Hi Edward,
a few more questions:
* What is your CATALINA_BASE and what CATALINA_HOME?
* Have you verified that your options (set by your JAVA_OPTS) are
really used by your Tomcat installation?
Greetings
Felix
On 31.05.2013 17:17, Edward Siewick wrote:
Hi.
I'm trying to get a baseline configuration working, following the
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently
off in the weeds having missed something, though. So I'd really appreciate a
sanity check of my configuration, and the testcase I'm attempting. I've got
something messed up, and I'm looking for guidance on what to check.
Environment is:
Tomcat-7.0.33
Redhat RHEL 6.3
Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012
x86_64 x86_64 x86_64 GNU/Linux
AD is on a Win2008R2 server.
Client is MSIE on a Win2007 workstation. "Enable Integrated Windows
Authentication" is set to true.
The MSA, keytab and Linux Kerberos bits seem to be OK. For completeness, here's
what I've got.
setspn -A HTTP/openid-linux.openidmdev.com tomcat7
ktpass -princ HTTP/openid-linux.openidmdev....@openidmdev.com
-mapuser tomc...@openidmdev.com -crypto AES256-SHA1 -pass
"mySecret,78." -ptype KRB5_NT_PRINCIPAL -kvno 0 -out tomcat7.keytab
/etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = OPENIDMDEV.COM
default_keytab_name = FILE:/usr/share/tomcat7c/conf/tomcat7.keytab
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
forwardable = true
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
[realms]
OPENIDMDEV.COM = {
kdc = openiddc.openidmdev.com:88
admin_server = openiddc.openidmdev.com
}
[domain_realm]
openidmdev.com = OPENIDMDEV.COM
.openidmdev.com = OPENIDMDEV.COM
The krb5.conf generally works. Using my domain username and password:
kinit -V esiewick
Using default cache: /tmp/krb5cc_0
Using principal: esiew...@openidmdev.com
Password for esiew...@openidmdev.com:
Authenticated to Kerberos v5
The keytab contains one key:
klist -e -k /usr/share/tomcat7c/conf/tomcat7.keytab
Keytab name: WRFILE:/usr/share/tomcat7c/conf/tomcat7.keytab
KVNO Principal
---- --------------------------------------------------------------------------
0 HTTP/openid-linux.openidmdev....@openidmdev.com (aes256-cts-hmac-sha1-96)
The krb5 config is generally happy with the contents of the keytab:
kinit -V -k -t /usr/share/tomcat7c/conf/tomcat7.keytab HTTP/openid-linux.openidmdev....@openidmdev.com
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/openid-linux.openidmdev....@openidmdev.com
Using keytab: /usr/share/tomcat7c/conf/tomcat7.keytab
Authenticated to Kerberos v5
So I'm confident the MSA and the keytab are OK.
The Tomcat7 configurations are localized, based on the descriptions in the
windows-auth-howto.html.
For the Java options, the init script uses:
JAVA_OPTS="-Djava.awt.headless=true -Dfile.encoding=UTF-8 -server \
-Djava.security.krb5.conf=/etc/krb5.conf \
-Djava.security.auth.login.config=/usr/share/tomcat7c/conf/jaas.conf \
-Djavax.security.auth.useSubjectCredsOnly=false \
-Xms1536m \
-Xmx1536m \
-XX:NewSize=256m \
-XX:MaxNewSize=256m \
-XX:PermSize=256m \
-XX:MaxPermSize=256m \
-XX:+DisableExplicitGC"
/usr/share/tomcat7c/conf/jaas.conf is:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/openid-linux.openidmdev....@openidmdev.com"
useKeyTab=true
keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
storeKey=true
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/openid-linux.openidmdev....@openidmdev.com"
useKeyTab=true
keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
storeKey=true
debug=true;
};
In /usr/share/tomcat7c/conf/server.xml, I've simply uncommented:
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
For a testcase, I'm using the Tomcat7 "manager" webapp.
In /usr/share/tomcat7c/webapps/manager/WEB-INF/web.xml
I've simply adjusted:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
to:
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
For /usr/share/tomcat7c/conf/tomcat-users.xml:
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<user username="esiew...@openidmdev.com" password=""
roles="tomcat,manager,manager-gui"/>
</tomcat-users>
In actually trying to use this configuration,
http://openid-linux.openidmdev.com:8080/manager/status
gives HTTP 500 and logs:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false principal is HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Key for the principal HTTP/openid-linux.openidmdev....@openidmdev.com not available in /usr/share/tomcat7c/confx/tomcat7.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
May 31, 2013 8:55:15 AM org.apache.catalina.authenticator.SpnegoAuthenticator
authenticate
SEVERE: Unable to login as the service principal
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:215)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:931)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:309)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
I trust that the configuration at least is reading the jaas.conf, since the
first line of logging reflects its settings. However, I'm not convinced
Krb5LoginModule is actually reading /usr/share/tomcat7c/conf/tomcat7.keytab; I
can change:
keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
to:
keyTab="/usr/share/tomcat7c/conf-junk/tomcat7.keytab"
and get the same log "Key for the principal...not available" result (+ "-junk"
of course).
Well-founded guidance, clues, and even good guesses are all welcome.
Edward
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
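As an added example, not part of the thread: a small Python check of the two things Felix asks about, run against constructed input modelled on the post (the keyTab path in jaas.conf, the "KeyTab is ..." line from the Krb5LoginModule debug output, and the running JVM's command line as /proc/<pid>/cmdline would show it); the principal is a placeholder, the keytab paths are the post's own.

```python
import re

# Constructed sample input modelled on the thread: the jaas.conf the admin edited and
# the Krb5LoginModule debug line Tomcat logged; the principal is a placeholder.
JAAS_CONF = '''
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="HTTP/host.example.com@EXAMPLE.COM"
    useKeyTab=true
    keyTab="/usr/share/tomcat7c/conf/tomcat7.keytab"
    storeKey=true
    debug=true;
};
'''
DEBUG_LINE = ("Debug is true storeKey true useTicketCache false useKeyTab true "
              "doNotPrompt true ticketCache is null isInitiator true KeyTab is "
              "/usr/share/tomcat7c/confx/tomcat7.keytab refreshKrb5Config is false "
              "principal is HTTP/host.example.com@EXAMPLE.COM tryFirstPass is false")
# Constructed JVM command line (what /proc/<pid>/cmdline shows): JAVA_OPTS not applied.
JVM_CMDLINE = "java -Djava.awt.headless=true -Xmx1536m org.apache.catalina.startup.Bootstrap"

SECTION_RE = re.compile(r"([\w.]+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s;"]+))')

def parse_jaas(text):
    """Return {login entry name: {option: value}} for each entry in a JAAS config."""
    return {name: {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                   for m in OPTION_RE.finditer(body)}
            for name, body in SECTION_RE.findall(text)}

def parse_krb5_debug(line):
    """Pull the keytab path and principal out of a Krb5LoginModule debug line."""
    hits = {key: re.search(key + r" is (\S+)", line) for key in ("KeyTab", "principal")}
    return {key: m.group(1) if m else None for key, m in hits.items()}

def check_spnego_setup(jaas_text, debug_line, jvm_cmdline):
    """Return a list of findings; an empty list means the three sources agree."""
    findings = []
    if "-Djava.security.auth.login.config=" not in jvm_cmdline:
        findings.append("JVM command line lacks -Djava.security.auth.login.config: "
                        "the JAVA_OPTS from the init script are not reaching this JVM")
    accept = parse_jaas(jaas_text).get("com.sun.security.jgss.krb5.accept", {})
    logged = parse_krb5_debug(debug_line)
    for jaas_key, log_key in (("keyTab", "KeyTab"), ("principal", "principal")):
        if logged[log_key] != accept.get(jaas_key):
            findings.append("%s mismatch: jaas.conf says %r but Krb5LoginModule used %r; "
                            "Tomcat is reading a different jaas.conf (check CATALINA_BASE)"
                            % (jaas_key, accept.get(jaas_key), logged[log_key]))
    return findings
```

On a live box, feed it the real jaas.conf, the matching catalina.out line and the output of `tr '\0' ' ' < /proc/$(pgrep -f org.apache.catalina.startup.Bootstrap)/cmdline`; a keytab path that differs from the one you edited means the JVM loaded some other jaas.conf.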