Hello all,

I have been trying to achieve single sign-on with IE 6.1 on Win2k systems.
Basically, I am trying to emulate the IIS and IE Kerberos auth exchange. In my
case the server happens to be Tomcat.
IIS and IE exchange GSSAPI tokens using the SPNEGO mechanism. IIS sets the HTTP
header "WWW-Authenticate:" to "Negotiate". IE responds with the HTTP header
"Authorization:" set to "Negotiate b64[gssapi-token]".
The exchange goes on until the GSS context is established.

My setup is as follows:

Server
-------
1. Solaris 2.6
2. Tomcat Servlet Engine
3. JDK 1.4.1 JGSS
4. Login configuration
    com.sun.security.jgss.accept = {
        com.sun.security.auth.module.Krb5LoginModule required debug=true
        useKeyTab=true keyTab="/etc/krb5/v5srvtab" storekey=true
        principal="[EMAIL PROTECTED]";
    };
5. create /etc/krb5/krb5.conf
6. Create W2K KDC user principal "dlsun685", trusted for delegation, use DES encryption
7. ktpass -princ [EMAIL PROTECTED] -pass welcome -mapuser dlsun685 -out v5srvtab
8. Copy v5srvtab to (dlsun685:/etc/krb5)
9. Coded $TOMCAT_HOME/webapps/ROOT/WEB-INF/classes/SnoopServlet.java. This uses JGSS to frame GSS tokens.

Client
-------
1. Win2k
2. IE 6.1
3. URL : http://dlsun685.us.oracle.com:8080/servlet/SnoopServlet

The servlet is able to access the keytab and get creds [output follows]

>Getting creds for [EMAIL PROTECTED]
>Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is
>KeyTab is /etc/krb5/v5srvtab principal is HTTP/dlsun685.us.oracle.com tryFirstPass is false
>useFirstPass is false storePass is false clearPass is false
>principal's key obtained from the keytab
>principal is [EMAIL PROTECTED]
>Added server's keyKerberos Principal [EMAIL PROTECTED] Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 52 0D D9 9D 61 C8 E6 7A
> [Krb5LoginModule] added Krb5Principal [EMAIL PROTECTED] to Subject
>Commit Succeeded

But when I pass the GSS token from IE into acceptSecContext() it raises an
exception [stack trace follows]

2002-09-20 09:46:41 - Ctx(  ): Exception in: R(  + /servlet/SnoopServlet + null) - javax.servlet.ServletException: 1.3.6.1.5.5.2 usage: Accept
        at SnoopServlet.doGet(SnoopServlet.java:127)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
        at org.apache.tomcat.core.Handler.service(Handler.java:286)
        at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
        at java.lang.Thread.run(Thread.java:536)
Root cause:
GSSException: 1.3.6.1.5.5.2 usage: Accept
        at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:481)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:282)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
        at SnoopServlet.gssAuthenticate(SnoopServlet.java:78)
        at SnoopServlet.doGet(SnoopServlet.java:117)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
        at org.apache.tomcat.core.Handler.service(Handler.java:286)
        at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
        at java.lang.Thread.run(Thread.java:536)

Finally, in the Win2k client cache I see a service ticket for
[EMAIL PROTECTED] of type DES-CBC-MD5.

Any ideas why this is happening? Also, is the JGSS implementation on Solaris
based on the Sun GSSAPI C implementation? Is SSPI different from GSSAPI?

/T$R
(Ramana Turlapati)


________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
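The GSSException above names the SPNEGO mechanism OID (1.3.6.1.5.5.2), so the first thing worth checking is which mechanism the browser's token actually carries, and which mechTypes it offers inside the SPNEGO wrapper (Kerberos V5 is 1.2.840.113554.1.2.2, Microsoft's legacy Kerberos OID is 1.2.840.48018.1.2.2, NTLMSSP is 1.3.6.1.4.1.311.2.2.10). The following Python is an added example, not code from the post or from JGSS: it decodes the base64 value of an "Authorization: Negotiate" header, reads the RFC 2743 InitialContextToken wrapper with a minimal DER parser, and lists the mechTypes of a NegTokenInit. The two sample headers it ships with are constructed in the script itself, not captured from IE; the function and constant names are the example's own.

```python
"""Inspect the GSS-API token in an HTTP "Authorization: Negotiate <b64>" header.

Added example, not code from the original post. Decodes the RFC 2743
InitialContextToken wrapper to find the mechanism OID and, for SPNEGO,
lists the mechTypes offered in the NegTokenInit (RFC 2478). The sample
headers at the bottom are constructed here, not captured from IE.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"          # RFC 1964 Kerberos V5
MS_KRB5_OID = "1.2.840.48018.1.2.2"        # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5",
              MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}


# --- minimal DER encode/decode (enough for OIDs and nested TLVs) ----------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = more to come
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, body, position after this TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


# --- the inspection itself -------------------------------------------------
def inspect_negotiate_header(header_value):
    """Report which mechanism(s) the token in a Negotiate header carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not an HTTP Negotiate authorization header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):       # bare NTLM message, no GSS wrapper
        return {"mech": NTLMSSP_OID, "mech_name": "NTLMSSP (raw)", "mech_types": []}
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not an RFC 2743 InitialContextToken ([APPLICATION 0])")
    tag, oid_body, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("InitialContextToken does not start with a mechanism OID")
    mech = decode_oid(oid_body)
    result = {"mech": mech, "mech_name": MECH_NAMES.get(mech, "unknown"), "mech_types": []}
    if mech == SPNEGO_OID:
        # NegotiationToken ::= CHOICE { negTokenInit [0] NegTokenInit, ... }
        tag, init, _ = read_tlv(body, pos)
        if tag == 0xA0:
            _, seq, _ = read_tlv(init, 0)          # NegTokenInit ::= SEQUENCE
            tag, mt, _ = read_tlv(seq, 0)          # mechTypes [0] MechTypeList
            if tag == 0xA0:
                _, lst, _ = read_tlv(mt, 0)        # SEQUENCE OF MechType (OIDs)
                p = 0
                while p < len(lst):
                    _, o, p = read_tlv(lst, p)
                    result["mech_types"].append(decode_oid(o))
    elif mech == KRB5_OID:
        result["tok_id"] = body[pos:pos + 2].hex()  # RFC 1964 TOK_ID, 0100 = AP-REQ
    return result


# --- constructed sample tokens (not real IE captures) ------------------------
def build_neg_token_init(mech_types, mech_token):
    """SPNEGO NegTokenInit with a mechTypes list and an opaque mechToken."""
    fields = der_tlv(0xA0, der_tlv(0x30, b"".join(encode_oid(m) for m in mech_types)))
    fields += der_tlv(0xA2, der_tlv(0x04, mech_token))
    return der_tlv(0x60, encode_oid(SPNEGO_OID) + der_tlv(0xA0, der_tlv(0x30, fields)))


SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init(
    [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"<placeholder AP-REQ bytes>")).decode()
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(
    der_tlv(0x60, encode_oid(KRB5_OID) + b"\x01\x00" + b"<placeholder AP-REQ bytes>")).decode()

if __name__ == "__main__":
    for h in (SAMPLE_SPNEGO_HEADER, SAMPLE_KRB5_HEADER):
        print(inspect_negotiate_header(h))
```

To use it on a real exchange, paste the value of the Authorization header the browser sent (visible in a packet capture or by logging request headers in the servlet) into inspect_negotiate_header(). If the outer mechanism is SPNEGO, the acceptor has to understand 1.3.6.1.5.5.2 itself or unwrap the NegTokenInit and hand the inner mechToken to a Kerberos acceptor; if the outer mechanism is already 1.2.840.113554.1.2.2 with TOK_ID 0100, the token can go straight to a Kerberos V5 acceptSecContext().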