XXXX"
           referrals="follow"
           userBase="CN=Users, DC=DOMAIN, DC=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           roleBase="CN=Users, DC=DOMAIN, DC=com"
           roleName="CN"
           roleSubtree="true"
           roleSearch="(member={0})" />



      </Realm>


C:\apache-tomcat-7.0.61\webapps\sample\META-INF\context.xnl

<?xml version="1.0" encoding="UTF-8"?>
<Context>
   <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
</Context>



C:\apache-tomcat-7.0.61\webapps\sample\WEB-INF\web.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">



                <security-constraint>
    <display-name>All users</display-name>
    <web-resource-collection>
      <web-resource-name>All requests</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <description>All users</description>
    <role-name>*</role-name>
  </security-role>

  <login-config>
    <auth-method>SPNEGO</auth-method>
  </login-config>


    <display-name>Hello, World Application</display-name>
    <description>
                This is a simple web application with a source code organization
                based on the recommendations of the Application Developer's Guide.
    </description>

    <servlet>
        <servlet-name>HelloServlet</servlet-name>
        <servlet-class>mypackage.Hello</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>HelloServlet</servlet-name>
        <url-pattern>/hello</url-pattern>
    </servlet-mapping>


</web-app>



My error is

SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Clock skew too great (37)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
b5LoginModule.java:804)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.ja
va:617)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
sorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:483)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:1
95)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:6
80)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(Sp
negoAuthenticator.java:192)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
torBase.java:577)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:170)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:
950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:423)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp
11Processor.java:1079)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(
AbstractProtocol.java:620)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoin
t.java:318)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor
.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskTh
read.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: KrbException: Clock skew too great (37)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Kr
b5LoginModule.java:776)
        ... 26 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)

Ravindhar Konka | Software Engineering
ravindhar_konka@persistent.co.in<mailto:ravindhar_konka@persistent.co.in>| Cell: +91-99633
74753 | Tel: +91-20-674 42058
Persistent Systems Ltd. | Partner in Innovation | www.persistent.com<http://www.persistent.com/>


DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent
Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed.
If you are not the intended recipient, you are not authorized to read, retain, copy, print,
distribute or use this message. If you have received this communication in error, please notify
the sender and delete all copies of this message. Persistent Systems Ltd. does not accept
any liability for virus infected mails.


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message