Subject: Re: HTTPD pass off delegation credentials to Apache Tomcat 8.5.23 for SSO Kerberos
To: users@tomcat.apache.org
References: <5BA239A6.5020703@ice-sa.com>
From: André Warnier (tomcat)
Message-ID: <5BA2BBA0.8030604@ice-sa.com>
Date: Wed, 19 Sep 2018 23:12:00 +0200

Hi.
Much better.
I don't know if I will be able to help you, considering my little knowledge of Kerberos, but I'm sure that someone else now will be.

On 19.09.2018 16:08, Thomas Delaney wrote:
> Here is more detail into what I went through for setting up Apache Tomcat:
> I configured each Apache Tomcat instance using this bit of documentation:
> SPNEGO
> http://spnego.sourceforge.net/
>
> I also used this documentation in order to get my workstation to accept
> Kerberos authentication and not default to NTLM.
> https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM
>
> *I created/configured the following based on what was outlined from the
> SPNEGO doc:*
> login.conf
> krb.conf
> HelloKDC.java successfully connected when testing
> The SPNEGO filter in Apache Tomcat's web.xml
> Took the source code for spnego.jar and placed it in Apache Tomcat's library
> hello_spnego.jsp successfully displayed the correct remote user on the web
> page
> hello_delegate.jsp successfully displayed the correct delegated credentials
> on the webpage.
Ok, so we can assume
- that the basic Kerberos infrastructure works
- that you know how to set it up
- and that it works when you do the Kerberos authentication in Tomcat itself, and access Tomcat directly from the browser.

>
> Once I was able to verify that the above steps worked on Apache Tomcat, I
> tested the same web pages on Apache HTTPD.

You mean "when accessing Tomcat /through/ the Apache httpd front-end", right ?
From your original description, I thought that you wanted to do the Kerberos authentication in the front-end Apache httpd, and pass on the authenticated user-id to the back-end Tomcats then. That's still an option anyway.
But from the description below it looks like you want to keep the SPNEGO/Kerberos authentication at the Tomcat level, and just want the front-end httpd to be "transparent" with respect to the Kerberos authentication exchanges.
Do I get this right ?

> I ran into issues when testing
> hello_spnego.jsp and hello_delegate.jsp.
>
> Here have been my results:
> hello_spnego.jsp -> "hello root !" (root being a unix user and not the
> AD/Windows user signed onto the domain).
> hello_delegate.jsp -> "No delegated creds."
>
> *Here is the section of the SPNEGO doc source on how to setup
> hello_delegation.jsp and create hello_spnego.jsp:*
> http://spnego.sourceforge.net/credential_delegation.html

Mmm. This is quite complicated, but I think that I'm starting to guess what the problem is.
I think that "delegation" is not really what you want to do here. It might work in the absolute (if everything was set up correctly to do it), but I believe that it is overkill in your case; and I believe that you are missing one piece of the puzzle anyway.
Taking into account my total lack of experience with SPNEGO/Kerberos delegation - and thus taking this with a grain of salt - I believe (from the above documentation page) that for such a delegation to work with an Apache httpd front-end, your browser would /first/ need to be authenticated already by the front-end (for example, "as you"), and that this front-end /itself/ would need to have /its own (separate) account/ in your infrastructure - and an account with special properties - in order to be allowed to authenticate "as you" (otherwise said : "impersonate you") with the Tomcat back-end's SPNEGO/Kerberos Valve.

>
> *Here is how I have Apache HTTPD forwarding requests to Tomcat.*
> Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/"
> env=BALANCER_ROUTE_CHANGED
>
> BalancerMember "http://localhost:8081/application" route=node1
> BalancerMember "http://localhost:8082/application" route=node2
> BalancerMember "http://localhost:8083/application" route=node3
> ProxySet lbmethod=byrequests stickysession=ROUTEID
>
>
> ProxyPass /application balancer://application/
> ProxyPassReverse /application balancer://application/
>

What you are setting up here is a standard Apache httpd "reverse proxy + load-balancer".
But, as far as I can see from the above, this proxy does not (itself) authenticate the browsers which talk to it.
So this front-end proxy does not really have a (browser-originating) user-id for which it would be able to request a "delegated authentication". And it is also not set up to do "delegated authentication" with the back-end Tomcat's SPNEGO/Kerberos Valve.
This may be a bit confusing, and maybe this article explains it better than I could :
https://blogs.informatica.com/2018/05/07/the-kerberos-conundrum-a-proxys-plight/#fbid=UtL4Ic19fwv
(Obviously, this is talking about some other front-end proxy software, but you can see that one needs something additional on the front-end proxy, to do this kind of thing).
All in all, if all that you need is that the application installed under Tomcat would be able to obtain an authenticated "current user-id", I would suggest that instead of trying to configure this using impersonation/delegation, you try something simpler to set up :
- remove the SPNEGO/Kerberos authentication part in Tomcat
- add an SPNEGO/Kerberos authentication at the Apache httpd front-end level, so that the front-end authenticates the user, *before* proxying the requests to the back-end Tomcat
- then configure the front-end to pass along this by now authenticated user-id, in the requests that it passes to Tomcat
- and configure Tomcat to pick up this user-id from the request, and take it as the Tomcat-level user-id for the request

For the first part, you could use this as a guide :
http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html
or this :
http://modauthkerb.sourceforge.net/configure.html

For the second part, the easiest way is to use the AJP-protocol proxying between Apache httpd and Tomcat, as indicated in a previous message to the list.

>
>
> On Wed, Sep 19, 2018 at 7:57 AM André Warnier (tomcat) wrote:
>
>> On 18.09.2018 23:24, Thomas Delaney wrote:
>>> Hello All,
>>>
>>> I have recently configured Apache Tomcat on a SuSe Enterprise 12 SP3 server
>>> to get Kerberos SSO working with a web client application. I have also in
>>> addition configured Apache HTTPD 2.4.29 on the same machine. When I reach
>>> that website I am failing to get SSO working. The web server is not passing
>>> off the delegation credentials to Apache Tomcat server. I have the web
>>> server load balance proxying its request to multiple Apache Tomcat
>>> instances. I have tried applying mod_proxy_http environment variables, but
>>> the site continues to fail SSO. Is there a guide or configuration that
>>> HTTPD and Apache Tomcat both use to involve Apache HTTPD passing off
>>> delegation credentials to Apache Tomcat?
>>>
>>
>> If you would like someone here to be able to help you, you would need to be much more
>> precise than that. You write "I have done this" and "I have done that", but without
>> giving any clue as to /how/ you did this or that.
>> You are not even saying /where/ you have configured the Kerberos SSO. Under the Apache
>> httpd front-end ? or under Tomcat ?
>>
>> To point you nevertheless in a possible direction, read this :
>>
>> https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Apache_httpd
>> (and, in your mind, substitute "Windows authentication" by "Kerberos authentication")
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
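The simpler arrangement the reply recommends (Kerberos/SPNEGO at the httpd front-end, the authenticated user-id handed to Tomcat over AJP), written out as an added example. It is not configuration from this thread, from mod_auth_kerb or from the Tomcat project; it reuses the poster's balancer layout and sticky-session cookie, and the realm `EXAMPLE.ORG`, the keytab path and the AJP ports 8009-8011 are assumed placeholders. Note that httpd does not accept comments on the same line as a directive, so every comment sits on its own line.

```apacheconf
# Apache httpd front-end (needs mod_auth_kerb, mod_headers, mod_proxy,
# mod_proxy_ajp and mod_proxy_balancer loaded; module file names differ per
# distribution, so the LoadModule lines are left out here).

# 1. Authenticate the browser with Kerberos before anything is proxied.
<Location "/application">
    AuthType Kerberos
    AuthName "Kerberos Login"
    # Assumed realm and keytab; the keytab holds the HTTP/<front-end fqdn> key.
    KrbAuthRealms EXAMPLE.ORG
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/http.keytab
    # SPNEGO ticket exchange only; no Basic-auth password fallback, so user
    # passwords never travel to the proxy.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Require valid-user
</Location>

# 2. Sticky-session cookie, exactly as in the original post.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED

# 3. Proxy over AJP instead of http://. AJP carries the authenticated
#    REMOTE_USER to Tomcat in the request itself; mod_proxy_http does not.
#    Ports 8009-8011 are assumed AJP ports of the three Tomcat instances.
<Proxy "balancer://application">
    BalancerMember "ajp://localhost:8009/application" route=node1
    BalancerMember "ajp://localhost:8010/application" route=node2
    BalancerMember "ajp://localhost:8011/application" route=node3
    ProxySet lbmethod=byrequests stickysession=ROUTEID
</Proxy>
ProxyPass        /application balancer://application/
ProxyPassReverse /application balancer://application/

# 4. Tomcat side, conf/server.xml on each instance (shown here as a comment
#    for reference; adjust the port per instance):
#
#   <Connector port="8009" protocol="AJP/1.3"
#              address="127.0.0.1"
#              tomcatAuthentication="false" />
#
#    tomcatAuthentication="false" makes Tomcat accept the user-id that the
#    AJP request asserts, without authenticating it again, so the connector
#    must be reachable only by the httpd front-end (address="127.0.0.1" and
#    host firewalling). Any other client that can open the AJP port could
#    otherwise assert whatever user-id it likes.
```

With this in place the SPNEGO filter, login.conf and spnego.jar in Tomcat are no longer needed for the user-id: the web application reads it with `request.getRemoteUser()`, which Tomcat fills from the AJP request once `tomcatAuthentication="false"` is set. The check that this is wired up correctly is a request through httpd that returns the domain user rather than a local account, and a direct request to an AJP port from anywhere other than the front-end that is refused.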