Krishnan, Babu wrote:
Hello
We are having Desktop SSO for an application hosted on tomcat. The Desktop SSO
uses kerberos authentication. We are using spnego.sourceforge.net solution for
enabling SSO on the Tomcat end. Now, desktop SSO works like a charm.
Now we would like to front Tomcat with Apache and use mod_jk for connecting. We
have Apache 2.2.15, mod_jk 1.2.30 on Tomcat 6.0.24. As such, Apache & mod_jk are
working fine with Tomcat when SSO is turned off on Tomcat, i.e. Apache and mod_jk
have been configured properly.
When I turn on SSO on Tomcat, I get an error when going through Apache, but when I
hit Tomcat directly I don't get any error.
Here is the error I'm getting:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum
failed)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
Does it mean that I need to tweak some configuration on Apache and mod_jk to
work with Tomcat when SSO is enabled?
I will hazard a guess..
I do not think that there is anything that you can do, as such, at the
Apache or mod_jk configuration level.
I believe that what is hitting you is this (again, just a guess) :
Kerberos is a very secure protocol. As such, it probably has measures
against "man-in-the-middle" attacks. That means that it makes sure that
the client (the workstation) is talking directly to the server (Tomcat),
and that there is nobody in the middle that could be listening to the
conversation, record it, and maybe use this recording later for a
"playback" attack.
When you have Apache (+ mod_jk) between the workstation and Tomcat, in
effect you do have a man-in-the-middle : Apache.
That may be the reason why Kerberos (at the Tomcat side) is rejecting
the authentication : it sees that who is talking to it is Apache, and
that it is not the workstation who started the Kerberos negotiation
(they have a different IP, for example).
One way to solve the problem would be to do the Kerberos authentication
at the Apache level, and pass the resulting user-id to Tomcat via
mod_jk. If Apache authenticates the user, and the
"tomcatAuthentication" attribute is set to "false" in the Tomcat AJP
Connector, then this will happen automatically.
Then you would not need the Kerberos module in Tomcat anymore, since the
user-id, as authenticated by Apache, would be secure anyway.
If all which I am writing above is correct (a big if), then you should
start looking for a Kerberos authentication module for Apache.
Another suggestion is to try to get in touch with the
spnego.sourceforge.net people. They might have encountered the same
situation already, and may have a solution in terms of settings at the
level of that module.
And please, report to the list anything else you find. This kind of
topic seems to be in fashion nowadays.
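To make the suggestion above concrete, here is an added example of the Apache-side configuration it describes (authenticate with Kerberos at Apache, forward the user to Tomcat over AJP). It is not from the original thread, from the Tomcat project, or from the spnego.sourceforge.net project. It assumes mod_auth_kerb for the SPNEGO part and mod_jk for the AJP part; the host name www.example.com, realm EXAMPLE.COM, keytab path, context path /myapp and worker name tomcat1 are placeholders.

```apache
# httpd.conf (Apache 2.2) - added example, not from the original post.
# Assumed modules: mod_auth_kerb (SPNEGO/Kerberos) and mod_jk (AJP).
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule jk_module        modules/mod_jk.so

# mod_jk worker, defined in conf/workers.properties (placeholder values):
#   worker.list=tomcat1
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=127.0.0.1
#   worker.tomcat1.port=8009
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# Everything under /myapp goes to Tomcat via AJP, but only after the
# <Location> block below has authenticated the request.
JkMount /myapp/* tomcat1

<Location /myapp>
    # Kerberos is terminated here, at the reverse proxy. The browser asks
    # the KDC for a ticket for HTTP/<host name in the URL>, so the SPN the
    # keytab holds must be the Apache host name, not the Tomcat host name.
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP/www.example.com
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate On
    # Do not fall back to Basic auth (password over the wire).
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
```

On the Tomcat side the matching change is on the AJP connector in server.xml, for example `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />`; with tomcatAuthentication="false" mod_jk forwards REMOTE_USER (the authenticated principal) and Tomcat exposes it as request.getRemoteUser(), so the SPNEGO filter/valve is removed from the webapp. Two checks a practitioner will want: first, with that attribute set Tomcat trusts whatever user name arrives over AJP, so port 8009 must be reachable only from the Apache host (the address attribute above, plus a firewall rule), otherwise anyone who can open a connection to it can impersonate any user. Second, to confirm the diagnosis before reconfiguring anything, run klist on the workstation after a failed attempt through Apache and compare the service principal of the cached HTTP/... ticket with the principal in the keytab that Tomcat's SPNEGO module uses; a ticket for the Apache host name cannot be decrypted with a key for the Tomcat host name, which is one ordinary way to end up with "Checksum failed" on the acceptor side.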
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org