Hi.
Just nitpicking, but with Kerberos everything has to be "just right":
Is the keytab file used by Tomcat owned by the user under which Tomcat runs?
(This may or may not matter under Windows, but it is absolutely mandatory under Linux, so
you may want to check).
Also verify that your SPNs are really in the form required by Windows AD/Kerberos. I seem
to remember that there was something special there for the form of the services/hostnames,
as compared to a Linux-style environment.
Tip (maybe you already did that in a previous post): there exists a Kerberos
command-line utility which allows you to check, from the client side, that this client (at the
Windows level) can log in to the Kerberos DC. Unfortunately, I do not remember its exact
name, nor if it is available under Windows. (kinit?)
(You may need to install the MIT Kerberos binaries for Windows:
http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html)
Tip: in an environment supposed to do SSO, you are right in thinking that if you see a
login dialog from the browser, it is already a sign that something in the settings is not
right. That browser login dialog is kind of a browser's "last resort" if something else
before did not work.
Related tip: under Linux, there is a Kerberos config file at the webserver level, and
inside it there is a parameter:
KrbMethodK5Passwd on/off
If "off", you should never see a browser login dialog (*). If "on", you may see one (but
see the previous tip).
I do not know if the same config file or parameter type is also used under
Windows/Tomcat/Kerberos.
(*) you may instead just see a blank browser page
This is one of the most complete articles I've seen so far about what settings are
exactly needed at browser level (and what happens otherwise):
https://ping.force.com/Support/PingIdentityArticle?id=kA3400000008RiECAU
(Make sure that you *really* follow every detail; Kerberos stuff is *really*
picky.)
More useful pages:
http://web.mit.edu/kerberos/
http://web.mit.edu/kerberos/krb5-1.13/doc/index.html
http://web.mit.edu/kerberos/krb5-latest/doc/user/tkt_mgmt.html#obtaining-tickets-with-kinit
(and display them with klist)
And finally, here is a hodgepodge of pages which I found relevant during a recent bout of
fighting with Kerberos auth (that was with Apache httpd, not Tomcat, but the underlying
stuff is the same). A lot of information is repeated over these pages, and some of it is
contradictory, but it might save you some hours of browsing anyway:
http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
https://www.drupal.org/node/2123615
http://stackoverflow.com/questions/19842318/apache-kerberos-authentication-client-didnt-delegate-us-their-credential
http://blogs.msdn.com/b/friis/archive/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iis-ie.aspx
https://msdn.microsoft.com/library/aa480609.aspx#wss_ch7_kerbtechsupp_topic5
https://www.johnthedeveloper.co.uk/single-sign-on-active-directory-php-ubuntu
http://seriousbirder.com/blogs/apache-with-kerberos-active-directory-authentication/
http://fluxcoil.net/doku.php/software/kerberos/kerberized_apache
http://serverfault.com/questions/641974/apache-kerberos-authentication-to-active-directory-not-happening-is-krb5kdc-er
http://www.websense.com/content/support/library/shared/v76/auth_service_config/test_ie8.aspx
http://www.microhowto.info/howto/add_a_host_or_service_principal_to_a_keytab_using_mit_kerberos.html
http://windowsitpro.com/security/kerberos-active-directory
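The keytab and SPN checks above can be done without guessing: a keytab is a small binary file whose entries can be read and compared with the principal named in jaas.conf and the enctypes listed in krb5.ini. The following is an added example, not code from this thread or from Tomcat or MIT Kerberos. It builds a constructed MIT v2 keytab in memory (dummy key bytes, kvno and timestamp are made up) and then checks it against two candidate principals; the parser and checker work the same way on a real keytab read from disk.

```python
"""Parse an MIT v2 keytab and check it against the principal the server expects.
Added example (not from the thread): sample keytab bytes below are constructed."""
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) mapped to the names krb5.ini uses.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
NT_PRINCIPAL = 1  # name_type used for ordinary principals


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def build_keytab(entries) -> bytes:
    """Serialize entries ({principal, enctype, key, kvno, timestamp}) as a v2 keytab."""
    out = bytearray(b"\x05\x02")  # keytab format version 0x0502
    for e in entries:
        name, _, realm = e["principal"].rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, e.get("timestamp", 0), e["kvno"] & 0xFF)
        body += struct.pack(">HH", e["enctype"], len(e["key"])) + e["key"]
        body += struct.pack(">I", e["kvno"])          # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body    # signed entry length prefix
    return bytes(out)


def parse_keytab(data: bytes):
    """Return the live entries; negative-length slots are deleted entries and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        pos += klen  # skip the key material itself; only its length is reported
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; a non-zero value wins over the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "kvno": kvno, "timestamp": timestamp, "key_len": klen,
        })
    return entries


def check_keytab(data: bytes, expected_principal: str, allowed_enctypes):
    """Return (ok, findings): does the keytab hold a usable key for expected_principal?"""
    findings = []
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        present = sorted({e["principal"] for e in entries})
        findings.append(f"no key for {expected_principal}; keytab holds {present}")
    for e in matching:
        if e["enctype_name"] not in allowed_enctypes:
            findings.append(f"{e['principal']}: enctype {e['enctype_name']} not in krb5 enctype list")
    return (not findings, findings)


# Constructed sample: the thread's service principal with a dummy 16-byte RC4 key.
SAMPLE_KEYTAB = build_keytab([{
    "principal": "HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL",
    "enctype": 23, "key": b"\x11" * 16, "kvno": 3, "timestamp": 1427227200,
}])
ALLOWED = ["rc4-hmac", "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]  # krb5.ini list

if __name__ == "__main__":
    for princ in ("HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL",
                  "HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"):
        ok, findings = check_keytab(SAMPLE_KEYTAB, princ, ALLOWED)
        print(princ, "OK" if ok else findings)
```

Run against a real file with `check_keytab(open(path, "rb").read(), principal, allowed)`, where `principal` is the exact string from jaas.conf and `allowed` the enctype list from krb5.ini. A principal mismatch (host part, realm case, or a trailing dot) or an enctype that the KDC will not issue for that account shows up as a finding before any browser is involved.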
David Marsh wrote:
Everything is as described and still not working, except the jaas.conf is :-
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
In other words the principal is the tomcat server as it should be.
Date: Tue, 24 Mar 2015 21:17:59 +0100
From: felix.schumac...@internetallee.de
To: users@tomcat.apache.org
Subject: Re: SPNEGO test configuration with Manager webapp
On 24.03.2015 at 21:05, David Marsh wrote:
Sorry, that's :-
principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
under jaas.conf, it is set to the tomcat server DNS.
Is it working with this configuration, or is this just to point out that you
copied the wrong jaas.conf for the mail?
Felix
----------------------------------------
From: dmars...@outlook.com
To: users@tomcat.apache.org
Subject: SPNEGO test configuration with Manager webapp
Date: Tue, 24 Mar 2015 20:02:04 +0000
I'm trying to get SPNEGO authentication working with Tomcat 8.
I've created three Windows VMs :-
Tomcat Server - Windows 8.1 32-bit VM
Test Client - Windows 8.1 32-bit VM
Domain Controller - Windows Server 2012 R2 64-bit VM
The Tomcat Server and the Test Client are joined to the same domain
kerbtest.local, they are logged in with domain logins.
The firewall is disabled on the Tomcat Server VM.
I've followed the guidelines on the Apache Tomcat website.
jaas.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-dc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};
krb5.ini
[libdefaults]
    default_realm = KERBTEST.LOCAL
    default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable = true
[realms]
    KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
    }
I want to use the tomcat manager app to test SPNEGO with Active Directory.
I have tried to keep the setup as basic and vanilla to the instructions as
possible.
Users were created as instructed.
SPN was created as instructed:
setspn -A HTTP/win-tc01.kerbtest.local tc01
Keytab was created as instructed:
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass /kvno 0
I have tried to test with Firefox, Chrome and IE, after ensuring
http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added
http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and
network.negotiate-auth.trusted-uris.
Tomcat is running as a Windows service under the tc01@kerbtest.local account.
Visiting the URL http://win-tc01.kerbtest.local from the Test Client VM in
Firefox results in 401 three times.
Looking at the Network tab in developer tools in firefox shows 401 response
with WWW-Authenticate: Negotiate response http header.
The next has an Authorization request http header with long encrypted string.
IE still prompts for credentials with a popup, not sure why, as does Chrome.
The setting User Authentication, Logon, Automatic Logon only in Intranet Zone,
is selected under trusted sites.
It seems like authentication is never completed?
There are no errors in tomcat logs.
Any ideas what is happening and what I can do to troubleshoot?
I'm quite happy to help improve the documentation and follow the instructions,
however I have tried that and cannot get a working basic set up.
Many thanks
David
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
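The "long encrypted string" in the Authorization header is the one piece of evidence the browser gives about what went wrong: the token is either a bare NTLM message or a GSS-API InitialContextToken, and in the SPNEGO case its mechTypes list says which mechanism the client actually offers first. If NTLM comes first (or the token starts with "NTLMSSP"), the client never obtained a Kerberos service ticket for the SPN, which is what the SPN, DNS name and browser-zone checks in this thread are about; if Kerberos comes first, the ticket was issued and the remaining suspects are the server-side keytab and principal. The following classifier is an added example, not code from this thread or from any of the products discussed; the header values it inspects are constructed in the block (synthetic token bytes, not captures from the poster's setup).

```python
"""Classify the token in an HTTP 'Negotiate' header (defender-side diagnostic).
Added example, not from the thread; sample headers below are constructed."""
import base64

# GSS-API mechanism OIDs in DER-encoded form.
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos",
             OID_MS_KRB5: "MS-Kerberos", OID_NTLMSSP: "NTLMSSP"}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate(header_value: str) -> dict:
    """Report which mechanism the client sent inside 'Authorization: Negotiate ...'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "mechs": [], "preferred": None}
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):  # bare NTLM message behind the Negotiate scheme
        return {"kind": "raw-NTLM", "mechs": ["NTLMSSP"], "preferred": "NTLMSSP",
                "ntlm_message_type": int.from_bytes(raw[8:12], "little")}
    if not raw or raw[0] != 0x60:  # RFC 2743 InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechs": [], "preferred": None}
    _, body, _ = read_tlv(raw, 0)
    tag, oid, pos = read_tlv(body, 0)  # thisMech OID
    if tag != 0x06:
        return {"kind": "unknown", "mechs": [], "preferred": None}
    mech = OID_NAMES.get(oid, oid.hex())
    if oid != OID_SPNEGO:  # raw Kerberos (or other) GSS token without a negotiation wrapper
        return {"kind": "raw-GSS", "mechs": [mech], "preferred": mech}
    # SPNEGO NegTokenInit: [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = read_tlv(body, pos)
    _, seq, _ = read_tlv(neg_init, 0)
    tag, mech_types, _ = read_tlv(seq, 0)
    mechs = []
    if tag == 0xA0:
        _, mech_seq, _ = read_tlv(mech_types, 0)
        p = 0
        while p < len(mech_seq):
            _, o, p = read_tlv(mech_seq, p)
            mechs.append(OID_NAMES.get(o, o.hex()))
    return {"kind": "SPNEGO", "mechs": mechs, "preferred": mechs[0] if mechs else None}


def diagnose(header_value: str) -> str:
    """One-line reading of the classification for a troubleshooting log."""
    r = classify_negotiate(header_value)
    if r["preferred"] == "NTLMSSP":
        return "NTLM offered first: client got no Kerberos service ticket (check SPN/DNS/browser zone)"
    if r["preferred"] in ("Kerberos", "MS-Kerberos"):
        return "Kerberos ticket presented: if 401 persists, check keytab/principal on the server"
    return f"unrecognised token ({r['kind']})"


def build_spnego_init(mech_oids, mech_token=b"\x00") -> bytes:
    """Build a minimal NegTokenInit with the given mechTypes (used only for constructed samples)."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    seq = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, seq))


def header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed samples: synthetic token bytes, not captured from the thread's setup.
SAMPLES = {
    "kerberos_first": header(build_spnego_init([OID_KRB5, OID_MS_KRB5, OID_NTLMSSP], b"\x01" * 300)),
    "ntlm_in_spnego": header(build_spnego_init([OID_NTLMSSP])),
    "raw_ntlm_type1": header(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24),
}

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(f"{name:15} {diagnose(h)}")
```

Paste the Authorization header value copied from the browser's network tab into `diagnose()`; it only reads the mechanism list and the NTLM message type, so it does not need the keytab or any credentials. A 401 that repeats three times with an NTLM-first token is the NTLM challenge sequence being rejected by a Kerberos-only server, which is a different failure from a Kerberos ticket that the server cannot decrypt.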