tomcat-users mailing list archives

From Thomas Delaney <tdelaney....@gmail.com>
Subject Re: HTTPD pass off delegation credentials to Apache Tomcat 8.5.23 for SSO Kerberos
Date Wed, 19 Sep 2018 14:08:30 GMT
Here is more detail into what I went through for setting up Apache Tomcat:
I configured each Apache Tomcat instance using this bit of documentation:
SPNEGO
http://spnego.sourceforge.net/

I also used this documentation in order to get my workstation to accept
Kerberos authentication and not default to NTLM.
https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

*I created/configured the following based on what was outlined from the SPNEGO doc:*
login.conf
krb.conf
HelloKDC.java successfully connected when testing
The SPNEGO filter in Apache Tomcat's web.xml
Took the source code for spnego.jar and placed it in Apache Tomcat's library
hello_spnego.jsp successfully displayed the correct remote user on the web page
hello_delegate.jsp successfully displayed the correct delegated credentials on the webpage.

Once I was able to verify that the above steps worked on Apache Tomcat, I
tested the same web pages on Apache HTTPD. I ran into issues when testing
hello_spnego.jsp and hello_delegate.jsp.

Here have been my results:
hello_spnego.jsp -> "hello root !" (root being a unix user and not the
AD/Windows user signed onto the domain).
hello_delegate.jsp -> "No delegated creds."

*Here is the section of the SPNEGO doc source on how to set up
hello_delegation.jsp and create hello_spnego.jsp:*
http://spnego.sourceforge.net/credential_delegation.html

*Here is how I have Apache HTTPD forwarding requests to Tomcat.*
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy balancer://application>
    BalancerMember "http://localhost:8081/application" route=node1
    BalancerMember "http://localhost:8082/application" route=node2
    BalancerMember "http://localhost:8083/application" route=node3
    ProxySet lbmethod=byrequests stickysession=ROUTEID
</Proxy>

ProxyPass /application balancer://application/
ProxyPassReverse /application balancer://application/



On Wed, Sep 19, 2018 at 7:57 AM André Warnier (tomcat) <aw@ice-sa.com> wrote:

> On 18.09.2018 23:24, Thomas Delaney wrote:
> > Hello All,
> >
> > I have recently configured Apache Tomcat on a SUSE Enterprise 12 SP3 server
> > to get Kerberos SSO working with a web client application. I have also in
> > addition configured Apache HTTPD 2.4.29 on the same machine. When I reach
> > that website I am failing to get SSO working. The web server is not passing
> > off the delegation credentials to Apache Tomcat server. I have the web
> > server load balance proxying its request to multiple Apache Tomcat
> > instances. I have tried applying mod_proxy_http environment variables, but
> > the site continues to fail SSO. Is there a guide or configuration that
> > HTTPD and Apache Tomcat both use to involve Apache HTTPD passing off
> > delegation credentials to Apache Tomcat?
> >
>
> If you would like someone here to be able to help you, you would need to be
> much more precise than that. You write "I have done this" and "I have done
> that", but without giving any clue as to /how/ you did this or that.
> You are not even saying /where/ you have configured the Kerberos SSO. Under
> the Apache httpd front-end? Or under Tomcat?
>
> To point you nevertheless in a possible direction, read this:
>
> https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Apache_httpd
> (and, in your mind, substitute "Windows authentication" by "Kerberos
> authentication")

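Added example, not part of the original message and not code from the SPNEGO project: a Python check for the "Kerberos and not NTLM" step described above. It classifies the token in an `Authorization: Negotiate` header, as captured from a browser request, by the first mechanism it offers. The function names and the sample value are constructed for illustration.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")                 # 1.3.6.1.5.5.2
MECHS = {                                              # DER-encoded mechanism OIDs
    bytes.fromhex("2a864886f712010202"): "kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("2b06010401823702020a"): "ntlm",     # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_authorization(value):
    """Return 'kerberos', 'ntlm', 'other', 'unknown' or 'malformed' for a header value."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "ntlm" if scheme.lower() == "ntlm" else "other"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):           # raw NTLM sent under Negotiate
            return "ntlm"
        pos = 0
        for expected in (0x60, 0x06):                  # GSS-API wrapper, then thisMech OID
            tag, pos, end = read_tlv(token, pos)
            if tag != expected:
                return "unknown"
        oid = token[pos:end]
        if oid != SPNEGO:
            return MECHS.get(oid, "unknown")           # bare Kerberos token, no SPNEGO layer
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF -> first (preferred) OID
        pos = end
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, pos, end = read_tlv(token, pos)
            if tag != expected:
                return "unknown"
        return MECHS.get(token[pos:end], "unknown")
    except (ValueError, IndexError):
        return "malformed"

# Constructed sample: base64 of b"NTLMSSP\x00\x01", the start of a raw NTLM message.
SAMPLE_RAW_NTLM = "Negotiate TlRMTVNTUAAB"
```

A result of `ntlm` for a request that reaches the server means the browser did not obtain a Kerberos service ticket for the host name it used, so the SPNEGO filter never receives Kerberos credentials to validate or delegate.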