Edward Siewick wrote:
Hi.
I'm trying to get a baseline configuration working, following the
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently
off in the weeds having missed something, though. So I'd really appreciate a
sanity check of my configuration, and the testcase I'm attempting. I've got
something messed up, and I'm looking for guidance on what to check.
Environment is:
Tomcat-7.0.33
Redhat RHEL 6.3
Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012
x86_64 x86_64 x86_64 GNU/Linux
AD is on a Win2008R2 server.
Client is MSIE on a Win2007 workstation. "Enable Integrated Windows
Authentication" is set to true.
The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's
what I've got.
setspn -A HTTP/openid-linux.openidmdev.com tomcat7
ktpass -princ HTTP/openid-linux.openidmdev....@openidmdev.com -mapuser tomc...@openidmdev.com -crypto AES256-SHA1 -pass "mySecret,78." -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = OPENIDMDEV.COM
default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
forwardable = true
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
[realms]
OPENIDMDEV.COM = {
kdc = openiddc.openidmdev.com:88
admin_server = openiddc.openidmdev.com
}
[domain_realm]
openidmdev.com = OPENIDMDEV.COM
.openidmdev.com = OPENIDMDEV.COM
The krb5.conf generally works. Using my domain username and password:
kinit -V esiewick
Using default cache: /tmp/krb5cc_0
Using principal: esiew...@openidmdev.com
Password for esiew...@openidmdev.com:
Authenticated to Kerberos v5
The keytab contains one key:
klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   0 HTTP/openid-linux.openidmdev....@openidmdev.com (aes256-cts-hmac-sha1-96)
The krb5 config is generally happy with the contents of the keytab:
kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab HTTP/openid-linux.openidmdev....@openidmdev.com
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/openid-linux.openidmdev....@openidmdev.com
Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
Authenticated to Kerberos v5
So I'm confident the MSA and the keytab are OK.
The Tomcat7 configurations are localized, based on the descriptions in the
windows-auth-howto.html.
For the Java options, the init script uses:
JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
-Djava.security.krb5.conf=/etc/krb5.conf \
-Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Xms1536m \
-Xmx1536m \
-XX:NewSize=256m \
-XX:MaxNewSize=256m \
-XX:PermSize=256m \
-XX:MaxPermSize=256m \
-XX:+DisableExplicitGC"
/usr/share/tomcat7c/conf/jaas.conf is:
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/openid-linux.openidmdev....@openidmdev.com"
    useKeyTab=true
    keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
    storeKey=true
    debug=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/openid-linux.openidmdev....@openidmdev.com"
    useKeyTab=true
    keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
    storeKey=true
    debug=true;
};
In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
For a testcase, I'm using the Tomcat7 "manager" webapp.
In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
I've simply adjusted:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
to:
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
For /usr/share/tomcat7c/conf/tomcat-users.xml:
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<user username="esiew...@openidmdev.com" password="" roles="tomcat,manager,manager-gui"/>
</tomcat-users>
In actually trying to use this configuration,
http://openid-linux.openidmdev.com:8080/manager/status
gives HTTP 500 and logs:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Key for the principal HTTP/openid-linux.openidmdev....@openidmdev.com not available in /usr/share/tomcat7c/confx/tomcat7.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
I trust that the configuration at least is reading the jaas.conf, since the
first line of logging reflects its settings. However, I'm not convinced
Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab; I
can change:
keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
to:
keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
and get the same log "Key for the principal...not available" result (+ "-junk"
of course).
Well-founded guidance, clues, and even good guesses are all welcome.
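A check one can script for exactly the situation described above, added here as an example and not part of the thread, of Tomcat, or of the JDK: read the keyTab and principal options out of a jaas.conf login entry, confirm the keytab exists and is readable by the account running the check, and confirm that `klist -k` lists that principal. Hostnames, the realm and the file paths in the fixture are constructed placeholders; the klist output is likewise a constructed stand-in, since a real keytab is binary. The entry names and option spellings are the ones Krb5LoginModule uses in the jaas.conf shown in the post. When the key lookup fails and doNotPrompt=true, the module has nothing left to try but prompting, which is what produces "Unable to obtain password from user"; this script reports the underlying mismatch directly instead.

```shell
#!/bin/sh
# Added example (not from the thread): validate a JAAS Krb5LoginModule entry
# against the keytab it names. Names, realm and paths are constructed.

# Print the value of one option (keyTab, principal, ...) from the named
# login entry of a jaas.conf file. Values containing spaces are not handled.
jaas_option() {
    awk -v entry="$2" -v opt="$3" '
        $1 == entry && $2 == "{" { inside = 1; next }
        inside && $1 == "};"     { inside = 0; next }
        inside {
            for (i = 1; i <= NF; i++)
                if (index($i, opt "=") == 1) {
                    v = substr($i, length(opt) + 2)
                    sub(/;$/, "", v); gsub(/"/, "", v)
                    print v
                }
        }' "$1"
}

# Succeed if the text of `klist -k <keytab>` lists the given principal
# (second column of the KVNO/Principal table).
keytab_lists_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Validate one entry. Args: jaas.conf path, entry name, output of klist -k.
# Exit status: 0 ok, 1 option missing, 2 keytab unreadable, 3 principal absent.
# Run it as the service account (e.g. sudo -u tomcat) so the -r test is meaningful.
check_jaas_entry() {
    cje_keytab=$(jaas_option "$1" "$2" keyTab)
    cje_princ=$(jaas_option "$1" "$2" principal)
    [ -n "$cje_keytab" ] || { echo "$2: no keyTab= option"; return 1; }
    [ -n "$cje_princ" ]  || { echo "$2: no principal= option"; return 1; }
    [ -r "$cje_keytab" ] || { echo "$2: $cje_keytab missing or unreadable by $(id -un)"; return 2; }
    keytab_lists_principal "$3" "$cje_princ" \
        || { echo "$2: $cje_princ is not in $cje_keytab"; return 3; }
    echo "$2: OK, $cje_princ found in $cje_keytab"
}

# Constructed fixture mirroring the post's layout: the "accept" entry is
# consistent, the "initiate" entry points at a directory that does not exist.
make_fixture() {
    mf_dir=$(mktemp -d)
    : > "$mf_dir/tomcat7.keytab"    # stand-in for a real (binary) keytab
    cat > "$mf_dir/jaas.conf" <<EOF
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tomcat.example.test@EXAMPLE.TEST"
    useKeyTab=true
    keyTab="$mf_dir/tomcat7.keytab"
    storeKey=true
    debug=true;
};
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/tomcat.example.test@EXAMPLE.TEST"
    useKeyTab=true
    keyTab="$mf_dir/confx/tomcat7.keytab"
    storeKey=true
    debug=true;
};
EOF
    printf '%s\n' "$mf_dir"
}

# Constructed stand-in for `klist -k` output on the fixture keytab.
KLIST_SAMPLE='Keytab name: FILE:/constructed/tomcat7.keytab
KVNO Principal
---- ---------------------------------------------------------
   0 HTTP/tomcat.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# Usage: jaascheck.sh <jaas.conf> <entry>   (reads the real keytab via klist)
#        jaascheck.sh                       (runs against the constructed fixture)
if [ $# -eq 2 ]; then
    check_jaas_entry "$1" "$2" "$(klist -k "$(jaas_option "$1" "$2" keyTab)" 2>/dev/null)"
elif [ $# -eq 0 ]; then
    fx=$(make_fixture)
    for e in com.sun.security.jgss.krb5.accept com.sun.security.jgss.krb5.initiate; do
        rc=0; check_jaas_entry "$fx/jaas.conf" "$e" "$KLIST_SAMPLE" || rc=$?
        echo "  -> exit status $rc"
    done
    rm -rf "$fx"
fi
```

Running it with no arguments exercises the fixture and shows the two outcomes side by side: the consistent entry passes, and the entry whose keyTab path has a typo in the directory name is reported as unreadable before any Kerberos call is made. With a jaas.conf path and entry name as arguments it reads the real keytab through `klist -k`, the same MIT tool used earlier in the post.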
Answering in the spirit of your last phrase above (because I really know nothing about the
Tomcat SPNEGO Valve, and very little about Kerberos):
The error message:
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
would tend to indicate that something is trying to prompt the user for a
password.
That should not really happen, in a Windows SSO mechanism, unless the Windows Domain
Controller (to which the SPNEGO Valve is ultimately talking) is configured to accept HTTP
Basic authentication as a fall-back for a Windows Integrated Authentication that doesn't work.
One reason for which WIA could possibly not work, would be if your Windows workstation
does not consider the Tomcat server to which it is connecting, as at least a "trusted"
server. In such a case, the *browser* will even refuse to start a WIA dialog with the server.
So, first thing: are you sure that the workstation and the Tomcat server, from a Windows
authentication point of view, are part of the same Windows Domain?
(And if you are not sure, and you are allowed to do this, what happens if you go into the
IE settings, and add the tomcat hostname explicitly into the list of "trusted" servers?)