Re: Tomcat7 and SPNEGO configuration questions

[Felix Schumacher]

Am Freitag, den 31.05.2013, 10:17 -0500 schrieb Edward Siewick:
> Hi.
> 
> I'm trying to get a baseline configuration working, following the 
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm 
> apparently off in the weeds having missed something, though. So I'd really 
> appreciate a sanity check of my configuration, and the testcase I'm 
> attempting.  I've got something messed up, and I'm looking for guidance on 
> what to check.
> 
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 
> x86_64 x86_64 x86_64 GNU/Linux
> 
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows 
> Authentication" is set to true.
> 
> The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, 
> here's what I've got.
> 
> setspn -A HTTP/openid-linux.openidmdev.com tomcat7
> ktpass -princ 
> HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
>  -mapuser tomc...@openidmdev.com<mailto:tomc...@openidmdev.com> -crypto 
> AES256-SHA1 -pass "mySecret,78."  -ptype KRB5_NT_PRINCIPAL -kvno 0 -out 
> tomcat7.keytab
I hope the mailto: links are not part of your principals.

> 
> /etc/krb5.conf:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = OPENIDMDEV.COM
>  default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
>  default_tkt_enctypes = aes256-cts-hmac-sha1-96
>  default_tgs_enctypes = aes256-cts-hmac-sha1-96
>  forwardable = true
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
> 
> [realms]
> OPENIDMDEV.COM = {
>     kdc = openiddc.openidmdev.com:88
>     admin_server = openiddc.openidmdev.com
> }
> [domain_realm]
> openidmdev.com  = OPENIDMDEV.COM
> .openidmdev.com = OPENIDMDEV.COM
> 
> The krb5.conf generally works. Using my domain username and password:
> 
> kinit -V esiewick
> Using default cache: /tmp/krb5cc_0
> Using principal: esiew...@openidmdev.com<mailto:esiew...@openidmdev.com>
> Password for esiew...@openidmdev.com<mailto:esiew...@openidmdev.com>:
> Authenticated to Kerberos v5
> 
> The keytab contains one key:
> 
> klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
> Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
> KVNO Principal
> ---- 
> --------------------------------------------------------------------------
>    0 
> HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
>  (aes256-cts-hmac-sha1-96)
> 
> The krb5 config is generally happy with the contents of the keytab:
> 
> kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab  
> HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
> Using default cache: /tmp/krb5cc_0
> Using principal: 
> HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
> Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
> Authenticated to Kerberos v5
> 
> So I'm confident the MSA and the keytab are OK.
> 
> The Tomcat7 configurations are localized, based on the descriptions in the 
> windows-auth-howto.html.
> For the Java options, the init script uses:
> 
> JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
>   -Djava.security.krb5.conf=/etc/krb5.conf \
>   -Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
>   -Djavax.security.auth.useSubjectCredsOnly=false \
>   -Xms1536m \
>   -Xmx1536m \
>   -XX:NewSize=256m \
>   -XX:MaxNewSize=256m \
>   -XX:PermSize=256m \
>   -XX:MaxPermSize=256m \
>   -XX:+DisableExplicitGC"
Better would be CATALINA_OPTS instead of JAVA_OPTS, since those values
are only needed for startup.

> 
> /usr/share/tomcat7c/conf/jaas.conf is:
> 
> com.sun.security.jgss.krb5.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     
> principal="HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>"
>     useKeyTab=true
>     keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>     storeKey=true
>     debug=true;
> };
> com.sun.security.jgss.krb5.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     
> principal="HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>"
>     useKeyTab=true
>     keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
>     storeKey=true
>     debug=true;
> };
> 
> In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
> 
> <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
That valve is not needed for SPNego. You can leave it commented.

> 
> For a testcase, I'm using the Tomcat7 "manager" webapp.
> In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
> I've simply adjusted:
> 
> <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>
>   </login-config>
> to:
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>     <realm-name>Tomcat Manager Application</realm-name>
>   </login-config>
> 
> For /usr/share/tomcat7c/conf/tomcat-users.xml:
> 
> <tomcat-users>
> <role rolename="tomcat"/>
> <role rolename="manager"/>
> <role rolename="manager-gui"/>
> <user username="esiew...@openidmdev.com<mailto:esiew...@openidmdev.com>" 
> password="" roles="tomcat,manager,manager-gui"/>
> </tomcat-users>
> 
> In actually trying to use this configuration,
> http://openid-linux.openidmdev.com:8080/manager/status
> gives HTTP 500 and logs:
> 
> Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
> true ticketCache is null isInitiator true KeyTab is 
> /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal 
> is 
> HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
>  tryFirstPass is false useFirstPass is false storePass is false clearPass is 
> false
> 
> Key for the principal 
> HTTP/openid-linux.openidmdev....@openidmdev.com<mailto:HTTP/openid-linux.openidmdev....@openidmdev.com>
>  not available in /usr/share/tomcat7c/confx/tomcat7.keytab
>                 [Krb5LoginModule] authentication failed
> 
> Unable to obtain password from user
> 
> May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator 
> authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>         at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown 
> Source)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at javax.security.auth.login.LoginContext.invoke(Unknown Source)
>         at javax.security.auth.login.LoginContext.access$000(Unknown Source)
>         at javax.security.auth.login.LoginContext$4.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
>         at javax.security.auth.login.LoginContext.login(Unknown Source)
>         at 
> org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
>         at 
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
>         at 
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>         at 
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>         at 
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
>         at 
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
>         at 
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at 
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at 
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>         at 
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>         at 
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown 
> Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>         at java.lang.Thread.run(Unknown Source)
>                 [Krb5LoginModule]: Entering logout
>                 [Krb5LoginModule]: logged out Subject
> 
> I trust that the configuration at least is reading the jaas.conf, since the 
> first line of logging refects its settings. However, I'm not convinced 
> Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab; 
> I can change:
> keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
> to:
> keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
> and get the same log "Key for the principal...not available" result (+ 
> "-junk" of course).
> 
> Well-founded guidance, clues, and even good guesses are all welcome.

I would look, if IE is sending an authorization header.

Greetings
 Felix

> 
> Edward
> 



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org