Felix & Friends,
I've made a fair amount of progress, though I'm still not able to log in with a
domain credential. The domain account ID doesn't appear in the Tomcat7 logging
at all, though it is in tomcat-users.xml. So I might now only be confused as to
the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for
SPNEGO; or tomcat-users.xml. I have tried changing tomcat-users.xml to
"OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just "esiewick". And, I've
adjusted the Account ID in the Windows Security prompt to match each of these.
On the progress, here's some detail for the listserv archive.
A first issue was how I was trying to get the CATALINA_OPTS set, so I should
start with a "Thank you" for nudging me on the CATALINA_OPTS bit. I had tried
to add CATALINA_OPTS to the init.d script, which apparently was getting
over-written later in the Tomcat7 startup sequence. To correct, I simply added
"-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true" to the
bin/setenv.sh, vice the init.d script. After this, debug=true appeared properly
in the resulting process, below.
ps ajx | grep tomc
27474 29541 29541 27446 pts/3 29541 S+ 0 0:00 tail -f
/var/log/tomcat7/catalina.out
1 29585 29571 27391 pts/0 29626 Sl 0 0:36
/usr/java/jre1.6.0_39/bin/java
-Djava.util.logging.config.file=/usr/share/tomcat7c/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Xmx512m -XX:MaxPermSize=256m -XX:PermSize=256m
-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true
-Djava.endorsed.dirs=/usr/share/tomcat7c/endorsed
-classpath
/usr/share/tomcat7c/bin/bootstrap.jar:/usr/share/tomcat7c/bin/tomcat-juli.jar
-Dcatalina.base=/usr/share/tomcat7c -Dcatalina.home=/usr/share/tomcat7c
-Djava.io.tmpdir=/usr/share/tomcat7c/temp
org.apache.catalina.startup.Bootstrap start
This changed the error logging, adding a clue that smelled like a crypto module
limitation:
Found unsupported keytype (18) for
HTTP/[email protected]
The trace was:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt
true ticketCache is null isInitiator true KeyTab is
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is
HTTP/[email protected] tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>> KeyTab: load() entry length: 98; type: 18
Found unsupported keytype (18) for
HTTP/[email protected]
Key for the principal HTTP/[email protected] not
available in /usr/share/tomcat7c/conf/tomcat7.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
In
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
I found:
"NOTE: The JCE framework within JDK includes an ability to enforce restrictions
regarding the cryptographic algorithms and maximum cryptographic strengths
available to applications. Such restrictions are specified in "jurisdiction
policy files". The jurisdiction policy files bundled in Java SE limits the
maximum key length. Hence, in order to use AES256 encryption type, you will
need to install the JCE crypto policy with the unlimited version to allow AES
with 256-bit key."
So, the second issue pertained to cryptography limitations set in
/usr/java/jre1.6.0_39/lib/security/. The tomcat7.keytab was created only with
"aes256-cts-hmac-sha1-96" and the /etc/krb5.conf has a likewise limited suite.
The fix was to download Oracle's jce_policy-6.zip, unzip it, and copy the
"unlimited" versions of local_policy.jar and US_export_policy.jar into
/usr/java/jre1.6.0_39/lib/security/.
After the jce_policy-6.zip *.jar files were in place, I got:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt
true ticketCache is null isInitiator true KeyTab is
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is
HTTP/[email protected] tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
>>> KeyTabInputStream, readName(): OPENIDMDEV.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): openid-linux.openidmdev.com
>>> KeyTab: load() entry length: 98; type: 18
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
principal's key obtained from the keytab
Acquire TGT using AS Exchange
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number
>>> of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt
>>> =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
suSec is 37310
error code is 25
error Message is Additional pre-authentication required
realm is OPENIDMDEV.COM
sname is krbtgt/OPENIDMDEV.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18
PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number
>>> of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt
>>> =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
suSec is 209191
error code is 52
error Message is Response too big for UDP, retry with TCP
realm is OPENIDMDEV.COM
sname is krbtgt/OPENIDMDEV.COM
msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number
>>> of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt
>>> =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/[email protected]
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0
01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
Added server's keyKerberos Principal
HTTP/[email protected] Version 0key EncryptionKey:
keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
[Krb5LoginModule] added Krb5Principal
HTTP/[email protected] to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/[email protected](18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt
true ticketCache is null isInitiator true KeyTab is
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is
HTTP/[email protected] tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number
>>> of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt
>>> =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
suSec is 608182
error code is 25
error Message is Additional pre-authentication required
realm is OPENIDMDEV.COM
sname is krbtgt/OPENIDMDEV.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18
PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number
>>> of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt
>>> =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
suSec is 614041
error code is 52
error Message is Response too big for UDP, retry with TCP
realm is OPENIDMDEV.COM
sname is krbtgt/OPENIDMDEV.COM
msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number
>>> of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt
>>> =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/[email protected]
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0
01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
Added server's keyKerberos Principal
HTTP/[email protected] Version 0key EncryptionKey:
keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
[Krb5LoginModule] added Krb5Principal
HTTP/[email protected] to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/[email protected](18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt
true ticketCache is null isInitiator true KeyTab is
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is
HTTP/[email protected] tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number
>>> of retries =3, #bytes=168
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt
>>> =1, #bytes=168
>>> KrbKdcReq send: #bytes read=210
>>> KrbKdcReq send: #bytes read=210
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
suSec is 589895
error code is 25
error Message is Additional pre-authentication required
realm is OPENIDMDEV.COM
sname is krbtgt/OPENIDMDEV.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18
PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
>>>KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number
>>> of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt
>>> =1, #bytes=255
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: #bytes read=100
>>> KdcAccessibility: remove openiddc.openidmdev.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
suSec is 595755
error code is 52
error Message is Response too big for UDP, retry with TCP
realm is OPENIDMDEV.COM
sname is krbtgt/OPENIDMDEV.COM
msgType is 30
>>> KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number
>>> of retries =3, #bytes=255
>>> KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt
>>> =1, #bytes=255
>>>DEBUG: TCPClient reading 1611 bytes
>>> KrbKdcReq send: #bytes read=1611
>>> KrbKdcReq send: #bytes read=1611
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/[email protected]
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0
01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
Added server's keyKerberos Principal
HTTP/[email protected] Version 0key EncryptionKey:
keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0 01 F5 40 7E DB 2F DB 0C .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4 3C 4B 5A BE F6 41 49 07 .L.V....<KZ..AI.
[Krb5LoginModule] added Krb5Principal
HTTP/[email protected] to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>,
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>,
sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/[email protected](18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
--
________________________________________
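Added example (not part of the list post, and not code from Tomcat or the JDK): a small diagnostic for the two things the trace above turns on. It parses a keytab in the MIT version-0x0502 layout, which is what the `KeyTabInputStream` lines are reading, reports each entry's principal, enctype and key length, and flags entries the JRE would reject as "unsupported keytype" under the limited JCE policy (128-bit AES on Java 6/7) versus the unlimited policy jars. It also classifies the KRB-ERROR codes in the `sun.security.krb5` debug output, so that code 25 (pre-authentication required, answered by the PA-ENC-TIMESTAMP re-send) and code 52 (response too big for UDP, retried over TCP) are recognised as the normal AS exchange rather than failures. The keytab and trace lines are constructed; the principal is the one the `readName()` lines spell out, the key bytes are a placeholder, and the 98-byte entry size that results matches the `entry length: 98` in the log.

```python
"""Constructed keytab/trace diagnostics (added example, not from the list post).
The key bytes below are a placeholder, not a real Kerberos key."""
import re
import struct

# RFC 3961/3962/4757 encryption types commonly found in AD keytabs
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_KEYBITS = {17: 128, 18: 256}          # etypes governed by the JCE AES key-length limit
LIMITED_JCE_AES_BITS = 128                # Java 6/7 default "limited" jurisdiction policy
UNLIMITED_JCE_AES_BITS = 2 ** 31 - 1      # Cipher.getMaxAllowedKeyLength("AES") with unlimited jars
BENIGN_KRB_ERRORS = {25: "KDC_ERR_PREAUTH_REQUIRED (client re-sends with PA-ENC-TIMESTAMP)",
                     52: "KRB_ERR_RESPONSE_TOO_BIG (client retries over TCP)"}


def build_keytab(realm, components, etype, key, kvno=0, timestamp=0):
    """Serialise a one-entry keytab in MIT version 0x0502 layout (big-endian)."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data):
    """Parse every entry of a version-0x0502 keytab; key material is not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def counted(p):                       # uint16 length-prefixed octet string
        (n,) = struct.unpack(">H", data[p:p + 2])
        return data[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp.decode())
        _name_type, _timestamp, vno = struct.unpack(">IIB", data[p:p + 9])
        (etype,) = struct.unpack(">H", data[p + 9:p + 11])
        key, p = counted(p + 11)
        if end - p >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack(">I", data[p:p + 4])
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "etype": etype, "keybits": len(key) * 8, "kvno": vno, "size": size})
        pos = end
    return entries


def unusable_entries(entries, max_aes_bits):
    """Entries the JRE reports as 'unsupported keytype' under the given JCE AES limit."""
    return [e for e in entries if AES_KEYBITS.get(e["etype"], 0) > max_aes_bits]


TRACE_PATTERNS = [
    ("unsupported-etype", re.compile(r"Found unsupported keytype \((\d+)\)")),
    ("krb-error", re.compile(r"error code is (\d+)")),
]


def triage_trace(lines):
    """Split sun.security.krb5 debug lines into fatal keytab problems and benign KDC errors."""
    findings = []
    for line in lines:
        for kind, pattern in TRACE_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            code = int(m.group(1))
            if kind == "unsupported-etype":
                findings.append(("fatal", f"keytab etype {code} ({ETYPE_NAMES.get(code, '?')}) "
                                          "rejected: JCE policy too restrictive or etype unknown"))
            elif code in BENIGN_KRB_ERRORS:
                findings.append(("benign", f"KRB-ERROR {code}: {BENIGN_KRB_ERRORS[code]}"))
            else:
                findings.append(("fatal", f"KRB-ERROR {code}: not part of a normal AS exchange"))
    return findings


# Constructed sample: the principal from the readName() lines, with a placeholder 32-byte key
SAMPLE_KEYTAB = build_keytab("OPENIDMDEV.COM", ["HTTP", "openid-linux.openidmdev.com"],
                             etype=18, key=bytes(range(32)))
# Constructed trace lines shaped like the ones in the post
SAMPLE_TRACE = [
    ">>> KeyTab: load() entry length: 98; type: 18",
    "Found unsupported keytype (18) for HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COM",
    "error code is 25",
    "error Message is Additional pre-authentication required",
    "error code is 52",
    "error Message is Response too big for UDP, retry with TCP",
]

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry, "usable under limited JCE:", not unusable_entries([entry], LIMITED_JCE_AES_BITS))
    for severity, message in triage_trace(SAMPLE_TRACE):
        print(severity, message)
```

Run against a real keytab (`parse_keytab(open(path, "rb").read())`) the same check tells you before Tomcat starts whether the JRE will be able to use the key; after the unlimited policy jars are in place, the AES-256 entry stops being flagged, which is exactly the change the second trace in the post shows.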
From: Felix Schumacher [[email protected]]
Sent: Sunday, June 02, 2013 12:20 PM
To: [email protected]
Subject: Re: Tomcat7 and SPNEGO configuration questions
Hi Edward,
a few more questions:
* What is your CATALINA_BASE and what CATALINA_HOME?
* Have you verified that your options (set by your JAVA_OPTS) are
really used by your tomcat installation?
Greetings
Felix
On 31.05.2013 17:17, Edward Siewick wrote:
> Hi.
>
> I'm trying to get a baseline configuration working, following the
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm
> apparently off in the weeds having missed something, though. So I'd really
> appreciate a sanity check of my configuration, and the testcase I'm
> attempting. I've got something messed up, and I'm looking for guidance on
> what to check.
>
> Environment is:
> Tomcat-7.0.33
> Redhat RHEL 6.3
> Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012
> x86_64 x86_64 x86_64 GNU/Linux
>
> AD is on a Win2008R2 server.
> Client is MSIE on a Win2007 workstation. "Enable Integrated Windows
> Authentication" is set to true.
>