From: Thomas Delaney
Date: Thu, 20 Sep 2018 09:38:32 -0400
Subject: Re: HTTPD pass off delegation credentials to Apache Tomcat 8.5.23 for SSO Kerberos
To: Tomcat Users List <users@tomcat.apache.org>
In-Reply-To: <5BA2BBA0.8030604@ice-sa.com>
André,

I was able to use the reference you made about making tomcatAuthentication false. With this Tomcat setting combined with HTTPD's mod_proxy_ajp proxy rules I was able to get this working. I am still testing this, but it looks clear to me that this is the solution.

Thanks for the quick responses yesterday!

On Wed, Sep 19, 2018 at 5:10 PM André Warnier (tomcat) wrote:

> Hi.
> Much better..
> I don't know if I will be able to help you, considering my little knowledge of Kerberos, but I'm sure that someone else now will be.
>
> On 19.09.2018 16:08, Thomas Delaney wrote:
> > Here is more detail into what I went through for setting up Apache Tomcat:
> > I configured each Apache Tomcat instance using this bit of documentation:
> > SPNEGO
> > http://spnego.sourceforge.net/
> >
> > I also used this documentation in order to get my workstation to accept Kerberos authentication and not default to NTLM.
> > https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM
> >
> > *I created/configured the following based on what was outlined from the SPNEGO doc:*
> > login.conf
> > krb.conf
> > HelloKDC.java successfully connected when testing
> > The SPNEGO filter in Apache Tomcat's web.xml
> > Took the source code for spnego.jar and placed it in Apache Tomcat's library
> > hello_spnego.jsp successfully displayed the correct remote user on the web page
> > hello_delegate.jsp successfully displayed the correct delegated credentials on the webpage.
>
> Ok, so we can assume
> - that the basic Kerberos infrastructure works
> - that you know how to set it up
> - and that it works when you do the Kerberos authentication in Tomcat itself, and access tomcat directly from the browser.
>
> > Once I was able to verify that the above steps worked on Apache Tomcat, I tested the same web pages on Apache HTTPD.
>
> You mean "when accessing Tomcat /through/ the Apache httpd front-end", right ?
>
> From your original description, I thought that you wanted to do the Kerberos authentication in the front-end Apache httpd, and pass on the authenticated user-id to the back-end Tomcats then. That's still an option anyway.
> But from the description below it looks like you want to keep the SPNEGO/Kerberos authentication at the Tomcat level, and just want the front-end httpd to be "transparent" with respect to the Kerberos authentication exchanges.
> Do I get this right ?
>
> > I ran into issues when testing hello_spnego.jsp and hello_delegate.jsp.
> >
> > Here have been my results:
> > hello_spnego.jsp -> "hello root !" (root being a unix user and not the AD/Windows user signed onto the domain).
> > hello_delegate.jsp -> "No delegated creds."
> >
> > *Here is the section of the SPNEGO doc source on how to setup hello_delegation.jsp and create hello_spnego.jsp:*
> > http://spnego.sourceforge.net/credential_delegation.html
>
> Mmm. This is quite complicated, but I think that I'm starting to guess what the problem is.
> I think that "delegation" is not really what you want to do here. It might work in the absolute (if everything was set up correctly to do it), but I believe that it is overkill in your case; and I believe that you are missing one piece of the puzzle anyway.
>
> Taking into account my total lack of experience with SPNEGO/Kerberos delegation - and thus taking this with a grain of salt - I believe (from the above documentation page) that for such a delegation to work with an Apache httpd front-end, your browser would /first/ need to be authenticated already by the front-end (for example, "as you"), and that this front-end /itself/ would need to have /its own (separate) account/ in your infrastructure - and an account with special properties - in order to be allowed to authenticate "as you" (otherwise said : "impersonate you") with the Tomcat back-end's SPNEGO/Kerberos Valve.
>
> > *Here is how I have Apache HTTPD forwarding requests to Tomcat.*
> > Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
> >
> > BalancerMember "http://localhost:8081/application" route=node1
> > BalancerMember "http://localhost:8082/application" route=node2
> > BalancerMember "http://localhost:8083/application" route=node3
> > ProxySet lbmethod=byrequests stickysession=ROUTEID
> >
> > ProxyPass /application balancer://application/
> > ProxyPassReverse /application balancer://application/
> >
>
> What you are setting up here is a standard Apache httpd "reverse proxy + load-balancer". But, as far as I can see from the above, this proxy does not (itself) authenticate the browsers which talk to it.
> So this front-end proxy does not really have a (browser-originating) user-id for which it would be able to request a "delegated authentication".
> And it is also not set up to do "delegated authentication" with the back-end Tomcat's SPNEGO/Kerberos Valve.
>
> This may be a bit confusing, and maybe this article explains it better than I could :
> https://blogs.informatica.com/2018/05/07/the-kerberos-conundrum-a-proxys-plight/#fbid=UtL4Ic19fwv
> (Obviously, this is talking about some other front-end proxy software, but you can see that one needs something additional on the front-end proxy, to do this kind of thing).
>
> All in all, if all that you need is that the application installed under Tomcat would be able to obtain an authenticated "current user-id", I would suggest that instead of trying to configure this using impersonation/delegation, you try something simpler to set up :
>
> - remove the SPNEGO/Kerberos authentication part in Tomcat
> - add an SPNEGO/Kerberos authentication at the Apache httpd front-end level, so that the front-end authenticates the user, *before* proxying the requests to the back-end Tomcat
> - then configure the front-end to pass along this by now authenticated user-id, in the requests that it passes to Tomcat
> - and configure Tomcat to pick up this user-id from the request, and take it as the Tomcat-level user-id for the request
>
> For the first part, you could use this as a guide :
> http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html
> or this :
> http://modauthkerb.sourceforge.net/configure.html
>
> For the second part, the easiest way is to use the AJP-protocol proxying between Apache httpd and Tomcat, as indicated in a previous message to the list.
>
> > On Wed, Sep 19, 2018 at 7:57 AM André Warnier (tomcat) wrote:
> >
> >> On 18.09.2018 23:24, Thomas Delaney wrote:
> >>> Hello All,
> >>>
> >>> I have recently configured Apache Tomcat on a SuSe Enterprise 12 SP3 server to get Kerberos SSO working with a web client application. I have also in addition configured Apache HTTPD 2.4.29 on the same machine. When I reach that website I am failing to get SSO working. The web server is not passing off the delegation credentials to Apache Tomcat server. I have the web server load balance proxying its request to multiple Apache Tomcat instances. I have tried applying mod_proxy_http environment variables, but the site continues to fail SSO. Is there a guide or configuration that HTTPD and Apache Tomcat both use to involve Apache HTTPD passing off delegation credentials to Apache Tomcat?
> >>>
> >>
> >> If you would like someone here to be able to help you, you would need to be much more precise than that. You write "I have done this" and "I have done that", but without giving any clue as to /how/ you did this or that.
> >> You are not even saying /where/ you have configured the Kerberos SSO. Under the Apache httpd front-end ? or under Tomcat ?
> >>
> >> To point you nevertheless in a possible direction, read this :
> >> https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Apache_httpd
> >> (and, in your mind, substitute "Windows authentication" by "Kerberos authentication")
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >> For additional commands, e-mail: users-help@tomcat.apache.org
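The thread ends with the set-up working but never shows the configuration. The following is an added example written by the editor, not configuration posted by Thomas or André or shipped by either project: httpd does the Kerberos/SPNEGO exchange with mod_auth_kerb (the directives from the guide André linked; mod_auth_gssapi's AuthType GSSAPI is the maintained replacement), proxies over AJP instead of HTTP, and each Tomcat node takes the user-id from the AJP request via tomcatAuthentication="false". Realm EXAMPLE.COM, the keytab path, the HTTP/www.example.com service principal and the AJP ports 8009-8011 (the thread's nodes used HTTP ports 8081-8083) are assumptions. The script also carries a check for the one thing this set-up makes dangerous: a connector with tomcatAuthentication="false" believes whatever user-id its AJP peer sends, so it must not be reachable from anywhere but httpd.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Front-end Kerberos auth in
# httpd, user-id handed to Tomcat over AJP, Tomcat trusting it.
# Assumptions: realm EXAMPLE.COM, keytab /etc/apache2/http.keytab holding
# HTTP/www.example.com@EXAMPLE.COM, three nodes on AJP ports 8009-8011.

# httpd side: mod_auth_kerb directives. KrbMethodK5Passwd Off prevents a
# Basic-auth password fallback; KrbLocalUserMapping On strips "@REALM" so
# REMOTE_USER (and thus request.getRemoteUser() in Tomcat) is the bare name.
httpd_conf() {
cat <<'EOF'
<Location "/application">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/apache2/http.keytab
    KrbServiceName HTTP
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbLocalUserMapping On
    Require valid-user
</Location>

Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
<Proxy "balancer://application">
    BalancerMember "ajp://localhost:8009/application" route=node1
    BalancerMember "ajp://localhost:8010/application" route=node2
    BalancerMember "ajp://localhost:8011/application" route=node3
    ProxySet lbmethod=byrequests stickysession=ROUTEID
</Proxy>
ProxyPass        /application balancer://application/
ProxyPassReverse /application balancer://application/
EOF
}

# Tomcat side (server.xml, one per node with its own port). The connector
# is bound to loopback because with tomcatAuthentication="false" any peer
# that can open the port can assert any user-id. Once both ends support an
# AJP secret (Tomcat: requiredSecret, renamed secret in later 8.5 releases;
# httpd: mod_proxy_ajp 2.4.42+), set one too; httpd 2.4.29 cannot send it.
tomcat_connector() {
cat <<'EOF'
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           redirectPort="8443" />
EOF
}

# Check: every AJP connector that trusts the proxy's user-id must be bound
# to a loopback address. Splits the file into elements on ">" so multi-line
# <Connector> elements are seen whole. Prints offenders, returns 1 if any.
check_ajp_trust() {
    offending=$(awk 'BEGIN { RS = ">" } /<Connector/ { gsub(/[[:space:]]+/, " "); print $0 ">" }' "$1" \
        | grep -i 'protocol="AJP/1.3"' \
        | grep -i 'tomcatAuthentication="false"' \
        | grep -Eiv 'address="(127\.0\.0\.1|::1|localhost)"' || true)
    if [ -n "$offending" ]; then
        printf 'UNSAFE: AJP connector trusts REMOTE_USER but is not loopback-bound:\n%s\n' "$offending"
        return 1
    fi
    return 0
}

# Usage: sh ajp-sso.sh show            (print both fragments)
#        sh ajp-sso.sh check server.xml (audit an existing server.xml)
case "${1:-}" in
    show)  httpd_conf; echo; tomcat_connector ;;
    check) check_ajp_trust "${2:?path to server.xml required}" ;;
esac
```

Removing the SPNEGO filter from Tomcat's web.xml, as André suggests, means the HTTP connectors the nodes used to listen on (8081-8083 in the thread) now serve the application with no authentication at all; bind those to 127.0.0.1 as well, or remove them, so the only route to the application is through httpd. check_ajp_trust catches the AJP half of that mistake; it is a grep over server.xml, not a substitute for trying to reach the ports from another host.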