2013/11/15 chris <ch...@ottmountainbike.co.uk>:
> Any help with this would be very much appreciated. We are trying to proof of
> concept this to return the remote user's domain login name to use it in a Web
> application. Attempting to use a keytab method to hopefully negate any
> requirement for exposing the kerberos principal delegate in any server
> configuration files.
>
> We have a test configuration for SpnegoAuthenticator authentication using Apache
> Tomcat/7.0.47 in a sandbox environment. From a remote client workstation we are
> seeing an HTTP 500 error when testing and are looking for some insight as to what
> is wrong or missing in our test environment.
>
> Environment:
>
> Apache Tomcat/7.0.47
> Java JDK/JRE 1.7.0_45
> Test Workstation: Windows 7 x64 (domain joined)
> Test Server: Windows Server 2008 R2
>
> When testing see Log dump --->
>
> Nov 14, 2013 10:04:50 PM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
> SEVERE: Unable to login as the service principal
> javax.security.auth.login.LoginException: Unable to obtain password from user
>         at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown [..]
>
> SPN is delegated to the domain account with UPN: svctomca...@mydom.int
>
> (Setspn -a http/tomcatsvr.mydom.int:8080 svctomcatdv)

No need for the port when defining a SPN.

> * Domain Controller DC1 is Server 2008 R2
> * Windows server hosting Tomcat is Server 2008 R2
> * PC is Windows 7 and configured to automatically login in Intranet zone
>   identified by *.mydom.int
>
> Keytab generated using the ktpass.exe utility with command:
>
> ktpass /crypto AES256-SHA1 /princ svctomca...@mydom.int /pass * /kvno 0 /ptype KRB5_NT_SRV_INST /out "C:\temp\tc.keytab"

I have found that an error like this indicates a bad keytab. I generate the keytab with the /princ option set to the SPN of the user (as indicated in the tomcat documentation: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html#Domain_Controller).

Could you try it this way?

ktpass /crypto AES256-SHA1 /princ http/tomcatsvr.mydom....@mydom.int /pass * /kvno 0 /out "C:\temp\tc.keytab"

Cédric
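The stack trace in the thread ends in Krb5LoginModule.promptForPass, which is consistent with the login module finding no usable key for the configured service principal in the keytab and falling back to an interactive password prompt that a server has no way to answer. A quick way to confirm that before touching Tomcat is to read the keytab and check which principal it actually contains. The script below is an added example, not code from the thread or from Tomcat: it parses the MIT keytab format (version 0x0502) without retaining key material, and checks that an entry exists for the exact principal the JAAS configuration names. The two sample keytabs are constructed inline with a placeholder key; the principals, realm and kvno values are illustrative assumptions based on the names used in the thread.

```python
"""Inspect an MIT-format (0x0502) keytab and verify it holds a key for the
service principal Tomcat's Krb5LoginModule is configured with.
Added example; sample keytab bytes are constructed below, not real data."""
import struct
from dataclasses import dataclass

# Kerberos principal name types (RFC 4120 6.2); ktpass /ptype maps onto these.
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL",
              2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
# Encryption types (RFC 3961/3962); 18 is what ktpass /crypto AES256-SHA1 emits.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    enctype: int
    key_len: int      # only the length is kept; key bytes are discarded


def _counted(data: bytes, pos: int):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def _pack(s: str) -> bytes:
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:             # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen            # skip the key material itself
        kvno = vno8
        if p + 4 <= end:         # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, klen))
        pos = end
    return entries


def check_keytab(data: bytes, expected_principal: str, expected_enctype: int = 18):
    """Return (ok, message). Krb5LoginModule needs a key for the exact
    principal named in jaas.conf; a user-style entry such as
    svctomcatdv@REALM does not satisfy a lookup for HTTP/host@REALM."""
    entries = parse_keytab(data)
    matches = [e for e in entries if e.principal == expected_principal]
    if not matches:
        found = ", ".join(e.principal for e in entries) or "(none)"
        return False, f"no key for {expected_principal}; keytab holds: {found}"
    if not any(e.enctype == expected_enctype for e in matches):
        return False, f"{expected_principal} present but no key with enctype {expected_enctype}"
    e = matches[0]
    return True, (f"ok: {e.principal} kvno={e.kvno} "
                  f"enctype={ENCTYPES.get(e.enctype, e.enctype)} "
                  f"type={NAME_TYPES.get(e.name_type, e.name_type)}")


def build_entry(principal: str, name_type: int, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab entry (used here only to construct sample input)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _pack(realm) + b"".join(_pack(c) for c in comps)
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed samples: a placeholder all-zero key, illustrative principals and kvno.
SAMPLE_KEY = bytes(32)
GOOD_KEYTAB = b"\x05\x02" + build_entry("HTTP/tomcatsvr.mydom.int@MYDOM.INT", 1, 3, 18, SAMPLE_KEY)
BAD_KEYTAB = b"\x05\x02" + build_entry("svctomcatdv@MYDOM.INT", 1, 0, 18, SAMPLE_KEY)

if __name__ == "__main__":
    for label, kt in (("good", GOOD_KEYTAB), ("bad", BAD_KEYTAB)):
        print(label, check_keytab(kt, "HTTP/tomcatsvr.mydom.int@MYDOM.INT"))
```

To check a real file, replace the constructed samples with `check_keytab(open(path, "rb").read(), principal)` where `principal` is the string from the `principal=` line of the Tomcat jaas.conf. The comparison is deliberately case-sensitive, since Kerberos principal components are; a keytab written for `http/...` will not serve a configuration that names `HTTP/...`.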