On 10.06.2013 22:06, Edward Siewick wrote:
I've tried an AES128 keytab and matching krb5.conf; this didn't get any further.
Could you try an arc4 one?

Felix

Edward


________________________________________
From: Edward Siewick [esiew...@ementum.com]
Sent: Monday, June 10, 2013 3:31 PM
To: Tomcat Users List
Subject: RE: Tomcat7 and SPNEGO configuration questions

Felix,

Thanks for the example. And yes, I agree -- my setup isn't getting far enough to attempt an 
authentication of an end user. I *think* I've got the keytab and MSA aspect working. So two 
possibilities seem worth digging at. First, there's likely a gap in my understanding of the 
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html instructions. I'm trying to 
use the most simple authentication / authorization example available in the default Tomcat7 
kit, the manager-gui <auth-constraint> / <role-name> and an ordinary 
conf/tomcat-users.xml. Regarding the web.xml, the HowTo only mentions that SPNEGO is to be 
used, vice BASIC. Other than swapping the string BASIC for SPNEGO, though, I'm out of 
guesses on that point in the instruction. Is there something more needed in the web.xml?

Second, I'm restricting my configuration to only AES256 
(aes256-cts-hmac-sha1-96) and a keytab created only for AES256. Is the default 
pre-built Tomcat7 kit known to work with that, by just adding Oracle's 
jce_policy-6.zip? I'm picking at this because, where my log trace seems OK with 
the AD MSA's keytab, for a user authentication it jumps straight to a logout:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
                   [Krb5LoginModule]: Entering logout
                   [Krb5LoginModule]: logged out Subject

It's at this point that your trace goes on to "Using builtin default etypes for 
permitted_enctypes," authenticates an end user, and seems to be waiting for further 
end users. It does pick up both type 18 (AES256) and 17 (AES128), but only reports using 
the AES128:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 17.
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23 1 3.
EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
replay cache for user00...@example.com is null.
object 0: 1370027872357/357663
KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 758340766
Krb5Context setting mySeqNumber to: 758340766

Edward

P.S.: The example server.xml bit from your bugzilla test kit provides for role 
based authorization. If I can get my very simple example to work, I'll try to 
use it. On that point, the bit:

      <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://localhost:10389"
         userBase="ou=users,ou=security,dc=example,dc=com"
         userSearch="(uid={0})"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(uniqueMember={0})"
         useDelegatedCredential="false"
      />

or a similar tidy might be added to the HowTo, right after:

"The SPNEGO authenticator will work with any Realm but if used with the JNDI Realm, 
by default the JNDI Realm will use the user's delegated credentials to connect to the 
Active Directory."
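As an added triage aid (not part of this thread or of Tomcat), the script below reads the JGSS debug lines quoted above, collects the keytab etypes ("Added key: N") and the JVM's permitted etypes, and reports whether they overlap, whether an AES256 key is present but not permitted (the unlimited-strength JCE policy case Edward is working through), and whether deprecated DES/RC4 keys are still usable. Both sample traces are constructed; the second models an AES256-only keytab on a JVM that does not permit etype 18.

```python
import re

# Kerberos etype numbers (RFC 3961/3962/4757) for the ids seen in the JGSS trace.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 16, 23}   # single DES, 3DES and RC4 are deprecated

KEY_RE = re.compile(r"Added key: (\d+)version: \d+")
PERMITTED_RE = re.compile(r"default etypes for permitted_enctypes: ([\d ]+)\.")

def parse_trace(text):
    """Collect keytab etypes and JVM-permitted etypes from a JGSS debug trace."""
    keytab, permitted = set(), set()
    for line in text.splitlines():
        m = KEY_RE.search(line)
        if m:
            keytab.add(int(m.group(1)))
            continue
        m = PERMITTED_RE.search(line)
        if m:
            permitted.update(int(n) for n in m.group(1).split())
    return keytab, permitted

def diagnose(text):
    """Return usable etypes plus the findings a practitioner should act on."""
    keytab, permitted = parse_trace(text)
    usable = keytab & permitted
    findings = []
    if not usable:
        findings.append("no keytab etype is permitted by the JVM; acceptSecContext has no key to try")
    if 18 in keytab and 18 not in permitted:
        findings.append("aes256 (18) key present but not permitted; check the unlimited-strength JCE policy")
    for e in sorted(usable & WEAK_ETYPES):
        findings.append("weak etype %d (%s) is usable; drop it from the keytab" % (e, ETYPE_NAMES[e]))
    return {"keytab": sorted(keytab), "permitted": sorted(permitted),
            "usable": sorted(usable), "findings": findings}

# Constructed samples: the first mirrors the key/etype lines quoted in the thread.
WORKING_TRACE = """\
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 17version: 1
Added key: 18version: 1
Added key: 3version: 1
Added key: 23version: 1
default etypes for permitted_enctypes: 18 17 16 23 1 3.
"""
AES256_ONLY_TRACE = """\
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 18version: 1
default etypes for permitted_enctypes: 17 16 23 1 3.
"""
```

Run `diagnose()` on a trace captured with `-Dsun.security.krb5.debug=true`; an empty `usable` list explains a context that drops straight to logout.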




________________________________________
From: Felix Schumacher [felix.schumac...@internetallee.de]
Sent: Wednesday, June 05, 2013 4:12 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat7 and SPNEGO configuration questions

On 03.06.2013 20:48, Edward Siewick wrote:
Felix & Friends,

I've made a fair amount of progress, though I'm still not able to log in with a domain credential. The domain account ID 
doesn't appear in the Tomcat7 logging at all, though it is in tomcat-users.xml. So I might now only be confused as to the 
syntax of: server.xml for JAAS; the webapp's "realm" bits in web.xml for SPNEGO, or tomcat-users.xml. I have 
tried changing tomcat-users.xml to "OPENIDMDEV/esiewick", "COM.OPENIDMDEV/esiewick" and just 
"esiewick". And, I've adjusted the Account ID in the Windows Security prompt to match each of these.
If I read your logs at the end of your mail correctly, I think you
haven't gotten that far as to have authenticated a user. In my logs you
could see a user00001 being authenticated. But I can't really tell you
why your user was not authenticated.

At https://issues.apache.org/bugzilla/show_bug.cgi?id=53480 I have
described how I set up a Tomcat with apacheds as a Kerberos server. You
might want to try that setup.

Regards
   Felix
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org