Hi. I'm trying to get a baseline configuration working, following http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently off in the weeds, having missed something, though. So I'd really appreciate a sanity check of my configuration and of the test case I'm attempting. I've got something messed up, and I'm looking for guidance on what to check.
Environment is:

    Tomcat-7.0.33
    Redhat RHEL 6.3
    Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 x86_64 x86_64 x86_64 GNU/Linux

AD is on a Win2008R2 server. Client is MSIE on a Win2007 workstation. "Enable Integrated Windows Authentication" is set to true.

The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's what I've got.

    setspn -A HTTP/openid-linux.openidmdev.com tomcat7

    ktpass -princ HTTP/openid-linux.openidmdev....@openidmdev.com -mapuser tomc...@openidmdev.com -crypto AES256-SHA1 -pass "mySecret,78." -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab

/etc/krb5.conf:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = OPENIDMDEV.COM
     default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
     default_tkt_enctypes = aes256-cts-hmac-sha1-96
     default_tgs_enctypes = aes256-cts-hmac-sha1-96
     forwardable = true
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d

    [realms]
     OPENIDMDEV.COM = {
      kdc = openiddc.openidmdev.com:88
      admin_server = openiddc.openidmdev.com
     }

    [domain_realm]
     openidmdev.com = OPENIDMDEV.COM
     .openidmdev.com = OPENIDMDEV.COM

The krb5.conf generally works. Using my domain username and password:

    kinit -V esiewick
    Using default cache: /tmp/krb5cc_0
    Using principal: esiew...@openidmdev.com
    Password for esiew...@openidmdev.com:
    Authenticated to Kerberos v5

The keytab contains one key:

    klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
    Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       0 HTTP/openid-linux.openidmdev....@openidmdev.com (aes256-cts-hmac-sha1-96)

The krb5 config is generally happy with the contents of the keytab:

    kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab HTTP/openid-linux.openidmdev....@openidmdev.com
    Using default cache: /tmp/krb5cc_0
    Using principal: HTTP/openid-linux.openidmdev....@openidmdev.com
    Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
    Authenticated to Kerberos v5

So I'm confident the MSA and the keytab are OK.

The Tomcat7 configurations are localized, based on the descriptions in the windows-auth-howto.html. For the Java options, the init script uses:

    JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
        -Djava.security.krb5.conf=/etc/krb5.conf \
        -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
        -Djavax.security.auth.useSubjectCredsOnly=false \
        -Xms1536m \
        -Xmx1536m \
        -XX:NewSize=256m \
        -XX:MaxNewSize=256m \
        -XX:PermSize=256m \
        -XX:MaxPermSize=256m \
        -XX:+DisableExplicitGC"

/usr/share/tomcat7c/conf/jaas.conf is:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            doNotPrompt=true
            principal="HTTP/openid-linux.openidmdev....@openidmdev.com"
            useKeyTab=true
            keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
            storeKey=true
            debug=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            doNotPrompt=true
            principal="HTTP/openid-linux.openidmdev....@openidmdev.com"
            useKeyTab=true
            keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
            storeKey=true
            debug=true;
    };

In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:

    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

For a test case, I'm using the Tomcat7 "manager" webapp.
In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml I've simply adjusted:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Tomcat Manager Application</realm-name>
    </login-config>

to:

    <login-config>
      <auth-method>SPNEGO</auth-method>
      <realm-name>Tomcat Manager Application</realm-name>
    </login-config>

For /usr/share/tomcat7c/conf/tomcat-users.xml:

    <tomcat-users>
      <role rolename="tomcat"/>
      <role rolename="manager"/>
      <role rolename="manager-gui"/>
      <user username="esiew...@openidmdev.com" password="" roles="tomcat,manager,manager-gui"/>
    </tomcat-users>

In actually trying to use this configuration, http://openid-linux.openidmdev.com:8080/manager/status gives HTTP 500 and logs:

    Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Key for the principal HTTP/openid-linux.openidmdev....@openidmdev.com not available in /usr/share/tomcat7c/confx/tomcat7.keytab
    [Krb5LoginModule] authentication failed
    Unable to obtain password from user

    May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
    SEVERE: Unable to login as the service principal
    javax.security.auth.login.LoginException: Unable to obtain password from user
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
        at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    [Krb5LoginModule]: Entering logout
    [Krb5LoginModule]: logged out Subject

I trust that the configuration at least is reading the jaas.conf, since the first line of logging reflects its settings.
However, I'm not convinced Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab; I can change:

    keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"

to:

    keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"

and get the same "Key for the principal...not available" log result (+ "-junk", of course).

Well-founded guidance, clues, and even good guesses are all welcome.

Edward
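An added diagnostic example, not part of Edward's post and not Tomcat or JDK code: Krb5LoginModule's "Key for the principal ... not available" message is produced when the keytab holds no entry that both names the configured principal exactly and carries an enctype the JVM can use. The script below parses an MIT-format keytab (the 0x0502 layout that ktpass and kadmin write, which is what `klist -e -k` reads) and compares its entries against the principal string from a jaas.conf entry, reporting an exact-name mismatch (including one that differs only in case, since the comparison is case-sensitive), or a key whose enctype is outside the set the JVM has been allowed to use. The keytab bytes, the principal `HTTP/web01.example.com@EXAMPLE.COM` and the JVM enctype sets are constructed here for illustration; nothing is taken from the poster's actual keytab.

```python
"""Parse an MIT keytab (version 0x0502) and check it against the principal
named in a JAAS Krb5LoginModule entry.  Added example; sample data is
constructed inline, not copied from any real keytab."""
import struct

# IANA Kerberos enctype numbers commonly seen in AD-issued keytabs
ENCTYPES = {
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}


def _cos(b):
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Construct a keytab from (principal, kvno, enctype, key_bytes) tuples.
    Only used here to make sample input; real keytabs come from ktpass/kadmin."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno, present in modern keytabs
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of dicts with principal, kvno and enctype for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:              # negative size marks a deleted slot of abs(size) bytes
            pos += -size
            continue
        ent, pos = data[pos:pos + size], pos + size
        off = 0
        (ncomp,) = struct.unpack(">H", ent[off:off + 2]); off += 2
        strings = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (ln,) = struct.unpack(">H", ent[off:off + 2]); off += 2
            strings.append(ent[off:off + ln].decode()); off += ln
        realm, comps = strings[0], strings[1:]
        (_name_type, _ts, vno8) = struct.unpack(">IIB", ent[off:off + 9]); off += 9
        (enctype, klen) = struct.unpack(">HH", ent[off:off + 4]); off += 4 + klen
        kvno = vno8
        if off + 4 <= len(ent):      # 32-bit kvno overrides the 8-bit one when non-zero
            (kvno32,) = struct.unpack(">I", ent[off:off + 4])
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, str(enctype))})
    return entries


def check_keytab(data, jaas_principal, jvm_enctypes):
    """Return a list of reasons the JVM would find no usable key for jaas_principal.
    jvm_enctypes: enctype numbers the JVM may use; a JDK 7 without the Unlimited
    Strength JCE policy files cannot use 18 (aes256) even if the keytab has it."""
    entries = parse_keytab(data)
    matches = [e for e in entries if e["principal"] == jaas_principal]
    if not matches:
        near = [e["principal"] for e in entries
                if e["principal"].lower() == jaas_principal.lower()]
        return ["principal %s not in keytab (exact match required); present: %s%s"
                % (jaas_principal, sorted({e["principal"] for e in entries}),
                   "; differs only in case: %s" % near if near else "")]
    if not any(e["enctype"] in jvm_enctypes for e in matches):
        return ["no usable enctype for %s: keytab has %s, JVM allows %s"
                % (jaas_principal, [e["enctype_name"] for e in matches],
                   [ENCTYPES.get(t, str(t)) for t in sorted(jvm_enctypes)])]
    return []


# Constructed sample: one AES256 key, kvno 0, for a hypothetical service principal
JAAS_PRINCIPAL = "HTTP/web01.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([(JAAS_PRINCIPAL, 0, 18, b"\x11" * 32)])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%4d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
    print(check_keytab(SAMPLE_KEYTAB, JAAS_PRINCIPAL, {17, 18, 23}))   # []
    print(check_keytab(SAMPLE_KEYTAB, JAAS_PRINCIPAL, {17, 23}))       # aes256 not allowed
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/web01.example.com@example.com", {18}))
```

To run it against a real file, replace `SAMPLE_KEYTAB` with `open(path, "rb").read()` and pass the `principal="..."` string from jaas.conf verbatim; the point of the case-insensitive hint is that `klist` output and a jaas.conf string can look alike while still failing the exact comparison the login module performs.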