On 03.06.2013 20:48, Edward Siewick wrote:
Felix & Friends,

I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account 
ID doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as 
to the syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO; or tomcat-users.xml. 
I have tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just 
"esiewick". And I've adjusted the Account ID in the Windows Security prompt to match each of these.
If I read your logs at the end of your mail correctly, I think you haven't gotten that far as to have authenticated a user. In my logs you could see a user00001 being authenticated. But I can't really tell you why your user was not authenticated.

At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have described how I set up a Tomcat with ApacheDS as a Kerberos server. You might want to try that setup.

Regards
 Felix

On the progress, here's some detail for the listserv archive.

A first issue was how I was trying to get the CATALINA_OPTS set, so I should start with a 
"Thank you" for nudging me on the CATALINA_OPTS bit. I had tried to add CATALINA_OPTS to 
the init.d script, which apparently was getting overwritten later in the Tomcat7 startup sequence. 
To correct this, I simply added "-Dsun.security.krb5.debug=true 
-Dsun.security.jgss.debug=true" to bin/setenv.sh, vice the init.d script. After this, 
debug=true appeared properly in the resulting process, below.

ps ajx | grep tomc
27474 29541 29541 27446 pts/3    29541 S+       0   0:00 tail -f 
/var/log/tomcat7/catalina.out
     1 29585 29571 27391 pts/0    29626 Sl       0   0:36 
/usr/java/jre1.6.0_39/bin/java
  -Djava.util.logging.config.file=/usr/share/tomcat7c/conf/logging.properties
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
  -Xmx512m -XX:MaxPermSize=256m -XX:PermSize=256m
  -Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true
  -Djava.endorsed.dirs=/usr/share/tomcat7c/endorsed
  -classpath 
/usr/share/tomcat7c/bin/bootstrap.jar:/usr/share/tomcat7c/bin/tomcat-juli.jar
  -Dcatalina.base=/usr/share/tomcat7c -Dcatalina.home=/usr/share/tomcat7c
  -Djava.io.tmpdir=/usr/share/tomcat7c/temp 
org.apache.catalina.startup.Bootstrap start

This changed the error logging, adding a clue that smelled like a crypto module 
limitation:

Found unsupported keytype (18) for 
HTTP/openid-linux.openidmdev....@openidmdev.com

The trace was:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is null isInitiator true KeyTab is 
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is 
HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): OPENIDMDEV.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): openid-linux.openidmdev.com
KeyTab: load() entry length: 98; type: 18
Found unsupported keytype (18) for 
HTTP/openid-linux.openidmdev....@openidmdev.com
Key for the principal HTTP/openid-linux.openidmdev....@openidmdev.com not 
available in /usr/share/tomcat7c/conf/tomcat7.keytab
                 [Krb5LoginModule] authentication failed
Unable to obtain password from user

In 
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
I found:

"NOTE: The JCE framework within JDK includes an ability to enforce restrictions regarding the 
cryptographic algorithms and maximum cryptographic strengths available to applications. Such 
restrictions are specified in "jurisdiction policy files". The jurisdiction policy files 
bundled in Java SE limits the maximum key length. Hence, in order to use AES256 encryption type, 
you will need to install the JCE crypto policy with the unlimited version to allow AES with 256-bit 
key."

So, the second issue pertained to cryptography limitations set in 
/usr/java/jre1.6.0_39/lib/security/. The tomcat7.keytab was created only with 
"aes256-cts-hmac-sha1-96" and the /etc/krb5.conf has a likewise limited suite. The fix 
was to download Oracle's jce_policy-6.zip, unzip it, and copy the "unlimited" versions of 
local_policy.jar and US_export_policy.jar into /usr/java/jre1.6.0_39/lib/security/.

After the jce_policy-6.zip *.jar files were in place, I got:

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is null isInitiator true KeyTab is 
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is 
HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false
KeyTabInputStream, readName(): OPENIDMDEV.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): openid-linux.openidmdev.com
KeyTab: load() entry length: 98; type: 18
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

principal's key obtained from the keytab
Acquire TGT using AS Exchange
KdcAccessibility: reset
default etypes for default_tkt_enctypes: 18.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of 
retries =3, #bytes=168
KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, 
#bytes=168
KrbKdcReq send: #bytes read=210
KrbKdcReq send: #bytes read=210
KdcAccessibility: remove openiddc.openidmdev.com:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
          suSec is 37310
          error code is 25
          error Message is Additional pre-authentication required
          realm is OPENIDMDEV.COM
          sname is krbtgt/OPENIDMDEV.COM
          eData provided.
          msgType is 30
Pre-Authentication Data:
          PA-DATA type = 19
          PA-ETYPE-INFO2 etype = 18
          PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
          PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of 
retries =3, #bytes=255
KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, 
#bytes=255
KrbKdcReq send: #bytes read=100
KrbKdcReq send: #bytes read=100
KdcAccessibility: remove openiddc.openidmdev.com:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Mon Jun 03 13:11:34 EDT 2013 1370279494000
          suSec is 209191
          error code is 52
          error Message is Response too big for UDP, retry with TCP
          realm is OPENIDMDEV.COM
          sname is krbtgt/OPENIDMDEV.COM
          msgType is 30
KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of 
retries =3, #bytes=255
KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, 
#bytes=255
DEBUG: TCPClient reading 1611 bytes
KrbKdcReq send: #bytes read=1611
KrbKdcReq send: #bytes read=1611
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev....@openidmdev.com
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   
01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
Added server's keyKerberos Principal 
HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: 
keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

                 [Krb5LoginModule] added Krb5Principal  
HTTP/openid-linux.openidmdev....@openidmdev.com to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev....@openidmdev.com(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
                 [Krb5LoginModule]: Entering logout
                 [Krb5LoginModule]: logged out Subject
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is null isInitiator true KeyTab is 
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is 
HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 18.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of 
retries =3, #bytes=168
KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, 
#bytes=168
KrbKdcReq send: #bytes read=210
KrbKdcReq send: #bytes read=210
KdcAccessibility: remove openiddc.openidmdev.com:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
          suSec is 608182
          error code is 25
          error Message is Additional pre-authentication required
          realm is OPENIDMDEV.COM
          sname is krbtgt/OPENIDMDEV.COM
          eData provided.
          msgType is 30
Pre-Authentication Data:
          PA-DATA type = 19
          PA-ETYPE-INFO2 etype = 18
          PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
          PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of 
retries =3, #bytes=255
KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, 
#bytes=255
KrbKdcReq send: #bytes read=100
KrbKdcReq send: #bytes read=100
KdcAccessibility: remove openiddc.openidmdev.com:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Mon Jun 03 13:11:49 EDT 2013 1370279509000
          suSec is 614041
          error code is 52
          error Message is Response too big for UDP, retry with TCP
          realm is OPENIDMDEV.COM
          sname is krbtgt/OPENIDMDEV.COM
          msgType is 30
KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of 
retries =3, #bytes=255
KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, 
#bytes=255
DEBUG: TCPClient reading 1611 bytes
KrbKdcReq send: #bytes read=1611
KrbKdcReq send: #bytes read=1611
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev....@openidmdev.com
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   
01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
Added server's keyKerberos Principal 
HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: 
keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

                 [Krb5LoginModule] added Krb5Principal  
HTTP/openid-linux.openidmdev....@openidmdev.com to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev....@openidmdev.com(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
                 [Krb5LoginModule]: Entering logout
                 [Krb5LoginModule]: logged out Subject
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt 
true ticketCache is null isInitiator true KeyTab is 
/usr/share/tomcat7c/conf/tomcat7.keytab refreshKrb5Config is false principal is 
HTTP/openid-linux.openidmdev....@openidmdev.com tryFirstPass is false 
useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 18version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18.
0: EncryptionKey: keyType=18 kvno=0 keyValue (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 18.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of 
retries =3, #bytes=168
KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, 
#bytes=168
KrbKdcReq send: #bytes read=210
KrbKdcReq send: #bytes read=210
KdcAccessibility: remove openiddc.openidmdev.com:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
          suSec is 589895
          error code is 25
          error Message is Additional pre-authentication required
          realm is OPENIDMDEV.COM
          sname is krbtgt/OPENIDMDEV.COM
          eData provided.
          msgType is 30
Pre-Authentication Data:
          PA-DATA type = 19
          PA-ETYPE-INFO2 etype = 18
          PA-ETYPE-INFO2 salt = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
          PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
KrbAsReq salt is OPENIDMDEV.COMHTTPopenid-linux.openidmdev.com
default etypes for default_tkt_enctypes: 18.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=openiddc.openidmdev.com UDP:88, timeout=30000, number of 
retries =3, #bytes=255
KDCCommunication: kdc=openiddc.openidmdev.com UDP:88, timeout=30000,Attempt =1, 
#bytes=255
KrbKdcReq send: #bytes read=100
KrbKdcReq send: #bytes read=100
KdcAccessibility: remove openiddc.openidmdev.com:88
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
          sTime is Mon Jun 03 13:11:56 EDT 2013 1370279516000
          suSec is 595755
          error code is 52
          error Message is Response too big for UDP, retry with TCP
          realm is OPENIDMDEV.COM
          sname is krbtgt/OPENIDMDEV.COM
          msgType is 30
KrbKdcReq send: kdc=openiddc.openidmdev.com TCP:88, timeout=30000, number of 
retries =3, #bytes=255
KDCCommunication: kdc=openiddc.openidmdev.com TCP:88, timeout=30000,Attempt =1, 
#bytes=255
DEBUG: TCPClient reading 1611 bytes
KrbKdcReq send: #bytes read=1611
KrbKdcReq send: #bytes read=1611
EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
KrbAsRep cons in KrbAsReq.getReply HTTP/openid-linux.openidmdev.com
principal is HTTP/openid-linux.openidmdev....@openidmdev.com
EncryptionKey: keyType=18 keyBytes (hex dump)=0000: F3 27 EC F5 C3 55 4D E0   
01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.
Added server's keyKerberos Principal 
HTTP/openid-linux.openidmdev.com@OPENIDMDEV.COMKey Version 0key EncryptionKey: 
keyType=18 keyBytes (hex dump)=
0000: F3 27 EC F5 C3 55 4D E0   01 F5 40 7E DB 2F DB 0C  .'...UM...@../..
0010: F6 4C 17 56 91 A6 A6 D4   3C 4B 5A BE F6 41 49 07  .L.V....<KZ..AI.

                 [Krb5LoginModule] added Krb5Principal  
HTTP/openid-linux.openidmdev....@openidmdev.com to Subject
Commit Succeeded
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, 
sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, 
sun.security.jgss.krb5.Krb5AcceptCredential)
Found key for HTTP/openid-linux.openidmdev....@openidmdev.com(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
                 [Krb5LoginModule]: Entering logout
                 [Krb5LoginModule]: logged out Subject


--

________________________________________
From: Felix Schumacher [felix.schumac...@internetallee.de]
Sent: Sunday, June 02, 2013 12:20 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

Hi Edward,

a few more questions:

   * What is your CATALINA_BASE and what CATALINA_HOME?
   * Have you verified, that your options (set by your JAVA_OPTS) are
really used by your tomcat installation?

Greetings
   Felix

On 31.05.2013 17:17, Edward Siewick wrote:
Hi.

I'm trying to get a baseline configuration working, following the 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html. I'm apparently 
off in the weeds having missed something, though. So I'd really appreciate a 
sanity check of my configuration, and the testcase I'm attempting.  I've got 
something messed up, and I'm looking for guidance on what to check.

Environment is:
Tomcat-7.0.33
Redhat RHEL 6.3
Linux openid-linux 2.6.32-279.el6.x86_64 #1 SMP Wed Jun 13 18:24:36 EDT 2012 
x86_64 x86_64 x86_64 GNU/Linux

AD is on a Win2008R2 server.
Client is MSIE on a Win2007 workstation. "Enable Integrated Windows 
Authentication" is set to true.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


