________________________________________ From: Felix Schumacher [felix.schumac...@internetallee.de] Sent: Friday, May 31, 2013 3:22 PM To: users@tomcat.apache.org Subject: Re: Tomcat7 and SPNEGO configuration questions
Hi Edward. Am Freitag, den 31.05.2013, 13:24 -0500 schrieb Edward Siewick: > ________________________________________ > From: Felix Schumacher [felix.schumac...@internetallee.de] > Sent: Friday, May 31, 2013 1:18 PM > To: users@tomcat.apache.org > Subject: Re: Tomcat7 and SPNEGO configuration questions > > Am Freitag, den 31.05.2013, 10:17 -0500 schrieb Edward Siewick: > >> Hi. > >> > >> I'm trying to get a baseline configuration working, following the > >> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm > >> apparently off in the weeds having missed something, though. So I'd really > >> appreciate a sanity check of my configuration, and the testcase I'm > >> attempting. I've got something messed up, and I'm looking for guidance on > >> what to check. > >> > <snip> > >> Well-founded guidance, clues, and even good guesses are all welcome. > > > I would look, if IE is sending an authorization header. > > Felix, > > Thanks. tcpdump shows an authz header, though it seems to be associated with > the client's first call to the server. Let me know if I should be expecting > some other packets in the exchange. It goes on for a few packets; the > beginning of the Authorization: header from the client is below. > > Edward > > openid-wdw.openidmdev.com.50784 > openid-linux.openidmdev.com.webcache: > Flags [.], seq 1:1461, ack 1, win 16425, length 1460 > E...i.@...5> > .!` > .!a.`....._K...P.@). ..GET /manager/status HTTP/1.1^M > Accept: application/x-ms-application, image/jpeg, application/xaml+xml, > image/gif, image/pjpeg, application/x-ms-xbap, */*^M > Accept-Language: en-US^M > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; > Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR > 3.0.30729; .NET4.0C; .NET4.0E)^M > Accept-Encoding: gzip, deflate^M > Host: openid-linux.openidmdev.com:8080^M > Connection: Keep-Alive^M > Cookie: JSESSIONID=58B85BF870EA8328FC7A76D70C39EAF5^M > Authorization: Negotiate > YIIGpwYGKwYBBQUCoIIGmzCCBpegMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBmEEggZdYIIGWQYJKoZIhvcSAQICAQBuggZIMIIGRKADAgEFoQMCAQ6iBwMFACAAAACjggTKYYIExjCCBMKgAwIBBaEQGw5PUEVOSURNREVWLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG29wZW5pZC1saW51eC5vcGVuaWRtZGV2LmNvbaOCBHcwggRzoAMCARehAwIBBqKCBGUEggRhtG1hWlctx9Ey75vGdQsRwKC5hNhuDW+qC4Kr2Dov2b/9TT94u8NZ30rqi4nJOKgK9VfcEsqgCwuLgnG0AdLmhXhaBYVk/p8xcJpXTeyUd3OOBVE1Z8BHD6fNlJ/c01o5r4iYV The header looks good. What does a klist say on the client? Is HTTP/openid-linux.openidmdev....@openidmdev.com listed? Can you add -Dsun.security.krb5.debug=true to your CATALINA_OPTS? On my installation it prints the following lines when I login with principal user00...@example.com on the server www.example.com >>> KeyTabInputStream, readName(): EXAMPLE.COM >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): www.example.com >>> KeyTab: load() entry length: 67; type: 23 >>> KeyTabInputStream, readName(): EXAMPLE.COM >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): www.example.com >>> KeyTab: load() entry length: 59; type: 3 >>> KeyTabInputStream, readName(): EXAMPLE.COM >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): www.example.com >>> KeyTab: load() entry length: 83; type: 18 >>> KeyTabInputStream, readName(): EXAMPLE.COM >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): www.example.com >>> KeyTab: load() entry length: 67; type: 17 Config name: /home/felix/Developer/apache-tomcat-7.0.40/conf/krb5.ini Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. >>> KdcAccessibility: reset Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. default etypes for default_tkt_enctypes: 18 17. >>> KrbAsReq creating message >>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=153 >>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=153 >>> KrbKdcReq send: #bytes read=187 >>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP >>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null >>> KdcAccessibility: remove localhost:60088 >>> KDCRep: init() encoding tag is 126 req type is 11 >>>KRBError: sTime is Fri May 31 21:17:52 CEST 2013 1370027872000 suSec is 0 error code is 25 error Message is Additional pre-authentication required realm is EXAMPLE.COM sname is krbtgt/EXAMPLE.COM eData provided. msgType is 30 >>>Pre-Authentication Data: PA-DATA type = 2 PA-ENC-TIMESTAMP >>>Pre-Authentication Data: PA-DATA type = 19 PA-ETYPE-INFO2 etype = 17, salt = null, s2kparams = null PA-ETYPE-INFO2 etype = 16, salt = null, s2kparams = null PA-ETYPE-INFO2 etype = 3, salt = null, s2kparams = null KRBError received: Additional pre-authentication required KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ default etypes for default_tkt_enctypes: 18 17. Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. default etypes for default_tkt_enctypes: 18 17. >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType >>> KrbAsReq creating message >>> KrbKdcReq send: kdc=localhost UDP:60088, timeout=30000, number of retries =3, #bytes=240 >>> KDCCommunication: kdc=localhost UDP:60088, timeout=30000,Attempt =1, #bytes=240 >>> KrbKdcReq send: #bytes read=537 >>> KdcAccessibility: remove localhost:60088 Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType >>> KrbAsRep cons in KrbAsReq.getReply HTTP/www.example.com Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. Found KeyTab Found KerberosKey for HTTP/www.example....@example.com Found KerberosKey for HTTP/www.example....@example.com Found KerberosKey for HTTP/www.example....@example.com Found KerberosKey for HTTP/www.example....@example.com Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key: 17version: 1 Added key: 18version: 1 Added key: 3version: 1 Added key: 23version: 1 Ordering keys wrt default_tkt_enctypes list default etypes for default_tkt_enctypes: 18 17. >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType Using builtin default etypes for permitted_enctypes default etypes for permitted_enctypes: 18 17 16 23 1 3. >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType replay cache for user00...@example.com is null. object 0: 1370027872357/357663 >>> KrbApReq: authenticate succeed. Krb5Context setting peerSeqNumber to: 758340766 Krb5Context setting mySeqNumber to: 758340766 My kerberos server is listening on localhost and port 60088 (and is actually apacheds 2.0.0M12) Greetings Felix > --------------------------------------------------------------------- Felix, Thanks. I've added the "-Dsun.security.krb5.debug=true" to CATALINA_OPTS in the init script. This didn't change anything in the logging. I also exported it via the shell. Again, no change in the logging. I have a Windows 2007 workstation in the lab configured for development, though. So to try to better isolate the problem, e.g., exclude the Tomcat7 bits, I wrote a simple JAAS test framework based on a quick mash-up of http://www.avajava.com/tutorials/lessons/how-do-i-create-a-login-module.html and http://download.java.net/jdk8/docs/technotes/guides/security/jgss/single-signon.html The logging is nearly the same as appears in catalina.out. So I'm fairly certain I've got the right classes in play for emulating what Tomcat is doing. The first thing I've noticed is that nobody's checking whether the keytab file actually exists. So, regardless of whether I use a valid or bogus path to the keytab, the logging is the same. TestCallbackHandler: constructor called Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/Dev/krb5-servlet/src/main/java/krb5servlet/tomcat7.keytab.BOGUS refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false Acquire TGT from Cache Principal is HTTP/openid-linux.openidmdev....@openidmdev.com null credentials from Ticket Cache Key for the principal HTTP/openid-linux.openidmdev....@openidmdev.com not available in C:/Dev/krb5-servlet/src/main/java/krb5servlet/tomcat7.keytab.BOGUS [Krb5LoginModule] authentication failed Unable to obtain password from user javax.security.auth.login.LoginException: Unable to obtain password from user at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:579) at krb5servlet.JaasAuthenticationTest.main(JaasAuthenticationTest.java:44) I forgot to note in the original posting, JVM on the server is java version "1.6.0_39" Java(TM) SE Runtime Environment (build 1.6.0_39-b04) Java HotSpot(TM) 64-Bit Server VM (build 20.14-b01, mixed mode) Also, thanks for mentioning that ApacheDS can be used as a KDC. I'll be out of the lab for the weekend; I don't run any MS stuff at home. But, I can try a bit more testing against a ApacheDS based KDC. Edward --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
